### Brief description:

An interesting injection in Espcms: although the value passed in is encrypted with a randomly generated key, the weak pseudo-random number can be recovered by enumeration, which lets an attacker control any SQL parameter and inject into the system.

### Detailed description:

interface\membermain.php, line 33:

```
$db_sql = "SELECT * FROM $db_table1 LEFT JOIN $db_table2 ON a.userid = b.userid WHERE a.userid = $this->ec_member_username_id ";
```

`ec_member_username_id` is taken directly from the `ecisp_member_info` cookie. The system encrypts the cookie with its own scheme and a randomly generated key. The encryption function, public\class_function.php, line 179:

```
function eccode($string, $operation = 'DECODE', $key = '@LFK24s224%@safS3s%1f%') {
    $result = '';
    if ($operation == 'ENCODE') {
        for ($i = 0; $i < strlen($string); $i++) {
            $char = substr($string, $i, 1);
            $keychar = substr($key, ($i % strlen($key)) - 1, 1);
            $char = chr(ord($char) + ord($keychar));
            $result.=$char;
        }
        $result = base64_encode($result);
        $result = str_replace(array('+', '/', '='), array('-', '_', ''), $result);
    } elseif ($operation == 'DECODE') {
        $data = str_replace(array('-', '_'), array('+', '/'), $string);
        $mod4 = strlen($data) % 4;
        if ($mod4) {
            $data .= substr('====', $mod4);
        }
        $string = base64_decode($data);
        for ($i = 0; $i < strlen($string); $i++) {
            $char = substr($string, $i, 1);
            $keychar = substr($key, ($i % strlen($key)) - 1, 1);
            $char = chr(ord($char) - ord($keychar));
            $result.=$char;
        }
    }
    return $result;
}
```

Key generation, install\fun_center.php, line 238:

```
$pscode = rand('99', '999');
$config .= "define('db_pscode', '" . md5(md5($pscode)) . "');\r\n";
```

Er, it is just a double MD5 of a random value. Now let's look at how the `ecisp_member_info` cookie is generated, interface\member.php, line 110:

```
$this->fun->setcookie('ecisp_member_info', $this->fun->eccode("$memberread[userid]|$memberread[alias]|$memberread[integral]|$memberread[mcid]|$memberread[email]|$memberread[lastip]|$ipadd|" . md5($_SERVER['HTTP_USER_AGENT']) . '|' . md5(admin_ClassURL), 'ENCODE', db_pscode));
```

The user id, name, email and so on are all known to an attacker, so one can simply enumerate the keys from 99 to 999 and match them against this information. Once the key has been worked out, the cookie can be manipulated to pass in an arbitrary SQL statement. For example, on the official demo site:

![5.jpg](https://images.seebug.org/upload/201303/27154741e578361dae24b7a160651255cfa5554c.jpg)

The key is 95e87f86a2ffde5110e93c2823634927. Looking at the current statement, set the member_info plaintext to `1 and 1=2 union select 1,2,3,user(),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28`, run it through eccode, and replace the cookie value to query the current MySQL user:

![6.jpg](https://images.seebug.org/upload/201303/271634071ca9e556afb0ac9d5d3536858f728752.jpg)

### Proof of vulnerability:

Through a series of encoded cookie operations the administrator username and password can be obtained:

![3.jpg](https://images.seebug.org/upload/201303/27163448ed818f07f7a717a325ef998504f67775.jpg)

After logging into the admin backend, a shell can be obtained from the template editor, taking over the system:

![10.jpg](https://images.seebug.org/upload/201303/271638133555eb84f9700e8b8969ab3b6aae5ade.jpg)
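The two defects described above are the key space (a value from `rand(99, 999)` gives at most 901 keys, and double MD5 adds no entropy) and the unvalidated interpolation of the decoded `userid` into the query. The following is an added example, not Espcms code, of how the cookie and the lookup would be hardened: the payload is authenticated with HMAC-SHA256 under a 32-byte secret from `random_bytes()`, so any edit to the cookie is rejected before the value reaches SQL, and the user id is validated as an integer and bound as a prepared-statement parameter. The names `db_cookie_secret`, `member_cookie_encode`, `member_cookie_decode` and `load_member` are assumptions for the illustration; `$db_table1` and `$db_table2` are the page's table variables; PHP 7.3 or later is assumed.

```php
<?php
// Added example, not Espcms code. Hardened replacement for the ecisp_member_info
// scheme: an HMAC-SHA256 tag under a 32-byte secret protects the payload, and the
// user id is validated and bound as a query parameter rather than interpolated.
// Assumed names: db_cookie_secret, member_cookie_encode, member_cookie_decode,
// load_member. $db_table1/$db_table2 hold the aliased table names as in the
// original query and come from configuration, never from the request.

// At install time, instead of rand('99', '999') and md5(md5(...)):
// define('db_cookie_secret', bin2hex(random_bytes(32)));

function member_cookie_encode(array $fields, string $secret): string {
    $payload = json_encode($fields, JSON_THROW_ON_ERROR);
    $tag = hash_hmac('sha256', $payload, $secret, true);   // 32 raw bytes
    // URL-safe base64 without padding, the same transport the original used.
    return rtrim(strtr(base64_encode($tag . $payload), '+/', '-_'), '=');
}

function member_cookie_decode(string $cookie, string $secret): ?array {
    $b64 = strtr($cookie, '-_', '+/');
    if ($mod4 = strlen($b64) % 4) {
        $b64 .= substr('====', $mod4);
    }
    $raw = base64_decode($b64, true);
    if ($raw === false || strlen($raw) <= 32) {
        return null;                        // malformed cookie
    }
    $tag = substr($raw, 0, 32);
    $payload = substr($raw, 32);
    $expected = hash_hmac('sha256', $payload, $secret, true);
    if (!hash_equals($expected, $tag)) {
        return null;                        // tampered, or signed under another key
    }
    $fields = json_decode($payload, true);
    return is_array($fields) ? $fields : null;
}

function load_member(PDO $db, string $db_table1, string $db_table2,
                     string $cookie, string $secret): ?array {
    $fields = member_cookie_decode($cookie, $secret);
    if ($fields === null || !isset($fields['userid'])) {
        return null;
    }
    // Even with a valid tag, treat the id as untrusted: it must be an integer.
    $userid = filter_var($fields['userid'], FILTER_VALIDATE_INT);
    if ($userid === false) {
        return null;
    }
    // Same join as membermain.php line 33, but the id is a bound parameter.
    $stmt = $db->prepare("SELECT * FROM $db_table1 LEFT JOIN $db_table2"
                       . " ON a.userid = b.userid WHERE a.userid = ?");
    $stmt->execute([$userid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Self-check of the cookie layer (no database needed): a valid cookie decodes,
// and changing a single character of it is rejected by the tag check.
$secret = random_bytes(32);
$cookie = member_cookie_encode(['userid' => 1, 'alias' => 'alice'], $secret);
$tampered = $cookie;
$tampered[5] = ($cookie[5] === 'A') ? 'B' : 'A';
var_dump(member_cookie_decode($cookie, $secret)['userid'] === 1);
var_dump(member_cookie_decode($tampered, $secret) === null);
```

With this layout the cookie still reveals its contents (it is authenticated, not encrypted), which is acceptable because nothing in it is secret; what matters is that a client cannot produce a cookie the server accepts without the 256-bit key, and that even an accepted value never reaches the query as raw SQL.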