|Espcms 通杀 SQL注入漏洞 - VULHUB开源网络安全威胁库

Espcms 通杀 SQL注入漏洞

- AV AC AU C I A

发布： 2025-04-13

修订： 2025-04-13

漏洞在interface/search.php 文件和interface/3gwap_search.php文件in_taglist()函数都存在，一样的问题，以 interface/search.php为例说明： <code>function in_taglist() { parent::start_pagetemplate(); include_once admin_ROOT . 'public/class_pagebotton.php'; $page = $this->fun->accept('page', 'G'); $page = isset($page) ? intval($page) : 1; $lng = (admin_LNG == 'big5') ? $this->CON['is_lancode'] : admin_LNG; $tagkey = urldecode($this->fun->accept('tagkey', 'R')); $tagkey = $this->fun->inputcodetrim($tagkey); $db_where = ' WHERE lng=\'' . $lng . '\' AND isclass=1'; if (empty($tagkey)) { $linkURL = $_SERVER['HTTP_REFERER']; $this->callmessage($this->lng['search_err'], $linkURL, $this->lng['gobackbotton']); } if (!empty($tagkey)) { $db_where.=" AND FIND_IN_SET('$tagkey',tags)"; } $pagemax = 20; $pagesylte = 1; $templatesDIR = $this->get_templatesdir('article'); $templatefilename = $lng . '/' . $templatesDIR . '/search'; $db_table = db_prefix . 'document'; $countnum = $this->db_numrows($db_table, $db_where); if ($countnum > 0) { $numpage = ceil($countnum / $pagemax); } else { $numpage = 1; } $sql = "SELECT did,lng,pid,mid,aid,tid,sid,fgid,linkdid,isclass,islink,ishtml,ismess,isorder,purview,recommend,tsn,title,longtitle, color,author,source,pic,link,oprice,bprice,click,description,keywords,addtime,template,filename,filepath FROM $db_table $db_where LIMIT 0,$pagemax"; $this->htmlpage = new PageBotton($sql, $pagemax, $page, $countnum, $numpage, $pagesylte, $this->CON['file_fileex'], 5, $this->lng['pagebotton'], $this->lng['gopageurl'], $this->CON['is_rewrite']); $sql = $this->htmlpage->PageSQL('pid,did', 'down'); $rs = $this->db->query($sql); while ($rsList = $this->db->fetch_assoc($rs)) { </code> 由于$tagkey变量使用了urldecode，从而可以绕过GPC，最终 $db_where.=” AND FIND_IN_SET(‘$tagkey’,tags)”; $tagkey被带入SQL语句。可以看到下面有 <code>$sql = "SELECT did,lng,pid,mid,aid,tid,sid,fgid,linkdid,isclass,islink,ishtml,ismess,isorder,purview,recommend,tsn,title,longtitle,color,author,source,pic,link,oprice,bprice,click,description,keywords,addtime,template,filename,filepath FROM $db_table $db_where LIMIT 0,$pagemax";</code> 也被带入数据库查询，两条语句可以注入，可以看到第二条SQL语句是可以查询出数据的。但是由于espcms默认配置是不显示SQL语句错误的，而第一条SQL语句查询出来的是count(*)，即int，更蛋疼的是只要第一条查询报错，第二条就不会执行。所以只有用第一条盲注来搞了。漏洞测试EXP：http://localhost/espcms/index.php?ac=search&at=taglist&tagkey=a%2527 由于espcms本身有防注入函数，在文件 public\class_function.php inputcodetrim()函数。 <pre>function inputcodetrim($str) { if (empty($str)) return $str; $str = str_replace("&amp;", "&", $str); $str = str_replace("&gt;", ">", $str); $str = str_replace("&lt;", "<", $str); $str = str_replace("&lt;", "<", $str); $str = str_ireplace("select", "", $str); $str = str_ireplace("join", "", $str); $str = str_ireplace("union", "", $str); $str = str_ireplace("where", "", $str); $str = str_ireplace("insert", "", $str); $str = str_ireplace("delete", "", $str); $str = str_ireplace("update", "", $str); $str = str_ireplace("like", "", $str); $str = str_ireplace("drop", "", $str); $str = str_ireplace("create", "", $str); $str = str_ireplace("modify", "", $str); $str = str_ireplace("rename", "", $str); $str = str_ireplace("count", "", $str); $str = str_ireplace("from", "", $str); $str = str_ireplace("group by", "", $str); $str = str_ireplace("concat", "", $str); $str = str_ireplace("alter", "", $str); $str = str_ireplace("ca&#115;", "cast", $str); $str = preg_replace("/<span[^>]+>/i", "<span>", $str); $str = preg_replace("/<p[^>]+>/i", "<p>", $str); $str = preg_replace("/<font[^>]+>/i", "<font>", $str); $str = preg_replace("/width=(\'|\")?[\d%]+(\'|\")?/i", "", $str); $str = preg_replace("/height=(\'|\")?[\d%]+(\'|\")?/i", "", $str); $str = preg_replace("'<style[^\f]*?(\/style>)'si", "", $str); return $str; }</pre> 只是把关键字替换为空，例如union可uunionnion绕过本身防注入，还可以无视不拦截单引号的waf。漏洞在interface/search.php 文件和interface/3gwap_search.php文件in_taglist()函数都存在，一样的问题，以 interface/search.php为例说明： <pre class="prettyprint linenums">function in_taglist() { parent::start_pagetemplate(); include_once admin_ROOT . 'public/class_pagebotton.php'; $page = $this->fun->accept('page', 'G'); $page = isset($page) ? intval($page) : 1; $lng = (admin_LNG == 'big5') ? $this->CON['is_lancode'] : admin_LNG; $tagkey = urldecode($this->fun->accept('tagkey', 'R')); $tagkey = $this->fun->inputcodetrim($tagkey); $db_where = ' WHERE lng=\'' . $lng . '\' AND isclass=1'; if (empty($tagkey)) { $linkURL = $_SERVER['HTTP_REFERER']; $this->callmessage($this->lng['search_err'], $linkURL, $this->lng['gobackbotton']); } if (!empty($tagkey)) { $db_where.=" AND FIND_IN_SET('$tagkey',tags)"; } $pagemax = 20; $pagesylte = 1; $templatesDIR = $this->get_templatesdir('article'); $templatefilename = $lng . '/' . $templatesDIR . '/search'; $db_table = db_prefix . 'document'; $countnum = $this->db_numrows($db_table, $db_where); if ($countnum > 0) { $numpage = ceil($countnum / $pagemax); } else { $numpage = 1; } $sql = "SELECT did,lng,pid,mid,aid,tid,sid,fgid,linkdid,isclass,islink,ishtml,ismess,isorder,purview,recommend,tsn,title,longtitle, color,author,source,pic,link,oprice,bprice,click,description,keywords,addtime,template,filename,filepath FROM $db_table $db_where LIMIT 0,$pagemax"; $this->htmlpage = new PageBotton($sql, $pagemax, $page, $countnum, $numpage, $pagesylte, $this->CON['file_fileex'], 5, $this->lng['pagebotton'], $this->lng['gopageurl'], $this->CON['is_rewrite']); $sql = $this->htmlpage->PageSQL('pid,did', 'down'); $rs = $this->db->query($sql); while ($rsList = $this->db->fetch_assoc($rs)) { </pre> 由于$tagkey变量使用了urldecode，从而可以绕过GPC，最终 $db_where.=” AND FIND_IN_SET(‘$tagkey’,tags)”; $tagkey被带入SQL语句。可以看到下面有 <pre class="prettyprint linenums">$sql = "SELECT did,lng,pid,mid,aid,tid,sid,fgid,linkdid,isclass,islink,ishtml,ismess,isorder,purview,recommend,tsn,title,longtitle,color,author,source,pic,link,oprice,bprice,click,description,keywords,addtime,template,filename,filepath FROM $db_table $db_where LIMIT 0,$pagemax";</pre> 也被带入数据库查询，两条语句可以注入，可以看到第二条SQL语句是可以查询出数据的。但是由于espcms默认配置是不显示SQL语句错误的，而第一条SQL语句查询出来的是count(*)，即int，更蛋疼的是只要第一条查询报错，第二条就不会执行。所以只有用第一条盲注来搞了。漏洞测试EXP：http://localhost/espcms/index.php?ac=search&at=taglist&tagkey=a%2527 由于espcms本身有防注入函数，在文件 public\class_function.php inputcodetrim()函数。 <pre class="prettyprint linenums">function inputcodetrim($str) { if (empty($str)) return $str; $str = str_replace("&amp;", "&", $str); $str = str_replace("&gt;", ">", $str); $str = str_replace("&lt;", "<", $str); $str = str_replace("&lt;", "<", $str); $str = str_ireplace("select", "", $str); $str = str_ireplace("join", "", $str); $str = str_ireplace("union", "", $str); $str = str_ireplace("where", "", $str); $str = str_ireplace("insert", "", $str); $str = str_ireplace("delete", "", $str); $str = str_ireplace("update", "", $str); $str = str_ireplace("like", "", $str); $str = str_ireplace("drop", "", $str); $str = str_ireplace("create", "", $str); $str = str_ireplace("modify", "", $str); $str = str_ireplace("rename", "", $str); $str = str_ireplace("count", "", $str); $str = str_ireplace("from", "", $str); $str = str_ireplace("group by", "", $str); $str = str_ireplace("concat", "", $str); $str = str_ireplace("alter", "", $str); $str = str_ireplace("ca&#115;", "cast", $str); $str = preg_replace("/<span[^>]+>/i", "<span>", $str); $str = preg_replace("/<p[^>]+>/i", "<p>", $str); $str = preg_replace("/<font[^>]+>/i", "<font>", $str); $str = preg_replace("/width=(\'|\")?[\d%]+(\'|\")?/i", "", $str); $str = preg_replace("/height=(\'|\")?[\d%]+(\'|\")?/i", "", $str); $str = preg_replace("'<style[^\f]*?(\/style>)'si", "", $str); return $str; }</pre> 只是把关键字替换为空，例如union可uunionnion绕过本身防注入，还可以无视不拦截单引号的waf。 Espcms 等待官方补丁 http://www.ecisp.cn

漏洞利用/PoC

暂无可用Exp或PoC

受影响的平台与产品

当前有0条受影响产品信息

您还没有登录，登录后可查看更多

添加资源
收藏资源
问题反馈

贡献用户

暂无贡献用户

VULHUB ™