记录黑客技术中优秀的内容,传播黑客文化,分享黑客技术精华

逐浪cms SQL注入漏洞

2014-08-07 06:05

地址

http://demo.zoomla.cn/Customer.aspx





源码如下

protected void Page_Load(object sender, EventArgs e)

{

if (base.Request.QueryString["type"] != null)

{

if (base.Request.QueryString["type"] == "Seat")

{

this.GetSeat();

}

if (base.Request.QueryString["type"] == "add")

{

this.SetInfo(base.Request.Form.ToString());

}

bool flag1 = base.Request.QueryString["type"] == "answer";

if ((base.Request.QueryString["type"] == "getservice") && (base.Request.QueryString["uid"] != null))

{

this.GetServerInfo(base.Request.QueryString["uid"].ToString(), base.Request.Cookies["Provisional"]["Uid"]); //跟进

}

if (base.Request.QueryString["type"] == "OnlineUsers")

{

this.GetOnlineUsers();

}

bool flag2 = base.Request.QueryString["type"] == "CallMe";

if (base.Request.QueryString["type"] == "msg")

{

this.GetMsg(); //跟进

}

this.DelUser();

}

}





private void GetMsg()

{

StringBuilder builder = new StringBuilder();

DataTable table = this.bcsbll.Select_Where(" CS_Type=0 and CS_OID=" + base.Request.Cookies["Provisional"]["Uid"], " DISTINCT CS_SendID,CS_SendName ", ""); //没处理存在注入

for (int i = 0; i < table.Rows.Count; i++)

{

builder.Append(string.Concat(new object[] { table.Rows[i]["CS_SendID"], ",", table.Rows[i]["CS_SendName"], ";" }));

}

string s = builder.ToString();

if (s.EndsWith(";"))

{

s = s.Substring(0, s.Length - 1);

}

base.Response.Write(s);

}





另一处

private void GetServerInfo(string uid, string sessid)

{

DataTable customerByUid = this.bcsbll.GetCustomerByUid(DataConverter.CLng(uid), sessid); //跟进

StringBuilder builder = new StringBuilder();

if (!string.IsNullOrEmpty(uid) && !string.IsNullOrEmpty(sessid))

{

for (int i = 0; i < customerByUid.Rows.Count; i++)

{

if (((customerByUid.Rows[i]["CS_OID"] != null) && (sessid == customerByUid.Rows[i]["CS_OID"].ToString())) && (customerByUid.Rows[i]["CS_SendID"].ToString() == sessid))

{

builder.Append(string.Concat(new object[] { customerByUid.Rows[i]["CS_AddTime"], " 你对", customerByUid.Rows[i]["CS_CtoName"], "说:<br />&nbsp;&nbsp;", customerByUid.Rows[i]["CS_Context"], "<br />" }));

}

else

{

builder.Append(string.Concat(new object[] { customerByUid.Rows[i]["CS_AddTime"].ToString(), " ", customerByUid.Rows[i]["CS_SendName"], "对你说:<br />&nbsp;&nbsp;", customerByUid.Rows[i]["CS_Context"], "<br />" }));

}

}

}

base.Response.Write(builder.ToString());

}





public DataTable GetCustomerByUid(int id, string sessid)

{

string strSQL = "";

if (id > 0)

{

string str2 = strSQL;

strSQL = str2 + " (CS_SendID=" + id.ToString() + " or CS_Ctouid=" + id.ToString() + ")";

}

if (!string.IsNullOrEmpty(sessid))

{

strSQL = strSQL + " and CS_OID='" + sessid + "'"; //没处理存在注入

}

DataTable dt = this.SelectWhere(strSQL, " CS_ID,CS_Context,CS_SendName,CS_SendID,CS_CtoName,CS_AddTime,CS_OID ", " CS_AddTime asc");

this.updateType(dt, id, sessid);

return dt;

}







漏洞证明:

访问

http://demo.zoomla.cn/



添加cookie值

582.png





然后访问

http://demo.zoomla.cn/Customer.aspx?type=msg



584.png





或者访问

http://demo.zoomla.cn/Customer.aspx?type=getservice&uid=1





cookie构造如下



581.png







修复方案:

对cookie进行处理


知识来源: www.wooyun.org/bugs/wooyun-2014-059965

阅读:156539 | 评论:0 | 标签:注入 cms 漏洞

想收藏或者和大家分享这篇好文章→复制链接地址

“逐浪cms SQL注入漏洞”共有0条留言

发表评论

姓名:

邮箱:

网址:

验证码:

黑帝公告 📢

永久免费持续更新精选优质黑客技术文章Hackdig,帮你成为掌握黑客技术的英雄

广而告之 💖

标签云 ☁