
SiteServer latest version 3.6.4 SQL injection (parts three, four and five) - Website

Source: 自学PHP网    Time: 2015-04-15 15:00


The third injection is in usercenter/platform/user.aspx.

Decompile UserCenter.Pages.dll with .NET Reflector and the code reads as follows:


    if (!string.IsNullOrEmpty(base.Request.QueryString["Lock"]))
    {
        // UserNameCollection is taken straight from the query string
        str = base.Request.QueryString["UserNameCollection"];
        userNameArrayList = TranslateUtils.StringCollectionToArrayList(str);
        UserDataProvider.UserDAO.Lock(userNameArrayList, true);
        LogUtils.AddLog("用户:" + UserDataProvider.UserDAO.CurrentUserName, "锁定用户", string.Format("用户:{0}", str));
    }


As long as Lock is non-empty, UserNameCollection is passed into the UserDataProvider.UserDAO.Lock function:

    public void Lock(ArrayList userNameArrayList, bool isLockOut)
    {
        // The user names are quoted and joined into the IN (...) list by string formatting
        string commandText = string.Format("UPDATE bairong_Users SET IsLockedOut = '{0}' WHERE [UserName] IN ({1})", isLockOut.ToString(), TranslateUtils.ObjectCollectionToSqlInStringWithQuote(userNameArrayList));
        base.ExecuteNonQuery(commandText);
        UserManager.Clear();
    }


UserNameCollection is not effectively filtered before it is concatenated into the IN (...) list.

Fix:
Filter UserNameCollection.


 

The fourth injection is in /siteserver/bbs/background_keywordsFilting.aspx.

Decompile SiteServer.BBS.dll with .NET Reflector and the code reads as follows:

    // Decompiler output; the goto and opaque-predicate noise is obfuscation residue
    this.spContents.ItemsPerPage = 20;
    this.spContents.ConnectionString = DataProvider.ConnectionString;
    // grade, categoryid and keyword all come from the query string
    this.spContents.SelectCommand = DataProvider.KeywordsFilterDAO.GetSelectCommend(ConvertHelper.GetInteger(base.Request.QueryString["grade"]), ConvertHelper.GetInteger(base.Request.QueryString["categoryid"]), ConvertHelper.GetString(base.Request.QueryString["keyword"]));
    this.spContents.SortField = "Taxis";
    if ((((uint) num) | 15) == 0)
    {
        goto Label_00A0;
    }
    this.spContents.SortMode = SortMode.ASC;
    this.btnDelAll.Attributes.Add("onclick", "return checkstate('myform','删除');");
    isPostBack = base.Request.QueryString["Delete"] == null;
    goto Label_00D8;


The exploitable parameter above is keyword, because grade and categoryid are converted to integers first:

 

    public string GetSelectCommend(int grade, int categoryid, string keyword)
    {
        // Decompiler output. Effective behaviour: optionally append AND Grade=...,
        // optionally append AND CategoryID=..., then append AND Name like '%keyword%'
        // with keyword concatenated unescaped, then ORDER BY Taxis DESC.
        string str;
        StringBuilder builder = new StringBuilder();
        builder.Append("SELECT * FROM bbs_KeywordsFilter WHERE CategoryID !=0 ");
        bool flag = grade == 0;
        goto Label_00D6;
    Label_0095:
        flag = string.IsNullOrEmpty(keyword);
        if (!flag)
        {
            // keyword is concatenated straight into the LIKE pattern
            builder.Append(" AND Name like '%" + keyword + "%'");
            if ((((uint) categoryid) | uint.MaxValue) != 0)
            {
            }
        }
        builder.Append(" ORDER BY Taxis DESC");
        if ((((uint) categoryid) + ((uint) categoryid)) <= uint.MaxValue)
        {
            if (((uint) grade) <= uint.MaxValue)
            {
                return builder.ToString();
            }
            goto Label_00D6;
        }
    Label_00AA:
        builder.Append(" AND CategoryID=" + categoryid);
        if (((uint) categoryid) <= uint.MaxValue)
        {
            goto Label_0095;
        }
        return str;
    Label_00D6:
        if (!flag)
        {
            builder.Append(" AND Grade=" + grade);
        }
        flag = categoryid == 0;
        if (flag)
        {
            goto Label_0095;
        }
        goto Label_00AA;
    }


Clearly this leads to injection.

Fix:
Filter keyword.


 

The fifth injection is in /siteserver/userRole/background_administrator.aspx.

Decompile UserCenter.Pages.dll with .NET Reflector and the code reads as follows:

    // Keyword and RoleName are passed through unconverted; the others are cast to int
    this.spContents.SelectCommand = UserDataProvider.AdministratorDAO.GetSelectCommand(base.Request.QueryString["Keyword"], base.Request.QueryString["RoleName"], TranslateUtils.ToInt(base.Request.QueryString["LastActivityDate"]), PermissionsManager.Current.IsConsoleAdministrator, AdminManager.Current.UserName, num, TranslateUtils.ToInt(base.Request.QueryString["AreaID"]));
    this.spContents.SortField = base.Request.QueryString["Order"];
    isPostBack = !StringUtils.EqualsIgnoreCase(this.spContents.SortField, "UserName");
    if (0xff == 0)
    {
        goto Label_0624;
    }
    goto Label_07B8;


Note RoleName and Keyword. Inside GetSelectCommand:

    // Decompiler output from AdministratorDAO.GetSelectCommand
    str = string.Empty;
    bool flag = string.IsNullOrEmpty(roleName);
    if (!flag)
    {
        flag = builder.Length <= 0;
    }
    else
    {
        string str3;
        if (builder.Length <= 0)
        {
            goto Label_000D;
        }
        str = string.Format("WHERE {0}", builder.ToString());
        if (0 == 0)
        {
            goto Label_000D;
        }
        return str3;
    }
    if (!flag)
    {
        str = string.Format("AND {0}", builder.ToString());
        if ((((uint) areaID) + ((uint) areaID)) > uint.MaxValue)
        {
            goto Label_000D;
        }
    }
    // roleName is formatted directly into the subquery's string literal
    str = string.Format("WHERE (UserName IN (SELECT UserName FROM bairong_AdministratorsInRoles WHERE RoleName = '{0}')) {1}", roleName, str);
    goto Label_000D;


Above, roleName is concatenated into the SQL statement. At the same time, elsewhere in the same method,

    // searchWord is the Keyword query-string parameter
    builder.AppendFormat("(UserName LIKE '%{0}%' OR EMAIL LIKE '%{0}%' OR DisplayName LIKE '%{0}%')", searchWord);

searchWord (Keyword) is also concatenated into the SQL statement.

Fix:
Filter Keyword and RoleName.
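As an added example (not the project's own code), the two query builders from the third and fourth injections rewritten with parameterized SqlCommand objects; the same pattern applies to the RoleName and Keyword concatenations in the fifth. Table and column names come from the decompiled code above; the parameter names, the IsLockedOut bit type and the NVarChar(255) sizes are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
public static class SafeUserQueries
{
    // Hardened UserDAO.Lock: one parameter per user name instead of the quoted
    // IN-list string. Assumes IsLockedOut is a bit column (assumption).
    public static SqlCommand BuildLockCommand(SqlConnection conn, IList<string> userNames, bool isLockOut)
    {
        if (userNames == null || userNames.Count == 0) throw new ArgumentException("no user names", "userNames");
        SqlCommand cmd = conn.CreateCommand();
        string[] placeholders = new string[userNames.Count];
        for (int i = 0; i < userNames.Count; i++)
        {
            placeholders[i] = "@u" + i;
            cmd.Parameters.Add(placeholders[i], SqlDbType.NVarChar, 255).Value = userNames[i];
        }
        cmd.Parameters.Add("@locked", SqlDbType.Bit).Value = isLockOut;
        cmd.CommandText = "UPDATE bairong_Users SET IsLockedOut = @locked WHERE [UserName] IN ("
                          + string.Join(", ", placeholders) + ")";
        return cmd;
    }
    // Hardened KeywordsFilterDAO.GetSelectCommend: grade, categoryid and keyword are bound
    // as parameters, and LIKE wildcards inside keyword are escaped (same WHERE logic as above).
    public static SqlCommand BuildKeywordsFilterCommand(SqlConnection conn, int grade, int categoryid, string keyword)
    {
        SqlCommand cmd = conn.CreateCommand();
        string sql = "SELECT * FROM bbs_KeywordsFilter WHERE CategoryID != 0";
        if (grade != 0)
        {
            sql += " AND Grade = @grade";
            cmd.Parameters.Add("@grade", SqlDbType.Int).Value = grade;
        }
        if (categoryid != 0)
        {
            sql += " AND CategoryID = @categoryid";
            cmd.Parameters.Add("@categoryid", SqlDbType.Int).Value = categoryid;
        }
        if (!string.IsNullOrEmpty(keyword))
        {
            // Escape \ % _ [ so a user-supplied keyword cannot widen the LIKE pattern.
            string escaped = keyword.Replace("\\", "\\\\").Replace("%", "\\%").Replace("_", "\\_").Replace("[", "\\[");
            sql += " AND Name LIKE @keyword ESCAPE '\\'";
            cmd.Parameters.Add("@keyword", SqlDbType.NVarChar, 255).Value = "%" + escaped + "%";
        }
        cmd.CommandText = sql + " ORDER BY Taxis DESC";
        return cmd;
    }
}
```

The returned SqlCommand is executed in place of base.ExecuteNonQuery(commandText) or assigned to the SqlDataSource in place of the SelectCommand string, so no user input ever reaches the SQL text itself.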
