VULHUB ™

### 简要描述： 昨天提交科讯getshell的洞，通知官方后，说是V9移除wap模块..... 然后就没下文了，好吧，那就来个V9的 ### 详细说明： 漏洞存在于User/ChinaBankAutoReceive.asp ``` <%@LANGUAGE="VBSCRIPT" CODEPAGE="936"%> <%option explicit%> <!--#include file="../Conn.asp"--> <!--#include file="../Plus/md5.asp"--> <!--#include file="../KS_Cls/Kesion.MemberCls.asp"--> <!--#include file="payfunction.asp"--> <% '**************************************************** ' Software name:Kesion CMS 9.0 ' Email: service@kesion.com . QQ:111394,9537636 ' Web: http://www.kesion.com http://www.kesion.cn ' Copyright (C) Kesion Network All Rights Reserved. '**************************************************** Response.Buffer = true Response.Expires = 1 Response.CacheControl = "no-cache" Dim KSUser:Set KSUser=New UserCls Dim KS:Set KS=New PublicCls Dim PaymentPlat:PaymentPlat=1 Dim RSP:Set RSP=Server.CreateObject("ADODB.RECORDSET") RSP.Open "Select top 1 * From KS_PaymentPlat where id=" & PaymentPlat,conn,1,1 If RSP.Eof Then RSP.Close:Set RSP=Nothing...

### 简要描述： 昨天提交科讯getshell的洞，通知官方后，说是V9移除wap模块..... 然后就没下文了，好吧，那就来个V9的 ### 详细说明： 漏洞存在于User/ChinaBankAutoReceive.asp ``` <%@LANGUAGE="VBSCRIPT" CODEPAGE="936"%> <%option explicit%> <!--#include file="../Conn.asp"--> <!--#include file="../Plus/md5.asp"--> <!--#include file="../KS_Cls/Kesion.MemberCls.asp"--> <!--#include file="payfunction.asp"--> <% '**************************************************** ' Software name:Kesion CMS 9.0 ' Email: service@kesion.com . QQ:111394,9537636 ' Web: http://www.kesion.com http://www.kesion.cn ' Copyright (C) Kesion Network All Rights Reserved. '**************************************************** Response.Buffer = true Response.Expires = 1 Response.CacheControl = "no-cache" Dim KSUser:Set KSUser=New UserCls Dim KS:Set KS=New PublicCls Dim PaymentPlat:PaymentPlat=1 Dim RSP:Set RSP=Server.CreateObject("ADODB.RECORDSET") RSP.Open "Select top 1 * From KS_PaymentPlat where id=" & PaymentPlat,conn,1,1 If RSP.Eof Then RSP.Close:Set RSP=Nothing Response.Write "Error!" Response.End() End If Dim AccountID:AccountID=RSP("AccountID") Dim MD5Key:MD5Key=RSP("MD5Key") Dim PayOnlineRate:PayOnlineRate=KS.ChkClng(RSP("Rate")) Dim RateByUser:RateByUser=KS.ChkClng(RSP("RateByUser")) RSP.Close:Set RSP=Nothing Call ChinaBank() '网银在线返回 Sub ChinaBank() Dim v_oid,v_pmode,v_pstatus,v_pstring,v_string,v_amount,v_moneytype,remark2,v_md5str,text,md5text,zhuangtai ' 取得返回参数值 v_oid=request("v_oid") ' 商户发送的v_oid定单编号 v_pmode=request("v_pmode") ' 支付方式（字符串） v_pstatus=request("v_pstatus") ' 支付状态 20（支付成功）;30（支付失败） v_pstring=request("v_pstring") ' 支付结果信息 支付完成（当v_pstatus=20时）；失败原因（当v_pstatus=30时）； v_amount=request("v_amount") ' 订单实际支付金额 v_moneytype=request("v_moneytype") ' 订单实际支付币种 remark2=request("remark2") ' 备注字段2 v_md5str=request("v_md5str") ' 网银在线拼凑的Md5校验串 if request("v_md5str")="" then response.Write("v_md5str：空值") response.end end if text = v_oid&v_pstatus&v_amount&v_moneytype&MD5Key 'md5校验 md5text = Ucase(trim(md5(text,32))) '商户拼凑的Md5校验串 if md5text<>v_md5str then' 网银在线拼凑的Md5校验串 与 商户拼凑的Md5校验串 进行对比 response.write("error") '告诉服务器验证失败，要求重发 response.end '中断程序 else response.write("ok") if v_pstatus=20 then '支付成功 Call UpdateOrder(v_amount,remark2,v_oid,v_pmode) Conn.Execute("Update KS_LogMoney Set PaymentID=1 Where OrderID='" & v_oid & "'") else response.write("error") '告诉服务器验证失败，要求重发 response.end '中断程序 end if end if end Sub %> ``` 上面代码中的v_oid=request("v_oid")没有过滤，然后就调用了 ``` Call UpdateOrder(v_amount,remark2,v_oid,v_pmode) ``` 我们接着看UpdateOrder ``` Sub UpdateOrder(v_amount,remark2,v_oid,v_pmode) Dim KSUser:Set KSUser=New UserCls Dim UserName,MoneyType,Money,Remark,sqlUser,rsUser,orderid,mobile,Action orderid=v_oid IF Cbool(KSUser.UserLoginChecked) Then UserName=KSUser.UserName Else UserName=KS.S("UserName") '=======================如果从request里得不到数据，则重新取值================= If UserName="" Then UserName=SUserName Dim UserCardID UserCardID=KS.ChkClng(KS.S("UserCardID")) iF UserCardID=0 Then UserCardID=sUserCardID Action=KS.G("Action"): If Action="" Then Action=Saction '============================================================================== Mobile=KSUser.GetUserInfo("Mobile") Money=v_amount Remark=remark2 Dim RSLog,RS Set RSLog=Server.CreateObject("ADODB.RECORDSET") RSLog.Open "Select top 1 * From KS_LogMoney where orderid='" & v_oid & "'",Conn,1,1 if RSLog.Eof And RSLog.BoF Then Select Case Action case "shop" '商城中心购物 Set RS=Server.CreateObject("ADODB.RECORDSET") RS.Open "Select top 1 * From KS_Order Where OrderID='" & v_oid & "'",Conn,1,3 If RS.Eof Then RS.Close:Set RS=Nothing KS.Die " <li>支付过程中遇到问题，请联系网站管理员！" End If If Mobile="" Then Mobile=RS("Mobile") End If RS("MoneyReceipt")=Money If Money>=RS("MoneyTotal") Then RS("PayStatus")=1 '已付清 ElseIf Money<>0 Then RS("PayStatus")=2 '已收定金 Else RS("PayStatus")=0 '未付款 End If Dim OrderStatus:OrderStatus=rs("status") RS("Status")=1 RS("PaymentPlatId")=KS.ChkClng(Request("PaymentPlat")) '支付接口ID RS("PayTime")=now '记录付款时间 RS.Update orderid=RS("OrderID") Dim XID:XID=RS("ID") Call KS.MoneyInOrOut(rs("UserName"),RS("Contactman"),Money,2,1,now,rs("orderid"),"System","为购买订单：" &v_oid & "使用" & v_pmode & "在线充值",0,0,0) Call KS.MoneyInOrOut(rs("UserName"),RS("Contactman"),Money,4,2,now,rs("orderid"),"System",Remark,0,0,0) '====================更新库存量======================== Dim rsp:set rsp=conn.execute("select id,title from ks_product where id in(select proid from KS_OrderItem where orderid='" & rs("orderid") & "')") do while not rsp.eof dim rsi:set rsi=conn.execute("select amount,attrid from ks_orderitem where orderid='" & rs("orderid") & "' and proid=" & rsp(0)) if not rsi.eof then if OrderStatus<>1 Then '扣库存量 If RSI("AttrID")<>0 Then Conn.Execute("update KS_ShopSpecificationPrice set amount=amount-" & RSI(0) & " Where amount>=" & RSI(0) & " and ID=" & RSI(1)) Else conn.execute("update ks_product set totalnum=totalnum-" & rsi(0) &" where totalnum>=" & rsi(0) &" and id=" & rsp(0)) End If End If end if rsi.close set rsi=nothing 'Call KS.ScoreInOrOut(UserName,1,KS.ChkClng(rsp(0))*amount,"系统","购买商品<font color=red>" & rsp("title") & "</font>赠送!",0,0) rsp.movenext loop rsp.close set rsp=nothing '================================================================ RS.Close:Set RS=Nothing IF KS.C("UserName")<>"" Then response.Redirect "User_Order.asp?Action=ShowOrder&ID=" & XID Case else '会员中心充值 Set rsUser=Server.CreateObject("Adodb.RecordSet") sqlUser="select top 1 * from KS_User where UserName='" & UserName & "'" rsUser.Open sqlUser,Conn,1,1 if rsUser.bof and rsUser.eof then Response.Write " <li>充值过程中遇到问题，请联系网站管理员！" rsUser.close:set rsUser=Nothing exit sub end if Dim RealName:RealName=rsUser("RealName") Dim Edays:Edays=rsUser("Edays") Dim BeginDate:BeginDate=rsUser("BeginDate") rsUser.Close : Set rsUser=Nothing If UserCardID<>0 Then '充值卡 Call UpdateByCard(0,UserCardID,UserName,RealName,Edays,BeginDate,v_oid,v_pmode) Else Call KS.MoneyInOrOut(UserName,RealName,Money,3,1,now,v_oid,"System",v_pmode & "在线充值,订单号为:" & v_oid,0,0,0) End If End Select End If RSLog.Close:Set RSLog=Nothing End Sub ``` ``` RSLog.Open "Select top 1 * From KS_LogMoney where orderid='" & v_oid & "'",Conn,1,1 ``` 这句带入SQL了！那么然后构造参数才能触发漏洞呢？ 我们这样构造: /User/ChinaBankAutoReceive.asp?v_oid=1%27&v_pstatus=20&v_amount=1&v_moneytype=1&v_md5str=9B5BF7166AFBB5E1602BBCC964459B9B 其中的v_oid带入我们的SQL注射语句...你懂的，后面的v_md5str是md5(v_oid&v_pstatus&v_amount&v_moneytype&MD5Key)得到的，MD5Key的值来自数据库值为0 简单地说，v_oid构造SQL后，md5(v_oid&v_pstatus&v_amount&v_moneytype&MD5Key)计算出v_md5str,然后提交就行了 ### 漏洞证明： /User/ChinaBankAutoReceive.asp?v_oid=1%27&v_pstatus=20&v_amount=1&v_moneytype=1&v_md5str=9B5BF7166AFBB5E1602BBCC964459B9B [<img src="https://images.seebug.org/upload/201302/2217241308e508cbc8b94ba3f91fe2e44d3ec41c.jpg" alt="ke.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201302/2217241308e508cbc8b94ba3f91fe2e44d3ec41c.jpg)