
siteserver latest version 3.6.4 SQL injection (parts three, four and five)

The third injection is in usercenter/platform/user.aspx.

Decompile the file UserCenter.Pages.dll with .NET Reflector.

 

The code is as follows:

if (!string.IsNullOrEmpty(base.Request.QueryString["Lock"]))
{
    str = base.Request.QueryString["UserNameCollection"];
    userNameArrayList = TranslateUtils.StringCollectionToArrayList(str);
    UserDataProvider.UserDAO.Lock(userNameArrayList, true);
    LogUtils.AddLog("用户:" + UserDataProvider.UserDAO.CurrentUserName, "锁定用户", string.Format("用户:{0}", str));
}

As long as Lock is non-empty, UserNameCollection is passed straight into the UserDataProvider.UserDAO.Lock method:

public void Lock(ArrayList userNameArrayList, bool isLockOut)
{
    string commandText = string.Format("UPDATE bairong_Users SET IsLockedOut = '{0}' WHERE [UserName] IN ({1})",
        isLockOut.ToString(),
        TranslateUtils.ObjectCollectionToSqlInStringWithQuote(userNameArrayList));
    base.ExecuteNonQuery(commandText);
    UserManager.Clear();
}

UserNameCollection is not effectively filtered: the names are only quoted by ObjectCollectionToSqlInStringWithQuote and then concatenated into the UPDATE statement.

Fix: filter UserNameCollection.
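As an added example (this is not SiteServer's own code), the following is a parameterized rewrite of the Lock method above. Each user name travels as its own SqlParameter, so the IN list is assembled from placeholders only and the names never become part of the SQL text. The caller-supplied SqlConnection, the parameter names (@u0, @u1, ..., @locked) and the assumption that IsLockedOut stores the text "True"/"False" (as the original's isLockOut.ToString() suggests) are mine, not taken from the product.

```csharp
// Added example, not SiteServer's code: parameterized replacement for UserDAO.Lock.
// Assumes the table/columns from the decompiled code (bairong_Users.IsLockedOut, UserName)
// and that the caller supplies an open SqlConnection.
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

public static class SafeUserLock
{
    // Builds "UPDATE ... WHERE [UserName] IN (@u0, @u1, ...)": one parameter per name,
    // so a name such as  x') OR 1=1--  is just a value, never SQL.
    public static SqlCommand BuildLockCommand(SqlConnection conn, IList<string> userNames, bool isLockOut)
    {
        if (userNames == null || userNames.Count == 0)
            throw new ArgumentException("at least one user name is required", "userNames");

        SqlCommand cmd = conn.CreateCommand();
        var placeholders = new List<string>(userNames.Count);
        for (int i = 0; i < userNames.Count; i++)
        {
            string p = "@u" + i;
            placeholders.Add(p);
            cmd.Parameters.Add(p, SqlDbType.NVarChar, 255).Value = userNames[i];
        }
        // Assumption: IsLockedOut holds the text "True"/"False", matching isLockOut.ToString().
        cmd.Parameters.Add("@locked", SqlDbType.NVarChar, 5).Value = isLockOut.ToString();

        cmd.CommandText =
            "UPDATE bairong_Users SET IsLockedOut = @locked WHERE [UserName] IN ("
            + string.Join(", ", placeholders) + ")";
        return cmd;
    }

    // Mirrors the original's behaviour (execute, then clear the user cache), minus the injection.
    public static int Lock(SqlConnection conn, IList<string> userNames, bool isLockOut)
    {
        using (SqlCommand cmd = BuildLockCommand(conn, userNames, isLockOut))
        {
            int affected = cmd.ExecuteNonQuery();
            // UserManager.Clear() would go here in the real code base.
            return affected;
        }
    }
}
```

The query-string value can still be split with TranslateUtils.StringCollectionToArrayList before the call; what changes is that the split pieces are bound as parameters instead of being quoted and concatenated, so no filtering of the input text is needed for correctness.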

The fourth injection is in /siteserver/bbs/background_keywordsFilting.aspx.

Decompile the file SiteServer.BBS.dll with .NET Reflector.

The code is as follows:

this.spContents.ItemsPerPage = 20;
this.spContents.ConnectionString = DataProvider.ConnectionString;
this.spContents.SelectCommand = DataProvider.KeywordsFilterDAO.GetSelectCommend(
    ConvertHelper.GetInteger(base.Request.QueryString["grade"]),
    ConvertHelper.GetInteger(base.Request.QueryString["categoryid"]),
    ConvertHelper.GetString(base.Request.QueryString["keyword"]));
this.spContents.SortField = "Taxis";
if ((((uint) num) | 15) == 0) { goto Label_00A0; }
this.spContents.SortMode = SortMode.ASC;
this.btnDelAll.Attributes.Add("onclick", "return checkstate('myform','删除');");
isPostBack = base.Request.QueryString["Delete"] == null;
goto Label_00D8;

The exploitable parameter above is keyword (grade and categoryid are converted to integers first).

 

public string GetSelectCommend(int grade, int categoryid, string keyword)
{
    string str;
    StringBuilder builder = new StringBuilder();
    builder.Append("SELECT * FROM bbs_KeywordsFilter WHERE CategoryID !=0 ");
    bool flag = grade == 0;
    goto Label_00D6;
Label_0095:
    flag = string.IsNullOrEmpty(keyword);
    if (!flag)
    {
        builder.Append(" AND Name like '%" + keyword + "%'");
        if ((((uint) categoryid) | uint.MaxValue) != 0) { }
    }
    builder.Append(" ORDER BY Taxis DESC");
    if ((((uint) categoryid) + ((uint) categoryid)) <= uint.MaxValue)
    {
        if (((uint) grade) <= uint.MaxValue) { return builder.ToString(); }
        goto Label_00D6;
    }
Label_00AA:
    builder.Append(" AND CategoryID=" + categoryid);
    if (((uint) categoryid) <= uint.MaxValue) { goto Label_0095; }
    return str;
Label_00D6:
    if (!flag) { builder.Append(" AND Grade=" + grade); }
    flag = categoryid == 0;
    if (flag) { goto Label_0095; }
    goto Label_00AA;
}

The goto labels and the uint comparisons are decompiler noise; the effective flow is: optionally append AND Grade=, optionally append AND CategoryID=, then, if keyword is non-empty, append AND Name like '%keyword%' and ORDER BY Taxis DESC. Since keyword is concatenated directly into the LIKE pattern, this clearly leads to injection.

Fix: filter keyword.

The fifth injection is in /siteserver/userRole/background_administrator.aspx.

Decompile the file UserCenter.Pages.dll with .NET Reflector.

The code is as follows:

this.spContents.SelectCommand = UserDataProvider.AdministratorDAO.GetSelectCommand(
    base.Request.QueryString["Keyword"],
    base.Request.QueryString["RoleName"],
    TranslateUtils.ToInt(base.Request.QueryString["LastActivityDate"]),
    PermissionsManager.Current.IsConsoleAdministrator,
    AdminManager.Current.UserName,
    num,
    TranslateUtils.ToInt(base.Request.QueryString["AreaID"]));
this.spContents.SortField = base.Request.QueryString["Order"];
isPostBack = !StringUtils.EqualsIgnoreCase(this.spContents.SortField, "UserName");
if (0xff == 0) { goto Label_0624; }
goto Label_07B8;

Note RoleName and Keyword. Inside GetSelectCommand the WHERE clause is assembled like this:

str = string.Empty;
bool flag = string.IsNullOrEmpty(roleName);
if (!flag)
{
    flag = builder.Length <= 0;
}
else
{
    string str3;
    if (builder.Length <= 0) { goto Label_000D; }
    str = string.Format("WHERE {0}", builder.ToString());
    if (0 == 0) { goto Label_000D; }
    return str3;
}
if (!flag)
{
    str = string.Format("AND {0}", builder.ToString());
    if ((((uint) areaID) + ((uint) areaID)) > uint.MaxValue) { goto Label_000D; }
}
str = string.Format("WHERE (UserName IN (SELECT UserName FROM bairong_AdministratorsInRoles WHERE RoleName = '{0}')) {1}", roleName, str);
goto Label_000D;

Above, roleName is concatenated into the SQL statement; at the same time, elsewhere in the same method, searchWord (the Keyword parameter) is concatenated into the LIKE conditions held in builder:

builder.AppendFormat("(UserName LIKE '%{0}%' OR EMAIL LIKE '%{0}%' OR DisplayName LIKE '%{0}%')", searchWord);

Fix: filter Keyword and RoleName.
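As an added example covering both the fourth (keyword filter) and fifth (administrator search) injection points, the following builds the same two WHERE clauses with SqlParameters instead of string concatenation. This is not SiteServer's code: the table and column names follow the decompiled text above, while the parameter names (@grade, @categoryid, @kw, @role, @sw), the EscapeLike helper and the method names are mine. The second method returns only the WHERE fragment, mirroring the original GetSelectCommand, because the page does not show which table it selects from.

```csharp
// Added example, not SiteServer's code: parameterized replacements for the two
// dynamic WHERE clauses discussed above. Names marked "assumed" are not from the page.
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Text;

public static class SafeSearchQueries
{
    // A value bound to a LIKE parameter is not SQL-injectable, but % _ [ are still
    // wildcards inside the pattern, so escape them and declare '\' with ESCAPE.
    public static string EscapeLike(string s)
    {
        return s.Replace(@"\", @"\\").Replace("%", @"\%").Replace("_", @"\_").Replace("[", @"\[");
    }

    // Fourth injection point: bbs_KeywordsFilter filtered by grade / categoryid / keyword.
    // Same effective logic as GetSelectCommend, with every user value bound as a parameter.
    public static SqlCommand BuildKeywordsFilterCommand(SqlConnection conn, int grade, int categoryid, string keyword)
    {
        SqlCommand cmd = conn.CreateCommand();
        var sql = new StringBuilder("SELECT * FROM bbs_KeywordsFilter WHERE CategoryID != 0");
        if (grade != 0)
        {
            sql.Append(" AND Grade = @grade");
            cmd.Parameters.Add("@grade", SqlDbType.Int).Value = grade;
        }
        if (categoryid != 0)
        {
            sql.Append(" AND CategoryID = @categoryid");
            cmd.Parameters.Add("@categoryid", SqlDbType.Int).Value = categoryid;
        }
        if (!string.IsNullOrEmpty(keyword))
        {
            sql.Append(" AND Name LIKE @kw ESCAPE '\\'");
            cmd.Parameters.Add("@kw", SqlDbType.NVarChar, 255).Value = "%" + EscapeLike(keyword) + "%";
        }
        sql.Append(" ORDER BY Taxis DESC");
        cmd.CommandText = sql.ToString();
        return cmd;
    }

    // Fifth injection point: returns the WHERE fragment for the administrator search
    // (as the original GetSelectCommand does) and binds its values on cmd.
    public static string AppendAdministratorWhere(SqlCommand cmd, string searchWord, string roleName)
    {
        var conditions = new List<string>();
        if (!string.IsNullOrEmpty(roleName))
        {
            conditions.Add("UserName IN (SELECT UserName FROM bairong_AdministratorsInRoles WHERE RoleName = @role)");
            cmd.Parameters.Add("@role", SqlDbType.NVarChar, 255).Value = roleName;
        }
        if (!string.IsNullOrEmpty(searchWord))
        {
            // One parameter reused for all three LIKEs, as in the original's {0} placeholders.
            conditions.Add("(UserName LIKE @sw ESCAPE '\\' OR EMAIL LIKE @sw ESCAPE '\\' OR DisplayName LIKE @sw ESCAPE '\\')");
            cmd.Parameters.Add("@sw", SqlDbType.NVarChar, 255).Value = "%" + EscapeLike(searchWord) + "%";
        }
        return conditions.Count == 0 ? string.Empty : "WHERE " + string.Join(" AND ", conditions);
    }

    // The page also shows spContents.SortField taken straight from QueryString["Order"].
    // A column name cannot be parameterized, so it must be checked against a fixed list.
    private static readonly HashSet<string> AllowedSortFields =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "UserName", "DisplayName", "LastActivityDate" }; // assumed list

    public static string SafeSortField(string requested)
    {
        return requested != null && AllowedSortFields.Contains(requested) ? requested : "UserName";
    }
}
```

Binding the values makes "filtering" unnecessary for SQL correctness; the only input that still needs validation is the sort column, which the page shows being copied from the Order query-string parameter and which a parameter cannot carry.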
