Foosun (风讯) injection 0day, part 1
Author: 落叶纷飞 [J.L.S.T]
Source: J.Leaves Security Team (安全叶子技术小组)
Note: this article was first published by J.Leaves Security Team (安全叶子技术小组); please credit the source when reposting.
The dvbbs PHP injection 0day has been published; now here is a 0day for the big name among ASP CMSes, Foosun~~
A 0day a day makes life more exciting~~
The vulnerability is in the file Click_Ajax.asp. Here is the vulnerable code:
.....................................................................................................
spanid = NoHtmlHackInput(NoSqlHack(request.QueryString("spanid")))
WriteID = spanid
if stype="" then stype="js"
if SubSys="" then TmpStr = "Error:SubSys is null!"
if spanid="" then TmpStr = "Error:spanid is null!"
TmpArr = split(spanid,"_")
if ubound(TmpArr)<3 then TmpStr = "Error:spanid's _ is Err!"
spanid = TmpArr(3)
If TmpStr="" Then
select case SubSys
....................................................................................................
case "DS"
if NoSqlHack(request.QueryString("Get"))="ClickNum" then
set Click_RS=Conn.execute("select ClickNum from FS_DS_List where ID="&NoSqlHack(spanid)&"")
if not Click_RS.eof then TmpStr = cstr(Click_RS(0))
RsClose()
..........................................................................................................
Now let's look at how the two functions NoSqlHack and NoHtmlHackInput are written~~
=============================================================================================================
The NoHtmlHackInput() function
Function NoHtmlHackInput(Str) ' filter cross-site scripting and HTML tags
Dim regEx
Set regEx = New RegExp
regEx.IgnoreCase = True
regEx.Pattern = "<|>|(script)|on(mouseover|mouseon|mouseout|click|dblclick|blur|focus|change)|eval|\t"
If regEx.Test(LCase(Str)) Then
Response.Write "<html><title>警告</title><body bgcolor=""EEEEEE"" leftmargin=""60"" topmargin=""30""><font style=""font-size:16px;font-weight:bolder;color:blue;""><li>您提交的数据有恶意字符</li></font><font style=""font-size:14px;font-weight:bolder;color:red;""><br><li>提交的内容不能包括[<|>|(script)|on(mouseover|mouseon|mouseout|click|dblclick|blur|focus|change)|eval]</li><li>您的数据已经被记录!</li><br><li>您的IP:"&Request.ServerVariables("Remote_Addr")&"</li><br><li>操作日期:"&Now&"</li></font></body></html><!--Powered by Foosun Inc.,AddTime:"&now&"-->"
Response.End
End If
Set regEx = Nothing
NoHtmlHackInput = Str
End Function
=============================================================================================================
The NoSqlHack() function
Function NoSqlHack(FS_inputStr)
FS_inputStr = Trim(FS_inputStr)
If FS_inputStr = "" Or Isnull(FS_inputStr) Then
FS_inputStr = ""
End if
FS_inputStr = Replace(FS_inputStr,"'","''")
'FS_inputStr = Replace(FS_inputStr,";","")
'FS_inputStr = Replace(FS_inputStr,"%","")
'FS_inputStr = Replace(FS_inputStr," ","")
'FS_inputStr = Replace(FS_inputStr," ","")
NoSqlHack = FS_inputStr
End Function
=============================================================================================================
The injection statement must not contain a single quote ('); test it yourselves~~
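To make the root cause concrete, here is an added example (my own code, not Foosun's and not from the original post) that mirrors NoSqlHack in Python and contrasts the concatenated query from Click_Ajax.asp with a hardened lookup. NoSqlHack only doubles single quotes, which does nothing for a numeric predicate such as "where ID=..."; the fix is to require the fourth underscore-separated token of spanid to be a plain integer and to bind it as a parameter. The FS_DS_List table and its rows are constructed in-memory stand-ins.

```python
import re
import sqlite3

def no_sql_hack(s):
    """Mirror of Foosun's NoSqlHack: trim, then double single quotes. Nothing else."""
    s = (s or "").strip()
    return s.replace("'", "''")

def vulnerable_sql(spanid):
    """The query as Click_Ajax.asp builds it: the fourth token is concatenated
    straight into an unquoted numeric comparison, so quote-doubling is irrelevant."""
    parts = spanid.split("_")
    if len(parts) < 4:
        return None  # the page's "spanid's _ is Err!" branch
    return "select ClickNum from FS_DS_List where ID=" + no_sql_hack(parts[3])

# Hardened: a bounded, digits-only token (1..9 digits keeps it inside a 32-bit int)
_INT_RE = re.compile(r"[0-9]{1,9}")

def parse_spanid(spanid):
    """Return the numeric ID from spanid, or None if the token is not a plain integer."""
    parts = (spanid or "").strip().split("_")
    if len(parts) < 4 or not _INT_RE.fullmatch(parts[3]):
        return None
    return int(parts[3])

def click_num(conn, spanid):
    """Parameter-bound lookup; returns None for a malformed spanid or an unknown ID."""
    row_id = parse_spanid(spanid)
    if row_id is None:
        return None
    row = conn.execute(
        "select ClickNum from FS_DS_List where ID=?", (row_id,)
    ).fetchone()
    return row[0] if row else None

def make_db():
    """Constructed in-memory stand-in for the FS_DS_List table (sample rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table FS_DS_List (ID integer primary key, ClickNum integer)")
    conn.executemany("insert into FS_DS_List values (?, ?)", [(1, 10), (2, 25)])
    return conn
```

Compare vulnerable_sql("x_y_z_2 abc") with click_num(make_db(), "x_y_z_2 abc"): the first passes the non-numeric text straight into the SQL string, the second rejects it before any query runs.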