青果cms sql注入

代码审计
1

麻蛋突然找不到源码的dll文件了!

public static string FindSQLCmd(string[] aryQry, string pIP, string pURL, string pUserID, string pSwitch)
		{
			string result = "";
			if (pUserID == null)
			{
				pUserID = "";
			}
			string text = "1.05";
			string[] array = new string[]
			{
				"select",
				"sysobjects",
				"exec",
				"creat",
				"drop",
				"insert",
				"update",
				"delete",
				"truncate",
				"xp_cmdshell",
				"declare",
				"char(",
				"/**/",
				"<script",
				"<iframe",
				"user",
				"host_name",
				"system_user",
				"@@version",
				"quotename",
				"db_name"
			};
			string text2 = "";
			string text3 = "";
			for (int i = 0; i < aryQry.Length; i++)
			{
				string text4 = aryQry[i].ToLower();
				for (int j = 0; j < array.Length; j++)
				{
					if (text4.IndexOf(array[j].Trim()) >= 0 && text4.Length > 11)
					{
						text3 = array[j];
						text2 = text4;
						break;
					}
				}
				if (text2 != "")
				{
					break;
				}
			}
			if (text2 != "")
			{
				result = "log";
				if (pSwitch == "1")
				{
					result = "<script>alert('系统警告!参数中不能使用敏感字符串(" + text3 + ")。');</script>";
				}
				else if (pSwitch == "2")
				{
					result = "<script>alert('系统警告!参数中不能使用敏感字符。');</script>";
					string text4 = string.Concat(new string[]
					{
						"http://i.kingosoft.net/s10/?v=",
						text,
						"&ip=",
						pIP,
						"&uid=",
						pUserID,
						"&kwd=",
						text3,
						"&url=",
						pURL.Replace("http:/", "/")
					});
					if (pURL.IndexOf("?") == -1)
					{
						text4 = text4 + "&post=" + text2;
					}
					Safe.PushData(text4);
					Log.WriteFile(string.Concat(new string[]
					{
						"【SQL注入警告V",
						text,
						"】来自IP",
						pIP,
						" 参数",
						text2,
						" ",
						pUserID,
						" ",
						pURL.Substring(pURL.IndexOf("/", 10)),
						""
					}));
				}
				else if (pSwitch == "9")
				{
					Log.WriteFile(string.Concat(new string[]
					{
						"【SQL注入警告V",
						text,
						"】来自IP",
						pIP,
						" 参数",
						text2,
						" ",
						pUserID,
						" ",
						pURL.Substring(pURL.IndexOf("/", 10)),
						""
					}));
				}
			}
			return result;
		}

以上为sql防注入,看着确实无懈可击但我们看看调用点

		private void StartProcessRequest(string kg)
		{
			string text = base.Request.Url.ToString();
			if (!Global.IsExcept(text))
			{
				string userZH = new FilesAccessControl().getUserZH();
				if (base.Request.QueryString.ToString() != string.Empty)
				{
					int count = base.Request.QueryString.Keys.Count;
					string[] array = new string[count];
					base.Request.QueryString.CopyTo(array, 0);
					string text2 = Outer.FindSQLCmd(array, base.Request.ServerVariables["REMOTE_HOST"], text, userZH, kg);
					if (text2 != "")
					{
						if (text2 != "log")
						{
							base.Response.Write(text2);
						}
						base.Response.End();
					}
				}
				if (base.Request.Form.ToString() != string.Empty)
				{
					int count = base.Request.Form.Keys.Count;
					string[] array = new string[count];
					base.Request.Form.CopyTo(array, 0);
					string text2 = Outer.FindSQLCmd(array, base.Request.ServerVariables["REMOTE_HOST"], text, userZH, kg);
					if (text2 != "")
					{
						if (text2 != "log")
						{
							base.Response.Write(text2);
						}
						base.Response.End();
					}
				}
			}
		}

当get以及post的时候则调用这处sql注入拦截但我们cookie时则不受影响所有我们需要找request获取或cookie获取或server获取的导致的注入,当然大佬可以绕过这也行。

/KSSW/tea_ksap_jkap_xsinfo.aspx

cookie xn参数注入