admin

SQL Injection in JumboTCMS_7.2.0 Universal Edition

2018/12/26

Vulnerability location

JumboTCMS_7.2.0/JumboTCMS_src/JumboTCMS.WebFile/passport/register.aspx

Audit process

After the registration form is submitted, a request is sent to ajax.aspx.
Locate the handler in the source file ajax.aspx.cs, lines 121-162:

    private void ajaxRegister()
    {
        string _code = f("txtCode");
        string _realcode = "";
        if (!JumboTCMS.Common.ValidateCode.CheckValidateCode(_code, ref _realcode))
        {
            Response.Write("JumboTCMS.Alert('验证码错误', '0');");
            Response.End();
        }
        // Only a non-empty check on the form fields; the values themselves are passed through untouched
        if (f("txtUserName").Length > 0 && f("txtPass1").Length > 0 && f("txtEmail").Length > 0)
        {
            string usersign = GetRandomNumberString(64, false);
            if (new JumboTCMS.DAL.Normal_UserDAL().Register(f("txtUserName"), "", f("txtPass1"), Str2Int(f("rblSex")), f("txtEmail"), f("txtBirthday"), usersign, "", "", "", "", false) > 0)
            {
                if (site.CheckReg) // e-mail activation is required
                {
                    string _body = f("txtUserName") + ", 您好!<br>" +
                        "感谢您注册" + site.Name + ",点击下面的链接即可完成注册:<br>" +
                        "<a href=\"" + site.Url + site.Dir + "passport/active.aspx?username=" + Server.UrlEncode(f("txtUserName")) + "&amp;email=" + f("txtEmail") + "&amp;usersign=" + usersign + "\" target=\"_blank\">" +
                        site.Url + site.Dir + "passport/active.aspx?username=" + Server.UrlEncode(f("txtUserName")) + "&amp;email=" + f("txtEmail") + "&amp;usersign=" + usersign + "</a><br>" +
                        "(如果链接无法点击,请将它拷贝到浏览器的地址栏中)";
                    if (new JumboTCMS.DAL.Normal_UserMailDAL().SendMail(f("txtEmail"), site.Name + "注册激活邮件", _body))
                    {
                        Session["jcms_user_register"] = "1";
                        this._response = "location='register_step2.aspx?username=" + Server.UrlEncode(f("txtUserName")) + "&email=" + f("txtEmail") + "&usersign=" + usersign + "';";
                    }
                    else
                        this._response = "JumboTCMS.Alert('注册成功,但由于某种原因,邮件发送失败', '1', \"window.location='login.aspx';\");";
                }
                else
                {
                    this._response = "JumboTCMS.Alert('注册成功,请登录', '1', \"window.location='login.aspx';\");";
                }
            }
            else
            {
                this._response = "JumboTCMS.Alert('注册失败,原因未知', '0');";
            }
        }
        else
            this._response = "JumboTCMS.Alert('提交有误', '0');";
    }

The handler first verifies that the captcha is correct, then checks that the username, password and e-mail are all non-empty. Once those conditions hold, it instantiates a Normal_UserDAL object and calls Register with the raw form values:

    new JumboTCMS.DAL.Normal_UserDAL().Register(f("txtUserName"), "", f("txtPass1"), Str2Int(f("rblSex")), f("txtEmail"), f("txtBirthday"), usersign, "", "", "", "", false)

Locate JumboTCMS_7.2.0/JumboTCMS_src/JumboTCMS.DAL/normal/UserDAL.cs, lines 359-435 (only part of the code is shown):

    public int Register(string _username, string _nickname, string _userpass, int _sex, string _email, string _birthday, string _usersign, string _adminname, string _adminpass, string _oauth_code, string _oauth_token, bool _fromforum)
    {
        if (_oauth_code == "") _oauth_code = "qq";
        // _username is interpolated into the WHERE clause as-is
        if (Exists(string.Format("username='{0}'", _username)))
            return 0;
        using (DbOperHandler _doh = new Common().Doh())
        {
            string _userpass2 = JumboTCMS.Utils.MD5.Last64(_userpass);
            string _adminpass2 = JumboTCMS.Utils.MD5.Last64(_adminpass);
            int dPoints = Str2Int(JumboTCMS.Utils.XmlCOM.ReadConfig("~/_data/config/site", "DefaultPoints"), 0);
            int uState = site.CheckReg ? 0 : 1;
            // Row 0 holds the column names, row 1 the values; the form values land in row 1 unfiltered
            object[,] addFields = new object[2, 19] {
                {
                    "UserName", "NickName", "UserPass", "Sex", "Email", "Birthday",
                    "Group", "Points", "Login", "State", "AdminId", "AdminSetting", "UserSign",
                    "AdminState", "IsVIP", "Integral", "RegTime", "RegIp", "Token_" + _oauth_code },
                {
                    _username, _nickname, _userpass2, _sex, _email, _birthday,
                    1, dPoints, 0, uState, 0, ",,", _usersign,
                    0, 0, 0, DateTime.Now.ToString(), IPHelp.ClientIP, _oauth_token }
                };
            _doh.Reset();
            _doh.AddFieldItems(addFields);
            int _uID = _doh.Insert("jcms_normal_user");
            // ... the remainder of the method is omitted in the post
            return _uID;
        }
    }


An object array is built, handed to the _doh database handler via AddFieldItems, and then Insert is executed.

Locate DbOperHandler.cs.

AddFieldItems simply adds the field names and values to an internal array in bulk; it performs no filtering or escaping of the incoming parameters.

Finally we reach Insert.

Here the SQL INSERT statement is built from those values and executed directly, which leads to SQL injection.
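To make the root cause concrete, the following is an added example (not JumboTCMS code) that reproduces the shape of the AddFieldItems/Insert pattern: a 2 x N object array of column names and values turned into an INSERT. The vulnerable builder quotes and concatenates each value into the SQL text; the hardened builder sends every value as a SqlParameter and allow-lists the column names, since identifiers cannot be parameterized. The table name, the helper class and the sample rows are constructed for the illustration; System.Data.SqlClient is the classic .NET Framework provider an ASP.NET WebForms application of this era would use.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text;
using System.Text.RegularExpressions;

// Added example mirroring the post's 2 x N addFields layout (row 0 = column names, row 1 = values).
public static class InsertBuilder
{
    // Vulnerable shape: values are quoted and concatenated into the statement text.
    // A single quote inside a value closes the literal early, so the value becomes
    // part of the SQL grammar instead of data.
    public static string BuildConcatenatedInsert(string table, object[,] fields)
    {
        var cols = new StringBuilder();
        var vals = new StringBuilder();
        int n = fields.GetLength(1);
        for (int i = 0; i < n; i++)
        {
            if (i > 0) { cols.Append(","); vals.Append(","); }
            cols.Append("[").Append(fields[0, i]).Append("]");
            object v = fields[1, i];
            if (v is string || v is DateTime)
                vals.Append("'").Append(v).Append("'");   // no escaping at all
            else
                vals.Append(v);
        }
        return "INSERT INTO " + table + " (" + cols + ") VALUES (" + vals + ")";
    }

    // Hardened shape: column names must match a strict identifier pattern (they are
    // developer-controlled in the original, except the "Token_" + _oauth_code column),
    // and every value travels as a parameter so quotes in data stay data.
    private static readonly Regex SafeIdentifier = new Regex(@"^[A-Za-z_][A-Za-z0-9_]*$");

    public static SqlCommand BuildParameterizedInsert(string table, object[,] fields)
    {
        if (!SafeIdentifier.IsMatch(table))
            throw new ArgumentException("unsafe table name", nameof(table));

        var cols = new StringBuilder();
        var vals = new StringBuilder();
        var cmd = new SqlCommand();
        int n = fields.GetLength(1);
        for (int i = 0; i < n; i++)
        {
            string col = fields[0, i] as string;
            if (col == null || !SafeIdentifier.IsMatch(col))
                throw new ArgumentException("unsafe column name at index " + i, nameof(fields));

            if (i > 0) { cols.Append(","); vals.Append(","); }
            string p = "@p" + i;
            cols.Append("[").Append(col).Append("]");
            vals.Append(p);
            cmd.Parameters.AddWithValue(p, fields[1, i] ?? DBNull.Value);
        }
        cmd.CommandText = "INSERT INTO " + table + " (" + cols + ") VALUES (" + vals + ")";
        return cmd;
    }

    public static void Main()
    {
        // Constructed sample input; a legitimate apostrophe is enough to show the problem.
        object[,] addFields = new object[2, 3] {
            { "UserName", "Email", "State" },
            { "O'Brien", "ob@example.invalid", 1 }
        };

        // Concatenated form: the apostrophe in the username terminates the string literal early.
        Console.WriteLine(BuildConcatenatedInsert("jcms_normal_user", addFields));

        // Parameterized form: the statement text contains only placeholders; the values are
        // shipped separately and never interpreted as SQL.
        SqlCommand cmd = BuildParameterizedInsert("jcms_normal_user", addFields);
        Console.WriteLine(cmd.CommandText);
        foreach (SqlParameter p in cmd.Parameters)
            Console.WriteLine(p.ParameterName + " = " + p.Value);
    }
}
```

Run as a console program and compare the two statements: the concatenated one has a user-supplied quote inside the VALUES clause, while the parameterized one is structurally fixed regardless of what the form fields contain. The identifier check matters for the `"Token_" + _oauth_code` column in the original Register method, because a parameter cannot protect a column name; only an allow-list can.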

Vulnerability test

demo:http://www.jumbotcms.net/

Rather than constructing a statement by hand, sqlmap is run directly against the captured registration request:
python sqlmap.py -r sql.txt -p "txtUserName" --dbs

Last modification: January 4th, 2019 at 01:11 pm