SQL注入漏洞挖掘实战教学文档<\/h1>

0x01 路由信息分析<\/h2>

.NET Web.config 文件解析<\/h3>

关键元素<\/strong>：<httpHandlers><\/code> 用于配置HTTP处理程序 verb<\/code>：请求方式（GET\/POST\/*表示任何方式）<\/li> path<\/code>：请求文件路径（*表示通配符）<\/li> validate<\/code>：是否验证HTTP处理程序<\/li> type<\/code>：处理类的完整命名空间路径<\/li> <\/ul> <\/li> <\/ul> 请求处理流程示例<\/h3> POST \/A8TOP\/CarpaServer\/CarpaServer.LoginService.ajax\/UserLogin HTTP\/1.1 <\/code><\/pre> 请求.ajax<\/code>后缀 → 调用Carpa.Web.Ajax.AjaxHandlerFactory<\/code><\/li> GetHandler<\/code>方法处理请求，附加路径信息作为方法名（如UserLogin<\/code>）<\/li> Substring(1)<\/code>去除路径前的\/<\/code>获取实际方法名<\/li> <\/ul> 0x02 鉴权机制分析<\/h2> 鉴权核心方法CheckHasLogin<\/code><\/h3> 两种绕过方式： !needLogin<\/code>为真时直接返回true<\/code><\/li> 从context<\/code>获取session<\/code>判断登录状态<\/li> <\/ol> <\/li> <\/ul> C#特性(Attribute)机制<\/h3> 特性作用<\/strong>：为程序元素添加元数据（类似Python装饰器）<\/li> NeedLogin特性<\/strong>：完整类名：NeedLoginAttribute<\/code><\/li> 使用时可省略Attribute<\/code>后缀（[NeedLogin]<\/code>）<\/li> 通过IsDefined<\/code>方法检查类\/方法是否应用该特性<\/li> <\/ul> <\/li> <\/ul> Web服务方法暴露<\/h3> 只有标记[WebMethod]<\/code>的公共方法才能被外部访问<\/li> 审计重点：查找带有[WebMethod]<\/code>但未标记[NeedLogin]<\/code>的方法<\/li> <\/ul> 0x03 漏洞审计实战<\/h2> 初步筛选工具<\/h3> import<\/span> os <\/span><\/span>import<\/span> re <\/span><\/span>import<\/span> shutil <\/span><\/span> <\/span><\/span>def<\/span> traverse_directory<\/span>(source_dir, dest_dir): <\/span><\/span> for<\/span> root, dirs, files in<\/span> os.<\/span>walk(source_dir): <\/span><\/span> for<\/span> file_name in<\/span> files: <\/span><\/span> file_path =<\/span> os.<\/span>path.<\/span>join(root, file_name) <\/span><\/span> if<\/span> not<\/span> contains_need_login(file_path): <\/span><\/span> copy_file(file_path, dest_dir) <\/span><\/span> <\/span><\/span>def<\/span> contains_need_login<\/span>(file_path): <\/span><\/span> with<\/span> open(file_path, 'r'<\/span>) as<\/span> file: <\/span><\/span> for<\/span> line in<\/span> file: <\/span><\/span> if<\/span> '[NeedLogin]'<\/span> in<\/span> line: <\/span><\/span> return<\/span> True<\/span> <\/span><\/span> return<\/span> False<\/span> <\/span><\/span> <\/span><\/span>def<\/span> copy_file<\/span>(file_path, dest_dir): <\/span><\/span> relative_path =<\/span> os.<\/span>path.<\/span>relpath(file_path, os.<\/span>getcwd()) <\/span><\/span> dest_path =<\/span> os.<\/span>path.<\/span>join(dest_dir, relative_path) <\/span><\/span> dest_folder =<\/span> os.<\/span>path.<\/span>dirname(dest_path) <\/span><\/span> if<\/span> not<\/span> os.<\/span>path.<\/span>exists(dest_folder): <\/span><\/span> os.<\/span>makedirs(dest_folder) <\/span><\/span> shutil.<\/span>copy(file_path, dest_path) <\/span><\/span><\/code><\/pre>SQL执行方式分析<\/h3> 安全方式<\/strong>：<\/p> this<\/span>.dbHelper.SelectFirstRow() \/\/ 使用参数化查询<\/span> <\/span><\/span><\/code><\/pre><\/li> 危险方式A<\/strong>：直接字符串拼接<\/p> string<\/span> sql = "SELECT * FROM users WHERE id="<\/span> + userInput; <\/span><\/span>dbHelper.Select(sql); <\/span><\/span><\/code><\/pre><\/li> 危险方式B<\/strong>：字符串格式化<\/p> string<\/span>.Format("SELECT * FROM users WHERE id={0}"<\/span>, userInput); <\/span><\/span><\/code><\/pre><\/li> <\/ol> 正则匹配模式<\/h3> # 直接拼接检测<\/span> <\/span><\/span>pattern1 =<\/span> r<\/span>'string sql = ".+?"[\s]*\+'<\/span> <\/span><\/span> <\/span><\/span># 字符串格式化检测<\/span> <\/span><\/span>pattern2 =<\/span> r<\/span>'string.Format$"SELECT.*?"$'<\/span> <\/span><\/span><\/code><\/pre>连接字符串问题<\/h3> 常见问题<\/strong>：AppUtils.CreateDbHelper()<\/code>从UserInfo<\/code>获取连接字符串<\/li> 绕过方法<\/strong>：查找调用CreateDbHelper<\/code>重载方法（接受database参数）<\/li> 查找直接实例化DbHelper<\/code>的代码<\/li> <\/ul> <\/li> <\/ul> 改进的筛选函数：<\/p> def<\/span> contains_need_login<\/span>(file_path): <\/span><\/span> with<\/span> open(file_path, 'r'<\/span>, encoding=<\/span>"gb18030"<\/span>, errors=<\/span>'ignore'<\/span>) as<\/span> file: <\/span><\/span> for<\/span> line in<\/span> file: <\/span><\/span> if<\/span> re.<\/span>findall('new DbHelper$.+?$\)'<\/span>, line): <\/span><\/span> return<\/span> False<\/span> <\/span><\/span> if<\/span> re.<\/span>findall('CreateDbHelper$.+?$\)'<\/span>, line): <\/span><\/span> return<\/span> False<\/span> <\/span><\/span> return<\/span> True<\/span> <\/span><\/span><\/code><\/pre>实战案例<\/h3> [WebMethod]<\/span> <\/span><\/span>public<\/span> string<\/span> GetData(string<\/span> dbName, string<\/span> param1, string<\/span> jsonStr) <\/span><\/span>{ <\/span><\/span> \/\/ json解析获取参数<\/span> <\/span><\/span> var<\/span> etypeid = jsonObj["etypeid"<\/span>]; <\/span><\/span> var<\/span> vipcardid = jsonObj["vipcardid"<\/span>]; <\/span><\/span> <\/span><\/span> \/\/ 危险拼接<\/span> <\/span><\/span> string<\/span> sql = "SELECT * FROM table WHERE id="<\/span> + etypeid; <\/span><\/span> return<\/span> dbHelper.Select(sql); <\/span><\/span>} <\/span><\/span><\/code><\/pre>漏洞验证流程<\/h2> 未授权验证<\/strong>：<\/p> 不携带任何cookie直接访问<\/li> 确认返回有效数据而非鉴权错误<\/li> <\/ul> <\/li> 注入验证<\/strong>：<\/p> POST<\/span> \/targetEndpoint HTTP<\/span>\/<\/span>1.1<\/span> <\/span><\/span>Host:<\/span> target.com<\/span> <\/span><\/span>Content-Type:<\/span> application\/json<\/span> <\/span><\/span> <\/span><\/span>{ <\/span><\/span> "dbName"<\/span>: "testdb"<\/span>, <\/span><\/span> "param1"<\/span>: "value1"<\/span>, <\/span><\/span> "jsonStr"<\/span>: "{\"etypeid\":\"1' AND 1=CONVERT(int,@@version)--\"}"<\/span> <\/span><\/span>} <\/span><\/span><\/code><\/pre><\/li> 错误处理<\/strong>：<\/p> 观察是否返回数据库错误信息<\/li> 确认是否执行了拼接的SQL语句<\/li> <\/ul> <\/li> <\/ol> 防御建议<\/h2> 代码层面<\/strong>：<\/p> 对所有数据库操作使用参数化查询<\/li> 避免直接拼接用户输入到SQL语句<\/li> <\/ul> <\/li> 架构层面<\/strong>：<\/p> 最小权限原则：数据库账户仅需必要权限<\/li> 统一数据库访问层，禁止开发直接拼接SQL<\/li> <\/ul> <\/li> 审计工具<\/strong>：<\/p> 使用SAST工具扫描SQL拼接模式<\/li> 建立代码审计流程，特别是对[WebMethod]<\/code>标记的方法<\/li> <\/ul> <\/li> <\/ol> 总结<\/h2> 通过本教学文档，我们系统性地学习了：<\/p> .NET路由处理机制与鉴权绕过方法<\/li> C#特性在权限控制中的应用<\/li> 三种SQL执行方式的区别与风险<\/li> 自动化筛选漏洞代码的技术<\/li> 连接字符串问题的解决方案<\/li> 完整的漏洞验证流程<\/li> <\/ol> 关键要点：关注未授权+SQL拼接的组合漏洞，特别是使用重载方法绕过鉴权的场景。<\/p>