岁月联盟 - Tech Community - BBS.SYUE.COM's Archiver

猪猪 posted on 2007-11-7 17:24

风汛CMS (Fengxun CMS) <= 4.0 userlist.asp injection vulnerability (0day)

[Original by 大蝉] Please credit the source when reposting, thanks.

Affected systems: 风汛CMS 4.0 and all ACC/SQL editions at or below 4.0

Vulnerability analysis: user/userlist.asp

--------------------------------------------------------------------------------
    If Request("Keyword")<>"" then
      if Request("searchtype") <>"" then
        ' fuzzy-search branch: Keyword is concatenated raw inside LIKE '%...%'
        if  Request("Name") = "UserName" then
           strSQLs = " and UserName like '%" & Request("Keyword")& "%' "& StrOrders &""
        Elseif  Request("Name") = "UserNumber" then
           strSQLs = " and UserNumber  like '%" & Request("Keyword")& "%' "& StrOrders &""
        Elseif  Request("Name") = "NickName" then
           strSQLs = " and NickName  like '%" & Request("Keyword")& "%' "& StrOrders &""
        Elseif  Request("Name") = "RealName" then
           strSQLs = " and RealName  like '%" & Request("Keyword")& "%' "& StrOrders &""
        Elseif  Request("Name") = "Email" then
           strSQLs = " and Email  like '%" & Request("Keyword")& "%' "& StrOrders &""
        Elseif  Request("Name") = "QQ" then
           strSQLs = " and QQ  like '%" & Request("Keyword")& "%' "& StrOrders &""
        Elseif  Request("Name") = "MSN" then
           strSQLs = " and MSN  like '%" & Request("Keyword")& "%' "& StrOrders &""
        Elseif  Request("Name") = "Integral" then
           ' numeric comparison with no quotes around Keyword: no quote character is needed to break out
           strSQLs = " and Integral <"& Request("Keyword") &"+50 and Integral>"& Request("Keyword") &"-50 "& StrOrders &""
        Elseif  Request("Name") = "Province" then
           strSQLs = " and Province  like '%" & Request("Keyword")& "%' "& StrOrders &""
        Elseif  Request("Name") = "city" then
           strSQLs = " and city  like '%" & Request("Keyword")& "%' "& StrOrders &""
        End if
      Else
        ' exact-match branch: Keyword is concatenated raw inside '...'
        if  Request("Name") = "UserName" then
           strSQLs = " and UserName = '" & Request("Keyword")& "' "& StrOrders &""
        Elseif  Request("Name") = "UserNumber" then
           strSQLs = " and UserNumber  = '" & Request("Keyword")& "' "& StrOrders &""
        Elseif  Request("Name") = "NickName" then
           strSQLs = " and NickName  = '" & Request("Keyword")& "' "& StrOrders &""
        Elseif  Request("Name") = "RealName" then
           strSQLs = " and RealName  = '" & Request("Keyword")& "' "& StrOrders &""
        Elseif  Request("Name") = "Email" then
           strSQLs = " and Email  = '" & Request("Keyword")& "' "& StrOrders &""
        Elseif  Request("Name") = "QQ" then
           strSQLs = " and QQ  = '" & Request("Keyword")& "' "& StrOrders &""
        Elseif  Request("Name") = "MSN" then
           strSQLs = " and MSN  = '" & Request("Keyword")& "' "& StrOrders &""
        Elseif  Request("Name") = "Integral" then
           ' the only guarded branch: clng() forces Keyword to a number
           strSQLs = " and Integral =" & clng(Request("Keyword"))& " "& StrOrders &""
        Elseif  Request("Name") = "Province" then
           strSQLs = " and Province ='" & Request("Keyword")& "' "& StrOrders &""
        Elseif  Request("Name") = "city" then
           strSQLs = " and city ='" & Request("Keyword")& "' "& StrOrders &""
        End if
      End if
    Else
      strSQLs = " "& StrOrders &""
    End if

--------------------------------------------------------------------------------

The keyword parameter is read directly through Request without any form of filtering, so an attacker can craft a malicious parameter and manipulate the database.

Test code: http://localhost/user/UserList.asp?Name=UserName&keyword=usual'

[Original by 大蝉] Please credit the source when reposting, thanks.



PS: Sigh, vulnerabilities have been pouring out lately; let the storm rage even harder...
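Added example (not part of the post above and not 风汛CMS code): a Python re-creation of the strSQLs string building from userlist.asp, run against a constructed in-memory SQLite table, beside a hardened version. It shows why the post's test payload (a lone quote) breaks the query, that a quote-terminating payload in the exact-match branch and a bare boolean in the unquoted Integral fuzzy branch both return every row, and that binding the keyword as a parameter (which in classic ASP would be an ADODB.Command parameter) plus allowlisting the column name stops both. The table, its rows and the helper names are assumptions made for the demonstration; StrOrders is left out. Note that in the ASP the column is picked by a fixed chain of Elseif checks, so Name is effectively allowlisted already and Keyword is the only free input.

```python
import sqlite3

# Column names userlist.asp can search; in the ASP the chain of Elseif checks
# plays the role of this allowlist, so only Keyword is attacker-controlled.
ALLOWED_COLUMNS = ("UserName", "UserNumber", "NickName", "RealName",
                   "Email", "QQ", "MSN", "Integral", "Province", "city")


def build_where_vulnerable(name, keyword, searchtype=""):
    """Re-creation of the strSQLs building in userlist.asp (assumed model, not
    the CMS code). Keyword is concatenated raw, exactly as in the ASP, so this
    is injectable on purpose. The StrOrders fragment is omitted."""
    if keyword == "" or name not in ALLOWED_COLUMNS:
        return ""
    if searchtype != "":                      # fuzzy-search branch
        if name == "Integral":
            # numeric column, no quotes: the payload needs no quote character
            return " and Integral <" + keyword + "+50 and Integral>" + keyword + "-50 "
        return " and " + name + " like '%" + keyword + "%' "
    if name == "Integral":
        return " and Integral =" + str(int(keyword)) + " "   # clng() in the ASP
    return " and " + name + " = '" + keyword + "' "


def search_vulnerable(conn, name, keyword, searchtype=""):
    """Runs the query the way the ASP does. Returns the matching user names,
    or the string 'error' when the database rejects the broken SQL."""
    sql = "select UserName from Users where 1=1" + build_where_vulnerable(name, keyword, searchtype)
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError:
        return "error"


def search_safe(conn, name, keyword, searchtype=""):
    """Hardened version: column name checked against the allowlist, keyword
    passed as a bound parameter, Integral converted to int before use."""
    if name not in ALLOWED_COLUMNS:
        raise ValueError("unknown search column: %r" % name)
    base = "select UserName from Users"
    if keyword == "":
        sql, params = base, ()
    elif name == "Integral":
        value = int(keyword)                  # raises ValueError on non-numeric input
        if searchtype != "":
            sql, params = base + " where Integral > ? and Integral < ?", (value - 50, value + 50)
        else:
            sql, params = base + " where Integral = ?", (value,)
    else:
        if searchtype != "":
            sql, params = base + " where %s like ?" % name, ("%" + keyword + "%",)
        else:
            sql, params = base + " where %s = ?" % name, (keyword,)
    return [row[0] for row in conn.execute(sql, params)]


def sample_db():
    """Constructed in-memory table standing in for the CMS user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table Users (UserName text, Email text, Integral integer)")
    conn.executemany("insert into Users values (?, ?, ?)", [
        ("usual", "usual@example.com", 10),
        ("admin", "admin@example.com", 9000),
        ("guest", "guest@example.com", 0),
    ])
    return conn


if __name__ == "__main__":
    db = sample_db()
    print("post's test payload:", search_vulnerable(db, "UserName", "usual'"))
    print("exact-match bypass: ", search_vulnerable(db, "UserName", "x' or '1'='1"))
    print("Integral fuzzy bypass:", search_vulnerable(db, "Integral", "0 or 1=1 or 1", "fuzzy"))
    print("hardened, same payload:", search_safe(db, "UserName", "x' or '1'='1"))
```

Request("Keyword") in classic ASP, with no collection named, also searches Form, Cookies, ClientCertificate and ServerVariables after QueryString, so the same injection can be delivered in a POST body or a cookie, not only in the URL shown in the post.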


Powered by Discuz! Archiver 6.1.0  © 2001-2007 Comsenz Inc.