风汛CMS (Fengxun CMS) <= 4.0 userlist.asp SQL injection vulnerability (0day)
Posted by 樱木花盗 on 2008-2-1 1:53:51

Affected systems: 风汛CMS 4.0 and all earlier ACC/SQL editions

Vulnerability analysis: user/userlist.asp

---------------------------------------------------------------------------------------------------------------------------------------------------
    ' Both branches splice Request("Keyword") straight into the WHERE clause
    If Request("Keyword") <> "" then
      if Request("searchtype") <> "" then
        ' Fuzzy search: keyword wrapped in LIKE '%...%'
        if Request("Name") = "UserName" then
           strSQLs = " and UserName like '%" & Request("Keyword") & "%' " & StrOrders & ""
        Elseif Request("Name") = "UserNumber" then
           strSQLs = " and UserNumber like '%" & Request("Keyword") & "%' " & StrOrders & ""
        Elseif Request("Name") = "NickName" then
           strSQLs = " and NickName like '%" & Request("Keyword") & "%' " & StrOrders & ""
        Elseif Request("Name") = "RealName" then
           strSQLs = " and RealName like '%" & Request("Keyword") & "%' " & StrOrders & ""
        Elseif Request("Name") = "Email" then
           strSQLs = " and Email like '%" & Request("Keyword") & "%' " & StrOrders & ""
        Elseif Request("Name") = "QQ" then
           strSQLs = " and QQ like '%" & Request("Keyword") & "%' " & StrOrders & ""
        Elseif Request("Name") = "MSN" then
           strSQLs = " and MSN like '%" & Request("Keyword") & "%' " & StrOrders & ""
        Elseif Request("Name") = "Integral" then
           ' Numeric range, but the raw keyword is concatenated here without clng()
           strSQLs = " and Integral <" & Request("Keyword") & "+50 and Integral>" & Request("Keyword") & "-50 " & StrOrders & ""
        Elseif Request("Name") = "Province" then
           strSQLs = " and Province like '%" & Request("Keyword") & "%' " & StrOrders & ""
        Elseif Request("Name") = "city" then
           strSQLs = " and city like '%" & Request("Keyword") & "%' " & StrOrders & ""
        End if
      Else
        ' Exact match: keyword placed inside a single-quoted string literal
        if Request("Name") = "UserName" then
           strSQLs = " and UserName = '" & Request("Keyword") & "' " & StrOrders & ""
        Elseif Request("Name") = "UserNumber" then
           strSQLs = " and UserNumber = '" & Request("Keyword") & "' " & StrOrders & ""
        Elseif Request("Name") = "NickName" then
           strSQLs = " and NickName = '" & Request("Keyword") & "' " & StrOrders & ""
        Elseif Request("Name") = "RealName" then
           strSQLs = " and RealName = '" & Request("Keyword") & "' " & StrOrders & ""
        Elseif Request("Name") = "Email" then
           strSQLs = " and Email = '" & Request("Keyword") & "' " & StrOrders & ""
        Elseif Request("Name") = "QQ" then
           strSQLs = " and QQ = '" & Request("Keyword") & "' " & StrOrders & ""
        Elseif Request("Name") = "MSN" then
           strSQLs = " and MSN = '" & Request("Keyword") & "' " & StrOrders & ""
        Elseif Request("Name") = "Integral" then
           ' Only this branch forces the keyword to a number
           strSQLs = " and Integral =" & clng(Request("Keyword")) & " " & StrOrders & ""
        Elseif Request("Name") = "Province" then
           strSQLs = " and Province ='" & Request("Keyword") & "' " & StrOrders & ""
        Elseif Request("Name") = "city" then
           strSQLs = " and city ='" & Request("Keyword") & "' " & StrOrders & ""
        End if
      End if
    Else
      strSQLs = " " & StrOrders & ""
    End if

---------------------------------------------------------------------------------------------------------------------------------------------------

The keyword parameter is read straight from Request and is not filtered in any way before being concatenated into strSQLs, so an attacker can supply a crafted value and manipulate the database query. Note that only the Name parameter is constrained (it is compared against fixed column names); Keyword is never escaped or type-checked, except in the exact-match Integral branch.

Test URL: http://localhost/user/UserList.asp?Name=UserName&keyword=usual'
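As an added example (not code from 风汛CMS, and not the vendor's fix), here is the same search rewritten in classic ASP so that Request("Name") is matched against a fixed list of column names and Request("Keyword") is bound as an ADODB.Command parameter instead of being spliced into strSQLs. It assumes an open ADODB.Connection named conn, a table named [User], and that StrOrders is built elsewhere from fixed values only; none of these appear on the page.

```vbscript
<%
' Added example (not 风汛CMS code): column from a whitelist, keyword bound as
' an ADO parameter. conn, the [User] table and StrOrders are assumed to exist.
Const adVarWChar = 202, adInteger = 3, adParamInput = 1, adCmdText = 1

' Map Request("Name") onto one of the known column literals; anything else
' yields "" and the search is skipped, so user text never becomes a column name.
Function SafeColumn(colName)
    Dim allowed, i
    allowed = Array("UserName", "UserNumber", "NickName", "RealName", _
                    "Email", "QQ", "MSN", "Integral", "Province", "city")
    SafeColumn = ""
    For i = 0 To UBound(allowed)
        If StrComp(allowed(i), colName, vbTextCompare) = 0 Then SafeColumn = allowed(i)
    Next
End Function

Dim col, keyword, fuzzy, op, cmd, rs
col = SafeColumn(Request("Name"))
keyword = Request("Keyword")
fuzzy = (Request("searchtype") <> "")

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText

If col = "" Or keyword = "" Then
    cmd.CommandText = "SELECT * FROM [User] WHERE 1=1 " & StrOrders
ElseIf col = "Integral" Then
    ' Numeric column: CLng rejects non-numeric input with a runtime error, and
    ' the value is bound as a typed parameter rather than pasted into the SQL.
    If fuzzy Then
        cmd.CommandText = "SELECT * FROM [User] WHERE Integral BETWEEN ? AND ? " & StrOrders
        cmd.Parameters.Append cmd.CreateParameter("lo", adInteger, adParamInput, , CLng(keyword) - 50)
        cmd.Parameters.Append cmd.CreateParameter("hi", adInteger, adParamInput, , CLng(keyword) + 50)
    Else
        cmd.CommandText = "SELECT * FROM [User] WHERE Integral = ? " & StrOrders
        cmd.Parameters.Append cmd.CreateParameter("v", adInteger, adParamInput, , CLng(keyword))
    End If
Else
    ' Text column: col is a whitelisted literal; the keyword (wildcards included)
    ' is a parameter, so a quote inside it can no longer close the string literal.
    If fuzzy Then
        op = "LIKE": keyword = "%" & keyword & "%"
    Else
        op = "="
    End If
    cmd.CommandText = "SELECT * FROM [User] WHERE " & col & " " & op & " ? " & StrOrders
    cmd.Parameters.Append cmd.CreateParameter("kw", adVarWChar, adParamInput, 255, keyword)
End If
Set rs = cmd.Execute
%>
```

With the keyword bound as a parameter, the test URL above returns no rows for a user literally named usual' instead of producing a SQL syntax error or altering the query.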

[Original by 大蝉] Please credit the source when reposting, thanks.

 

PS: Sigh, there has been a flood of vulnerabilities lately. Let the storm rage on...

