
易达CMS (YidaCMS) enterprise site-building system: two SQL injections and a permission bypass

2013-06-01 09:40
YidaCMS enterprise site-building system, 0day vulnerabilities
 
IN-clause injection:
 
Relevant code:
 
 
........................ part omitted ....................................
 

' Cart deletion: the caller passes a comma-separated list of cart ids.
' id1 is split but never used. delid only strips single quotes, which is no
' protection here: the value is placed unquoted inside IN (...), so an
' injected payload needs no quote at all.
id=request("id"):id1=Split(id,", "):delid=replace(request("id"),"'","")


set rs = server.createobject("adodb.recordset")
' delid is concatenated straight into the DELETE statement
sql="DELETE from shuaiweb_buycart where id in ("&delid&")"
rs.open sql,dbok,3,2
rs.close

 

 
This runs on the checkout page when the shopping cart is processed.
 
Relevant page: buy_settlement.asp
 
......................................................................
 
Search box code problem:
 
Relevant code:
 



function tSearch()

' l selects the table to search (news / products / photo), n is the search string
yidacms_l=request("l")
yidacms_n=request("n")
yidacms_y=request("yidacms_search")

........................ part omitted ....................................

if yidacms_language = "zh" then

set rs = server.createobject("adodb.recordset")
' yidacms_n is concatenated into every LIKE pattern with no escaping and no
' parameters; the language filter sits outside the parentheses, so closing
' them lets an attacker OR past it
if yidacms_l = "news" then
sql="select * from [shuaiweb_news] where (shuaiweb_newstitle like '%"&yidacms_n&"%' or shuaiweb_newsContent like '%"&yidacms_n&"%') and yida_language = 'ch' order by id desc"
elseif yidacms_l = "products" then
sql="select * from [shuaiweb_products] where (shuaiweb_productsname like '%"&yidacms_n&"%' or shuaiweb_productscontent like '%"&yidacms_n&"%' or shuaiweb_productsbprice like '%"&yidacms_n&"%' or shuaiweb_productsmodel like '%"&yidacms_n&"%') and yida_language = 'ch' order by id desc"
elseif yidacms_l = "photo" then
sql="select * from [shuaiweb_photo] where (shuaiweb_photoname like '%"&yidacms_n&"%') and yida_language = 'ch' order by id desc"
end if
rs.open sql,dbok,1,1

else

set rs = server.createobject("adodb.recordset")
' same pattern for the non-Chinese branch, without the language filter
if yidacms_l = "news" then
sql="select * from [shuaiweb_news] where (shuaiweb_newstitle like '%"&yidacms_n&"%') or (shuaiweb_newsContent like '%"&yidacms_n&"%') order by id desc"
elseif yidacms_l = "products" then
sql="select * from [shuaiweb_products] where (shuaiweb_productsname like '%"&yidacms_n&"%') or (shuaiweb_productscontent like '%"&yidacms_n&"%') or (shuaiweb_productsbprice like '%"&yidacms_n&"%') or (shuaiweb_productsmodel like '%"&yidacms_n&"%') order by id desc"
elseif yidacms_l = "photo" then
sql="select * from [shuaiweb_photo] where shuaiweb_photoname like '%"&yidacms_n&"%' order by id desc"
end if
rs.open sql,dbok,1,1

end if

if rs.bof and rs.eof then
tSearch = tSearch & "暂无记录!"&vbcrlf ' "No records!"
Else
tSearch = tSearch & "<table width='100%' border='0' align='left' cellpadding='5' cellspacing='0'>"&vbcrlf
do while not rs.eof
' ... (loop body and the rest of the function are omitted in the post)

 

 
 
Relevant page: search.asp
 
-----------------------------------------------------------------------------------------------
 
 
Member registration logic error / permission bypass
 
 
Relevant code:
 
response.write "<script language=javascript> alert('注册成功!\n\n"&mailtz&"');location.replace('index.asp');</script>" ' end of the previous branch
elseif yidacms_jmailuserreg = 2 then
    ' This is the key: the "needs admin review" branch only runs when
    ' shuaiweb_usercontrol equals 1, so any other value (e.g. 2) skips it.
    if shuaiweb_usercontrol = 1 then
        response.write "<script language=javascript> alert('注册成功!但是您的账户需要管理员审核才能正常使用。');location.replace('index.asp');</script>" ' "Registered, but your account needs admin approval before it can be used."
        session("shuaiweb_useremail")=empty
    else
        response.write "<script language=javascript> alert('注册成功!');location.replace('index.asp');</script>" ' "Registration successful!"
    end if
 
Details: the review flag shuaiweb_usercontrol is taken from what the registration page submits, so changing its value (the author does this with a Firefox add-on) to anything other than 1 skips the admin review and the account is usable immediately.
 
-----------------------------------------------------------------------------------------------
 
SQL injection problem code:
 
Order page:
 
Relevant code:
 
  

if request("yidacms")="buydel" Then
set rs=server.createobject("adodb.recordset")
user_id3 = request("id") ' user_id3 comes straight from the request
sql="select * from shuaiweb_buy WHERE id= "&user_id3&"" ' concatenated, unquoted: injection point
rs.open sql,dbok,1,1
' only the first row returned is checked for "shipped"
if rs("shuaiweb_reading") = 1 then
response.write "<script language=javascript> alert('已发货的订单不可以删除!');history.go(-1);</script>" ' "Shipped orders cannot be deleted!"
response.end
else
if(request("id") <> "") then id = request("id")
set rs = server.createobject("adodb.recordset")
user_id4 = request("id") ' the same unfiltered value again
sql="DELETE * FROM shuaiweb_buy WHERE id= "&user_id4&"" ' Access/JET DELETE syntax, same injection point
rs.open sql,dbok,3,2
rs.update
rs.close
set rs=nothing
response.write "<script language=javascript> alert('成功删除!');location.replace('user_buy.asp');</script>" ' "Deleted successfully!"
End If
end if

 

 
 
 
----------------------------------------------------------------------------------------------------
I didn't test this SQL injection, because my local install had no products so I couldn't place an order; it was too much hassle, so I left it. This one is also a pain to exploit, so I didn't bother.
 
Both of the above issues are in the page user.asp.
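The three concatenated queries quoted above (the IN-clause delete in buy_settlement.asp, the LIKE search in search.asp and the order delete in user.asp) rebuilt in Python on an in-memory SQLite database, so the injections and the parameterised fixes can be run offline. This is an added example, not code from the original post or from YidaCMS. Table and column names are taken from the post; the rows, the `owner` column and the payloads are constructed. SQLite stands in for the Access/JET backend the ASP code uses, so the delete reads `DELETE FROM` rather than Access's `DELETE * FROM`.

```python
# Added example: not code from the original post or from YidaCMS. The three
# concatenated queries quoted in the post are rebuilt on an in-memory SQLite
# database so the injections and the parameterised fixes can be run offline.
# Table and column names come from the post; the rows and the 'owner' column
# are constructed. SQLite stands in for the Access/JET backend, so the delete
# is "DELETE FROM" rather than Access's "DELETE * FROM".
import sqlite3


def make_db():
    """Constructed sample data mirroring the tables named in the post."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE shuaiweb_buycart (id INTEGER PRIMARY KEY, owner TEXT);
        INSERT INTO shuaiweb_buycart VALUES (1,'alice'),(2,'alice'),(3,'bob'),(4,'carol');
        CREATE TABLE shuaiweb_news (id INTEGER PRIMARY KEY, shuaiweb_newstitle TEXT,
                                    shuaiweb_newsContent TEXT, yida_language TEXT);
        INSERT INTO shuaiweb_news VALUES
            (1,'Opening hours','We open at nine','ch'),
            (2,'Internal memo','unpublished draft','en'),
            (3,'New products','Catalogue updated','ch');
        CREATE TABLE shuaiweb_buy (id INTEGER PRIMARY KEY, owner TEXT, shuaiweb_reading INTEGER);
        INSERT INTO shuaiweb_buy VALUES (1,'alice',0),(2,'alice',0),(3,'bob',1);
    """)
    return db


def count(db, table):
    # 'table' is always a literal chosen by this script, never user input
    return db.execute("SELECT COUNT(*) FROM " + table).fetchone()[0]


# --- buy_settlement.asp: DELETE ... WHERE id IN (<delid>) --------------------

def cart_delete_vuln(db, id_param):
    # replace(request("id"),"'","") strips quotes, but the value sits unquoted
    # inside IN (...), so the payload "3) OR (1=1" needs no quote at all.
    delid = id_param.replace("'", "")
    db.execute("DELETE FROM shuaiweb_buycart WHERE id IN (" + delid + ")")
    db.commit()
    return count(db, "shuaiweb_buycart")


def cart_delete_safe(db, id_param):
    # Every element must parse as an integer, then bind with placeholders.
    ids = [int(x) for x in id_param.split(",")]  # ValueError on "3) OR (1=1"
    marks = ",".join("?" * len(ids))
    db.execute("DELETE FROM shuaiweb_buycart WHERE id IN (" + marks + ")", ids)
    db.commit()
    return count(db, "shuaiweb_buycart")


# --- search.asp: LIKE '%<n>%' ... AND yida_language = 'ch' -------------------

def search_vuln(db, n):
    # The language filter sits outside the parentheses; closing them with
    # "') OR 1=1 OR ('" ORs past it and returns rows in every language.
    sql = ("SELECT * FROM [shuaiweb_news] WHERE (shuaiweb_newstitle LIKE '%" + n + "%'"
           " OR shuaiweb_newsContent LIKE '%" + n + "%') AND yida_language = 'ch'"
           " ORDER BY id DESC")
    return db.execute(sql).fetchall()


def search_safe(db, n):
    # Bind the pattern and escape LIKE metacharacters so input is only ever a substring.
    esc = n.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    pat = "%" + esc + "%"
    sql = ("SELECT * FROM [shuaiweb_news] WHERE (shuaiweb_newstitle LIKE ? ESCAPE '\\'"
           " OR shuaiweb_newsContent LIKE ? ESCAPE '\\') AND yida_language = 'ch'"
           " ORDER BY id DESC")
    return db.execute(sql, (pat, pat)).fetchall()


# --- user.asp (yidacms=buydel): SELECT then DELETE ... WHERE id= <id> --------

def order_delete_vuln(db, id_param):
    # The "shipped" check reads only the first row the injected SELECT returns;
    # the DELETE then reuses the same unfiltered value and removes every order.
    row = db.execute("SELECT * FROM shuaiweb_buy WHERE id= " + id_param).fetchone()
    if row is not None and row[2] == 1:
        return "refused: already shipped"
    db.execute("DELETE FROM shuaiweb_buy WHERE id= " + id_param)
    db.commit()
    return count(db, "shuaiweb_buy")


def order_delete_safe(db, id_param):
    order_id = int(id_param)  # ValueError on "1 OR 1=1"
    row = db.execute("SELECT shuaiweb_reading FROM shuaiweb_buy WHERE id=?",
                     (order_id,)).fetchone()
    if row is None:
        return None
    if row[0] == 1:
        return "refused: already shipped"
    db.execute("DELETE FROM shuaiweb_buy WHERE id=?", (order_id,))
    db.commit()
    return count(db, "shuaiweb_buy")


if __name__ == "__main__":
    print("cart rows left after '3) OR (1=1':", cart_delete_vuln(make_db(), "3) OR (1=1"))
    print("search rows for the OR payload:", len(search_vuln(make_db(), "') OR 1=1 OR ('")))
    print("orders left after '1 OR 1=1':", order_delete_vuln(make_db(), "1 OR 1=1"))
```

The cart payload shows why stripping single quotes is no defence when the value is spliced into a numeric context, and the order payload shows that the shipped-order check is applied to whatever row the injected SELECT happens to return first, so it does not protect the rows the injected DELETE removes. The fixes are the usual ones: reject anything that is not an integer for id parameters, and bind the search string as a parameter (with LIKE wildcards escaped) instead of concatenating it.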
 
Source: www.2cto.com/Article/201306/216200.html
