YidaCMS enterprise website system 0day vulnerabilities
IN injection:
Related code:
........................ part omitted ....................................
id=request("id"):id1=Split(id,", "):delid=replace(request("id"),"'","")   ' only the single quote is stripped; the value is still concatenated into the SQL text
set rs = server.createobject("adodb.recordset")
sql="DELETE from shuaiweb_buycart where id in ("&delid&")"
rs.open sql,dbok,3,2
rs.close
This is on the checkout page, where the shopping cart is processed.
Related page: buy_settlement.asp
......................................................................
Search box code problem:
Related code:
function tSearch()
yidacms_l=request("l")
yidacms_n=request("n")   ' search term, used below without any escaping
yidacms_y=request("yidacms_search")
........................ part omitted ....................................
if yidacms_language = "zh" then
set rs = server.createobject("adodb.recordset")
if yidacms_l = "news" then
sql="select * from [shuaiweb_news] where (shuaiweb_newstitle like '%"&yidacms_n&"%' or shuaiweb_newsContent like '%"&yidacms_n&"%') and yida_language = 'ch' order by id desc"
elseif yidacms_l = "products" then
sql="select * from [shuaiweb_products] where (shuaiweb_productsname like '%"&yidacms_n&"%' or shuaiweb_productscontent like '%"&yidacms_n&"%' or shuaiweb_productsbprice like '%"&yidacms_n&"%' or shuaiweb_productsmodel like '%"&yidacms_n&"%') and yida_language = 'ch' order by id desc"
elseif yidacms_l = "photo" then
sql="select * from [shuaiweb_photo] where (shuaiweb_photoname like '%"&yidacms_n&"%') and yida_language = 'ch' order by id desc"
end if
rs.open sql,dbok,1,1
else
set rs = server.createobject("adodb.recordset")
if yidacms_l = "news" then
sql="select * from [shuaiweb_news] where (shuaiweb_newstitle like '%"&yidacms_n&"%') or (shuaiweb_newsContent like '%"&yidacms_n&"%') order by id desc"
elseif yidacms_l = "products" then
sql="select * from [shuaiweb_products] where (shuaiweb_productsname like '%"&yidacms_n&"%') or (shuaiweb_productscontent like '%"&yidacms_n&"%') or (shuaiweb_productsbprice like '%"&yidacms_n&"%') or (shuaiweb_productsmodel like '%"&yidacms_n&"%') order by id desc"
elseif yidacms_l = "photo" then
sql="select * from [shuaiweb_photo] where shuaiweb_photoname like '%"&yidacms_n&"%' order by id desc"
end if
rs.open sql,dbok,1,1
end if
if rs.bof and rs.eof then
tSearch = tSearch & "暂无记录!"&vbcrlf
Else
tSearch = tSearch & "<table width='100%' border='0' align='left' cellpadding='5' cellspacing='0'>"&vbcrlf
do while not rs.eof
Related page: search.asp
-----------------------------------------------------------------------------------------------
Member registration logic error / privilege bypass
Related code:
response.write "<script language=javascript> alert('注册成功!\n\n"&mailtz&"');location.replace('index.asp');</script>"
elseif yidacms_jmailuserreg = 2 then
    if shuaiweb_usercontrol = 1 then   ' This is the key: as long as shuaiweb_usercontrol is not 1 it passes; change it to 2 and the check is bypassed!
        response.write "<script language=javascript> alert('注册成功!但是您的账户需要管理员审核才能正常使用。');location.replace('index.asp');</script>"
        session("shuaiweb_useremail")=empty
    else
        response.write "<script language=javascript> alert('注册成功!');location.replace('index.asp');</script>"
    end if
Details: on the registration page, just change the value of shuaiweb_usercontrol with a Firefox extension and that is it!
-----------------------------------------------------------------------------------------------
SQL injection problem code:
Order page:
Related code:
if request("yidacms")="buydel" Then
    set rs=server.createobject("adodb.recordset")
    user_id3 = request("id")   ' here user_id3 comes straight from the request
    sql="select * from shuaiweb_buy WHERE id= "&user_id3&""   ' and goes straight into the query!
    rs.open sql,dbok,1,1
    if rs("shuaiweb_reading") = 1 then
        response.write "<script language=javascript> alert('已发货的订单不可以删除!');history.go(-1);</script>"
        response.end
    else
        if(request("id") <> "") then
            id = request("id")
            set rs = server.createobject("adodb.recordset")
            user_id4 = request("id")   ' same again
            sql="DELETE * FROM shuaiweb_buy WHERE id= "&user_id4&""
            rs.open sql,dbok,3,2
            rs.update
            rs.close
            set rs=nothing
            response.write "<script language=javascript> alert('成功删除!');location.replace('user_buy.asp');</script>"
        End If
    end if
----------------------------------------------------------------------------------------------------
I did not test this SQL injection, because my local setup had no products so I could not place an order; it was too much hassle, so I did not bother! This hole is also cumbersome to exploit, so I left it!
Both of the above issues are in the user.asp page!
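As an added example (not YidaCMS code), here is a hardened replacement for the cart delete in buy_settlement.asp: every id is checked to be a plain integer and then bound as an ADODB.Command parameter, so the value never becomes part of the SQL text. The same validate-then-bind pattern fixes the id concatenation in user.asp and the LIKE concatenation in search.asp. It assumes an already-open ADODB.Connection named dbok, as in the original.

```vbscript
' Added example, not YidaCMS code: hardened cart delete for buy_settlement.asp.
' Assumes an already-open ADODB.Connection named dbok, as in the original.

' True only when s is one or more ASCII digits. IsNumeric is too permissive:
' it also accepts forms such as "&H1F", "1e3" and signed values.
Function IsDigits(s)
    Dim j
    IsDigits = (Len(s) > 0)
    For j = 1 To Len(s)
        If Mid(s, j, 1) < "0" Or Mid(s, j, 1) > "9" Then IsDigits = False
    Next
End Function

' Replaces: delid=replace(request("id"),"'","") ... "DELETE ... id in ("&delid&")"
Sub DeleteCartItems(dbok, rawIds)
    Dim parts, i, cmd, placeholders
    ' Split on "," and trim, so both "1,2" and "1, 2" are accepted.
    parts = Split(rawIds, ",")
    ' Validate every value first; one bad value rejects the whole request.
    For i = 0 To UBound(parts)
        parts(i) = Trim(parts(i))
        If Not IsDigits(parts(i)) Or Len(parts(i)) > 9 Then
            Response.Write "invalid id"
            Response.End
        End If
    Next
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = dbok
    ' One "?" placeholder per id; the values are bound as integer parameters
    ' and never become part of the SQL text.
    placeholders = ""
    For i = 0 To UBound(parts)
        If i > 0 Then placeholders = placeholders & ","
        placeholders = placeholders & "?"
        ' 3 = adInteger, 1 = adParamInput, 4 = size in bytes
        cmd.Parameters.Append cmd.CreateParameter("id" & i, 3, 1, 4, CLng(parts(i)))
    Next
    cmd.CommandType = 1   ' adCmdText
    cmd.CommandText = "DELETE FROM shuaiweb_buycart WHERE id IN (" & placeholders & ")"
    cmd.Execute
    Set cmd = Nothing
End Sub

' Call site in buy_settlement.asp:
' DeleteCartItems dbok, Request("id")
```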