
YidaCMS enterprise site builder: two SQL injections and a privilege bypass

Source: Internet  Author: Anonymous  Time: 2016-05-07 10:03
YidaCMS enterprise site builder 0day
 
IN-clause injection:
 
Relevant code:
 
........................part omitted....................................
 
id=request("id"):id1=Split(id,", "):delid=replace(request("id"),"'","")


        set rs = server.createobject("adodb.recordset")
        sql="DELETE from shuaiweb_buycart where id in ("&delid&")"
        rs.open sql,dbok,3,2
        rs.close

 

 
The shopping cart is processed on the checkout page.
 
Relevant page: buy_settlement.asp
 
......................................................................
 
Search box code problem:
 
Relevant code:
 


function tSearch()

yidacms_l=request("l")
yidacms_n=request("n")
yidacms_y=request("yidacms_search")

........................part omitted....................................

if yidacms_language = "zh" then

    set rs = server.createobject("adodb.recordset")
    if yidacms_l = "news" then
        sql="select * from [shuaiweb_news] where (shuaiweb_newstitle like '%"&yidacms_n&"%' or shuaiweb_newsContent like '%"&yidacms_n&"%') and yida_language = 'ch' order by id desc"
    elseif yidacms_l = "products" then
        sql="select * from [shuaiweb_products] where (shuaiweb_productsname like '%"&yidacms_n&"%' or shuaiweb_productscontent like '%"&yidacms_n&"%' or shuaiweb_productsbprice like '%"&yidacms_n&"%' or shuaiweb_productsmodel like '%"&yidacms_n&"%') and yida_language = 'ch' order by id desc"
    elseif yidacms_l = "photo" then
        sql="select * from [shuaiweb_photo] where (shuaiweb_photoname like '%"&yidacms_n&"%') and yida_language = 'ch' order by id desc"
    end if
    rs.open sql,dbok,1,1

else

    set rs = server.createobject("adodb.recordset")
    if yidacms_l = "news" then
        sql="select * from [shuaiweb_news] where (shuaiweb_newstitle like '%"&yidacms_n&"%') or (shuaiweb_newsContent like '%"&yidacms_n&"%') order by id desc"
    elseif yidacms_l = "products" then
        sql="select * from [shuaiweb_products] where (shuaiweb_productsname like '%"&yidacms_n&"%') or (shuaiweb_productscontent like '%"&yidacms_n&"%') or (shuaiweb_productsbprice like '%"&yidacms_n&"%') or (shuaiweb_productsmodel like '%"&yidacms_n&"%') order by id desc"
    elseif yidacms_l = "photo" then
        sql="select * from [shuaiweb_photo] where shuaiweb_photoname like '%"&yidacms_n&"%' order by id desc"
    end if
    rs.open sql,dbok,1,1

end if

if rs.bof and rs.eof then
    tSearch = tSearch & "暂无记录!"&vbcrlf
Else
    tSearch = tSearch & "<table width='100%' border='0' align='left' cellpadding='5' cellspacing='0'>"&vbcrlf
do while not rs.eof

 

 
 
Relevant page: search.asp
 
-----------------------------------------------------------------------------------------------
 
 
Member registration logic error / privilege bypass
 
 
Relevant code:
 
response.write "<script language=javascript> alert('注册成功!\n\n"&mailtz&"');location.replace('index.asp');</script>"
elseif yidacms_jmailuserreg = 2 then
    if shuaiweb_usercontrol = 1 then ' This is the key: as long as shuaiweb_usercontrol is not 1 it passes; changing it to 2 bypasses the check~!
        response.write "<script language=javascript> alert('注册成功!但是您的账户需要管理员审核才能正常使用。');location.replace('index.asp');</script>"
        session("shuaiweb_useremail")=empty
    else
        response.write "<script language=javascript> alert('注册成功!');location.replace('index.asp');</script>"
    end if
 
Details: on the registration page, simply modify the value of shuaiweb_usercontrol with a Firefox add-on~!
 
-----------------------------------------------------------------------------------------------
 
SQL injection problem code:
 
Order page:
 
Relevant code:
 
  
if request("yidacms")="buydel" Then
    set rs=server.createobject("adodb.recordset")
    user_id3 = request("id")    ' user_id3 is taken straight from the request here
    sql="select * from shuaiweb_buy WHERE id= "&user_id3&""    ' and goes straight into the SQL!~!
    rs.open sql,dbok,1,1
    if rs("shuaiweb_reading") = 1 then
        response.write "<script language=javascript> alert('已发货的订单不可以删除!');history.go(-1);</script>"
        response.end
    else
        if(request("id") <> "") then id = request("id")
        set rs = server.createobject("adodb.recordset")
        user_id4 = request("id")    ' same here
        sql="DELETE * FROM shuaiweb_buy WHERE id= "&user_id4&""
        rs.open sql,dbok,3,2
        rs.update
        rs.close
        set rs=nothing
        response.write "<script language=javascript> alert('成功删除!');location.replace('user_buy.asp');</script>"
    End If
end if

 

 
 
 
----------------------------------------------------------------------------------------------------
I did not test this SQL injection, because my local install had no products so I could not place an order; I did not want the hassle, so I left it~! This vulnerability is also troublesome to exploit, so I skipped it~!
 
Both of the above issues are in the user.asp page~!
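As an added example (not code from YidaCMS or from the original post), the defender-side fix for the three issues above: both deletes validate the id parameter as positive integers and bind them as parameters instead of concatenating them into the SQL, and the registration decision reads the review setting from server-side configuration rather than from the posted shuaiweb_usercontrol field. Table and column names come from the page; the `site_config` dictionary, the id pattern and the `max_ids` limit are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed defender-side models of the three request parameters the page
# discusses (cart "id" list, order "id", registration form field).
_ID_RE = re.compile(r"[1-9][0-9]{0,9}")  # assumed id format: positive integer


def yida_strip_quotes(raw: str) -> str:
    """Mirrors replace(request("id"),"'","") from buy_settlement.asp: only
    single quotes are dropped, so any other text still reaches the SQL."""
    return raw.replace("'", "")


def parse_id_list(raw: str, max_ids: int = 50) -> List[int]:
    """Strict allow-list for the 'id in (...)' delete: comma-separated
    positive integers, nothing else. Raises ValueError otherwise."""
    parts = [p.strip() for p in raw.split(",")]
    if not 0 < len(parts) <= max_ids:
        raise ValueError("bad id count")
    if not all(_ID_RE.fullmatch(p) for p in parts):
        raise ValueError("id list must contain positive integers only")
    return [int(p) for p in parts]


def is_valid_id_list(raw: str) -> bool:
    try:
        parse_id_list(raw)
        return True
    except ValueError:
        return False


def build_cart_delete(raw: str) -> Tuple[str, List[int]]:
    """Parameterised form of the cart delete: the SQL text holds only
    placeholders; the validated ids travel separately as bind values."""
    ids = parse_id_list(raw)
    marks = ",".join("?" * len(ids))
    return f"DELETE FROM shuaiweb_buycart WHERE id IN ({marks})", ids


def build_order_delete(raw: str) -> Tuple[str, List[int]]:
    """Same treatment for the single numeric id in user.asp (buydel)."""
    if not _ID_RE.fullmatch(raw.strip()):
        raise ValueError("order id must be a positive integer")
    return "DELETE FROM shuaiweb_buy WHERE id = ?", [int(raw)]


def new_account_state(form: Dict[str, str], site_config: Dict[str, int]) -> str:
    """Registration fix: whether a new account needs admin review comes from
    the server-side setting only; a shuaiweb_usercontrol field in the posted
    form is ignored rather than trusted."""
    return "pending" if site_config.get("usercontrol") == 1 else "active"
```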
 