Published by: LinkEr
Affected version: Xunfeng Movie System (迅风影视系统)
Vendor URL: http://www.gxwglm.com
Vulnerability type: SQL injection
Vulnerability description: the Xunfeng movie system contains multiple SQL injection vulnerabilities.
Xunfeng movie system: injection in the registration page and a weak anti-injection filter (advisory).
#1. Injection in the registration page:
wwwroot\reg\reg.asp
<% szPath = "../../" %>
(the include is present, but it can still be bypassed; see #2)
<%
if Request.Form("submit") <> "" then
    szUserName = Request.Form("UserName")
    szPassWord = Request.Form("UserPass")
    szEmail = Request.Form("UserMail")
    szMemo = Request.Form("UserMemo")
    iPayMode = Request.Form("PayMode")
    szPBQuestion = Request.Form("PBQuestion")
    szPBAnswer = Request.Form("PBAnswer")
    szGetCode = Trim(Request.Form("codestr"))
    szSQL = "SELECT * FROM MOVIE_Users WHERE UserName='" & szUserName & "' OR UserEmail='" & szEmail & "'"
    set rsData_User = Server.CreateObject("ADODB.Recordset")
    rsData_User.Open szSQL,conn,1,3
    if not rsData_User.EOF then
        Response.Write ""
        Response.End
    else
        iAccount = 0
        if Session("Option_RegMode") = 1 then iAccount = 10
        If IsEmpty(Session("VerifyCode")) Or szGetCode <> CStr(Session("VerifyCode")) Then
            Response.Write ""
            Response.End
        end if
        if Left(szUserName, 1) = "!" then
            Response.Write ""
            Response.End
        end if
        szSQL = "INSERT INTO MOVIE_Users(UserName,UserPass,UserRegisterTime,MovieEdate,UserEmail,UserInfo,MovieUserType,UserSign,UserBio,UserAccountStatus) "
        szSQL = szSQL & "VALUES('" & szUserName & "','" & MD5(szPassWord) & "','" & now & "','" & date+30 & "','" & szEmail & "','" & szMemo & "'," & iPayMode & ",'" & szPBQuestion & "','" & szPBAnswer & "',1)"
        conn.Execute szSQL
        Response.Write ""
        Response.End
    end if
    rsData_User.Close
end if
%>
The values for UserName, UserPass, UserRegisterTime, MovieEdate, UserEmail, UserInfo, MovieUserType, UserSign, UserBio, UserAccountStatus and so on pass only through the very weak anti-injection filter and are then concatenated straight into the INSERT on MOVIE_Users. The anti-injection filter is the root of the problem.
wwwroot/Conn.asp
<%
Response.Addheader "Content-Type","text/html; charset=GB2312"
Response.Buffer=True
Server.ScriptTimeOut=9999999
' anti-injection
if nochecksqlin<>1 then
    dim sql_injdata,SQL_inj,SQL_Get
    SQL_injdata = "'|exec |delete |insert | update |select "
    SQL_inj = split(SQL_Injdata,"|")
    If Request.QueryString<>"" Then
        For Each SQL_Get In Request.QueryString
            For SQL_Data=0 To Ubound(SQL_inj)
                if instr(Request.QueryString(SQL_Get),Sql_Inj(Sql_DATA))>0 Then
                    Response.Write ""
                    Response.end
                end if
            next
        Next
    End If
    If Request.Form<>"" Then
        For Each Sql_Post In Request.Form
            For SQL_Data=0 To Ubound(SQL_inj)
                if instr(Request.Form(Sql_Post),Sql_Inj(Sql_DATA))>0 Then
                    Response.Write ""
                    Response.end
                end if
            next
        next
    end if
end if
%>
#2.1 It filters GET and POST, but not cookies (cookie injection)
Reachable at wwwroot/FZPLAYER.ASP:
<%
Progid=Request("progid")
Set Rs=CreateObject("Adodb.RecordSet")
Rs.Open "Select * From Movie_FileList Where FileListID="&progid,Conn,1,1
Response.Write "
SQL_injdata = "'|exec |delete |insert | update |select "
SQL_inj = split(SQL_Injdata,"|")
The short keyword list is one problem; the main one is that letter case is not handled at all (instr compares case-sensitively by default).
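A hardened replacement for the FZPLAYER.ASP lookup, added here as an example and not the vendor's code: it reads progid from one explicit request collection, validates it as a number, and binds it as a typed parameter, so neither the keyword blacklist nor its case handling matters any more. It assumes Conn is the open ADODB.Connection created in Conn.asp; the commented tail shows the same pattern applied to the reg.asp INSERT.

```asp
<%
' Hardened lookup for FZPLAYER.ASP (added example, not the vendor's code).
' Assumes Conn is the open ADODB.Connection created in Conn.asp.
Const adCmdText = 1
Const adInteger = 3
Const adVarChar = 200
Const adParamInput = 1

' Read from Request.QueryString only. Request("progid") also searches Form,
' Cookies, ClientCertificate and ServerVariables, which is why a filter
' that only inspects QueryString and Form does not cover this code path.
Dim progid
progid = Request.QueryString("progid")
If progid = "" Or Not IsNumeric(progid) Then
    Response.Write "Invalid progid"
    Response.End
End If

' Bind the value as a typed parameter instead of concatenating it into the
' SQL text; the database never interprets it as part of the statement.
Dim cmd, rs
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = Conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT * FROM Movie_FileList WHERE FileListID = ?"
cmd.Parameters.Append cmd.CreateParameter("FileListID", adInteger, adParamInput, , CLng(progid))
Set rs = cmd.Execute

If rs.EOF Then
    Response.Write "Not found"
Else
    Response.Write Server.HTMLEncode(CStr(rs("FileListID")))
End If
rs.Close
Set rs = Nothing
Set cmd = Nothing

' Same pattern for the registration INSERT in reg.asp: string columns get
' adVarChar parameters with an explicit size, so a quote inside UserName is
' stored as data rather than changing the statement. Column sizes are
' assumed; use the real schema's lengths.
' cmd.CommandText = "INSERT INTO MOVIE_Users(UserName,UserEmail) VALUES(?,?)"
' cmd.Parameters.Append cmd.CreateParameter("UserName", adVarChar, adParamInput, 50, szUserName)
' cmd.Parameters.Append cmd.CreateParameter("UserEmail", adVarChar, adParamInput, 100, szEmail)
' cmd.Execute
%>
```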