' Excerpt of UpdateOrder() as quoted in the post (the rest of the Sub is not shown here)
Sub UpdateOrder(ByVal PaymentNum, ByVal amount, ByVal eBankInfo, ByVal Remark, Status, UpdateDeliverStatus, UpdateOrderStatus)
    Dim PaymentID, OrderFormID, MoneyReceipt, MoneyPayout, eBankID
    Dim sqlPayment, rsPayment
    Dim DoUpdate

    ' The blacklist filter runs before the value reaches the SQL string
    PaymentNum = ReplaceBadChar(PaymentNum)
    ' PaymentNum is concatenated straight into a single-quoted literal
    sqlPayment = "select * from PE_Payment where PaymentNum='" & PaymentNum & "'"
    Set rsPayment = Server.CreateObject("Adodb.RecordSet")
    rsPayment.Open sqlPayment, Conn, 1, 3
    If rsPayment.BOF And rsPayment.EOF Then
        FoundErr = True
        If IsMessageShow = True Then
          Response.Write "找不到指定的支付单!"   ' "The specified payment order was not found!"
        End If
    Else


The SQL statement here:
    sqlPayment = "select * from PE_Payment where PaymentNum='" & PaymentNum & "'"
PaymentNum is taken from v_oid in AutoRecieve1.asp:
v_oid = Trim(Request("v_oid"))       'payment order number
The v_oid parameter goes into the SQL statement without any filtering, so it can form an injection.
Injecting here requires one condition.


I've seen this reposted in many places, so I took a look at the source code and tested it.
    PaymentNum = ReplaceBadChar(PaymentNum)  (the OP probably overlooked this line;
this parameter is filtered through the ReplaceBadChar() function.)

Let's look at how ReplaceBadChar() is defined:

Function ReplaceBadChar(strChar)
    If strChar = "" Or IsNull(strChar) Then
        ReplaceBadChar = ""
        Exit Function
    End If
    Dim strBadChar, arrBadChar, tempChar, i
    ' Comma-separated blacklist; every entry is a single character, and the
    ' comma itself is only the Split() separator, so it is not filtered
    strBadChar = "',^,&,?,(,),<,>,[,],{,},/,\,;,:," & Chr(34) & "," & Chr(0) & ""
    arrBadChar = Split(strBadChar, ",")
    tempChar = strChar
    ' Replace() here is a literal, global deletion of each blacklisted character
    For i = 0 To UBound(arrBadChar)
        tempChar = Replace(tempChar, arrBadChar(i), "")
    Next
    ReplaceBadChar = tempChar
End Function


The filtering isn't very extensive, but it doesn't seem to be successfully exploitable.
Feel free to pick this apart.
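To make the point concrete, here is an added example (not from the post or from the PowerEasy code) that ports ReplaceBadChar() to Python and runs the page's sqlPayment concatenation against an in-memory SQLite table. SQLite, the PE_Payment rows and the column names beyond PaymentNum are constructed stand-ins; the character list and the query shape are the ones on the page. It shows why the quote-based breakout works without the filter, why deleting the single quote leaves the payload trapped inside the literal, and what the parameterized form of the same lookup looks like.

```python
import sqlite3

# Character list copied from strBadChar in ReplaceBadChar(); the comma is the
# separator in the VBScript Split() call, so it is not itself filtered.
BAD_CHARS = ["'", "^", "&", "?", "(", ")", "<", ">", "[", "]", "{", "}",
             "/", "\\", ";", ":", '"', "\x00"]

# Constructed sample rows standing in for the PE_Payment table (column names
# other than PaymentNum are assumptions for this example).
SAMPLE_PAYMENTS = [
    ("20240101001", 99.00, "paid"),
    ("20240101002", 150.00, "pending"),
    ("20240101003", 20.50, "paid"),
]


def replace_bad_char(value):
    """Python port of ReplaceBadChar(): delete every blacklisted character.

    VBScript Replace() with "" is a literal, global deletion, and every entry
    in the list is a single character, so one pass is enough: removing one
    character can never reassemble another one from the list.
    """
    if value is None or value == "":
        return ""
    for ch in BAD_CHARS:
        value = value.replace(ch, "")
    return value


def build_query(payment_num, use_filter):
    """Mirror the sqlPayment concatenation from UpdateOrder(), with or
    without the ReplaceBadChar() call that precedes it in the source."""
    if use_filter:
        payment_num = replace_bad_char(payment_num)
    return "select * from PE_Payment where PaymentNum='" + payment_num + "'"


def _connect():
    """Fresh in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table PE_Payment (PaymentNum text, Amount real, Status text)")
    conn.executemany("insert into PE_Payment values (?, ?, ?)", SAMPLE_PAYMENTS)
    return conn


def rows_via_concatenation(payment_num, use_filter):
    """Run the concatenated query exactly as the page builds it."""
    conn = _connect()
    try:
        return conn.execute(build_query(payment_num, use_filter)).fetchall()
    finally:
        conn.close()


def rows_via_parameter(payment_num):
    """The fix the page does not show: bind PaymentNum as a parameter, so
    the value can never change the statement's structure."""
    conn = _connect()
    try:
        return conn.execute(
            "select * from PE_Payment where PaymentNum=?", (payment_num,)
        ).fetchall()
    finally:
        conn.close()


if __name__ == "__main__":
    payload = "x' or '1'='1"  # classic breakout from a single-quoted literal
    print(build_query(payload, use_filter=False))
    print(len(rows_via_concatenation(payload, use_filter=False)),
          "rows without the filter")
    print(build_query(payload, use_filter=True))
    print(len(rows_via_concatenation(payload, use_filter=True)),
          "rows after ReplaceBadChar()")
    print(len(rows_via_parameter(payload)), "rows with a bound parameter")
```

Without the filter the statement becomes `PaymentNum='x' or '1'='1'` and every row comes back; after ReplaceBadChar() it is `PaymentNum='x or 1=1'`, a harmless literal that matches nothing. The filter only helps because the value sits inside quotes and `'` is on the list: the same blacklist around an unquoted numeric value, or a code path that forgets to call it, gives no protection, which is why the bound parameter is the durable fix.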