乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2012-08-08: 积极联系厂商并且等待厂商认领中,细节不对外公开 2012-08-08: 厂商已经主动忽略漏洞,细节向公众公开
简介:IdeaCMS网站内容管理系统是主要服务于中小企业的CMS内容管理系统,一般的开发人员能够使用系统提供的模块以最低的成本、最少的人力投入在最短的时间内架设一个功能齐全、性能优异的网站平台。 IdeaCMS是基于ASP+Access/ASP+MSSQL开发的网站内容管理系统,这样一般的开发人员都能比较轻松的掌握本系统。目前本系统集成了简介类模块,新闻类模块,产品类模块,视频类模块,图片类模块,下载类模块。并且有评论,订单,应聘等插件供选择。并支持生成静态网站,方便搜索引擎收录。 本系统从2007年发布至今经历了1.0,1.1,2.0,3.0,4.0四个版本,受到了许多用户的肯定以及市场的检验,并不断吸收来自各方面的发展建议和成功经验,其功能不断完善和发展,目前系统不仅适用于企业网站,也适合门户、政府、学校、以及其他各种资讯类网站使用。
<!--#include file="../inc/Main_Class.asp"--><%'****************************************************'Code for IdeaCMS'****************************************************dim action,str,page,sql,MesTitle,LinkName,Content,validcode,Company,Address,Telephone,Email,backaction=filterPara(getForm("action","get")) : str=filterPara(getForm("str","get")) : page=filterPara(getForm("page","get"))MesTitle=filterPara(getForm("MesTitle","post")) : LinkName=filterPara(getForm("LinkName","post")) : Content=codeTextarea(filterPara(getForm("Content","post")),"en")Company=filterPara(getForm("LinkComp","post")) : Address=filterPara(getForm("LinkAddr","post")) : Telephone=filterPara(getForm("LinkTel","post")) : Email=filterPara(getForm("LinkEmail","post"))back="GuestBook.asp"if action="add" then if isNul(Content) then alertback "内容为空!" validcode = replace(filterPara(getForm("input_yzm","post")),"'","") if Session("GetCode")<>validcode then alert "验证码错误!",back else sql="insert into {pre}GuestBook(MesTitle,LinkName,Content,Company,Address,Telephone,Email) values('"&MesTitle&"','"&LinkName&"','"&Content&"','"&Company&"','"&Address&"','"&Telephone&"','"&Email&"')" conn.db sql,"0" if err then err.clear : alert "留言添加失败",back else if cint(guestmode)=1 then alert "留言添加成功,将在审核后显示!",back else alert "留言添加成功!",back end ifend ifif isNul(page) then page=1 else if isNum(page) then page=clng(page) else alert "参数错误!",backend ifdim templateobj,channelTemplatePath : set templateobj = mainClassobj.createObject("MainClass.template")dim channelTemplateName,channelStrchannelTemplatePath = PubPath("guestbook.html")with templateObj : .load(channelTemplatePath) : .parseComm() : .parseColumn() : .parseChannel("") : .parseList 0,page,"guestlist","" : .parseIf() : channelStr = .content : end withif str="签写留言" then channelStr = replace(channelStr,"id=guestlist>","id=guestlist style=display:none>") channelStr = replace(channelStr,"id=guestwrite style=display:none>","id=guestwrite>")end ifEcho channelStrset templateobj =nothing : terminateAllObjects%>跟踪getForm 和 filterParaFunction getForm(element,mtype) Select case mtype case "get" getForm=trim(request.QueryString(element)) case "post" getForm=trim(request.Form(element)) case else if isNul(request.QueryString(element)) then getForm=trim(request.Form(element)) else getForm=trim(request.QueryString(element)) End SelectEnd Function去掉空格继续跟踪函数Function filterPara(byVal Para) filterPara=preventSqlin(filterStr(Para,"jsiframe"))End Function先来看看Function preventSqlin(content) dim sqlStr,sqlArray,i,speStr sqlStr="%27|*|and|exec|dbcc|alter|drop|insert|select|update|delete|count|master|truncate|char|declare|where|set|declare|mid|chr" if isNul(content) then Exit Function sqlArray=split(sqlStr,"|") for i=lbound(sqlArray) to ubound(sqlArray) if instr(lcase(content),sqlArray(i))<>0 then alertback "你提交的数据含非法字符" : Exit Function next preventSqlin=contentEnd Function你还想注入么????再看'去除html格式Function filterStr(Byval str,Byval filtertype) if isNul(str) then filterStr = "" : Exit Function dim regObj, outstr,rulestr : set regObj = New Regexp regObj.IgnoreCase = true : regObj.Global = true Select case filtertype case "html" rulestr = "(<[a-zA-Z].*?>)|(<[\/][a-zA-Z].*?>)" case "jsiframe" rulestr = "(<(script|iframe).*?>)|(<[\/](script|iframe).*?>)" end Select regObj.Pattern = rulestr outstr = regObj.Replace(str, "") outstr=replace(outstr,"{ideacms:page}","") outstr=replace(outstr," ","") set regObj = Nothing : filterStr = outstrEnd Function这是过滤html么
绕过之<style/onload=alert(/welcome to my blog www.moonhack.org by mOon/)>
各种过滤!!!!!
未能联系到厂商或者厂商积极拒绝
