乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2014-05-08: 细节已通知厂商并且等待厂商处理中 2014-05-09: 厂商已经确认,细节仅向厂商公开 2014-05-12: 细节向第三方安全合作伙伴开放 2014-07-03: 细节向核心白帽子及相关领域专家公开 2014-07-13: 细节向普通白帽子公开 2014-07-23: 细节向实习白帽子公开 2014-08-06: 细节向公众公开
逐浪最新版x1.5sql注入
地址
http://demo.zoomla.cn/Customer.aspx
源码如下
protected void Page_Load(object sender, EventArgs e){ if (base.Request.QueryString["type"] != null) { if (base.Request.QueryString["type"] == "Seat") { this.GetSeat(); } if (base.Request.QueryString["type"] == "add") { this.SetInfo(base.Request.Form.ToString()); } bool flag1 = base.Request.QueryString["type"] == "answer"; if ((base.Request.QueryString["type"] == "getservice") && (base.Request.QueryString["uid"] != null)) { this.GetServerInfo(base.Request.QueryString["uid"].ToString(), base.Request.Cookies["Provisional"]["Uid"]); //跟进 } if (base.Request.QueryString["type"] == "OnlineUsers") { this.GetOnlineUsers(); } bool flag2 = base.Request.QueryString["type"] == "CallMe"; if (base.Request.QueryString["type"] == "msg") { this.GetMsg(); //跟进 } this.DelUser(); }}
private void GetMsg(){ StringBuilder builder = new StringBuilder(); DataTable table = this.bcsbll.Select_Where(" CS_Type=0 and CS_OID=" + base.Request.Cookies["Provisional"]["Uid"], " DISTINCT CS_SendID,CS_SendName ", ""); //没处理存在注入 for (int i = 0; i < table.Rows.Count; i++) { builder.Append(string.Concat(new object[] { table.Rows[i]["CS_SendID"], ",", table.Rows[i]["CS_SendName"], ";" })); } string s = builder.ToString(); if (s.EndsWith(";")) { s = s.Substring(0, s.Length - 1); } base.Response.Write(s);}
另一处
private void GetServerInfo(string uid, string sessid){ DataTable customerByUid = this.bcsbll.GetCustomerByUid(DataConverter.CLng(uid), sessid); //跟进 StringBuilder builder = new StringBuilder(); if (!string.IsNullOrEmpty(uid) && !string.IsNullOrEmpty(sessid)) { for (int i = 0; i < customerByUid.Rows.Count; i++) { if (((customerByUid.Rows[i]["CS_OID"] != null) && (sessid == customerByUid.Rows[i]["CS_OID"].ToString())) && (customerByUid.Rows[i]["CS_SendID"].ToString() == sessid)) { builder.Append(string.Concat(new object[] { customerByUid.Rows[i]["CS_AddTime"], " 你对", customerByUid.Rows[i]["CS_CtoName"], "说:<br /> ", customerByUid.Rows[i]["CS_Context"], "<br />" })); } else { builder.Append(string.Concat(new object[] { customerByUid.Rows[i]["CS_AddTime"].ToString(), " ", customerByUid.Rows[i]["CS_SendName"], "对你说:<br /> ", customerByUid.Rows[i]["CS_Context"], "<br />" })); } } } base.Response.Write(builder.ToString());}
public DataTable GetCustomerByUid(int id, string sessid){ string strSQL = ""; if (id > 0) { string str2 = strSQL; strSQL = str2 + " (CS_SendID=" + id.ToString() + " or CS_Ctouid=" + id.ToString() + ")"; } if (!string.IsNullOrEmpty(sessid)) { strSQL = strSQL + " and CS_OID='" + sessid + "'"; //没处理存在注入 } DataTable dt = this.SelectWhere(strSQL, " CS_ID,CS_Context,CS_SendName,CS_SendID,CS_CtoName,CS_AddTime,CS_OID ", " CS_AddTime asc"); this.updateType(dt, id, sessid); return dt;}
访问
http://demo.zoomla.cn/
添加cookie值
然后访问
http://demo.zoomla.cn/Customer.aspx?type=msg
或者访问
http://demo.zoomla.cn/Customer.aspx?type=getservice&uid=1
cookie构造如下
对cookie进行处理
危害等级:中
漏洞Rank:6
确认时间:2014-05-09 08:14
感谢
暂无
