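2014-12-18: Details reported to the vendor; awaiting vendor handling
2014-12-23: Vendor confirmed; details disclosed to the vendor only
2014-12-26: Details opened to third-party security partners
2015-02-16: Details disclosed to core white hats and experts in related fields
2015-02-26: Details disclosed to regular white hats
2015-03-08: Details disclosed to intern white hats
2015-03-18: Details disclosed to the public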
RT
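Vulnerabilities in this product have been submitted before; see the reports by the two researchers before me.
WooYun: SQL injection in a general-purpose online learning platform
WooYun: An SQL injection in a general-purpose online learning platform
Keyword: inurl:e-learning/index.asp
File: \e-learning\ShowNews.asp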
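' id is read with request("id"), which is not restricted to the query string or the form.
id=request("id")
Set rsnews=Server.CreateObject("ADODB.RecordSet")
' Both statements below concatenate the value straight into the SQL text.
sql="Update News set Hits=Hits+1 where id="&cstr(request("id"))
conn.execute sql
sql="Select * From News Where id="&id
rsnews.Open sql,conn,1,1
Title=rsnews("Title")
BigClassName=rsnews("BigClassName")
SmallClassName=rsnews("SmallClassName")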
File: \inc\Check_Sql.asp
'----- Filter GET query-string values.
if request.QueryString<>"" then
  Chk_badword=split(Query_Badword,"∥")
  FOR EACH Query_Name IN Request.QueryString
    for i=0 to ubound(Chk_badword)
      If Instr(LCase(request.QueryString(Query_Name)),Chk_badword(i))<>0 Then
        Select Case Err_Message
          Case "1"
            Response.Write "<Script Language=JavaScript>alert('传参错误!参数 "&name&" 的值中包含非法字符串!\n\n请不要在参数中出现:and update delete ; insert mid master 等非法字符!');window.close();</Script>"
          Case "2"
            Response.Write "<Script Language=JavaScript>location.href='"&Err_Web&"'</Script>"
          Case "3"
            Response.Write "<Script Language=JavaScript>alert('传参错误!参数 "&name&"的值中包含非法字符串!\n\n请不要在参数中出现:and update delete ; insert mid master 等非法字符!');location.href='"&Err_Web&"';</Script>"
        End Select
        Response.End
      End If
    NEXT
  NEXT
End if
'----- Filter POST form values.
if request.form<>"" then
  Chk_badword=split(Form_Badword,"∥")
  FOR EACH name IN Request.Form
    for i=0 to ubound(Chk_badword)
      If Instr(LCase(request.form(name)),Chk_badword(i))<>0 Then
        Select Case Err_Message
          Case "1"
            Response.Write "<Script Language=JavaScript>alert('出错了!表单 "&name&" 的值中包含非法字符串!\n\n请不要在表单中出现: % & * # ( ) 等非法字符!');window.close();</Script>"
          Case "2"
            Response.Write "<Script Language=JavaScript>location.href='"&Err_Web&"'</Script>"
          Case "3"
            Response.Write "<Script Language=JavaScript>alert('出错了!参数 "&name&"的值中包含非法字符串!\n\n请不要在表单中出现: % & * # ( ) 等非法字符!');location.href='"&Err_Web&"';</Script>"
        End Select
        Response.End
      End If
    NEXT
  NEXT
end if
Look at the filter code: it is frankly terrible. It only filters GET and POST.
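A hardened form of the ShowNews.asp lookup, as an added example that is not the vendor's code: it reads id from one explicit collection, validates it as an integer, and binds it as a parameter, so it does not depend on the keyword blacklist in Check_Sql.asp. It assumes conn is the already-open ADODB.Connection used by the original page and that News.id is an integer column; IsAllDigits is a hypothetical helper defined in the block.

```vbscript
<%
' Added example, not the vendor's code. Assumes conn is the open ADODB.Connection
' from the original page and that News.id is an integer column.
Const adInteger = 3, adParamInput = 1, adCmdText = 1, adExecuteNoRecords = 128
Dim rawId, newsId, cmd, rsnews

' Read one explicit collection. Request("id") would also fall through to
' Form, Cookies, ClientCertificate and ServerVariables.
rawId = Trim(Request.QueryString("id"))

' Allow-list: digits only, at most 9 of them, so CLng cannot overflow or raise.
If Len(rawId) = 0 Or Len(rawId) > 9 Or Not IsAllDigits(rawId) Then
    Response.Status = "400 Bad Request"
    Response.End
End If
newsId = CLng(rawId)

' Bind the value as a typed parameter instead of concatenating it into the SQL.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "UPDATE News SET Hits = Hits + 1 WHERE id = ?"
cmd.Parameters.Append cmd.CreateParameter("@id", adInteger, adParamInput, , newsId)
cmd.Execute , , adExecuteNoRecords

' The appended parameter is reused for the second statement.
cmd.CommandText = "SELECT Title, BigClassName, SmallClassName FROM News WHERE id = ?"
Set rsnews = cmd.Execute
If rsnews.EOF Then
    Response.Status = "404 Not Found"
    Response.End
End If
Title = rsnews("Title")
BigClassName = rsnews("BigClassName")
SmallClassName = rsnews("SmallClassName")

' Hypothetical helper: True only when s consists entirely of ASCII digits.
Function IsAllDigits(s)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[0-9]+$"
    IsAllDigits = re.Test(s)
End Function
%>
```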
Related cases:
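Some of the related cases have been upgraded, but many sites still have the problem.
Severity: High
Vulnerability Rank: 17
Confirmed: 2014-12-23 08:43
CNVD has confirmed and reproduced the situation described. No direct handling channel with the software vendor has been established yet; we are still actively trying to make contact, pending the vendor claiming and handling the issue.
None yet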