Oblog 4.6 Injection Vulnerability Analysis, Part 1
Date: 2008-2-15
Author: Yamato
Version: Oblog 4.6

Vulnerable file AjaxServer.asp:

Sub digglog() ' line 691
    If Not lcase(Request.ServerVariables("REQUEST_METHOD"))="post" Then Response.End
    ......
    If request("ptrue")=1 Then ' line 703
        pdigg=oblog.checkuserlogined_digg(unescape(Trim(request("puser"))),Trim(request("ppass")))

oblog.checkuserlogined_digg is defined in /inc/class_sys.asp:

Public Function CheckUserLogined_digg(puser,ppass)
    Dim rs
    If Not IsObject(conn) Then link_database
    Set rs = Server.CreateObject("adodb.recordset")
    rs.open "select top 1 userid,username from oblog_user where username='"&puser&"' and truepassword='"&ppass&"'", conn, 1, 1
    If Not (rs.eof Or rs.bof) Then
        CheckUserLogined_digg="1$$"&rs("userid")&"$$"&rs("username")
    Else
        CheckUserLogined_digg="0$$0$$0"
    End If
    rs.close
    Set rs=Nothing
End Function

The variable ppass is placed into the executed SQL statement without any filtering, which results in SQL injection. Exploitation requires submitting the request via POST.

re: Oblog 4.6 Injection Vulnerability Analysis, Part 1

Kinsman, I sincerely wish you a happy birthday!!!
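
As an added example (not part of the original post and not Oblog's own code), here is one way the CheckUserLogined_digg query analyzed in the first post can be written with bound parameters, so that ppass is never concatenated into the SQL text. It reuses conn and link_database from the posted code; the maximum lengths 50 and 64 are assumptions about the column sizes.

```vbscript
' Added example: parameterized form of CheckUserLogined_digg.
' Intended to replace the method in /inc/class_sys.asp; relies on the
' existing conn object and link_database helper shown in the post.
Public Function CheckUserLogined_digg(puser, ppass)
    ' ADO constants declared locally so no adovbs.inc include is needed.
    Const adCmdText = 1
    Const adParamInput = 1
    Const adVarWChar = 202
    ' Assumed column widths; adjust to the real oblog_user schema.
    Const MAX_USER_LEN = 50
    Const MAX_PASS_LEN = 64

    Dim cmd, rs
    ' Default to the "not logged in" result used by the original code.
    CheckUserLogined_digg = "0$$0$$0"

    ' Reject empty or oversized values before they reach the database;
    ' ADO would otherwise raise an error on a value longer than the
    ' declared parameter size.
    If Len(puser) = 0 Or Len(puser) > MAX_USER_LEN Then Exit Function
    If Len(ppass) = 0 Or Len(ppass) > MAX_PASS_LEN Then Exit Function

    If Not IsObject(conn) Then link_database

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' The ? placeholders keep the statement text constant: quotes in
    ' puser or ppass are treated as data, not as SQL syntax.
    cmd.CommandText = "select top 1 userid,username from oblog_user " & _
                      "where username=? and truepassword=?"
    cmd.Parameters.Append cmd.CreateParameter("puser", adVarWChar, adParamInput, MAX_USER_LEN, puser)
    cmd.Parameters.Append cmd.CreateParameter("ppass", adVarWChar, adParamInput, MAX_PASS_LEN, ppass)

    Set rs = cmd.Execute
    If Not (rs.EOF Or rs.BOF) Then
        CheckUserLogined_digg = "1$$" & rs("userid") & "$$" & rs("username")
    End If
    rs.Close
    Set rs = Nothing
    Set cmd = Nothing
End Function
```

The call site in digglog() does not need to change, because the function keeps the same name, arguments and "flag$$userid$$username" return format.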