|
发表于 2006-12-30 01:59:33
|
显示全部楼层
来自
JoeKoeV6.5Post_Poll.asp漏洞。
晚上检查了一下JoeKoe V6.5系统是否存在SQL注入漏洞,发现一处SQL注入威胁:
- <!-- #include file="include/config_forum.asp" -->
- <!-- #include file="include/config_poll.asp" -->
- <% if not(isnumeric(forumid)) then call cookies_type("forum_id") %>
- <!-- #include file="include/config_frm.asp" -->
- <!-- #include file="include/conn.asp" -->
- <%
- call forum_first()
- dim reid,founderr
- call web_head(2,0,2,0,0)
- strRqPollType = Request.Form("Vote_Type")
- strRqPollID = Request.Form("VoTE_ID")
- strRqTopicID = Request.Form("ToPIC_ID")
- 'strRqCatID = Request.Form("CAT_ID")
- strRqForumID = Request.Form("FoRUM_ID")
- strRqMyChoice = Request.Form("myChoice")
- reid=strRqTopicID
- forumid=strRqForumID
- 'if int(popedom_format(login_popedom,41)) then call close_conn():call cookies_type("locked")
- '-----------------------------------center---------------------------------
- response.write reply_chk()
- '---------------------------------center end-------------------------------
- call web_end(0)
- function reply_chk()
- founderr = ""
- if GetPollUsers(strPollUser) = "yes" then
- founderr = "<LI>请不要重复投票!<br>"
- end if
- if strRqMyChoice = "" then
- founderr =founderr&"<LI>你未选投票,请重投!<br>"
- end if
- strSql = "SELECT V_ID, ToPIC_ID, V_NUM, V_USER, V_DETAIL, V_TYPE, V_HIDE FRoM BBS_VoTE "
- strSql = strSql & " WHERE V_ID = "& strRqPollID
- set vrs = Conn.Execute (strSql)
- if vrs.eof and vrs.bof then
- founderr=founderr&"<li>请您选择投票的主题进行投票。<br>"
- end if
- if founderr="" then
- strTopicID = vrs("ToPIC_ID")
- strPollNum = vrs("V_NUM")
- strPollUser = vrs("V_USER")
- strPollDetail= vrs("V_DETAIL")
- strPollType = vrs("V_TYPE")
- strPollHide = vrs("V_HIDE")
- strRqMyChoice= Replace(Request.Form("myChoice"), ", ", ",")
- strPollChoiceArr = Split(strRqMyChoice, ",")
- For J = 0 To UBound(strPollChoiceArr)
- strPollNumArr = Split(strPollNum, ",")
- strPollNumArr(strPollChoiceArr(j)) = cInt(strPollNumArr(strPollChoiceArr(J))) + 1
-
- '-----------------V_NUM
-
- strPollNum_New= ""
- For P = 0 To UBound(strPollNumArr)
- strPollNum_New = strPollNum_New & strPollNumArr(P) & ","
- Next
- strPollNum = Left(strPollNum_New, Len(strPollNum_New)-1)
- Set strPollNumArr = Nothing
-
- '-----------------V_DETAIL
- strPollDetailArr= Split(strPollDetail, ",")
- strPollDetailNew= Replace(Replace(strPollDetailArr(strPollChoiceArr(j)), "{", ""), "}", "")
- If strPollDetailNew = "" Then
- strPollDetailNew = "{" & login_username & "}"
- Else
- strPollDetailNew = strPollDetailNew & "|" & login_username
- strPollDetailNew = "{" & strPollDetailNew & "}"
- End If
- strPollDetailArr(strPollChoiceArr(j)) = strPollDetailNew
- '----------------V-DETAIL
- strPollDetail = ""
- For Q = 0 To UBound(strPollDetailArr)
- strPollDetail = strPollDetail & strPollDetailArr(Q) & ","
- Next
- strPollDetail = Left(strPollDetail, Len(strPollDetail)-1)
- Next
- '---------V_USER
- if ""&strPollUser&"" = "" then
- strPollUser = login_username
- else
- strPollUser = strPollUser & "," & login_username
- End if
-
- strSql = "UPDATE bbs_vote SET "
- strSql = strSql & "V_NUM = '" & strPollNum & "'"
- strSql = strSql & ", V_USER = '" & strPollUser & "'"
- strSql = strSql & ", V_DETAIL = '" & strPollDetail & "'"
- strSql = strSql & " WHERE V_ID = " & strRqPollID
- Conn.Execute (strSql)
- response.write forum_top("进行投票") & kong
- response.write VbCrLf & "<table border=0><tr><td align=center height=200>" & _
- VbCrLf & "<table border=0 width=300>" & _
- VbCrLf & "<tr><td align=center height=30><font class=red>成功进行了投票!谢谢您的投票。</font></td></tr>" & _
- VbCrLf & "<tr><td height=30>您现在可以选择以下操作:</td></tr>" & _
- VbCrLf & "<tr><td> 1、<a href='forum_view.asp?forum_id=" & forumid & "&view_id=" & reid & "'>您所投票的帖子</a>" & _
- VbCrLf & "<tr><td> 2、<a href='forum_list.asp?forum_id=" & forumid & "'>返回 <b>" & forumname & "</b></a></td></tr>" & _
- VbCrLf & "<tr><td> 3、<a href='forum.asp'>返回论坛首页</a></td></tr>" & _
- VbCrLf & "<tr><td height=30>系统将在 " & web_var(web_num,5) & " 秒钟后自动返回 <b>您所投票的帖子</b> 。</td></tr>" & _
- VbCrLf & "</table>" & _
- VbCrLf & "</td></tr></table>" & _
- VbCrLf & "<meta http-equiv='refresh' content='" & web_var(web_num,5) & "; url=forum_view.asp?forum_id=" & forumid & "&view_id=" & reid & "'>"
- else
- response.write found_error(founderr,"350")
- end if
- end function
- %>
复制代码
原版本没有对 Request.Form 的数据进行检验,容易发生SQL注入的攻击。
但由于是 Request.Form 数据,威胁发生的可能性较小(需要借助工具)。。
请Steven检查一下这个文件有没有修正过。
|
|