OBlog (tags.asp) Remote SQL Injection Exploit

SBEUGID:SEBUGV2008053273
发布时间:2008-04-26
受影响版本:
3.13-20060429 [access & mssql]
4.02-20070112 [access & mssql]
4.50 Final Build0619 [access & mssql]
4.60 Final Build0921 [access & mssql]
4.60 Final Build1107 [access & mssql]
描述:
漏洞文件tags.asp
变量tagid未经过滤传值,带入sql执行,导致注入产生。

再来啰嗦一下代码的问题tags.asp行15-36

sType = LCase(Trim(Request.Querystring(”t”)))
iTagId = Trim(Request.Querystring(”tagid”)) ’这个地方没过滤,在36行处传值给函数GetUsersByTag
iUserId = Trim(Request.Querystring(”userid”))
sKeyword= Trim(Request(”keyword”))
sAll=Trim(Request.Querystring)
If sAll & sKeyword=”\" Then sType=”hottags”

Call link_database()

select Case sType
Case ”hottags”
sTitle=”最热门的100个” & P_TAGS_DESC
sContent=Tags_Hottags()
Case ”cloud”
sTitle=P_TAGS_DESC & ”云图”
sContent=Tags_SystemTags(1)
Case ”list”
sTitle=P_TAGS_DESC & ”列表”
sContent=Tags_SystemTags(0)
Case ”user”
sTitle=P_TAGS_DESC & ”用户”
sContent=GetUsersByTag(iTagId)

函数GetUsersByTag的原型在文件Inc_Tags.asp行320-338

Function GetUsersByTag(byval sTagId)
Dim rst,sSql,sContent
Set rst = Server.CreateObject(”Adodb.Recordset”)
sSql = ”select Top 100 b.userName,b.user_dir,b.user_folder From (select Userid From oblog_usertags Where Tagid=” & sTagId & ” Group By UserId) a,oblog_user b Where a.Userid=b.UserId”
rst.Open sSql,conn,1,1
If rst.Eof Then
sContent=”没有符合条件的用户”
rst.Close
Set rst = Nothing
End If
i=0
Do While Not rst.Eof
sContent=sContent & ”” & rst(”userName”) & ”

rst.movenext
Loop
rst.Close
Set rst = Nothing
GetUsersByTag=sContent
End Function
<* 参考:
Whytt & Tr4c3[at]126[dot]com
*>
建议:
检查用户提交的tagid,只允许是数字。
例如:
将iTagId = Trim(Request.Querystring(”tagid”))改成iTagId = Clng(Trim(Request.Querystring(”tagid”)))
// Sebug.net [ 2008-05-11 ]

本安全信息由SEBUG翻译整理,版权所有,未经许可,不得转载

提交信息 | 本站声明 | 帮助 | 论坛 | 合作伙伴
Copyright © SEBUG Security Database 2006  All rights Reserved.
鄂ICP备05024839号