新云 3.0.0.518 SQL注入

新云网站管理系统是一个采用ASP和MSSQL等其他多种数据库生成静态页面构建的高效网站解决方案。

先看const.asp的GetUserTodayInfo过程。

QUOTE:
Lastlogin = Request.Cookies("newasp_net")("LastTime")
UserDayInfo = Request.Cookies("newasp_net")("UserToday")
If DateDiff("d",LastLogin,Now())<>0 Then
………………
UserDayInfo = "0,0,0,0,0,0"
Response.Cookies("newasp_net")("UserToday") = UserDayInfo
end if
UserToday = Split(UserDayInfo, ",")
If Ubound(UserToday) <> 5 Then
………………
UserDayInfo = "0,0,0,0,0,0"
Response.Cookies("newasp_net")("UserToday") = UserDayInfo
end if

然后是

QUOTE:
Public Function updateUserToday(ByVal str)
On Error Resume Next
If Trim(str) <> "" Then
Newasp.Execute("update [NC_User] SET UserToday=‘" & str & "’ where username=‘"& Newasp.membername &"’ And userid=" & Newasp.memberid)
Response.Cookies("newasp_net")("UserToday") = str
End If
End Function

大家都能看出来。updateUserToday(ByVal str)str没有经过任何过滤就防进了数据库。

然后就是
articlepost.asp
message.asp
softpost.asp
upfile.asp
upload.asp
这几个文件对GetUserTodayInfo和updateUserToday过程没有验证的直接调用，导致了sql注入

Newasp ContentManageSystem Version 3.0.0.518
过滤UserDayInfo