### 0x01 Vulnerability summary

In the shop7z shopping-cart system, the `kindnum` parameter of Advsearchadmin.asp is not filtered, so there is a SQL injection vulnerability through `kindnum`. A remote attacker can use it to execute arbitrary SQL statements.

### 0x02 Vulnerability analysis

The code of Advsearchadmin.asp is as follows:

```
kindnum=trim(request("kindnum"))
pipai=trim(request("pipai"))
model=trim(request("model"))
productname=trim(request("productname"))
price11=trim(request("price11"))
price12=trim(request("price12"))
price21=trim(request("price21"))
price22=trim(request("price22"))
if price11="" then price11="0"
if price12="" then price12="9999999"
if price21="" then price21="0"
if price22="" then price22="9999999"
sqlcon=" where pkid>0 and updown='1' "
if kindnum<>"" then
    sqlcon = sqlcon &" and kind like '"&kindnum&"%' "   ' nothing is filtered
end if
if pipai<>"" then
    sqlcon = sqlcon &" and pipai like '%"&pipai&"%' "
end if
if model<>"" then
    sqlcon = sqlcon &" and model like '%"&model&"%' "
end if
if productname<>"" then
    sqlcon = sqlcon &" and productname like '%"&productname&"%' "
end if
sql="select pkid,model,productname,smallpicpath,price1,price"&session("customkind")&",kindname,pipai,addtime from view_product "&sqlcon&" order by pkid desc"
'response.write sql
```

As can be seen, the request parameters are concatenated straight into the SQL string without any filtering.

### 0x03 Proof of vulnerability



### 0x04 Fix

Filter the parameters.
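As an added example (not shop7z's own code), this is what the fix looks like in classic ASP: the same search rebuilt with ADODB.Command bind parameters so the request values never become part of the SQL text. It assumes an open ADODB.Connection named `conn`, the view and column names shown above, and an allow-list of `price1`..`price5` for `session("customkind")`, which the page does not specify.

```vbscript
' Added example, not shop7z code: Advsearchadmin.asp search with bind parameters.
' Assumes an open ADODB.Connection named conn (assumption) and the column names
' used by the original query. Parameter values carry the LIKE wildcards, so the
' SQL text itself is fixed and user input can never alter its structure.
Const adVarChar = 200, adParamInput = 1, adCmdText = 1

Dim cmd, rs, sql, sqlcon, priceCol, i
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText

' Append one "column like ?" clause and bind its value as an input parameter.
' The column name is a constant chosen by this code, never by the request.
Sub AddLike(col, value)
    sqlcon = sqlcon & " and " & col & " like ? "
    cmd.Parameters.Append cmd.CreateParameter(col, adVarChar, adParamInput, 255, value)
End Sub

sqlcon = " where pkid>0 and updown='1' "
If Trim(Request("kindnum")) <> "" Then AddLike "kind", Trim(Request("kindnum")) & "%"
If Trim(Request("pipai")) <> "" Then AddLike "pipai", "%" & Trim(Request("pipai")) & "%"
If Trim(Request("model")) <> "" Then AddLike "model", "%" & Trim(Request("model")) & "%"
If Trim(Request("productname")) <> "" Then AddLike "productname", "%" & Trim(Request("productname")) & "%"

' A column name cannot be a bind parameter, so the price column selected by
' session("customkind") is mapped through an allow-list (price1..price5 is an
' assumption) instead of being concatenated into the statement.
priceCol = "price1"
For i = 1 To 5
    If CStr(session("customkind")) = CStr(i) Then priceCol = "price" & i
Next

sql = "select pkid,model,productname,smallpicpath,price1," & priceCol & _
      ",kindname,pipai,addtime from view_product " & sqlcon & " order by pkid desc"
cmd.CommandText = sql
Set rs = cmd.Execute
```

The numeric price bounds (`price11`, `price12`, ...) should be bound the same way, with `CLng` validation before they are appended as parameters.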