Source:
www.securiteam.com
Summary
MetaCart e-Shop is a "shopping cart application for small businesses and support MSSQL, MS Access and MySQL". The MetaCart e-Shop product has been found to contain multiple vulnerabilities ranging from cross site scripting to SQL injection attacks.
Credit:
The information has been provided by dedi dwianto.
The original article can be found at:
http://echo.or.id/adv/adv13-theday-2005.txt
Details
Cross-Site Scripting (XSS)
By issuing a URL such as the following:
http://[url]/mcartlite/productsByCategory.asp?intCatalogID=1&strCatalog_NAME=<script>alert('test')</script>
An attacker can cause the remote host to include arbitrary HTML and/or JavaScript.
Vulnerable code in productsByCategory.asp:
strCatalog_name = Request.QueryString("strCatalog_NAME")
...
...
strParam = Response.Write (rsCatalog("catalogID")) &strCatalog_NAME=Response.Write (Server.URLEncode(rsCatalog("catalogName"))) &rsCatalog("catalogName")
SQL Injection
By issuing any of the following URLs:
http://[url]/mcartlite/productsByCategory.asp?strSubCatalogID=2' (SQL injection)
http://[url]/mcartlite/product.asp?intProdID=1' (SQL injection)
An attacker can inject arbitrary SQL into the SQL statements the product already executes.
Vulnerable code in productsByCategory.asp:
intCatalogID = Request.QueryString("intCatalogID")
...
...
' Build SQL String using the parameters
strSQL = "SELECT productID,productName,productPrice FROM products WHERE catalogID = '"&strParam&"'"
Vulnerable code in product.asp:
intProdID = Request.QueryString("intProdID")
...
...
Set rsProdInfo = Conn.Execute("SELECT * FROM " & _
"products where productID="&intProdID)
if rsProdInfo.EOF then
Response.Write "Product Number " & intProdID & _
" does not exist."
Solution:
For productsByCategory.asp do the following:
* Find:
intCatalogID = Request.QueryString("intCatalogID")
After it add:
intCatalogID = Replace(intCatalogID,"'","")
* Find:
strCatalog_name = Request.QueryString("strCatalog_NAME")
After it add:
strCatalog_name = Replace(strCatalog_NAME,"<","")
For product.asp do the following:
* Find:
intProdID = Request.QueryString("intProdID")
After it add:
intProdID = Replace(intProdID,"'","")
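The workaround above removes one character from each parameter. Note that product.asp concatenates intProdID into the query without surrounding quotes, and the category name is written into the page, so stripping a single quote or a single "<" narrows the problem rather than closing it. The following is an added example, not MetaCart's code and not part of the original advisory, showing how the same two handlers can be hardened in classic ASP: the numeric IDs are validated as integers and bound as parameters through an ADODB.Command, and the displayed category name is passed through Server.HTMLEncode. The names Conn, rsProdInfo, intProdID, intCatalogID and strCatalog_name and the column names come from the advisory; the helper functions ToInteger and QueryByInteger, the variable rsProducts and the surrounding page structure are assumptions for illustration.

```vbscript
<%
' Added example (not MetaCart's own code): hardened versions of the two
' handlers described in the advisory. Conn is assumed to be an open
' ADODB.Connection created elsewhere on the page.
Option Explicit

' ADO constants (normally supplied by adovbs.inc or the ADODB type library)
Const adCmdText = 1
Const adInteger = 3
Const adParamInput = 1

' Return the value as a Long only if the whole string is a short run of
' digits; otherwise return Empty. Anything that is not a plain integer is
' rejected before it gets near a query, so nothing needs to be "stripped".
Function ToInteger(value)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[0-9]{1,9}$"
    ToInteger = Empty
    If re.Test(value) Then ToInteger = CLng(value)
End Function

' Run a SELECT with one bound integer parameter instead of string
' concatenation. The "?" placeholder is filled in by the provider, so the
' value can never change the shape of the statement.
Function QueryByInteger(Conn, sql, id)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = Conn
    cmd.CommandType = adCmdText
    cmd.CommandText = sql
    cmd.Parameters.Append cmd.CreateParameter("@id", adInteger, adParamInput, 4, id)
    Set QueryByInteger = cmd.Execute
End Function

' --- product.asp ---
Dim intProdID, rsProdInfo
intProdID = ToInteger(Request.QueryString("intProdID"))
If IsEmpty(intProdID) Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid product number."
    Response.End
End If
Set rsProdInfo = QueryByInteger(Conn, _
    "SELECT * FROM products WHERE productID = ?", intProdID)
If rsProdInfo.EOF Then
    ' intProdID is a Long here, but every value echoed to the page is
    ' encoded so that the rule is the same everywhere.
    Response.Write "Product Number " & Server.HTMLEncode(CStr(intProdID)) & _
        " does not exist."
End If

' --- productsByCategory.asp ---
Dim intCatalogID, strCatalog_name, rsProducts
intCatalogID = ToInteger(Request.QueryString("intCatalogID"))
If IsEmpty(intCatalogID) Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid catalog number."
    Response.End
End If
Set rsProducts = QueryByInteger(Conn, _
    "SELECT productID,productName,productPrice FROM products WHERE catalogID = ?", _
    intCatalogID)

' The category name is only ever displayed, so it needs output encoding
' rather than removal of one character: Server.HTMLEncode turns <, >, &
' and " into entities, so the advisory's <script> sample renders as text.
strCatalog_name = Request.QueryString("strCatalog_NAME")
Response.Write "<h2>" & Server.HTMLEncode(strCatalog_name) & "</h2>"
%>
```

The parameter placeholder syntax ("?") is handled by the ADO provider, so this works unchanged against the MSSQL, Access and MySQL back ends the product supports. Validating the IDs as integers before binding also gives a clean 400 response for the "1'" requests in the advisory instead of a database error page, which is the kind of response a web server log review can spot.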