易达CMS (Yidacms) Enterprise Site Builder: 0day Vulnerability Warning

    IN-clause injection:

    Relevant code:
    ........................ (part omitted) ....................................
    ' id comes straight from the request; only single quotes are removed before
    ' the value is spliced, unquoted, into a numeric IN list
    id=request("id"):id1=Split(id,", "):delid=replace(request("id"),"'","")
    set rs = server.createobject("adodb.recordset")
    sql="DELETE from shuaiweb_buycart where id in ("&delid&")"
    rs.open sql,dbok,3,2
    rs.close
    This runs on the checkout page when the shopping cart is processed. Because the id list is numeric and concatenated without surrounding quotes, stripping single quotes gives no protection: the attacker never needs a quote to change the WHERE clause of the DELETE.
    Relevant page: buy_settlement.asp
    ......................................................................
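A runnable illustration of why the quote stripping in the cart-deletion code does not help, as an added example rather than code from the page or from Yidacms. Python with sqlite3 stands in for the ASP page and its database; the table columns, the rows and the payload are constructed for the demo. The hardened version accepts only plain integers for the IN list and binds them as parameters.

```python
import re
import sqlite3


# sqlite3 is used as a stand-in for the CMS database; the table and rows are
# constructed sample data, not taken from the product.
def make_cart_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE shuaiweb_buycart (id INTEGER PRIMARY KEY, user_email TEXT, product TEXT)"
    )
    conn.executemany(
        "INSERT INTO shuaiweb_buycart VALUES (?, ?, ?)",
        [
            (1, "alice@example.com", "widget"),
            (2, "alice@example.com", "gadget"),
            (3, "bob@example.com", "sprocket"),
        ],
    )
    return conn


def delete_cart_vulnerable(conn: sqlite3.Connection, id_param: str) -> int:
    """Mirror of buy_settlement.asp: drop single quotes, then concatenate.

    The IN list is numeric, so the value is never inside quotes and removing
    quotes changes nothing about what the attacker can do.
    """
    delid = id_param.replace("'", "")
    sql = "DELETE FROM shuaiweb_buycart WHERE id IN (" + delid + ")"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def is_valid_id_list(id_param: str) -> bool:
    """True only if every comma-separated item is a short decimal integer."""
    parts = [p.strip() for p in id_param.split(",")]
    return all(re.fullmatch(r"[0-9]{1,9}", p) for p in parts)


def delete_cart_safe(conn: sqlite3.Connection, id_param: str) -> int:
    """Hardened form: validate the list, then bind each id to a placeholder."""
    if not is_valid_id_list(id_param):
        raise ValueError("id list must contain only integers")
    ids = [int(p.strip()) for p in id_param.split(",")]
    placeholders = ",".join("?" * len(ids))
    sql = "DELETE FROM shuaiweb_buycart WHERE id IN (" + placeholders + ")"
    cur = conn.execute(sql, ids)
    conn.commit()
    return cur.rowcount


def rows_left(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM shuaiweb_buycart").fetchone()[0]


if __name__ == "__main__":
    # Constructed payload: keeps the parentheses balanced and needs no quote.
    payload = "1) OR (1=1"
    conn = make_cart_db()
    print("vulnerable:", delete_cart_vulnerable(conn, payload), "deleted,", rows_left(conn), "left")
    conn = make_cart_db()
    try:
        delete_cart_safe(conn, payload)
    except ValueError as err:
        print("safe: rejected,", err)
    print("safe:", delete_cart_safe(conn, "1, 2"), "deleted,", rows_left(conn), "left")
```

The same pattern carries over to classic ASP: validate each item with IsNumeric/CLng and run the DELETE through an ADODB.Command with parameters instead of string concatenation.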
    Search box code problem:
    Relevant code:
    function tSearch
    ' l selects the table and n is the search term, both taken from the request
    yidacms_l=request("l")
    yidacms_n=request("n")
    yidacms_y=request("yidacms_search")
    ........................ (part omitted) ....................................
    if yidacms_language = "zh" then
    set rs = server.createobject("adodb.recordset")
    ' yidacms_l is only compared against fixed strings, but yidacms_n is pasted
    ' unescaped into every LIKE pattern below
    if yidacms_l = "news" then
    sql="select * from [shuaiweb_news] where (shuaiweb_newstitle like '%"&yidacms_n&"%' or shuaiweb_newsContent like '%"&yidacms_n&"%') and yida_language = 'ch' order by id desc"
    elseif yidacms_l = "products" then
    sql="select * from [shuaiweb_products] where (shuaiweb_productsname like '%"&yidacms_n&"%' or shuaiweb_productscontent like '%"&yidacms_n&"%' or shuaiweb_productsbprice like '%"&yidacms_n&"%' or shuaiweb_productsmodel like '%"&yidacms_n&"%') and yida_language = 'ch' order by id desc"
    elseif yidacms_l = "photo" then
    sql="select * from [shuaiweb_photo] where (shuaiweb_photoname like '%"&yidacms_n&"%') and yida_language = 'ch' order by id desc"
    end if
    rs.open sql,dbok,1,1
    else
    set rs = server.createobject("adodb.recordset")
    if yidacms_l = "news" then
    sql="select * from [shuaiweb_news] where (shuaiweb_newstitle like '%"&yidacms_n&"%') or (shuaiweb_newsContent like '%"&yidacms_n&"%') order by id desc"
    elseif yidacms_l = "products" then
    sql="select * from [shuaiweb_products] where (shuaiweb_productsname like '%"&yidacms_n&"%') or (shuaiweb_productscontent like '%"&yidacms_n&"%') or (shuaiweb_productsbprice like '%"&yidacms_n&"%') or (shuaiweb_productsmodel like '%"&yidacms_n&"%') order by id desc"
    elseif yidacms_l = "photo" then
    sql="select * from [shuaiweb_photo] where shuaiweb_photoname like '%"&yidacms_n&"%' order by id desc"
    end if
    rs.open sql,dbok,1,1
    end if
    if rs.bof and rs.eof then
    tSearch = tSearch & "暂无记录!"&vbcrlf   ' "no records"
    Else
    tSearch = tSearch & ""&vbcrlf   ' (HTML markup stripped on the page)
    do while not rs.eof
    ' ... (loop body and the rest of the function are not shown on the page)
    The search term n is never escaped or parameterized, so every branch of this function is injectable through the LIKE patterns; the l parameter is compared only against fixed strings and is not the problem.
    Relevant page: search.asp
    -----------------------------------------------------------------------------------------------
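The news branch of tSearch, modelled in Python with sqlite3 next to a parameterized version, as an added example that is not code from the page or from Yidacms. The table, its rows and the payload are constructed for the demo. The hardened version goes one step beyond parameter binding: it also escapes the LIKE wildcards, on the assumption that a search term is meant to be matched literally, since a bound "%" would otherwise still match every row.

```python
import sqlite3


# Constructed sample rows; sqlite3 stands in for the CMS database.
def make_news_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE shuaiweb_news (id INTEGER PRIMARY KEY, shuaiweb_newstitle TEXT, "
        "shuaiweb_newsContent TEXT, yida_language TEXT)"
    )
    conn.executemany(
        "INSERT INTO shuaiweb_news VALUES (?, ?, ?, ?)",
        [
            (1, "Welcome", "first post", "ch"),
            (2, "Price list 100%", "all prices", "ch"),
            (3, "Internal memo", "not public", "en"),  # hidden by the language filter
        ],
    )
    return conn


def search_news_vulnerable(conn: sqlite3.Connection, n: str) -> list:
    """Mirror of the news branch of tSearch: n lands inside the LIKE strings."""
    sql = (
        "SELECT id FROM shuaiweb_news WHERE (shuaiweb_newstitle LIKE '%" + n + "%' "
        "OR shuaiweb_newsContent LIKE '%" + n + "%') AND yida_language = 'ch' "
        "ORDER BY id DESC"
    )
    return [row[0] for row in conn.execute(sql)]


def escape_like(term: str) -> str:
    """Binding the term stops SQL injection, but % and _ are still wildcards
    inside a bound LIKE pattern; escape them so the term is matched literally."""
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_news_safe(conn: sqlite3.Connection, n: str) -> list:
    """Hardened form: the pattern is a bound parameter with an ESCAPE clause."""
    pattern = "%" + escape_like(n) + "%"
    sql = (
        "SELECT id FROM shuaiweb_news WHERE (shuaiweb_newstitle LIKE ? ESCAPE '\\' "
        "OR shuaiweb_newsContent LIKE ? ESCAPE '\\') AND yida_language = 'ch' "
        "ORDER BY id DESC"
    )
    return [row[0] for row in conn.execute(sql, (pattern, pattern))]


if __name__ == "__main__":
    conn = make_news_db()
    # Constructed payload: closes the parenthesised group and ORs in a true
    # condition, so the language filter no longer applies and the 'en' row leaks.
    payload = "%') OR 1=1 OR ('"
    print("vulnerable:", search_news_vulnerable(conn, payload))
    print("safe:", search_news_safe(conn, payload))
    print("safe, literal percent:", search_news_safe(conn, "100%"))
```

Note that the payload contains no comment sequence, so it does not depend on the database dialect supporting one; it only needs the closing parenthesis to line up with the one the page's query opens.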
    Member registration logic error / permission bypass
    Relevant code:
    response.write ""   ' (HTML output stripped on the page)
    session("shuaiweb_useremail")=empty
    else
    response.write ""   ' (HTML output stripped on the page)
    end if
    else
    ' the order id is taken from the request with no check that the order
    ' belongs to the logged-in member, and it is concatenated into the DELETE
    ' without any filtering
    if(request("id") <> "") then id = request("id")
    set rs = server.createobject("adodb.recordset")
    user_id4 = request("id")   ' same issue: raw request value
    sql="DELETE * FROM shuaiweb_buy WHERE id= "&user_id4&""
    rs.open sql,dbok,3,2
    rs.update
    rs.close
    set rs=nothing
    response.write " "
    End If
    end if
    ----------------------------------------------------------------------------------------------------
    I didn't test this SQL injection, because my local install had no products so I couldn't place an order, and I didn't want the hassle, so I left it~! Exploiting this one is also a pain, so I'm not going to bother with it~!
    Both of the above problems are in the user.asp page~!
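The order-deletion fragment from user.asp has two separate defects, an unparameterized id and a missing ownership check, and the following added example (not code from the page or from Yidacms) models both in Python with sqlite3. The table, rows and session values are constructed; it assumes session("shuaiweb_useremail") holds the logged-in member's email address, as its use in the fragment suggests. The hardened version requires a login, accepts only an integer id, binds both values, and scopes the DELETE to the caller's own rows.

```python
import re
import sqlite3


# Constructed sample orders; sqlite3 stands in for the CMS database.
def make_order_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE shuaiweb_buy (id INTEGER PRIMARY KEY, user_email TEXT, total INTEGER)"
    )
    conn.executemany(
        "INSERT INTO shuaiweb_buy VALUES (?, ?, ?)",
        [
            (10, "alice@example.com", 50),
            (11, "bob@example.com", 75),
            (12, "bob@example.com", 20),
        ],
    )
    return conn


def delete_order_vulnerable(conn: sqlite3.Connection, id_param: str) -> int:
    """Mirror of the user.asp fragment: the id is concatenated as-is and the
    query never mentions who is logged in. (Access's DELETE * is DELETE here.)"""
    sql = "DELETE FROM shuaiweb_buy WHERE id= " + id_param
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def is_valid_order_id(id_param: str) -> bool:
    return re.fullmatch(r"[0-9]{1,9}", id_param) is not None


def delete_order_safe(conn: sqlite3.Connection, session_email, id_param: str) -> int:
    """Hardened form: login required, integer id only, both values bound, and
    the DELETE limited to rows owned by the session's member."""
    if not session_email:
        raise PermissionError("login required")
    if not is_valid_order_id(id_param):
        raise ValueError("id must be an integer")
    cur = conn.execute(
        "DELETE FROM shuaiweb_buy WHERE id = ? AND user_email = ?",
        (int(id_param), session_email),
    )
    conn.commit()
    return cur.rowcount  # 0 means not found or not yours; treat it as denied


def orders_left(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM shuaiweb_buy").fetchone()[0]


if __name__ == "__main__":
    alice = "alice@example.com"  # what session("shuaiweb_useremail") would hold
    conn = make_order_db()
    print("vulnerable, alice deletes bob's order 11:", delete_order_vulnerable(conn, "11"))
    print("vulnerable, injected id:", delete_order_vulnerable(conn, "10 OR 1=1"), "rows")
    conn = make_order_db()
    print("safe, alice on 11:", delete_order_safe(conn, alice, "11"))
    print("safe, alice on 10:", delete_order_safe(conn, alice, "10"))
```

The ownership condition belongs in the WHERE clause rather than in a separate SELECT-then-DELETE, so the check and the action cannot drift apart; in classic ASP the same query is an ADODB.Command with two parameters.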