8603 music management system v2009.1001 0day vulnerability warning - the black bar safety net

ID MYHACK58:62200925451
Type myhack58
Reporter Anonymous (佚名)
Modified 2009-11-30T00:00:00


8603 music management system v2009.1001: one-line script insertion into the database, and Cookies injection

First, the database is not protected in any way, so a one-line script (the "one-sentence" backdoor) can be inserted into it. Insert the classic one-liner, password a.

Google for: inurl:player.asp?classid. Open the page, click on the request to add a song, insert the one-liner in the song address field, submit, then connect to the database. Database address: /data/%23datalink.asa

Second, classid is open to Cookies injection:

    classid=request("classid")
    set rs1=server.createobject("adodb.recordset")
    rs1.open "select * from feilei where classid="&classid,conn,1,3
    classid=rs1("classid")

A few more words on the Cookies injection problem. Someone asked me why those few lines of code are open to Cookies injection. This actually comes from my article on cookie injection in the micro-Mar web site management system V1.51. I will go over it again briefly here. If there is an error, please feel free to correct me.

A variable can be fetched directly with request, and the lookup is ordered. For example, when you use a statement such as request("id") to obtain the id variable, ASP first looks for the variable in the Form data, then in the QueryString, then in the Cookie. If you specify request.cookies("id"), however, the value is taken only from the cookie, even if it is empty there. Similarly, request.form("id") takes the variable only from the form and ignores the rest of the submitted content. These three places are where submitted data usually arrives, and all of them are very easy to modify. player.asp reads the value with a bare request("classid") and does not specify the collection, so even with an anti-injection filter added, the filter can be bypassed by injecting through cookies. The fix is to name the request method explicitly: change request("classid") to request.queryString("classid").

Look at the anti-injection page. It has only two sections, commented '----- filter for GET query values and '----- filter for POST form values.

That is, it filters the request.QueryString and request.Form collections and does not filter request.Cookies, so Cookies injection is still possible.

Use an injection relay. Whatever is fastest.
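The patch described above, carried one step further, as an added example that is not the vendor's code or part of the original article: classid is read from one named collection only, checked to be digits, and bound as a parameter instead of being concatenated into the SQL. It assumes conn is the page's already-open ADODB.Connection and that classid is a numeric column, as the unquoted query implies; ReadClassId is a hypothetical helper name.

```asp
<%
' Added example: hardened classid lookup for a page like player.asp.
' Assumption: conn is the ADODB.Connection the page has already opened.
' Assumption: classid is numeric (the original query does not quote it).
Const adInteger = 3
Const adParamInput = 1
Const adCmdText = 1

' Hypothetical helper: returns a Long, or Null if the input is not valid.
Function ReadClassId()
    Dim raw, i, ch
    ReadClassId = Null
    ' Name the collection explicitly so a Cookie value can never stand in
    ' for the query-string parameter.
    raw = Trim(Request.QueryString("classid"))
    ' At most 9 digits, so CLng below cannot overflow.
    If Len(raw) = 0 Or Len(raw) > 9 Then Exit Function
    For i = 1 To Len(raw)
        ch = Mid(raw, i, 1)
        If ch < "0" Or ch > "9" Then Exit Function
    Next
    ReadClassId = CLng(raw)
End Function

Dim classid, cmd, rs1
classid = ReadClassId()
If IsNull(classid) Then
    Response.Status = "400 Bad Request"
    Response.End
End If

' Bind the value as a parameter; it is never spliced into the SQL text.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "select * from feilei where classid = ?"
cmd.Parameters.Append cmd.CreateParameter("classid", adInteger, adParamInput, , classid)
Set rs1 = cmd.Execute
If Not rs1.EOF Then classid = rs1("classid")
%>
```

With the value typed and bound, the lookup no longer depends on the anti-injection page covering every Request collection.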