Analysis of the Lnxdwj enterprise total Station v2010 vulnerabilities - vulnerability warning - the black bar safety net

2010-02-03T00:00:00
ID MYHACK58:62201026128
Type myhack58
Reporter Anonymous
Modified 2010-02-03T00:00:00

Description

Author: knowledge seekers. I have been learning scripting for a while now, and, hey, nobody taught me! I can only rely on my own understanding, so progress is a bit slow.

Many hacker friends' blogs and magazines carry script analysis articles, and I understand a little code myself, so my hands were itching.

So I went straight to Baidu, searched for site source code, found Lnxdwj enterprise total Station v2010 on adrevmedia.cn, and slowly went through it!

Since I have no experience, I started with a black-box test! Opened locally it looks like Figure 1, and that look is quite pleasing.

[Figure 1]

Without further ado, this program turns out to have many vulnerabilities:

  1. search.asp search injection vulnerability
  2. saveadd.asp guestbook cross-site vulnerability; a one-line Trojan can be inserted
  3. sort.asp injection vulnerability
  4. There should be many more that I have not found yet

------------------------------------------------------------------------------------

The following is the code in the search.asp file where the injection occurs

----------------

word=trim(request("word")) 'only the spaces on either side are trimmed before the value goes into the database query
sql="select * from news where" 'there is also cross-site scripting here
sql=sql&" title&content like '%"&word&"%' order by id desc" 'the user value is spliced straight into the SQL text

------------------------------------------------------------------------------------------------

Below is part of the code of the guestbook file saveadd.asp

--------------------

set rs=server.createobject("adodb.recordset")
sql="select * from book"
rs.open sql,conn,1,3
rs.addnew
if request("bookname")="" then 'only checks that the name is not empty
    response.write "<script language='javascript'>" & chr(13)
    response.write "alert('username can not be empty!');" & Chr(13)
    response.write "javascript:onclick=history.go(-1)" & Chr(13)
    response.write "</script>" & Chr(13)
    response.end
end if
if request("bookphone")="" then 'only checks that the phone number is not empty
    response.write "<script language='javascript'>" & chr(13)
    response.write "alert('phone number can not be empty!');" & Chr(13)
    response.write "javascript:onclick=history.go(-1)" & Chr(13)
    response.write "</script>" & Chr(13)
    response.end
end if
if request("bookemail")="" then 'only checks that the email is not empty
    response.write "<script language='javascript'>" & chr(13)
    response.write "alert('Email address can not be empty!');" & Chr(13)
    response.write "javascript:onclick=history.go(-1)" & Chr(13)
    response.write "</script>" & Chr(13)
    response.end
end if
if request("bookmesage")="" then 'only checks that the message is not empty
    response.write "<script language='javascript'>" & chr(13)
    response.write "alert('message content can not be empty!');" & Chr(13)
    response.write "javascript:onclick=history.go(-1)" & Chr(13)
    response.write "</script>" & Chr(13)
    response.end
end if
bookname=request.form("bookname")
rs("bookname")=bookname 'stored as-is, no HTML or ASP tag filtering at all
bookphone=request.form("bookphone")
if not isnumeric(bookphone) then 'checks whether bookphone is numeric
    response.write "<script language='javascript'>" & chr(13)
    response.write "alert('phone number must be numbers!');" & Chr(13)
    response.write "javascript:onclick=history.go(-1)" & Chr(13)
    response.write "</script>" & Chr(13)
    response.end
end if
rs("bookphone")=bookphone
bookemail=request.form("bookemail")
if Instr(bookemail,"@")=0 or Instr(bookemail,".")=0 then
    response.write "<script language='javascript'>" & chr(13)
    response.write "alert('Email address incorrect!');" & Chr(13)
    response.write "javascript:onclick=history.go(-1)" & Chr(13)
    response.write "</script>" & Chr(13)
    response.end
end if
rs("bookemail")=bookemail
bookmesage=request.form("bookmesage")
if len(bookmesage)>255 then 'message content is limited to 255 characters
    response.write "<script language='javascript'>" & chr(13)
    response.write "alert('message content is too long! Please make a long story short');" & Chr(13)
    response.write "javascript:onclick=history.go(-1)" & Chr(13)
    response.write "</script>" & Chr(13)
    response.end
end if
bookmesage=replace(bookmesage,vbcrlf,"<br>")
rs("bookmesage")=bookmesage 'stored as-is, no HTML or ASP tag filtering at all
rs.update
response.write "<script language='javascript'>" & chr(13)
response.write "alert('added comment successfully!');" & Chr(13)
response.write "window.document.location.href='book.asp';" & Chr(13)
response.write "</script>" & Chr(13)

Entering <%execute request("value")%> in the name or content field inserts a one-line Trojan into the database.

And its default database path is data/#lnxdwj.asp

As shown in Figure 2.
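As an added example (not the program's own code), this is how the guestbook fields should be stored and rendered: saveadd.asp keeps the raw text and the listing page encodes it on output. It assumes the page's conn object and book table (columns bookname and bookmesage) and a listing page such as book.asp; the other fields and their checks are unchanged.

```vbscript
<%
' Added example, not the original program's code: saveadd.asp stores the raw
' text and book.asp encodes it on output. Assumes the page's conn object and
' book table (columns bookname, bookmesage); the other fields are unchanged.
Dim rs, bookname, bookmesage
bookname   = Trim(Request.Form("bookname"))
bookmesage = Trim(Request.Form("bookmesage"))

' Keep the length checks, but store exactly what the user typed: no <br>
' rewriting before storage, so the stored value is plain text, not HTML.
If Len(bookname) = 0 Or Len(bookmesage) = 0 Or Len(bookmesage) > 255 Then
    Response.Status = "400 Bad Request"
    Response.End
End If
Set rs = Server.CreateObject("ADODB.Recordset")
rs.Open "select * from book", conn, 1, 3
rs.AddNew
rs("bookname")   = bookname
rs("bookmesage") = bookmesage
rs.Update
rs.Close

' Every stored field is HTML-encoded before it reaches the browser, and line
' breaks become <br> only on the encoded text. A stored execute request("value")
' payload or <script> tag is shown literally instead of being interpreted.
Function SafeHtml(text)
    SafeHtml = Replace(Server.HTMLEncode(text & ""), vbCrLf, "<br>")
End Function

' Listing loop for book.asp (read-only cursor).
rs.Open "select bookname, bookmesage from book", conn, 1, 1
Do Until rs.EOF
    Response.Write "<b>" & SafeHtml(rs("bookname")) & "</b>: " _
        & SafeHtml(rs("bookmesage")) & "<br>" & vbCrLf
    rs.MoveNext
Loop
rs.Close
%>
```

Output encoding stops the stored script from rendering in the browser but does not change what sits in the database file, so the .asp-named database also has to be moved outside the web root or otherwise made unreachable by URL.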

-------------------------------------------------------------------------------------------------

The following is part of the code of the sort.asp file

------------

dy=request("bigclassid") 'read the bigclassid value into dy
if dy<>"" then 'only checks that dy is not empty before putting it into the database query
    Set rs=Server.CreateObject("ADODB.RecordSet")
    sqlid="select * from bigclass where bigclassid="&dy 'numeric id spliced into the SQL without any check
    rs.Open sqlid,conn,1,3
    bt=rs("bigclassname")
end if

----------------------------------------
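The two injection points above, search.asp and sort.asp, rewritten so the request values are bound as parameters instead of being spliced into the SQL text. This is an added example, not the program's code; it assumes the page's open conn connection object and its news and bigclass tables, and the search matches either column rather than the concatenated title&content of the original.

```vbscript
<%
' Added example, not the original program's code: search.asp and sort.asp
' with ADODB.Command parameters. Assumes the page's open "conn" object.
Const adInteger = 3, adVarChar = 200, adParamInput = 1, adCmdText = 1
Dim cmd, rs, word, dy, re, bt

' search.asp: the original built "... like '%" & word & "%' ..." by hand.
' Here the pattern is bound as data, so a quote or "or 1=1" inside word is
' just part of the text being searched for.
word = Trim(Request("word"))
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "select * from news where title like ? or content like ? order by id desc"
cmd.Parameters.Append cmd.CreateParameter("t", adVarChar, adParamInput, 255, "%" & word & "%")
cmd.Parameters.Append cmd.CreateParameter("c", adVarChar, adParamInput, 255, "%" & word & "%")
Set rs = cmd.Execute

' sort.asp: bigclassid is a key, so reject anything that is not a short
' integer before binding it; IsNumeric alone would still accept "1e3" or "&H10".
dy = Request("bigclassid")
Set re = New RegExp
re.Pattern = "^\d{1,9}$"
If Not re.Test(dy) Then
    Response.Status = "400 Bad Request"
    Response.End
End If
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "select bigclassname from bigclass where bigclassid=?"
cmd.Parameters.Append cmd.CreateParameter("id", adInteger, adParamInput, , CLng(dy))
Set rs = cmd.Execute
If Not rs.EOF Then bt = rs("bigclassname")
%>
```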

This is the first time I have written an article like this; please forgive anything that is not well written.

If my analysis is wrong anywhere, kindly correct me, because I am still a rookie.