Efang ("Easy Room") housing search system search-type injection exploit - vulnerability warning - Heiba Security Net (黑吧安全网)

ID MYHACK58:62201027179
Type myhack58
Reporter 佚名 (anonymous)
Modified 2010-06-12T00:00:00


This system is a housing sales and rental system.

Vulnerable files: search_sell.asp; search_hire.asp; search_buy.asp; conn.asp

Search keywords: inurl:efwmanager; inurl:search_hire.asp; (inurl:sub_hack.asp? this keyword matches rather too much)

Using Macromedia Dreamweaver to search the source for request( shows that there is no filtering at all, so serious vulnerabilities exist. There is also only an integer overflow, which has no practical value. After looking for a long time I found the file search_hire.asp, which contains the following code:

<!--#include file="efwmanager/include/config.asp"-->
<!--#include file="conn_view.asp"-->
<!--#include file="efwmanager/include/function.asp"-->
<%
dim search,search_qy,search_lx,search_hx,search_zj,search_mj_min,search_mj_max,search_jg_min,search_jg_max
search_qy=request("search_qy")
search_lx=request("search_lx")
search_hx=request("search_hx")
search_zj=request("search_zj")
search_mj_min=trim(request("search_mj_min"))
search_mj_max=trim(request("search_mj_max"))
search_jg_min=trim(request("search_jg_min"))
search_jg_max=trim(request("search_jg_max"))
search=""
' every request value is concatenated straight into the SQL fragment, unfiltered
if request("search_qy")<>"" then
    search=search & "and qy='" & request("search_qy") & "'"
end if
if request("search_lx")<>"" then
    search=search & " & wylx='" & request("search_lx") & "'"
end if
if request("search_hx")<>"" then
    search=search & " and hx='" & request("search_hx") & "'"
end if
if request("search_zj")<>"" then
    search=search & " and zj='" & request("search_zj") & "'"
end if
' (the excerpt quoted in the advisory ends here)

This is the search file. The header include files do no anti-injection either, and I will not go into that here. The vulnerability is obvious: none of the characters are filtered, which leads to both cross-site scripting and SQL injection. What we want is the account name and password, so next we build the injection address:
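For comparison, here is how the same query builder looks when the request values are bound as ADODB parameters instead of being concatenated into the SQL string. This is an added example written for this page, not the vendor's code. It assumes that conn_view.asp has already opened an ADODB.Connection named conn (as the original include chain suggests), that the listings table is called house, and that the numeric columns behind the mj/jg range parameters are named mj and jg; all three names are placeholders, since the advisory does not give them.

```asp
<%
' Added example (not the vendor's code): parameterized rewrite of the
' search_hire.asp query builder. Assumptions: the include conn_view.asp has
' opened an ADODB.Connection named conn; the table is "house" and the numeric
' columns are "mj" and "jg" (placeholder names, not taken from the advisory).
Const adVarChar = 200
Const adInteger = 3
Const adParamInput = 1
Const adCmdText = 1

Dim sql, cmd, rs, i, v
Dim paramTypes(7), paramSizes(7), paramVals(7), nParams
nParams = 0

' Every filter adds a fixed clause with a "?" placeholder; the user value only
' ever travels as a bound parameter, so quotes in it cannot change the SQL.
Sub AddFilter(clause, adType, size, value)
    sql = sql & " AND " & clause
    paramTypes(nParams) = adType
    paramSizes(nParams) = size
    paramVals(nParams) = value
    nParams = nParams + 1
End Sub

' Numeric range values are accepted only if they really are numbers.
Sub AddRange(paramName, clause)
    Dim n
    n = Trim(Request(paramName))
    If n <> "" Then
        If Not IsNumeric(n) Then
            Response.Write "Invalid search value."
            Response.End
        End If
        AddFilter clause, adInteger, 0, CLng(n)
    End If
End Sub

sql = "SELECT * FROM house WHERE 1=1"

' Text filters: the column names (qy, wylx, hx, zj) are fixed in code.
v = Trim(Request("search_qy"))
If v <> "" Then AddFilter "qy = ?", adVarChar, 255, Left(v, 255)
v = Trim(Request("search_lx"))
If v <> "" Then AddFilter "wylx = ?", adVarChar, 255, Left(v, 255)
v = Trim(Request("search_hx"))
If v <> "" Then AddFilter "hx = ?", adVarChar, 255, Left(v, 255)
v = Trim(Request("search_zj"))
If v <> "" Then AddFilter "zj = ?", adVarChar, 255, Left(v, 255)

' Numeric range filters (area mj, price jg).
AddRange "search_mj_min", "mj >= ?"
AddRange "search_mj_max", "mj <= ?"
AddRange "search_jg_min", "jg >= ?"
AddRange "search_jg_max", "jg <= ?"

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = sql
For i = 0 To nParams - 1
    cmd.Parameters.Append cmd.CreateParameter("p" & i, paramTypes(i), adParamInput, paramSizes(i), paramVals(i))
Next
Set rs = cmd.Execute

' HTMLEncode on output closes the cross-site scripting side of the same bug.
Do While Not rs.EOF
    Response.Write Server.HTMLEncode(rs("qy") & "") & "<br>"
    rs.MoveNext
Loop
rs.Close
Set rs = Nothing
Set cmd = Nothing
%>
```

The Jet OLE DB provider used with Access databases accepts the "?" positional placeholders shown here, so the change does not require a different database engine; the search semantics stay the same as the original file, only the way values reach the query changes.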

The search-type injection statement is not written out here; the address can be thrown straight into Pangolin 3.0 and run. The table is admin, with the fields username and userpassword, which yields the administrator account and password. The back end is at /efwmanager/index.asp. Getting a shell from the back end is very simple: since a file upload vulnerability exists, directly access efwmanager/admin/Upfile_Photo.asp and upload with the Mingxiaozi (明小子) tool.

This application has another vulnerable file, the database connection file conn.asp (the program contains two conn.asp files). The code of the connection file conn.asp lacks the line on error resume next, so there is a database exposure (暴库) flaw: convert the / in front of the second-level directory to %5C, or access the file directly, and the database path is exposed. Then paste the path into Thunder (迅雷) to download the database. The downloaded database contains the password, and the encryption is very simple: crack it with accesskey or similar tools.
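The database-exposure flaw above has two parts: the error message reveals where the .mdb file lives, and the file is inside the web root so it can then be fetched over HTTP. The connection file below is an added example written for this page, not the vendor's conn.asp; it assumes the Access file has been moved to a directory the web server does not serve (the path D:\efang_data\efang.mdb is a placeholder) and shows the error handling that keeps the path out of any response.

```asp
<%
' Added example (not the vendor's code): a conn.asp that neither reveals the
' database path in an error page nor keeps the .mdb where it can be downloaded.
' The absolute path below is a placeholder for a directory outside the web root.
On Error Resume Next

Dim conn, connStr
' An absolute Data Source is used instead of Server.MapPath on a relative path,
' so a manipulated request URL (the / to %5C trick) cannot change where the
' provider looks for the file, and the resulting error cannot leak the path.
connStr = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=D:\efang_data\efang.mdb"

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open connStr

If Err.Number <> 0 Then
    ' The provider's message contains the full file path; it stays server-side.
    ' A fixed, generic message goes to the client instead.
    Err.Clear
    Response.Clear
    Response.Write "The database is temporarily unavailable."
    Response.End
End If

' Restore normal error behaviour for the pages that include this file.
On Error GoTo 0
%>
```

Two deployment settings belong with this file: the database directory must not be mapped as a virtual directory or otherwise reachable by URL, and IIS should be configured not to send detailed ASP error messages to the browser, so that an unhandled error elsewhere in the application does not reintroduce the path disclosure that this file avoids.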

Other vulnerabilities have not been dug out yet. If anything here is wrong, please point it out. In addition, the vulnerable characters used by the other two files:

search_sell.asp file, vulnerable characters: ; search_buy.asp file, vulnerable characters:

A few more reference back-end paths: system/manage.asp, /system/index.asp, /efwmanager/index.asp. The sub_hack? keyword belongs to a nearly identical system found online; that file's filtering is also not strict and it has the same vulnerability. Not much more to say; exploitation is about the same: Pangolin and Mingxiaozi 4.2 will do.