Hearing the Wind video system: registration-page injection and a feeble anti-injection filter (vulnerability warning) - Black Bar Safety Net

ID: MYHACK58:62201128944
Type: myhack58
Reporter: Anonymous (佚名)
Modified: 2011-01-26T00:00:00


Publishing author: LinkEr

Affected versions: Hearing the Wind video system
Official website: http://www.gxwglm.com

Vulnerability type: SQL injection
Vulnerability description: the Hearing the Wind video system has several SQL injection vulnerabilities.

1. Registration-page injection:

wwwroot\reg\reg.asp (the included conn.asp can also be bypassed; see section 2):

```asp
<% szPath = "../../" %>
<!--#include file="../conn.asp"-->
<!--#include file="md5.asp"-->
<%
if Request.Form("submit") <> "" then
    szUserName   = Request.Form("UserName")
    szPassWord   = Request.Form("UserPass")
    szEmail      = Request.Form("UserMail")
    szMemo       = Request.Form("UserMemo")
    iPayMode     = Request.Form("PayMode")
    szPBQuestion = Request.Form("PBQuestion")
    szPBAnswer   = Request.Form("PBAnswer")
    szGetCode    = Trim(Request.Form("codestr"))

    ' user-name / e-mail duplicate check: form values spliced straight into the query
    szSQL = "SELECT * FROM MOVIE_Users WHERE UserName='" & szUserName & "' OR UserEmail='" & szEmail & "'"
    set rsData_User = Server.CreateObject("ADODB.Recordset")
    rsData_User.Open szSQL, conn, 1, 3
    if not rsData_User.EOF then
        Response.Write "<script language='JScript'>alert('your registered username or email address already exists!'); history.back();</script>"
        Response.End
    else
        iAccount = 0
        if Session("Option_RegMode") = 1 then iAccount = 10
        If IsEmpty(Session("VerifyCode")) Or szGetCode <> CStr(Session("VerifyCode")) Then
            Response.Write "<script language='JScript'>alert('verification code does not match up!'); document.URL=document.referrer;</script>"
            Response.End
        end if
        if Left(szUserName, 1) = "!" then
            Response.Write "<script language='JScript'>alert('please don't use illegal characters registered user!'); history.back();</script>"
            Response.End
        end if
        ' INSERT built by string concatenation; the only defence is the filter in conn.asp
        szSQL = "INSERT INTO MOVIE_Users(UserName,UserPass,UserRegisterTime,MovieEdate,UserEmail,UserInfo,MovieUserType,UserSign,UserBio,UserAccountStatus)"
        szSQL = szSQL & "VALUES('" & szUserName & "','" & MD5(szPassWord) & "','" & now & "','" & date+30 & "','" & szEmail & "','" & szMemo & "', " & iPayMode & ",'" & szPBQuestion & "','" & szPBAnswer & "',1)"
        conn.Execute szSQL
        Response.Write "<script language='JScript'>alert('congratulations -" & szUserName & " - you have registered successfully! ');window.navigate('../index.asp');</script>"
        Response.End
    end if
    rsData_User.Close
end if
%>
```

The values written to UserName, UserPass, UserRegisterTime, MovieEdate, UserEmail, UserInfo, MovieUserType, UserSign, UserBio, UserAccountStatus and so on all pass only through a very feeble anti-injection filter and are then inserted straight into MOVIE_Users. Everything therefore rests on the anti-injection code in wwwroot/Conn.asp:

```asp
<%
Response.AddHeader "Content-Type", "text/html; charset=GB2312"
Response.Buffer = True
Server.ScriptTimeOut = 9999999
' anti-injection
if nochecksqlin <> 1 then
    dim sql_injdata, SQL_inj, SQL_Get
    SQL_injdata = "'|exec |delete |insert | update |select "
    SQL_inj = split(SQL_Injdata, "|")
    ' GET parameters
    If Request.QueryString <> "" Then
        For Each SQL_Get In Request.QueryString
            For SQL_Data = 0 To Ubound(SQL_inj)
                if instr(Request.QueryString(SQL_Get), Sql_Inj(Sql_DATA)) > 0 Then
                    Response.Write "<Script Language=javascript>alert('please do not in the parameters contain illegal characters try to inject it!'); history.back(-1)</Script>"
                    Response.end
                end if
            next
        Next
    End If
    ' POST parameters
    If Request.Form <> "" Then
        For Each Sql_Post In Request.Form
            For SQL_Data = 0 To Ubound(SQL_inj)
                if instr(Request.Form(Sql_Post), Sql_Inj(Sql_DATA)) > 0 Then
                    Response.Write "<Script Language=javascript>alert('please do not in the parameters contain illegal characters try to inject it!'); history.back(-1)</Script>"
                    Response.end
                end if
            next
        next
    end if
end if
%>
```
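The fix for section 1 is to stop splicing form values into SQL text at all, at which point the blacklist in conn.asp is no longer what stands between the request and the database. The following is an added example, not code from the Hearing the Wind system: it rewrites the two database operations of reg.asp as parameterised ADODB.Command calls. It assumes the `conn` object from conn.asp, the `MD5()` function from md5.asp and the form field names of the original file; the column widths (50, 32, 100, 255) are assumptions, not values taken from the project's schema. Only the two database operations are shown; the original's verification-code and "!" checks would stay in place around them.

```asp
<%
' Added hardening example (not the project's code). Assumes `conn` from
' conn.asp, MD5() from md5.asp and the form field names used by reg.asp.
' ADO constants, spelled out because adovbs.inc is not included here.
Const adCmdText = 1, adParamInput = 1, adVarChar = 200, adInteger = 3, adDate = 7

szUserName   = Trim(CStr(Request.Form("UserName")))
szPassWord   = CStr(Request.Form("UserPass"))
szEmail      = Trim(CStr(Request.Form("UserMail")))
szMemo       = CStr(Request.Form("UserMemo"))
szPBQuestion = CStr(Request.Form("PBQuestion"))
szPBAnswer   = CStr(Request.Form("PBAnswer"))

' Numeric fields become typed values before use; anything that does not
' convert is rejected instead of being appended to SQL text.
If Not IsNumeric(Request.Form("PayMode")) Then
    Response.Write "invalid PayMode"
    Response.End
End If
iPayMode = CLng(Request.Form("PayMode"))

' Duplicate check with bound parameters: user name and e-mail reach the
' driver as data, so quotes or keywords inside them cannot alter the query.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT UserName FROM MOVIE_Users WHERE UserName = ? OR UserEmail = ?"
cmd.Parameters.Append cmd.CreateParameter("UserName",  adVarChar, adParamInput, 50,  szUserName)   ' 50: assumed column width
cmd.Parameters.Append cmd.CreateParameter("UserEmail", adVarChar, adParamInput, 100, szEmail)      ' 100: assumed column width
Set rs = cmd.Execute
If Not rs.EOF Then
    rs.Close
    Response.Write "user name or e-mail address already exists"
    Response.End
End If
rs.Close

' INSERT with the same pattern: every value is a bound parameter, and the
' two date columns and the two integer columns are sent with their own types.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "INSERT INTO MOVIE_Users(UserName,UserPass,UserRegisterTime,MovieEdate,UserEmail,UserInfo,MovieUserType,UserSign,UserBio,UserAccountStatus) VALUES(?,?,?,?,?,?,?,?,?,?)"
cmd.Parameters.Append cmd.CreateParameter("UserName",  adVarChar, adParamInput, 50,  szUserName)
' MD5 is kept only because md5.asp is what the project ships; a salted, slow password hash is the right choice.
cmd.Parameters.Append cmd.CreateParameter("UserPass",  adVarChar, adParamInput, 32,  MD5(szPassWord))
cmd.Parameters.Append cmd.CreateParameter("RegTime",   adDate,    adParamInput, 0,   Now)
cmd.Parameters.Append cmd.CreateParameter("Edate",     adDate,    adParamInput, 0,   Date + 30)
cmd.Parameters.Append cmd.CreateParameter("UserEmail", adVarChar, adParamInput, 100, szEmail)
cmd.Parameters.Append cmd.CreateParameter("UserInfo",  adVarChar, adParamInput, 255, szMemo)
cmd.Parameters.Append cmd.CreateParameter("UserType",  adInteger, adParamInput, 0,   iPayMode)
cmd.Parameters.Append cmd.CreateParameter("UserSign",  adVarChar, adParamInput, 255, szPBQuestion)
cmd.Parameters.Append cmd.CreateParameter("UserBio",   adVarChar, adParamInput, 255, szPBAnswer)
cmd.Parameters.Append cmd.CreateParameter("Status",    adInteger, adParamInput, 0,   1)
cmd.Execute
%>
```

With the parameters bound, the keyword list in conn.asp is irrelevant to these two statements: a user name containing a quote or the word select is stored as that string, and a PayMode that is not a number is refused before any SQL is built.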

2.1 The filter covers GET and POST but not cookies (cookie injection)

For example, in wwwroot/FZPLAYER.ASP:

```asp
<!--#include file="conn.asp"-->
<%
' Request("progid") with no collection name searches QueryString, Form and
' then Cookies; conn.asp only inspects the first two.
Progid = Request("progid")
Set Rs = CreateObject("Adodb.RecordSet")
Rs.Open "Select * From Movie_FileList Where FileListID=" & progid, Conn, 1, 1
Response.Write "<?xml version='1.0' encoding='GB2312' ?><webplayer><Param ServerMode='2'></Param><Param UserName='unknow'></Param><Param UserID='1'></Param><Param PlayMode='1'></Param><Param PlayModeValue='" & progid & "'></Param><Param ChannelID='" & progid & "'></Param><Param ServerHost='" & Rs("FileMd5") & "'></Param><Param Session='1'></Param><Param ProtocolType='1'></Param><Param EmbedMode='1'></Param><Param ProgName='1'></Param><Param PlayInExe='1'></Param></webplayer>"
Rs.Close
%>
```

Because Request("progid") is read without naming a collection, a value supplied in a cookie is accepted exactly like one from the query string, and conn.asp never looks at cookies.

2.2 The keyword match is case-sensitive

```asp
SQL_injdata = "'|exec |delete |insert | update |select "
SQL_inj = split(SQL_Injdata, "|")
```

Having only a few keywords in the list is one thing; the main problem, which the authors evidently did not notice, is letter case. InStr with no compare argument performs a binary (case-sensitive) comparison, so a keyword written as Exec does not match "exec " and walks straight past the anti-injection check, and injection proceeds unhindered.
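Both findings in section 2 go away once progid is taken from a named collection and handled as a number rather than as text to be pattern-matched. The following is an added example, not code from the Hearing the Wind system: a rewrite of FZPLAYER.ASP that reads progid from Request.QueryString only (so cookies are never consulted), accepts it only if it is a plain integer, and binds it as an integer parameter, which makes the case of any keyword irrelevant. `ParseId` is a hypothetical helper name; the query selects only FileMd5 because that is the one column the output uses; it assumes the `Conn` object from conn.asp as in the original.

```asp
<!--#include file="conn.asp"-->
<%
' Added hardening example (not the project's code). Assumes `Conn` from
' conn.asp and the Movie_FileList table named in the original file.
Const adCmdText = 1, adParamInput = 1, adInteger = 3

' Hypothetical helper: returns the id as a Long, or -1 when the raw value is
' anything other than a short run of digits. No keyword list is involved, so
' upper-, lower- or mixed-case input is treated identically.
Function ParseId(raw)
    Dim s, re
    s = "" & raw
    Set re = New RegExp
    re.Pattern = "^[0-9]{1,9}$"
    If re.Test(s) Then
        ParseId = CLng(s)
    Else
        ParseId = -1
    End If
End Function

' Request.QueryString, not Request(): the bare form would also search Form and Cookies.
progid = ParseId(Request.QueryString("progid"))
If progid < 1 Then
    Response.Status = "400 Bad Request"
    Response.End
End If

' Integer parameter bound through ADODB.Command; the value never becomes SQL text.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = Conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT FileMd5 FROM Movie_FileList WHERE FileListID = ?"
cmd.Parameters.Append cmd.CreateParameter("FileListID", adInteger, adParamInput, 0, progid)
Set Rs = cmd.Execute
If Rs.EOF Then
    Rs.Close
    Response.Status = "404 Not Found"
    Response.End
End If
' Encode the database value before placing it inside an XML attribute.
serverHost = Server.HTMLEncode("" & Rs("FileMd5").Value)
Rs.Close

Response.Write "<?xml version='1.0' encoding='GB2312' ?>" & _
    "<webplayer><Param ServerMode='2'></Param><Param UserName='unknow'></Param>" & _
    "<Param UserID='1'></Param><Param PlayMode='1'></Param>" & _
    "<Param PlayModeValue='" & progid & "'></Param><Param ChannelID='" & progid & "'></Param>" & _
    "<Param ServerHost='" & serverHost & "'></Param><Param Session='1'></Param>" & _
    "<Param ProtocolType='1'></Param><Param EmbedMode='1'></Param><Param ProgName='1'></Param>" & _
    "<Param PlayInExe='1'></Param></webplayer>"
%>
```

The two changes are independent: naming the collection closes the cookie path from 2.1, and the digits-only check plus the integer parameter remove any dependence on the case-sensitive keyword list from 2.2. A request whose progid is not a plain number now gets a 400 instead of reaching the database.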