W78CMS v2.7.6 search-type injection problem and repair solution

2011-03-17T00:00:00
ID MYHACK58:62201129747
Type myhack58
Reporter Anonymous
Modified 2011-03-17T00:00:00

Description

Brief description: W78CMS enterprise website management system v2.7.6 UTF-8 has a search-type injection problem.

Detailed description:

File so.asp, line 22:

<%
' Both values are read straight from the query string.
t=request.QueryString("t")
key=request.QueryString("key")
if t="" then
    Response.Write("<script>alert('please select to search the column!'); history.back();</script>")
    Response.End()
end if
if key="" then
    Response.Write("<script>alert('please input keywords!'); history.back();</script>")
    Response.End()
end if
set rs=server.createobject("adodb.recordset")
' key is concatenated into the SQL text without any filtering.
if t=1 then
    exec="select * from [news] where title like '%"&key&"%' order by id desc"
elseif t=2 then
    exec="select * from [Products] where title like '%"&key&"%' order by id desc"
else
    exec="select * from [download] where title like '%"&key&"%' order by id desc"
end if
if t=4 then
    exec="select * from [anli] where title like '%"&key&"%' order by id desc"
end if
rs.open exec,conn,1,1
if rs.eof then
    response.Write " no search to relevant content!"
else

Clearly, key is not filtered at all and goes directly into the database query, which leads to the injection problem.

Proof of vulnerability:

/so.asp?t=1&key=[sql]

Repair solutions:

The author includes the anti-injection files sql.asp and w78_sql.asp in many files, but in many places does not use the anti-injection functions they provide. In addition, the w78_sql.asp anti-injection file is missing filtering for data submitted via cookies.
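
An added example, not W78CMS's own code and not the include-based filter described above: the so.asp search rebuilt so that key is passed as a bound ADO parameter instead of being concatenated into the SQL text. It assumes conn is the open ADODB.Connection the original file uses; the 50-character keyword limit and the output loop are illustrative choices.

```asp
<%
' Added example: parameterized version of the so.asp search.
' Assumption: conn is the already-open ADODB.Connection used by the original page.
Const adVarWChar = 202    ' ADO DataTypeEnum
Const adParamInput = 1    ' ADO ParameterDirectionEnum
Const adCmdText = 1       ' ADO CommandTypeEnum

Dim t, key, tableName, cmd, rs
t = Trim(Request.QueryString("t"))
key = Trim(Request.QueryString("key"))

' Keyword length cap of 50 is an arbitrary choice for this example.
If t = "" Or key = "" Or Len(key) > 50 Then
    Response.Write "Invalid search request."
    Response.End
End If

' The table name is always one of four fixed literals, never user input.
' The mapping mirrors the original: 1, 2 and 4 are explicit, anything else is [download].
Select Case t
    Case "1": tableName = "[news]"
    Case "2": tableName = "[Products]"
    Case "4": tableName = "[anli]"
    Case Else: tableName = "[download]"
End Select

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "select * from " & tableName & " where title like ? order by id desc"

' key travels as data: quotes in it cannot end the string literal or add SQL.
' A % or _ typed by the user still acts as a LIKE wildcard, which only widens the match.
cmd.Parameters.Append cmd.CreateParameter("key", adVarWChar, adParamInput, Len(key) + 2, "%" & key & "%")

Set rs = cmd.Execute
If rs.EOF Then
    Response.Write "No matching content found."
Else
    Do Until rs.EOF
        ' Encode on output so stored titles cannot inject markup into the page.
        Response.Write Server.HTMLEncode(rs("title") & "") & "<br>"
        rs.MoveNext
    Loop
End If
rs.Close
%>
```

Because the binding applies to any value wherever it came from, the same pattern also covers cookie-supplied input that a request filter such as w78_sql.asp does not inspect.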