Code by Link
Blog: www.link0day.cn
If reposting, please credit the source.
Official description of this system:
Nest Network music sharing V2.5
Version 2.5 update:
1. Added the lyrics synchronization function;
2. Fixed the player's incompatibility with other browsers;
3. Fixed errors caused by modifying the database connection;
4. Homepage interface beautification;
It is a simple music sharing program modelled on a music website and is suitable for personal sites.
The code is simple and suitable for beginners; the interface is simple and attractive.
Main functions:
Add music and comments, rank by play count, and display the lyrics synchronously.
The back end can modify and review submitted songs and manage comments.
The functionality is sparse, so there is little to no way to get a shell ~
However, if we come across a large site with a sub-site running this program, we can try this vulnerability to crack the password and then social-engineer the administrator ~ Let's look at the code.
Many files include conn.asp. Let's see what it contains:
<%
On Error Resume Next
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Driver={Microsoft Access Driver (*.mdb)};DBQ=" & Server.MapPath("data/#data.mdb")
%>
<%
' ASP universal anti-injection code
Page_Path = LCase(CStr(Request.ServerVariables("PATH_INFO")))
If InStr(Page_Path, "adminzrb") = 0 Then
    Dim GetFlag    Rem submission method
    Dim ErrorSql   Rem invalid characters
    Dim RequestKey Rem submitted data
    Dim ForI       Rem loop index
    ' Blacklist of forbidden substrings; note that "union" and "order by" are absent
    ErrorSql = "'~;~and~(~)~exec~update~count~*~%~chr~mid~master~truncate~char~declare"
    ErrorSql = Split(ErrorSql, "~")
    If Request.ServerVariables("REQUEST_METHOD") = "GET" Then
        GetFlag = True
    Else
        GetFlag = False
    End If
    If GetFlag Then
        ' GET: check every query-string parameter against the blacklist
        For Each RequestKey In Request.QueryString
            For ForI = 0 To UBound(ErrorSql)
                If InStr(LCase(Request.QueryString(RequestKey)), ErrorSql(ForI)) <> 0 Then
                    Response.Write "<script>alert(""Warning: Do not use sensitive characters"");location.href=""index.asp"";</script>"
                    Response.End
                End If
            Next
        Next
    Else
        ' POST: check every form field against the blacklist (cookies are never checked)
        For Each RequestKey In Request.Form
            For ForI = 0 To UBound(ErrorSql)
                If InStr(LCase(Request.Form(RequestKey)), ErrorSql(ForI)) <> 0 Then
                    Response.Write "<script>alert(""Warning: Do not use sensitive characters"");location.href=""index.asp"";</script>"
                    Response.End
                End If
            Next
        Next
    End If
End If
%>
This anti-injection file filters POST and GET but does not filter cookies; we will leave cookie injection aside for now. (In practice this file makes exploitation harder, because several keywords are filtered, for example %.)
Let's not go into that first.. Have you noticed that our lovely union is not in it ~? Hey, that shows union queries are still possible ~
Have you noticed that order by is not in the blacklist either? Hey, YD again ~~
The rest of the work is finding the variable ~ Searching turns up several ~
play.asp:
<%@ Language="vbscript" Codepage="65001" %>
<%
Response.Charset = "UTF-8"
' Wowo wangju music sharing: Jiang Lei  QQ: 1020097575  http://www.wowo520.cn
%>
<% Session.CodePage = 65001 %>
<!--#include file="conn.asp"-->
<%
' The id parameter is concatenated straight into the SQL string: this is the injection point
id = Request.QueryString("id")
playsql = "select * from list where id=" & id & ""
Set playrs = Server.CreateObject("ADODB.Recordset")
playrs.Open playsql, conn, 1, 3
playrs("hit") = playrs("hit") + 1
playrs.Update
%>
<%
pid1 = playrs("id")
Function Getpre
    SQL = "select top 1 * from list where id>" & pid1 & " and yn=y order by id asc"
    Set fr = conn.Execute(SQL)
    If fr.EOF Or playrs.BOF Then
        Response.Write("no")
    Else
        pid2 = fr("id")
        t1 = fr("title")
        Response.Write("<a href=play.asp?id=" & pid2 & " title=previous: " & t1 & ">" & CutString(fr("title"), 26, "") & "</a>")
    End If
End Function
Function Getnext
    SQL = "select top 1 * from list where id<" & pid1 & " and yn=y order by id desc"
    Set fr = conn.Execute(SQL)
    If fr.EOF Then
        Response.Write("no")
    Else
        pid3 = fr("id")
        t2 = fr("title")
        Response.Write("<a href=play.asp?id=" & pid3 & " title=Next: " & t2 & ">" & CutString(fr("title"), 20, "") & "</a>")
    End If
End Function
%>
<%
hitsql = "select * from list where (yn=y) order by hit desc"
Set hitrs = Server.CreateObject("ADODB.Recordset")
hitrs.Open hitsql, conn, 1, 1
hitrs.PageSize = 15
%>
<%
' Truncates a string to A_intLen display columns, counting double-byte characters as two
Function CutString(ByVal A_strString, ByVal A_intLen, ByVal A_strAddString)
    Dim MM_objRe, MM_objMs, MM_objMh
    Dim MM_strCut, MM_intLen
    Set MM_objRe = New RegExp
    MM_objRe.Global = True            ' global search
    MM_objRe.IgnoreCase = True        ' case insensitive
    MM_objRe.Pattern = "[^\x00-\xff]" ' matches non-single-byte characters
    MM_intLen = A_intLen
    If Len(A_strString) <= A_intLen Then
        MM_strCut = A_strString
    Else
        MM_strCut = Left(A_strString, MM_intLen)
        Set MM_objMs = MM_objRe.Execute(MM_strCut)
        If MM_objMs.Count <> MM_intLen Then
            For Each MM_objMh In MM_objMs
                If MM_objMh.FirstIndex < MM_intLen Then
                    MM_intLen = MM_intLen - 1
                Else
                    Exit For
                End If
            Next
        Else
            MM_intLen = MM_intLen / 2
        End If
        MM_strCut = Left(A_strString, MM_intLen) & A_strAddString
    End If
    CutString = MM_strCut
    Set MM_objRe = Nothing
End Function
%>
<%
id2 = playrs("id")
tsql = "select top 1 * from list where id<" & id2 & " and yn=y order by id desc"
Set trs = Server.CreateObject("ADODB.Recordset")
trs.Open tsql, conn, 1, 1
trsid = trs("id")
%>
<%
commentid = playrs("id")
csql = "select * from comment where playid=" & commentid & " order by ctime asc"
Set commrs = Server.CreateObject("ADODB.Recordset")
commrs.Open csql, conn, 1, 1
%>
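As an added example (not the program's own code), this is a hardened replacement for the id handling in play.asp above: the parameter is validated against an allowlist and then passed as a typed ADO parameter, so the page no longer relies on the keyword blacklist in conn.asp. It assumes conn.asp has already opened the connection as `conn` and that `list` has integer `id` and `hit` columns.

```vbscript
<%
' Hardened id handling for play.asp (added example; assumes "conn" is open and
' that "list" has integer columns "id" and "hit", as in the original listing).
Const adInteger = 3
Const adParamInput = 1
Const adCmdText = 1

' 1. Allowlist validation: accept only a plain 1-9 digit number.
'    Quotes, spaces, "union", "order by" and everything else are rejected here,
'    before any SQL text is built, independent of conn.asp's blacklist.
Function SafeId(rawValue)
    Dim re
    Set re = New RegExp
    re.Pattern = "^\d{1,9}$"
    If re.Test(rawValue & "") Then
        SafeId = CLng(rawValue)
    Else
        SafeId = -1
    End If
End Function

Dim id, cmd, playrs
id = SafeId(Request.QueryString("id"))
If id < 0 Then
    Response.Write "invalid id"
    Response.End
End If

' 2. Parameterised SELECT: the id travels as a typed parameter, never as SQL text.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "select * from list where id = ?"
cmd.Parameters.Append cmd.CreateParameter("id", adInteger, adParamInput, , id)
Set playrs = cmd.Execute
If playrs.EOF Then
    Response.Write "no such song"
    Response.End
End If

' 3. The hit counter becomes a second parameterised statement instead of an
'    updatable recordset opened on the concatenated query.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "update list set hit = hit + 1 where id = ?"
cmd.Parameters.Append cmd.CreateParameter("id", adInteger, adParamInput, , id)
cmd.Execute
%>
```

The later Getpre/Getnext/comment queries on the page build SQL from playrs("id") the same way and would be converted with the same Command pattern.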
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="zh-CN" lang="zh-CN">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta http-equiv="Content-Language" content="zh-CN" />
<meta name="keywords" content="share music, nest, interesting website, interesting webpage, and nest network together" />
<meta name="description" content="wowo5w.cn interesting blogs interesting and creative content!" />
<link rel="stylesheet" rev="stylesheet" href="sinid.css" type="text/css" media="screen" />
<meta http-equiv="REFRESH" content="300; URL=<% If trsid <> "" Then Response.Write("play.asp?id=" & trsid) Else Response.Write("index.asp") End If %>">
<title><%= playrs("title") %> -- play music - nest network aggregation</title>
<style type="text/css">
.wpflickr_container {
    width: 400px;
    margin: 0 auto;
    text-align: center;
}
.wpflickr_title {
    text-align: left;
    font-weight: bold;
    font-family: Tahoma, Arial, sans-serif;
    font-size: 11px;
    line-height: 1.0em;
}
.wpflickr_footer {
    text-align: right;
    font-face: Tahoma, Arial, sans-serif;
    font-size: 11px;
    line-height: 1.0em;
}
.wpflickr_footer {
    text-decoration: none;
}
.STYLE1 {font-family: ""}
.STYLE3 {
    font-family: Verdana, Arial, Helvetica, sans-serif;
    font-size: 16px;
    font-weight: bold;
}
.STYLE8 {font-family: ""; color: #265E15;}
.STYLE9 {
    color: #FF0000;
    font-weight: bold;
}
.wpflickr_footer1 {text-align: right;
    font-face: Tahoma, Arial, sans-serif;
    font-size: 11px;
    line-height: 1.0em;
}
.wpflickr_footer2 {text-align: right;
    font-face: Tahoma, Arial, sans-serif;
    font-size: 11px;
    line-height: 1.0em;
}
.STYLE10 {color: #CCCCCC}
</style>
<style type="text/css">
#lrcollbox td {
    font-weight: bold; font-size: 9pt; font-family: ""
}
#lrcollbox font {
    font-weight: bold; font-size: 9pt; font-family: ""
}
#lrcoll td