This article can be discussed with the author here: http://bbs.2cto.com/read.php?tid=91636
Code by: Link
Web site: www.link0day.cn
Source: Red Black Alliance www.2cto.com
Please credit the source when reprinting. Thank you.
This source code has been sitting on my machine for a long time. I took a look at it today, and sure enough it has the legendary "vulnerability".
I. Cookie Injection
As usual, I opened index.asp first and saw that conn.asp is included as the database connection and anti-injection file. conn.asp:
<%
SQL_ = "|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
SQL_inj = Split(SQL_, "|")
' Only the QueryString collection is inspected here
If Request.QueryString <> "" Then
    For Each SQL_Get In Request.QueryString
        For SQL_Data = 0 To UBound(SQL_inj)
            If InStr(Request.QueryString(SQL_Get), SQL_inj(SQL_Data)) > 0 Then
                Response.Write "please do not try to use the injection program! ^_^"
                Response.End
            End If
        Next
    Next
End If
' ... and only the Form collection here; Request.Cookies is never checked
If Request.Form <> "" Then
    For Each SQL_Post In Request.Form
        For SQL_Data = 0 To UBound(SQL_inj)
            If InStr(Request.Form(SQL_Post), SQL_inj(SQL_Data)) > 0 Then
                Response.Write "please do not try to use the injection program! ^_^"
                Response.End
            End If
        Next
    Next
End If
%>
<%
On Error Resume Next
ServerMapPath = Server.MapPath("/serverinfo.txt")
Set fso = CreateObject("Scripting.FileSystemObject")
Set txt = fso.OpenTextFile(ServerMapPath, 1)
DBstr = "" & txt.ReadLine & ""   ' database file path, read from serverinfo.txt
txt.Close
Set fso = Nothing
Dbname = "" & DBstr & ""
Cn = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath(Dbname)
%>
So the database connection and the anti-injection check both live in this file.
(The filtered words are listed above; I tested it myself.)
Look closer: the administrator carefully filtered out a number of keywords.
But is all of GPC filtered? (GPC is XX in the PHP world: G is GET, P is POST, C is cookies.)
It looks thorough, but read it carefully and you will find that only the GET and POST data are filtered.
So if another file reads a parameter with a bare Request(...) that names no collection, the value can be supplied through a cookie, and this filter never sees it.
And indeed there are many such places; the most obvious is pay/index.asp.
Do with that what you will...
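To make the point above concrete, here is an added example (not code from the original post, and not part of the program it describes) that models the conn.asp keyword filter next to Classic ASP's bare Request(name) lookup, which searches QueryString, Form, Cookies, ClientCertificate and ServerVariables in that order. The requests and the orders table are constructed for illustration, sqlite3 stands in for the Jet database, and the page names (vulnerable_lookup, hardened_lookup) are hypothetical. The hardened variant reads the field from the one collection the page expects and binds it as a query parameter, so the value never becomes SQL text and the blacklist is no longer the control the page relies on.

```python
"""Model of the conn.asp keyword filter together with Classic ASP's bare
Request(name) lookup, to show why a filter that only walks QueryString and
Form never sees a value that arrives in a cookie, and what the fix looks like.
Added example, not code from the original post; the requests and the table
below are constructed for illustration, with sqlite3 standing in for Jet."""
import sqlite3

# Keyword list as printed in conn.asp. Split("|") on that string yields an
# empty first element; it is dropped here so the model does not reject every
# non-empty value (VBScript InStr(s, "") returns 1 for a non-empty s).
BLACKLIST = [w for w in
             "|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
             .split("|") if w]

# A request is modelled as {collection_name: {field: value}}.
def conn_asp_filter(request):
    """Mirror of conn.asp: inspect only the QueryString and Form collections
    (InStr's default comparison is case-sensitive, as in the original)."""
    for collection in ("QueryString", "Form"):
        for value in request.get(collection, {}).values():
            if any(word in value for word in BLACKLIST):
                return False          # conn.asp does Response.End here
    return True

def bare_request(request, name):
    """Request(name) with no collection named: IIS searches QueryString, Form,
    Cookies, ClientCertificate and ServerVariables in that order and returns
    the first match."""
    for collection in ("QueryString", "Form", "Cookies",
                       "ClientCertificate", "ServerVariables"):
        if name in request.get(collection, {}):
            return request[collection][name]
    return ""

def make_db():
    """Constructed stand-in for the shop's orders table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER, product TEXT)")
    db.executemany("INSERT INTO orders VALUES (?, ?)", [(1, "pen"), (2, "book")])
    return db

def vulnerable_lookup(db, request):
    """Models a page such as pay/index.asp that runs conn.asp and then
    concatenates a bare Request("id") into its SQL (hypothetical page logic)."""
    if not conn_asp_filter(request):
        return "blocked"
    order_id = bare_request(request, "id")
    return db.execute("SELECT product FROM orders WHERE id = " + order_id).fetchall()

def hardened_lookup(db, request):
    """Fix: read the field from the one collection the page expects, validate
    its type, and bind it as a parameter so it is never spliced into SQL text."""
    order_id = request.get("QueryString", {}).get("id", "")
    if not order_id.isdigit():
        return "rejected"
    return db.execute("SELECT product FROM orders WHERE id = ?",
                      (int(order_id),)).fetchall()

# Constructed requests: the same condition sent in the query string and in a cookie.
NORMAL = {"QueryString": {"id": "2"}}
IN_QUERY = {"QueryString": {"id": "2 and 1=0"}}
IN_COOKIE = {"Cookies": {"id": "2 and 1=0"}}

if __name__ == "__main__":
    db = make_db()
    print(vulnerable_lookup(db, NORMAL))     # [('book',)]
    print(vulnerable_lookup(db, IN_QUERY))   # blocked: conn.asp saw "and"
    print(vulnerable_lookup(db, IN_COOKIE))  # []: the cookie text ran as SQL
    print(hardened_lookup(db, IN_COOKIE))    # rejected: cookies are not consulted
    print(hardened_lookup(db, NORMAL))       # [('book',)]
```

The empty result for the cookie request is the tell: a plain lookup of id 2 returns "book", so the appended condition was evaluated by the database, which means the text reached the SQL engine without passing through the filter. The hardened lookup rejects the same request simply because it never consults the cookie collection for that field, and the parameter binding covers the case where a keyword blacklist would be incomplete anyway.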
I did not look through the whole program closely; presumably the programmer overlooked other things as well, and there is more to be found.
Besides, a lot of sites are running this program.
To get a shell, scan for the file with a scanner ("excavator"): serverinfo.txt records the database path (I really don't know what the administrator was thinking...), so some lazily configured sites can be intruded into this way.
It is generally written like this:
/Chinammc_data/chinammc_shop.mdb
End of article.