Riusksks blog
Previously, an SQL injection vulnerability in A Better Member-Based ASP Photo Gallery was published on milw0rm (http://www.milw0rm.org/exploits/8012), and the vendor subsequently patched it. If you now open the following address:
Http://www.ontarioabandonedplaces.com/ipguardian/gallery/view.asp? Entry =-1 + union + select + 0, title, 2, creator, longpolling, 5, pics + from + photos
the site responds with the following message:
You poor shithead, SQL injection is for kids.
The relevant part of the patched code is shown below:
    ' This is used to delete images
    If Request.Form("btnDelete") = DeleteButtonLabel Then
        val = Request.Form("fval")
    Else
        val = Request.QueryString("Entry")
        val = Replace(val, "+", "")    ' strip "+"
        val = Replace(val, "-", "")    ' strip "-"
        val = Left(val, 4)             ' keep only the first four characters
    End If
    ' Above gets either location id from what's passed in query string or
    ' from delete form below
    Set objConn = Server.CreateObject("ADODB.Connection")
    objConn.Provider = "Microsoft.Jet.OLEDB.4.0"
    objConn.ConnectionString = "Data Source=" & Server.MapPath("Databasephotodb.mdb")
    objConn.Open
    strSQL = "SELECT * FROM photos where id=" & val   ' val is concatenated straight into the SQL statement
    Set objRS = objConn.Execute(strSQL)               ' execute the SQL

Replace(val, "+", "") replaces "+" with an empty string. In practice this filter achieves little, because other characters can stand in for a space; the comment token /**/ is a very common substitute. Replace(val, "-", "") does the same for "-". Left(val, 4) keeps only the first four characters of val, and this is the measure that really bites: it caps the length of any injected statement. After this filtering, val is still appended to the SQL string and the resulting query is executed as-is.
In fact, the SQL injection vulnerability still exists; the patch only makes it harder to exploit by limiting the injected statement to four characters. Feel free to discuss how to get around this limit!
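The root cause the patch leaves in place is that the id is still concatenated into the SQL text, so stripping a few characters and truncating only narrows the attacker's options rather than removing them. The fix a defender wants is the opposite approach: accept only what an id can legitimately be (a plain integer) and hand it to the database as a typed parameter, so the query shape can no longer be influenced by the request. The following classic ASP page is an added example written for this post; it is not the gallery's own code or the patch. It assumes the same photos table with an integer id column, the same DeleteButtonLabel / fval / Entry inputs as the original, and uses a placeholder for the database path.

```vbscript
<%
Option Explicit

' ADODB constants (normally pulled in from adovbs.inc)
Const adCmdText = 1
Const adInteger = 3
Const adParamInput = 1

' Allow-list check: True only for a plain decimal integer of 1 to 9 digits.
' IsNumeric() is deliberately avoided because it also accepts forms such as
' "1e3", "&HFF" and "1,000", which is more than an id should ever be.
Function IsPlainInteger(s)
    Dim re
    Set re = New RegExp
    re.Pattern = "^\d{1,9}$"
    IsPlainInteger = re.Test(s)
End Function

Dim val, objConn, cmd, objRS

' Same input sources as the original page
If Request.Form("btnDelete") = DeleteButtonLabel Then
    val = Request.Form("fval")
Else
    val = Request.QueryString("Entry")
End If

' Reject anything that is not an integer id before touching the database
If Not IsPlainInteger(val) Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid photo id."
    Response.End
End If

Set objConn = Server.CreateObject("ADODB.Connection")
objConn.Provider = "Microsoft.Jet.OLEDB.4.0"
' PLACEHOLDER: replace with the real path to the gallery database
objConn.ConnectionString = "Data Source=" & Server.MapPath("PLACEHOLDER_DB_PATH.mdb")
objConn.Open

' The id is bound as a typed parameter; it never becomes part of the SQL text,
' so no character filtering or truncation is needed (or relied upon).
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = objConn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT * FROM photos WHERE id = ?"
cmd.Parameters.Append cmd.CreateParameter("id", adInteger, adParamInput, , CLng(val))
Set objRS = cmd.Execute
%>
```

Two points about the design: the regular expression bounds both the character set and the length, which makes the Left(val, 4) truncation unnecessary while still allowing ids with more than four digits, and the "?" placeholder with cmd.CreateParameter is the Jet/ADO way of parameterising a query, so the same pattern applies to the delete path as well as the view path.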