Author: LinkEr
Affected Versions: xunfeng video system
Http://www.gxwglm.com
Vulnerability Type: SQL Injection
Vulnerability Description: The xunfeng video system has multiple SQL injection vulnerabilities.
#1. Register injection:
wwwroot/reg/reg.asp

<% SzPath = "../../" %>
<!--#include file="../conn.asp"-->
<% ' conn.asp contains the anti-injection check, but it can be bypassed; see #2 %>
<!--#include file="md5.asp"-->
<%
if Request.Form("submit") <> "" then
    szUserName   = Request.Form("UserName")
    szPassWord   = Request.Form("UserPass")
    szEmail      = Request.Form("UserMail")
    szMemo       = Request.Form("UserMemo")
    iPayMode     = Request.Form("PayMode")
    szPBQuestion = Request.Form("PBQuestion")
    szPBAnswer   = Request.Form("PBAnswer")
    szGetCode    = Trim(Request.Form("codestr"))

    ' user name and e-mail go straight into the query string
    szSQL = "SELECT * FROM MOVIE_Users WHERE UserName='" & szUserName & "' OR UserEmail='" & szEmail & "'"
    set rsData_User = Server.CreateObject("ADODB.Recordset")
    rsData_User.Open szSQL, conn, 1, 3
    if not rsData_User.EOF then
        Response.Write "<script language=JScript>alert('Your registered user name or email address already exists!');history.back();</script>"
        Response.End
    else
        iAccount = 0
        if Session("Option_RegMode") = 1 then iAccount = 10
        If IsEmpty(Session("VerifyCode")) or szGetCode <> CStr(Session("VerifyCode")) Then
            Response.Write "<script language=JScript>alert('The verification code does not match!');document.URL=document.referrer;</script>"
            Response.End
        End If
        if Left(szUserName, 1) = "!" Then
            Response.Write "<script language=JScript>alert('Please do not use invalid characters to register a user!');history.back();</script>"
            Response.End
        end if
        ' every form field is concatenated into the INSERT without escaping
        szSQL = "insert into MOVIE_Users (UserName, UserPass, UserRegisterTime, MovieEdate, UserEmail, UserInfo, MovieUserType, UserSign, UserBio, UserAccountStatus) "
        szSQL = szSQL & "VALUES ('" & szUserName & "','" & MD5(szPassWord) & "','" & now & "','" & date + 30 & "','" & szEmail & "','" & szMemo & "','" & iPayMode & "','" & szPBQuestion & "','" & szPBAnswer & "',1)"
        conn.Execute szSQL
        Response.Write "<script language=JScript>alert('Congratulations " & szUserName & ", you have registered successfully!');window.navigate('../index.asp');</script>"
        Response.End
    end if
    rsData_User.Close
end if
%>

Every user-supplied form field (UserName, UserMail, UserMemo, PayMode, PBQuestion and PBAnswer, stored as UserName, UserEmail, UserInfo, MovieUserType, UserSign and UserBio) is concatenated into the SELECT and into the INSERT on MOVIE_Users without any escaping. The only checks are the test for a leading "!" in the user name and the keyword filter in the included conn.asp, which #2 shows can be bypassed. The password is MD5-hashed before use and the two dates are generated server-side, so those columns are not attacker-controlled.
wwwroot/conn.asp

<%
Response.AddHeader "Content-Type", "text/html; charset=GB2312"
Response.Buffer = True
Server.ScriptTimeOut = 9999999

' anti-injection
if nochecksqlin <> 1 then
    dim SQL_injdata, SQL_inj, SQL_Get
    SQL_injdata = "'|exec|delete|insert|update|select"
    SQL_inj = split(SQL_Injdata, "|")
    ' GET parameters
    If Request.QueryString <> "" Then
        For Each SQL_Get In Request.QueryString
            For SQL_Data = 0 To Ubound(SQL_inj)
                if instr(Request.QueryString(SQL_Get), SQL_Inj(SQL_DATA)) > 0 Then
                    Response.Write "<Script Language=javascript>alert('Please do not include invalid characters in the parameter to try to inject!');history.back(-1)</Script>"
                    Response.End
                end if
            next
        Next
    End If
    ' POST parameters
    If Request.Form <> "" Then
        For Each SQL_Post In Request.Form
            For SQL_Data = 0 To Ubound(SQL_inj)
                if instr(Request.Form(SQL_Post), SQL_Inj(SQL_DATA)) > 0 Then
                    Response.Write "<Script Language=javascript>alert('Please do not include invalid characters in the parameter to try to inject!');history.back(-1)</Script>"
                    Response.End
                end if
            next
        Next
    End If
end if
%>
#2.1 The check covers GET and POST, but not cookies (cookie injection)
In wwwroot/fzplayer.asp:

<!--#include file="conn.asp"-->
<%
Progid = Request("progid")
Set Rs = CreateObject("Adodb.RecordSet")
' progid is concatenated into a numeric comparison: no quote is needed to inject
Rs.Open "Select * From Movie_FileList Where FileListID=" & progid, Conn, 1, 1
Response.Write "<?xml version='1.0' encoding='GB2312'?><webplayer>" & _
    "<Param ServerMode='2'></Param>" & _
    "<Param UserName='unknow'></Param>" & _
    "<Param UserID='1'></Param>" & _
    "<Param PlayMode='1'></Param>" & _
    "<Param PlayModeValue='" & progid & "'></Param>" & _
    "<Param ChannelID='" & progid & "'></Param>" & _
    "<Param ServerHost='" & Rs("fileMd5") & "'></Param>" & _
    "<Param Session='1'></Param>" & _
    "<Param ProtocolType='1'></Param>" & _
    "<Param EmbedMode='1'></Param>" & _
    "<Param ProgName='1'></Param>" & _
    "<Param PlayInExe='1'></Param>" & _
    "</webplayer>"
Rs.Close
%>

Request("progid") names no collection, so ASP searches QueryString, Form, Cookies, ClientCertificate and ServerVariables in turn and returns the first match. conn.asp only scans Request.QueryString and Request.Form, so a progid supplied in a cookie (with the parameter absent from the URL and the body) reaches the query without passing through the keyword check. Because FileListID is compared as a number, the payload needs no single quote either.

#2.2 The keyword match is case-sensitive
SQL_injdata = "'|exec|delete|insert|update|select"
SQL_inj = split(SQL_Injdata, "|")

The list is short (the single quote plus five keywords), and InStr() uses a binary comparison by default, so the match is case-sensitive: "exec" is rejected, but "Exec", "EXEC" or "SELECT" passes. Any mixed-case keyword therefore bypasses the anti-injection check in GET and POST parameters as well.
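As an added example (not code from the xunfeng video system), the following Python re-creates the conn.asp keyword check, the collection fall-through of Request("progid"), and the fzplayer.asp query over an in-memory SQLite table that stands in for Movie_FileList (the rows are constructed for the demo; SQLite is only a stand-in for whatever database the real system uses, so only the string handling is being modelled). It shows a lowercase keyword being blocked in the URL, the same payload passing in upper case (#2.2) or in a cookie (#2.1), and a bound-parameter version of the query, which is the fix that applies equally to the concatenated INSERT in reg/reg.asp (#1).

```python
"""Model of the conn.asp keyword filter and the two bypasses reported in #2."""
import sqlite3

# Keyword list from conn.asp; the first entry is the single quote.
SQL_INJDATA = "'|exec|delete|insert|update|select"
SQL_INJ = SQL_INJDATA.split("|")


def conn_asp_filter(querystring, form):
    """Return True when conn.asp would block the request (Response.End).

    Mirrors the original loops: only Request.QueryString and Request.Form are
    scanned, and InStr() compares in binary mode, so the match is case-sensitive
    and 'Exec' or 'SELECT' is not found by 'exec' / 'select'.
    """
    for collection in (querystring, form):
        for value in collection.values():
            if any(keyword in value for keyword in SQL_INJ):
                return True
    return False


def hardened_filter(querystring, form, cookies):
    """Same blacklist with the two reported defects removed: cookies are scanned
    too and the comparison is case-insensitive (vbTextCompare in VBScript).
    A blacklist is still only a stop-gap; the real fix is fzplayer_fixed()."""
    for collection in (querystring, form, cookies):
        for value in collection.values():
            if any(keyword in value.lower() for keyword in SQL_INJ):
                return True
    return False


def asp_request(name, querystring, form, cookies):
    """Model of Request("name") with no collection given: ASP checks
    QueryString, then Form, then Cookies (then ClientCertificate and
    ServerVariables) and returns the first hit, so a cookie value is used
    whenever the parameter is missing from the URL and the body."""
    for collection in (querystring, form, cookies):
        if name in collection:
            return collection[name]
    return ""


def make_db():
    """Constructed stand-in for the Movie_FileList table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Movie_FileList (FileListID INTEGER, fileMd5 TEXT)")
    conn.executemany("INSERT INTO Movie_FileList VALUES (?, ?)",
                     [(1, "host-for-file-1"), (2, "host-for-file-2")])
    return conn


def fzplayer_vulnerable(conn, progid):
    """fzplayer.asp as published: progid concatenated into the WHERE clause."""
    sql = "SELECT FileListID, fileMd5 FROM Movie_FileList WHERE FileListID=" + progid
    return conn.execute(sql).fetchall()


def fzplayer_fixed(conn, progid):
    """Bound parameter plus integer coercion: raises ValueError for anything
    that is not an id, whichever collection it arrived in."""
    return conn.execute(
        "SELECT FileListID, fileMd5 FROM Movie_FileList WHERE FileListID=?",
        (int(progid),)).fetchall()


def serve(conn, querystring, form, cookies):
    """The conn.asp include followed by fzplayer.asp, as on the real page."""
    if conn_asp_filter(querystring, form):
        return "blocked"
    progid = asp_request("progid", querystring, form, cookies)
    return fzplayer_vulnerable(conn, progid)


if __name__ == "__main__":
    db = make_db()
    print(serve(db, {"progid": "1"}, {}, {}))
    # lowercase keyword in the URL is caught by conn.asp ...
    print(serve(db, {"progid": "1 union select 3,4"}, {}, {}))
    # ... the same payload in upper case is not (#2.2) ...
    print(serve(db, {"progid": "1 UNION SELECT 3,4"}, {}, {}))
    # ... and in a cookie it is never inspected at all (#2.1).
    print(serve(db, {}, {}, {"progid": "1 union select 3,4"}))
    # hardened blacklist catches both, the bound parameter rejects them outright
    print(hardened_filter({}, {}, {"progid": "1 union select 3,4"}))
    print(fzplayer_fixed(db, "1"))
```

The payloads deliberately contain no single quote: the numeric comparison in fzplayer.asp does not need one, which is why the `'` entry in the list gives no protection here. Note also that a plain `1 OR 1=1` contains none of the five keywords and passes the original filter in any case.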