xunfeng film and television system: registration SQL injection, a near-useless anti-injection filter, and its repair

Author: LinkEr

Affected Versions: xunfeng video system
Http://www.gxwglm.com

Vulnerability Type: SQL Injection
Vulnerability Description: The xunfeng video system has multiple SQL injection vulnerabilities.


#1. Register injection:

wwwroot\reg\reg.asp

```asp
<% szPath = "../../" %>
<!-- #Include file="../conn.asp" -->   <!-- conn.asp contains the anti-injection filter, which can be bypassed; see #2 -->
<!-- #Include file="md5.asp" -->
<%
if Request.Form("submit") <> "" then
    szUserName   = Request.Form("UserName")
    szPassWord   = Request.Form("UserPass")
    szEmail      = Request.Form("UserMail")
    szMemo       = Request.Form("UserMemo")
    iPayMode     = Request.Form("PayMode")
    szPBQuestion = Request.Form("PBQuestion")
    szPBAnswer   = Request.Form("PBAnswer")
    szGetCode    = Trim(Request.Form("codestr"))

    ' user input concatenated straight into the query
    szSQL = "SELECT * FROM MOVIE_Users WHERE UserName='" & szUserName & "' OR UserEmail='" & szEmail & "'"
    set rsData_User = Server.CreateObject("ADODB.Recordset")
    rsData_User.Open szSQL, conn, 1, 3
    if not rsData_User.EOF then
        Response.Write "<script language=JScript>alert('your registered user name or email address already exists!');history.back();</script>"
        Response.End
    else
        iAccount = 0
        if Session("Option_RegMode") = 1 then iAccount = 10
        If IsEmpty(Session("VerifyCode")) or szGetCode <> CStr(Session("VerifyCode")) Then
            Response.Write "<script language=JScript>alert('the verification code does not match!');document.URL=document.referrer;</script>"
            Response.End
        End If
        ' the only "character" check: the user name may not start with "!"
        if Left(szUserName, 1) = "!" Then
            Response.Write "<script language=JScript>alert('please do not use invalid characters to register a user!');history.back();</script>"
            Response.End
        end if
        szSQL = "insert into MOVIE_Users (UserName, UserPass, UserRegisterTime, MovieEdate, UserEmail, UserInfo, MovieUserType, UserSign, UserBio, UserAccountStatus)"
        szSQL = szSQL & " VALUES ('" & szUserName & "','" & MD5(szPassWord) & "','" & now & "','" & date + 30 & "','" & szEmail & "','" & szMemo & "','" & iPayMode & "','" & szPBQuestion & "','" & szPBAnswer & "',1)"
        conn.Execute szSQL
        Response.Write "<script language=JScript>alert('congratulations-" & szUserName & "-you have registered successfully!');window.navigate('../index.asp');</script>"
        Response.End
    end if
    rsData_User.Close
end if
%>
```

The values behind UserName, UserPass, UserRegisterTime, MovieEdate, UserEmail, UserInfo, MovieUserType, UserSign, UserBio and UserAccountStatus are concatenated into the INSERT into MOVIE_Users without any anti-injection filtering; only the leading "!" check above is applied to the user name.

wwwroot/conn.asp

```asp
<%
Response.AddHeader "Content-Type", "text/html; charset=GB2312"
Response.Buffer = True
Server.ScriptTimeOut = 9999999

' anti-injection
if nochecksqlin <> 1 then
    dim SQL_injdata, SQL_inj, SQL_Get
    SQL_injdata = "'|exec|delete|insert|update|select"
    SQL_inj = split(SQL_Injdata, "|")
    ' only the query string ...
    If Request.QueryString <> "" Then
        For Each SQL_Get In Request.QueryString
            For SQL_Data = 0 To Ubound(SQL_inj)
                if instr(Request.QueryString(SQL_Get), SQL_Inj(SQL_DATA)) > 0 Then
                    Response.Write "<Script Language=javascript>alert('please do not include invalid characters in the parameter to try to inject!');history.back(-1)</Script>"
                    Response.End
                end if
            next
        Next
    End If
    ' ... and the form body are inspected; cookies are not
    If Request.Form <> "" Then
        For Each SQL_Post In Request.Form
            For SQL_Data = 0 To Ubound(SQL_inj)
                if instr(Request.Form(SQL_Post), SQL_Inj(SQL_DATA)) > 0 Then
                    Response.Write "<Script Language=javascript>alert('please do not include invalid characters in the parameter to try to inject!');history.back(-1)</Script>"
                    Response.End
                end if
            next
        next
    end if
end if
%>
```
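A repaired version of the registration lookup and insert from reg.asp, added here as an example rather than taken from the xunfeng code: ADODB.Command parameters replace the string concatenation, so the form values never become part of the SQL text. It assumes an open ADODB.Connection named conn, the MOVIE_Users columns shown above, the system's MD5() from md5.asp, and column sizes and types chosen for illustration.

```vbscript
<%
' Added example, not xunfeng code. Assumes conn (open ADODB.Connection),
' MD5() from md5.asp; column sizes/types are illustrative assumptions.
Const adVarChar = 200, adDate = 7, adInteger = 3, adParamInput = 1, adExecuteNoRecords = 128

' Build a command bound to the open connection.
Function NewCommand(sqlText)
    Dim c
    Set c = Server.CreateObject("ADODB.Command")
    Set c.ActiveConnection = conn
    c.CommandText = sqlText
    Set NewCommand = c
End Function

' Bind one input parameter; the provider handles quoting and typing.
Sub AddParam(cmd, name, dataType, size, value)
    cmd.Parameters.Append cmd.CreateParameter(name, dataType, adParamInput, size, value)
End Sub

' True if the user name or e-mail is already registered.
Function UserExists(szUserName, szEmail)
    Dim cmd, rs
    Set cmd = NewCommand("SELECT 1 FROM MOVIE_Users WHERE UserName = ? OR UserEmail = ?")
    AddParam cmd, "UserName", adVarChar, 50, szUserName
    AddParam cmd, "UserEmail", adVarChar, 100, szEmail
    Set rs = cmd.Execute
    UserExists = Not rs.EOF
    rs.Close
End Function

' Insert the new account; every column value travels as a parameter.
Sub RegisterUser(szUserName, szPassWord, szEmail, szMemo, iPayMode, szPBQuestion, szPBAnswer)
    Dim cmd
    Set cmd = NewCommand("INSERT INTO MOVIE_Users (UserName, UserPass, UserRegisterTime, MovieEdate, " & _
        "UserEmail, UserInfo, MovieUserType, UserSign, UserBio, UserAccountStatus) " & _
        "VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, 1)")
    AddParam cmd, "UserName", adVarChar, 50, szUserName
    AddParam cmd, "UserPass", adVarChar, 32, MD5(szPassWord)   ' hashing scheme kept as in the original
    AddParam cmd, "UserRegisterTime", adDate, 0, Now
    AddParam cmd, "MovieEdate", adDate, 0, Date + 30
    AddParam cmd, "UserEmail", adVarChar, 100, szEmail
    AddParam cmd, "UserInfo", adVarChar, 255, szMemo
    AddParam cmd, "MovieUserType", adInteger, 0, CLng(iPayMode)   ' non-numeric PayMode raises an error instead of reaching SQL
    AddParam cmd, "UserSign", adVarChar, 255, szPBQuestion
    AddParam cmd, "UserBio", adVarChar, 255, szPBAnswer
    cmd.Execute , , adExecuteNoRecords
End Sub
%>
```

In reg.asp the two concatenated szSQL statements are then replaced by `If UserExists(szUserName, szEmail) Then ... Else RegisterUser ...`, and the keyword filter in conn.asp is no longer what stands between the form and the database.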
#2.1 The filter checks GET and POST but not cookies (cookie injection)

In wwwroot/FZPLAYER.ASP:

```asp
<!-- #Include file="conn.asp" -->
<%
' Request("progid") is searched in QueryString, Form, Cookies, ClientCertificate
' and ServerVariables in turn; conn.asp only inspected the first two
Progid = Request("progid")
Set Rs = CreateObject("Adodb.RecordSet")
Rs.Open "Select * From Movie_FileList Where FileListID=" & progid, Conn, 1, 1
Response.Write "<?xml version='1.0' encoding='GB2312'?><webplayer>" & _
    "<Param ServerMode='2'></Param><Param UserName='unknow'></Param><Param UserID='1'></Param>" & _
    "<Param PlayMode='1'></Param><Param PlayModeValue='" & progid & "'></Param>" & _
    "<Param ChannelID='" & progid & "'></Param><Param ServerHost='" & Rs("fileMd5") & "'></Param>" & _
    "<Param Session='1'></Param><Param ProtocolType='1'></Param><Param EmbedMode='1'></Param>" & _
    "<Param ProgName='1'></Param><Param PlayInExe='1'></Param></webplayer>"
Rs.Close
%>
```

Because the page reads progid with Request("progid") rather than Request.QueryString("progid"), the same value delivered in a cookie is picked up by ASP but never seen by the conn.asp filter, which loops over Request.QueryString and Request.Form only; progid is then concatenated unquoted into the FileListID comparison.

#2.2 Keyword filtering is case-sensitive

```asp
SQL_injdata = "'|exec|delete|insert|update|select"
SQL_inj = split(SQL_Injdata, "|")
```

Beyond filtering only a handful of keywords, the main problem is that the comparison is case-sensitive: InStr defaults to a binary compare, so a keyword in a different case, such as Exec, passes the anti-injection check.
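Two repairs for the #2 findings, added as an example rather than taken from the system: FZPLAYER.ASP reads progid from the query string alone and requires an integer, and, where the conn.asp keyword list is kept as defence in depth, it compares case-insensitively and scans Request.Cookies as well. The function and procedure names are mine.

```vbscript
<%
' Added example, not xunfeng code. Names (SafeProgId, RejectIfMatches,
' CheckSqlIn) are mine.

' (a) FZPLAYER.ASP: take progid from the query string only, so cookies are
'     never consulted, and accept nothing but a whole number. A CLng value
'     concatenated into "Where FileListID=" cannot carry SQL.
Function SafeProgId()
    Dim raw
    raw = Trim(Request.QueryString("progid"))
    If raw = "" Or Not IsNumeric(raw) Or InStr(raw, ".") > 0 Then
        Response.Status = "400 Bad Request"
        Response.End
    End If
    SafeProgId = CLng(raw)
End Function

' (b) conn.asp: vbTextCompare makes exec/Exec/EXEC equivalent; the same
'     loop is run over cookies too. A keyword list still blocks legitimate
'     text containing "select" and misses much else, so it is only a
'     backstop for parameterised queries, not a replacement.
Sub RejectIfMatches(coll, keywords)
    Dim key, i
    For Each key In coll
        For i = 0 To UBound(keywords)
            If InStr(1, coll(key), keywords(i), vbTextCompare) > 0 Then
                Response.Write "<script>alert('invalid characters in request');history.back(-1)</script>"
                Response.End
            End If
        Next
    Next
End Sub

Sub CheckSqlIn()
    Dim keywords
    keywords = Split("'|exec|delete|insert|update|select", "|")
    RejectIfMatches Request.QueryString, keywords
    RejectIfMatches Request.Form, keywords
    RejectIfMatches Request.Cookies, keywords
End Sub
%>
```

FZPLAYER.ASP would then open its recordset with `"Select * From Movie_FileList Where FileListID=" & SafeProgId()`.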

 
