Code By Link @ T. r. F
Web Site: www.trfweb.cn
Blog: www.link0day.cn
You may be confused when you see this article. Why is a vulnerability called a bug discovered by analysing the program?
Because what I, a rookie (cainiao), found is not a great thing. It is just a cross-site issue in a program that does not interact with databases, so I can't call this a good article. I just think that it is better to put programs in the computer to waste space than to write a bad article. There is no technical content.
The program is surprisingly "secure" only because there is no database; it is static. Last night I saw a movie station program for the first time.
Enough talk, here is the code:
Search.asp:
<!--#Include File="Config.asp"-->
<%
If Request.QueryString("Demo") <> "" Then
PageCode = GetHttpPage(Request.QueryString("Demo"))
Else
PageCode = GetHttpPage("http://www.yk33.com/Search.ASP?KeyWord=" & Request.QueryString("KeyWord") & "&Page=" & Request.QueryString("Page") & "")
End If
PageCodes = PageCode
PageCode = ReplaceTest("/"" class=""select", "", PageCodes)
PageCodes = PageCode
PageCode = ReplaceTest("<div id=""wrap"">(.|\n)*?</Html>", "", PageCodes)
PageCodes = PageCode
PageCode = ReplaceTest("/Photo", "http://www.yk33.com/Photo", PageCodes)
PageCodes = PageCode
PageCode = ReplaceTest("/images", "http://www.yk33.com/images", PageCodes)
PageCodes = PageCode
PageCode = ReplaceTest("/Channel", "Channel.asp?Dir=/Channel", PageCodes)
PageCodes = PageCode
PageCode = ReplaceTest("/Content", "Content.asp?Dir=/Content", PageCodes)
PageCodes = PageCode
PageCode = ReplaceTest("http://www.yk33.com/", "" & SiteUrl & "", PageCodes)
PageCodes = PageCode
PageCode = ReplaceTest("http://www.yk33.com", "" & SiteUrl & "", PageCodes)
PageCodes = PageCode
PageCode = ReplaceTest("YK33 online QVOD movie", "" & SiteName & "", PageCodes)
PageCodes = PageCode
PageCode = ReplaceTest("/JS/Ads", "ad", PageCodes)
PageCodes = PageCode
PageCode = ReplaceTest("post", "get", PageCodes)
PageCodes = PageCode
PageCode = ReplaceTest("/search.asp", "search.asp?Dir=/search.asp", PageCodes)
PageCodes = PageCode
PageCode = ReplaceTest("/Search.ASP?", "?", PageCodes)
PageCodes = PageCode
PageCode = ReplaceTest("/allmap.html", "allmap.asp?Dir=/allmap.html", PageCodes)
PageCodes = PageCode
PageCode = ReplaceTest("<a href=""?KeyWord(.|\n)*?</Form></li>", "<script src=ad/so.JS></script></form></li>", PageCodes)
PageCodes = PageCode
PageCode = ReplaceTest (")
Response.Write(PageCode)
%>
<!--#Include File="hot.asp"-->
The page includes config.asp.
Then let's see how the regular expression function is written:
Function RegExpTest(patrn, strng)
' Returns every match of patrn in strng, joined with "|"
Dim regEx, Matchs, Matches, RetStr
Set regEx = New RegExp
regEx.Pattern = patrn
regEx.IgnoreCase = True ' case-insensitive matching
regEx.Global = True ' find all matches, not only the first
Set Matches = regEx.Execute(strng)
For Each Matchs In Matches
RetStr = RetStr & Matchs.Value & "|"
Next
RegExpTest = RetStr
End Function
Read together with search.asp, it is easy to see that they use regular expressions to filter some characters.
However, there is this line:
PageCode = GetHttpPage("http://www.yk33.com/Search.ASP?KeyWord=" & Request.QueryString("KeyWord") & "&Page=" & Request.QueryString("Page") & "")
The KeyWord value is taken directly from the URL, and the search result built from it is written straight to the page.
That is to say, if the filtering is not good enough, we can construct input that the page will execute.
That input can then trigger something, for example XSS.
Directly construct <script>alert("hack you! By Link")</script>
I am so depressed. Why should I use regular expressions to filter SQL statements like select?
What XSS can do is not covered in this article. Hey, ask the 4c00h Daniel ~
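The flow above, modelled as an added example (not code from the original program): rewrites in the style of search.asp pass the article's payload through untouched, while HTML-encoding the echoed keyword or an allowlist check on KeyWord stops it. The upstream page, the function names and the allowlist pattern are assumptions made for the model.

```python
import html
import re

# Constructed stand-in for the upstream search page (assumption: it echoes KeyWord).
def upstream_search(keyword, encode=False):
    shown = html.escape(keyword, quote=True) if encode else keyword
    return ('<html><body><a href="/" class="select">Home</a>'
            '<p>Results for: %s</p><img src="/images/logo.gif"></body></html>' % shown)

# A few rewrites in the style of search.asp: they relabel links, they do not sanitise.
REWRITES = [
    (r'/" class="select', ''),
    (r'/images', 'http://www.yk33.com/images'),
    (r'post', 'get'),
]

def proxy_render(keyword, encode=False):
    """Fetch the (modelled) upstream page and apply the rewrites, as search.asp does."""
    page = upstream_search(keyword, encode)
    for pattern, repl in REWRITES:
        page = re.sub(pattern, repl, page, flags=re.IGNORECASE)
    return page

def has_live_script(page):
    """True if the rendered page still contains an executable <script> tag."""
    return re.search(r'<script\b', page, re.IGNORECASE) is not None

# Hypothetical allowlist for search keywords: word characters (Unicode, so
# non-Latin titles pass), whitespace and hyphen, at most 64 characters.
KEYWORD_OK = re.compile(r'[\w\s\-]{1,64}')

def keyword_allowed(keyword):
    return KEYWORD_OK.fullmatch(keyword) is not None

# The payload quoted in the article.
PAYLOAD = '<script>alert("hack you! By Link")</script>'

if __name__ == "__main__":
    print("rewrites only    :", has_live_script(proxy_render(PAYLOAD)))
    print("encoded on output:", has_live_script(proxy_render(PAYLOAD, encode=True)))
    print("allowlist accepts:", keyword_allowed(PAYLOAD))
```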