H4ckx7's Blog
http://hi.baidu.com/h4ckx7
I can't tell where the vulnerable files are generated, because there are too many files. After reading the calls, I found that the file simply does not filter any characters and does not use any anti-injection. I really don't know how the programmer wrote it. It's a tragedy! Take one file, h_open.asp, and look at the code:
<!-- #include file="conn.asp" -->
<% Response.Buffer = false
Dim h
' id comes straight from the query string, with no validation or filtering
h = Request.QueryString("id")
Set rs = Server.CreateObject("ADODB.Recordset")
' the raw value is concatenated into the SQL text
sql = "select * from house where id=" & h
rs.Open sql, conn, 1, 3
' fw_lls is incremented by one on every request
rs("fw_lls") = rs("fw_lls") + 1
rs.Update
Response.Redirect "h_house.asp?id=" & h
%>
Don't laugh. sql = "select * from house where id=" & h is used directly, without any precaution! Next, conn.asp:
<%
Dim dbpath, conn, startime, db, rs, rs1, rs2, rs3, rs4, rs5, rs6, rs7, rs8, Hangzhou, fw_city, fw_quyu, fw_dizhi, fw_jiaotong, _
    fw_leixing, fw_jiegou, fw_louceng, fw_mianji, fw_zhuangxiu, fw_jiage, fw_lxdh, fw_OICQ, fw_lxname, fw_fbri, _
    fw_guoqi, fw_qtsm, fw_peitao, pud, pwd, pwd2, uname, xb, sfz, email, tel, tishi, tsda
' Modify the database path or name here
db = "data/fclyw.asp"
Set conn = Server.CreateObject("ADODB.Connection")
dbpath = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath(db)
conn.Open dbpath
%>
No anti-injection is enabled.
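An added example, not code from the original post or from the application: one way h_open.asp could be written so the id value never becomes part of the SQL text. It assumes house.id is an integer column and reuses the conn object opened in conn.asp; the names idText, houseId, cmd and digits are introduced here for illustration.

```asp
<!-- #include file="conn.asp" -->
<%
' Hardened sketch of h_open.asp (added example, not the application's code).
' Assumption: house.id is an integer column; conn is opened by conn.asp.
Const adInteger = 3             ' ADO DataTypeEnum
Const adParamInput = 1          ' ADO ParameterDirectionEnum
Const adCmdText = 1             ' ADO CommandTypeEnum
Const adExecuteNoRecords = 128  ' ADO ExecuteOptionEnum

Dim idText, houseId, cmd, digits

idText = Trim(Request.QueryString("id") & "")

' Allow-list check: 1 to 9 decimal digits only, so CLng cannot overflow and
' inputs such as "1e3", "&H10" or "1 or 1=1" are rejected before any query runs.
Set digits = New RegExp
digits.Pattern = "^[0-9]{1,9}$"
If Not digits.Test(idText) Then
    Response.Status = "400 Bad Request"
    Response.End
End If
houseId = CLng(idText)

' The id is bound as a typed parameter; it is never concatenated into the SQL.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "UPDATE house SET fw_lls = fw_lls + 1 WHERE id = ?"
cmd.Parameters.Append cmd.CreateParameter("@id", adInteger, adParamInput, , houseId)
cmd.Execute , , adExecuteNoRecords

' Redirect with the validated number, not the raw request string.
Response.Redirect "h_house.asp?id=" & houseId
%>
```

The same pattern (validate the type, then bind with ADODB.Command parameters) applies to every other page that builds SQL from Request values.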
The default back-end (admin) path is admin/login.asp. You can find a place to upload images in image management. You can get the shell by capturing packets and then submitting the NC file.