Today, I am busy for a day. Please try again.
Guanlong Technology Enterprise Website Management System v9.2 Cookie Injection Vulnerability
Vulnerable files: ShowNews.asp, ProductShow.asp, DownloadShow1.asp, MovieShow.asp
Problem code:
Anti-injection system: Check_SQL.asp
<%
Dim Query_Badword, Form_Badword, Chk_badword, I, Err_Message, Err_Web, Query_Name, name
'-- Definitions ------------------------------------------------
Err_Message = 1        ' handling: 1 = alert only, 2 = redirect, 3 = alert, then redirect
Err_Web = "Err.asp"    ' page to redirect to on error
' Blacklisted GET values, separated by "|" (the separator is restored here; the extraction had garbled it)
Query_Badword = "'|and|select|update|chr|delete|%20from|;|insert|mid|master.|set|chr(37)|="
' Blacklisted POST values, separated by "|"
Form_Badword = "'|%|&|*|#|(|)|="
'-- End of definitions -----------------------------------------

On Error Resume Next
'-- Filter GET (QueryString) values
If Request.QueryString <> "" Then
    Chk_badword = Split(Query_Badword, "|")
    For Each Query_Name In Request.QueryString
        For I = 0 To UBound(Chk_badword)
            If InStr(LCase(Request.QueryString(Query_Name)), Chk_badword(I)) <> 0 Then
                Select Case Err_Message
                    Case 1
                        Response.Write "<Script Language=JavaScript>alert('Parameter error! The value of parameter " & Query_Name & " contains an invalid string! Do not include invalid strings such as and update delete ; insert mid master in the parameter!');window.close();</Script>"
                    Case 2
                        Response.Write "<Script Language=JavaScript>location.href='" & Err_Web & "'</Script>"
                    Case 3
                        Response.Write "<Script Language=JavaScript>alert('Parameter error! The value of parameter " & Query_Name & " contains an invalid string! Do not include invalid strings such as and update delete ; insert mid master in the parameter!');location.href='" & Err_Web & "';</Script>"
                End Select
                Response.End
            End If
        Next
    Next
End If
'-- Filter POST (Form) values
If Request.Form <> "" Then
    Chk_badword = Split(Form_Badword, "|")
    For Each name In Request.Form
        For I = 0 To UBound(Chk_badword)
            If InStr(LCase(Request.Form(name)), Chk_badword(I)) <> 0 Then
                Select Case Err_Message
                    Case 1
                        Response.Write "<Script Language=JavaScript>alert('Error! The value of form field " & name & " contains an invalid string! Do not include invalid characters such as % & * # ( ) in the form!');window.close();</Script>"
                    Case 2
                        Response.Write "<Script Language=JavaScript>location.href='" & Err_Web & "'</Script>"
                    Case 3
                        Response.Write "<Script Language=JavaScript>alert('Error! The value of form field " & name & " contains an invalid string! Do not include invalid characters such as % & * # ( ) in the form!');location.href='" & Err_Web & "';</Script>"
                End Select
                Response.End
            End If
        Next
    Next
End If
%>
We can see that only Request.QueryString and Request.Form are filtered; Request.Cookies is never inspected.
The vulnerable code in the four files is identical, so ProductShow.asp is used here as the example:
------------------ The preceding code is omitted -------------------
<%
ShowSmallClassType = ShowSmallClassType_Article
Dim ID
ID = Trim(Request("ID"))   ' The flaw: Request() names no collection, so the value can also arrive in Request.Cookies, which the anti-injection system never checks
If ID = "" Then
    Response.Redirect("Product.asp")   ' an empty id parameter sends the user to Product.asp
End If
SQL = "select * from Product where ID=" & ID & ""   ' id is concatenated straight into the query
Set rs = Server.CreateObject("ADODB.Recordset")
rs.Open SQL, conn, 1, 3
If rs.BOF And rs.EOF Then
    Response.Write "<SCRIPT language=JavaScript>alert('This product cannot be found!');"
    Response.Write "javascript:history.go(-1)</SCRIPT>"
Else
    rs("Hits") = rs("Hits") + 1
    rs.Update
End If
%>
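As an added example (not code from the post or from the Guanlong product), the following Python models the collection fallthrough of classic-ASP Request("ID"), the Check_SQL.asp filter that only inspects QueryString and Form, and a hardened lookup that reads from one named collection, requires an integer, and binds it as a query parameter. The request dictionaries and the in-memory Product table are constructed for the demonstration.

```python
import re
import sqlite3

# Bad-word lists from Check_SQL.asp; the "|" separator is restored from the garbled text.
QUERY_BADWORDS = "'|and|select|update|chr|delete|%20from|;|insert|mid|master.|set|chr(37)|=".split("|")
FORM_BADWORDS = "'|%|&|*|#|(|)|=".split("|")

# Lookup order of classic-ASP Request(name) when no collection is named.
REQUEST_ORDER = ("QueryString", "Form", "Cookies", "ClientCertificate", "ServerVariables")

def check_sql(request):
    """Mirror Check_SQL.asp: inspect QueryString and Form only. True means blocked."""
    for value in request.get("QueryString", {}).values():
        if any(bad in value.lower() for bad in QUERY_BADWORDS):
            return True
    for value in request.get("Form", {}).values():
        if any(bad in value.lower() for bad in FORM_BADWORDS):
            return True
    return False

def asp_request(request, name):
    """Request(name) without a collection: the first collection holding the name wins."""
    for coll in REQUEST_ORDER:
        if name in request.get(coll, {}):
            return request[coll][name]
    return ""

def vulnerable_sql(request):
    """ProductShow.asp as written: run the filter, then concatenate Request("ID") into SQL."""
    if check_sql(request):
        return None  # Response.End
    return "select * from Product where ID=" + asp_request(request, "ID").strip()

def make_db():
    """Constructed in-memory Product table standing in for the site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table Product (ID integer primary key, Name text)")
    conn.execute("insert into Product values (1, 'widget')")
    return conn

def hardened_lookup(conn, request):
    """Fix: read ID from the intended collection only, require an integer, bind it."""
    raw = request.get("QueryString", {}).get("ID", "").strip()
    if not re.fullmatch(r"[0-9]{1,9}", raw):
        return None  # ProductShow.asp would redirect to Product.asp here
    return conn.execute("select * from Product where ID = ?", (int(raw),)).fetchall()

if __name__ == "__main__":
    cookie_only = {"Cookies": {"ID": "1 and 1=1"}}  # constructed sample request
    print(check_sql(cookie_only), vulnerable_sql(cookie_only))
    print(hardened_lookup(make_db(), cookie_only))
```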
The vulnerability can be exploited by cookie injection, either with a JS script or with the GreenBrowser plug-in to inject the cookie. I did not have GreenBrowser installed here, so I used injection as the example.
Local test: