Six SQL injection vulnerabilities in a general campus website construction system
The different injection points are distinguished by parameter:
First: "tid" parameter injection
http://www.h1906.net/dpma/FWeb/WorkRoomWeb/Web/TeacherSourceDetail.aspx?SFID=2825&tid=3210010059
http://www.whwzyx.net/dpma/FWeb/WorkRoomWeb/Web/TeacherCourse.aspx?tid=3180010017
http://www.whwzyx.net/dpma/FWeb/WorkRoomWeb/Web/Index.aspx?TID=3180010017
http://www.whwzyx.net/dpma/FWeb/WorkRoomWeb/Web/TeacherAlbums_New.aspx?tid=3180010017
http://www.whwzyx.net/dpma/FWeb/WorkRoomWeb/Web/TeacherBlog.aspx?tid=3180010017
http://www.whwzyx.net/dpma/FWeb/WorkRoomWeb/Web/TeacherBlogDetail.aspx?tid=
http://www.whwzyx.net/dpma/FWeb/WorkRoomWeb/Web/TeacherPhotosDetail.aspx?tid=3180010017&Album_ID=1051
http://www.whwzyx.net/dpma/FWeb/WorkRoomWeb/Web/TeacherSourceDetail.aspx?SFID=1882&tid=3180010017
http://222.92.102.61/dpma/FWeb/WorkRoomWeb/Web/Index.aspx?TID=3240010089
http://www.ohedu.cn/dpma/FWeb/WorkRoomWeb/Web/Index.aspx?tid=1050180233
http://www.ohedu.cn/dpma/FWeb/WorkRoomWeb/Web/TeacherBlogDetail.aspx?tid=1050270067&diaryId=271107
Second: "KindSetID" parameter injection
http://www.whwzyx.net/DPMA/FWeb/SPEWeb/Web/SPENews.aspx?KindSetID=10003&sid=318001
http://www.whwzyx.net/DPMA/FWeb/SPEWeb/Web/SPENewsList.aspx?KindSetID=1000310&sid=318001
http://www.whwzyx.net/DPMA/FWeb/SPEWeb/Web/SPEVideoVideos.aspx?KindSetID=30002&sid=318001
http://www.whwzyx.net/DPMA/FWeb/SPEWeb/Web/SPERecommandNews.aspx?KindSetID=10003&sid=318001
http://www.whwzyx.net/DPMA/FWeb/SPEWeb/Web/SPEPhoto_Page.aspx?KindSetID=0&sid=318001
http://222.92.102.61/dpma/FWeb/SPEWeb/Web/SPENews.aspx?KindSetID=10000&sid=324001
http://222.92.102.61/dpma/FWeb/SPEWeb/Web/SPEVideoPage.aspx?KindSetID=30001&VideoID=1020&sid=324001
http://222.92.102.61/dpma/FWeb/SPEWeb/Web/SPEVideoVideos.aspx?KindSetID=30001&sid=324001
http://222.92.102.61/dpma/FWeb/SPEWeb/Web/SPERecommandNews.aspx?KindSetID=10000&sid=324001
http://iqxxx.net/dpma/FWeb/SPEWeb/Web/SPENewsList.aspx?KindSetID=1000314&sid=315001
Third: "KindID" parameter injection
http://www.h1906.net/dpma/FWeb/SchoolWeb/Web/TeacherArticle.aspx?KindID=1007_1001_1010&sid=321001
http://www.whwzyx.net/DPMA/FWeb/SchoolWeb/Web/TeacherArticle.aspx?KindID=1007_1001_1000&sid=318001
http://www.h1906.net/dpma/FWeb/SchoolWeb/Web/TeacherSource.aspx?KindID=1003_1001_1017&sid=321001
http://www.whwzyx.net/DPMA/FWeb/SchoolWeb/Web/TeacherSource.aspx?KindID=1003_1001_1009&User_Type=1&sid=318001
http://www.whwzyx.net/DPMA/FWeb/SPEWeb/Web/SPEVideoPage.aspx?KindSetID=30001&VideoID=1032&sid=318001
http://www.whwzyx.net/DPMA/FWeb/SchoolWeb/Web/TeacherSource.aspx?KindID=1008_1001_1009&sid=318001
http://www.ohedu.cn/dpma/FWeb/SchoolWeb/Web/TeacherArticle.aspx?KindID=1004_1001_1420&sid=105027
http://www.ohedu.cn/dpma/FWeb/SchoolWeb/Web/TeacherSource.aspx?KindID=1008_1001_1416&sid=105027
http://yanxiu.ksedu.cn/dpma/FWeb/SchoolWeb/Web/TeacherArticle.aspx?KindID=1003_1001_1170&sid=101003
http://iqxxx.net/dpma/FWeb/SPEWeb/Web/SPENews.aspx?KindSetID=10000&sid=315001
http://iqxxx.net/dpma/FWeb/SchoolWeb/Web/TeacherSource.aspx?KindID=1008_1001_1007&sid=315001
Fourth: "ALBUMID" parameter injection
http://www.whwzyx.net/DPMA/FWeb/SPEWeb/Web/SPEPhoto_Photos.aspx?KindSetID=2000013&ALBUMID=1023&sid=318001
http://www.whwzyx.net/DPMA/FWeb/SPEWeb/Web/SPEPhoto_Photos.aspx?KindSetID=0&ALBUMID=1023
http://www.fstc.pdedu.sh.cn/dpma/FWeb/SPEWeb/web3/SPEPhoto_Photos.aspx?KindSetID=20000&ALBUMID=1013&sid=330001
http://www.whwzyx.net/dpma/FWeb/SPEWeb/Web/SPEPhoto_Photos.aspx?KindSetID=&ALBUMID=1018&sid=318001
http://www.gxqx.cn/DPMA/FWeb/SPEWeb/Web/SPEPhoto_Photos.aspx?KindSetID=20003&ALBUMID=1171&sid=315001
Fifth: "VideoID" parameter injection
http://www.whwzyx.net/DPMA/FWeb/SPEWeb/Web/SPEVideoPage.aspx?KindSetID=30001&VideoID=1032&sid=318001
http://222.92.102.61/dpma/FWeb/SPEWeb/Web/SPEVideoPage.aspx?KindSetID=30001&VideoID=1020&sid=324001
http://www.whwzyx.net/dpma/FWeb/SPEWeb/Web/SPEVideoPage.aspx?KindSetID=30003&VideoID=1031&sid=318001
http://www.iqxxx.net/DPMA/FWeb/SPEWeb/Web/SPEVideoPage.aspx?KindSetID=30003&VideoID=1015&sid=315001
http://222.92.102.61/dpma/FWeb/SPEWeb/Web/SPEVideoPage.aspx?KindSetID=30001&VideoID=1003&sid=324001
Sixth: "sid" parameter injection
http://www.whwzyx.net/DPMA/FWeb/SchoolWeb/Web/AnnounAndNews.aspx?Type_Anews=2&sid=318001
http://www.whwzyx.net/DPMA/FWeb/SchoolWeb/Web/AnnounAndNewsDetail.aspx?Type_Anews=2&TaID=1002&sid=318001
http://222.92.102.61/dpma/FWeb/SchoolWeb/Web/AnnounAndNews.aspx?Type_Anews=2&sid=324001
http://www.ohedu.cn/dpma/FWeb/SchoolWeb/Web/AnnounAndNews.aspx?Type_Anews=2&sid=105027
http://yanxiu.ksedu.cn/dpma/FWeb/SchoolWeb/Web/AnnounAndNews.aspx?Type_Anews=2&sid=101003
I just picked a few of them to test:
SQL1: proof of tid parameter injection:
SQL2: proof of KindSetID parameter injection:
SQL3: proof of KindID parameter injection:
SQL4: proof of ALBUMID parameter injection:
SQL5: proof of VideoID parameter injection:
SQL6: proof of sid parameter injection:
Solution:
Strengthen the filtering of these parameters on the server side.
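The fix the report asks for is stronger parameter filtering. As an added example (editor's code, not code from the affected product or its vendor), the ASP.NET/C# fragment below shows the two layers a defender would put in front of parameters like these: strict validation of the raw query-string value (tid, KindSetID, ALBUMID, VideoID and sid appear on the page as plain integers; KindID has the form 1007_1001_1010), and a parameterized SqlCommand so the value is bound as typed data rather than spliced into SQL text. The table name Teacher, the columns TeacherID and Name, and the open connection passed in are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

// Added example; Teacher / TeacherID / Name are assumed names, not the product's schema.
public static class SafeParameterLookup
{
    // Integer-style parameters (tid, KindSetID, ALBUMID, VideoID, sid):
    // accept only a positive integer, reject everything else before it reaches SQL.
    public static bool TryParseId(string raw, out int id)
    {
        return int.TryParse(raw, out id) && id > 0;
    }

    // KindID values on the page look like 1007_1001_1010: three digit groups joined by '_'.
    // An allow-list pattern is the only "filter" that is safe for a structured token like this.
    private static readonly Regex KindIdPattern =
        new Regex(@"^\d{1,6}(_\d{1,6}){2}$", RegexOptions.Compiled);

    public static bool IsValidKindId(string raw)
    {
        return raw != null && KindIdPattern.IsMatch(raw);
    }

    // BEFORE (the pattern behind this class of bug): the raw value becomes part of the SQL text,
    // so whatever the client sends is executed as SQL. Shown for contrast only; do not use.
    public static string UnsafeQueryText(string rawTid)
    {
        return "SELECT Name FROM Teacher WHERE TeacherID = " + rawTid;
    }

    // AFTER: validate first, then bind the value as a typed parameter.
    // The SQL text is a constant; the client can only ever change the bound integer.
    public static string GetTeacherName(SqlConnection conn, string rawTid)
    {
        if (!TryParseId(rawTid, out int tid))
            throw new ArgumentException("tid must be a positive integer");

        using (var cmd = new SqlCommand("SELECT Name FROM Teacher WHERE TeacherID = @tid", conn))
        {
            cmd.Parameters.Add("@tid", SqlDbType.Int).Value = tid;
            object result = cmd.ExecuteScalar();
            return result == null ? null : (string)result;
        }
    }
}
```

In a WebForms page such as TeacherCourse.aspx the raw value would come from Request.QueryString["tid"]; rejecting it with a 400 when TryParseId fails, and applying the same bind-as-parameter pattern to every other query that consumes KindSetID, KindID, ALBUMID, VideoID or sid, closes all six reported points the same way. Character filtering alone (stripping quotes or keywords) is weaker than this, since the integer parameters here never need any non-digit character and a parameterized query does not depend on the filter being complete.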