############################################################################
# Title: Smart youdao professional travel system v1.6.5 Vulnerability
# Time: 2011-10-30
# Team: makebugs
# Author: Fate http://t.qq.com/MakeBug http://hi.baidu.com/micropoor
############################################################################
Injection:
' \Inc\incsql.asp
<%
Dim SQL_leaching, SQL_leach_0, SQL_DATA, SQL_Get, SQL_Post
SQL_leaching = "',and,exec,insert,select,delete,update,count,*,%,chr,mid,master,truncate,char,declare"
SQL_leach_0 = split(SQL_leaching, ",")
If Request.QueryString <> "" Then
For Each SQL_Get In Request.QueryString
For SQL_Data = 0 To Ubound(SQL_leach_0)
' ...
If Request.Form <> "" Then
For Each SQL_Post In Request.Form
For SQL_Data = 0 To Ubound(SQL_leach_0)
If instr(Request.Form(SQL_Post), SQL_leach_0(SQL_DATA)) > 0 Then
Response.Write("err")
' ...
%>
Filtering is in place but has problems. In some cases:
<%
id = ReplaceBadChar(replace(trim(request("id")), "'", "")) ' Note the id
SQL = "select * from car where id=" & id & ""
Set rs = server.CreateObject("ADODB.recordset")
rs.open SQL, conn, 1, 1
If rs.eof and rs.bof then
' ...
End if
%>
There are also pages that are not filtered. For example:
<%
Dim id
id = checkStr(request.QueryString("id") & "")
Dim objhttp, strrequest, xmldoc, bok
Set objHTTP = Server.CreateObject("MSXML2.XMLHTTP")
StrRequest = "sceneryId=" & id & ""
%>
Shell:
Smart youdao professional travel system versions 1.1 through v1.6.5 have the same problems:
http://www.bkjia.com/admin/do/admin_uploadfile.asp?id=1&dir=../..
http://www.bkjia.com/admin/do/Admin_Style.asp
http://www.bkjia.com/admin/do/data.asp
Other information:
Default database: \wklksdata\bbcctour.asp; a one-line ("one sentence") script can be inserted into it
Upload problem: \inc\Upfile_Photo.asp
Fix: fix the filtering and the upload handling.
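
One way to apply the filtering fix to the "car" lookup shown above, as an added example that is not the vendor's code: the id is validated as a plain integer and bound as a query parameter instead of being concatenated into the SQL string. It assumes conn is the open ADODB.Connection from the excerpt, that car.id is an integer column, and that adovbs.inc is not included (the ADO constants are declared locally under hypothetical names).

```vbscript
<%
' Added example, not vendor code. Assumes conn is an open ADODB.Connection
' and that car.id is an integer column.
Const AD_CMD_TEXT = 1      ' ADO CommandTypeEnum adCmdText
Const AD_INTEGER = 3       ' ADO DataTypeEnum adInteger
Const AD_PARAM_INPUT = 1   ' ADO ParameterDirectionEnum adParamInput

' Accept only a short run of decimal digits. IsNumeric() alone also accepts
' forms such as "1e3" or "&H10", so an explicit pattern is used instead.
' Returns the id as a Long, or -1 when the input is not a plain integer.
Function ParseId(raw)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[0-9]{1,9}$"
    If re.Test(raw) Then
        ParseId = CLng(raw)
    Else
        ParseId = -1
    End If
End Function

Dim id, cmd, rs
' Read from one named collection so the source of the value is explicit.
id = ParseId(Trim(Request.QueryString("id") & ""))
If id < 0 Then
    Response.Status = "400 Bad Request"
    Response.End
End If

' The statement text is constant; the value travels only as a typed parameter.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = AD_CMD_TEXT
cmd.CommandText = "select * from car where id = ?"
cmd.Parameters.Append cmd.CreateParameter("id", AD_INTEGER, AD_PARAM_INPUT, , id)

Set rs = cmd.Execute
If rs.EOF And rs.BOF Then
    Response.Write "not found"   ' constructed message
End If
rs.Close
Set rs = Nothing
Set cmd = Nothing
%>
```

With the value bound as a typed parameter, the keyword blacklist in \Inc\incsql.asp is no longer what stands between the request and the query.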