From kiddie
This time I am writing up another SQL injection vulnerability in the hzhost 6.5 virtual host management system.
There are only two key points:
First, how to obtain website administrator privileges.
Second, how to "back up" a Trojan (get a webshell written to disk through the backup function).
This is not a plain injection point: the parameter first passes through a "safe request" filter function. But because the code does not enclose the variable in single quotes, and the filter's blacklist is incomplete, injection is still possible.
I also made an animation this time, released together with this post. Hope it makes everyone happy! Haha...
The vulnerability exists in the hzhosthzhost_mastercontrolot2_mngot2_lst.asp file.
Reference:
------------------------- lines 13-15 ----------------------------
querytype = SafeRequest("querytype")        ' the SafeRequest function fetches the parameter
If chk_int(querytype) = False Then          ' checks whether it is an integer
    ErrMsg = "sorry, illegal *!... "
------------------------- lines 37-42 ---------------------------
ElseIf querytype = 5 Then                   ' if the type is 5, accept the qu1 parameter
    qu1 = Trim(SafeRequest("qu1"))          ' SafeRequest again; it is a home-made filter function, see below
    If qu1 = "" Then                        ' must not be blank
        Call errorpage(-2, "Sorry, please select a parameter!")
    End If
    qstring = " and s_regstt=" & qu1 & " "  ' KEY: qu1 is not wrapped in single quotes. SafeRequest is applied, but it can be bypassed
------------------------- lines 62-65 ---------------------------
qu7 = Trim(SafeRequest("qu7"))              ' SafeRequest fetches the parameter
If qu7 <> "" Then
    qstring2 = " and u_nme='" & qu7 & "' "  ' this one IS wrapped in single quotes, so it is a dead end
End If
-------------------------- line 117 -----------------------------
query = "select * from v_ot2lst where (s_unme='" & session("usrname") & "' or u_fatstr like '%," & session("usrname") & ",%') " & qstring & qstring2 & " order by " & orderstring
' qstring is concatenated straight into the SQL text here; this is where the injection lands
Now let's look at the SafeRequest() function.
Reference:
------------------ Incs/config.asp -------------------------
Function SafeRequest(ParaName)
    Dim ParaValue
    ParaValue = Request(ParaName)           ' read the parameter
    If IsNumeric(ParaValue) Then            ' if it looks numeric ...
        SafeRequest = ParaValue             ' ... it is returned unfiltered
        Exit Function
    Else
        ParaValuetemp = LCase(ParaValue)    ' otherwise lowercase the whole value
        tempvalue = "select |insert |delete from |count(|drop table|update |truncate |asc(|mid(|char(|xp_cmdshell|exec master|net localgroup administrators|net user|or |and |%20from"
        ' the keyword blacklist
        ' The filtering approach itself is wrong: /* */, %, --, ; are not filtered at all.
        ' Every keyword is matched as "select" + a space, so "select%09" (tab) or "select/**/" is not caught.
        temps = Split(tempvalue, "|")       ' turn the list into a one-dimensional array
        For mycount = 0 To UBound(temps)    ' loop over the array
            If InStr(ParaValuetemp, temps(mycount)) > 0 Then  ' does the submitted value contain a blacklisted string?
                Call errorpage(-2, "Illegal Request !!! ")    ' if so, show an error page
                Response.End
            End If
        Next
        SafeRequest = ParaValue
    End If
End Function
-------------------------------------
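As an added example (not hzhost's code, and not part of the original post), here is how the qu1 branch and the v_ot2lst query above would look when fixed the way this writeup implies: the blacklist is replaced by a whitelist check that only accepts a whole number, and the value reaches the database as a typed ADO parameter instead of being concatenated into the SQL text. The table and column names (v_ot2lst, s_unme, u_fatstr, s_regstt) and the errorpage() helper are taken from the listing; the connection string, the allowed order-by columns and the function names IsWholeNumber / BuildOt2Query are assumptions made for this example.

```vbscript
' Added hardening example for the ot2_lst.asp query (not the vendor's code).

Function IsWholeNumber(s)
    ' Whitelist validation: an optional leading minus followed only by digits.
    ' IsNumeric() is NOT sufficient here: it also accepts "1e3", "&H1F", " 5 " and "1,000".
    Dim i, c
    IsWholeNumber = False
    If Len(s) = 0 Or Len(s) > 10 Then Exit Function
    If s = "-" Then Exit Function
    For i = 1 To Len(s)
        c = Mid(s, i, 1)
        If Not (i = 1 And c = "-") Then
            If c < "0" Or c > "9" Then Exit Function
        End If
    Next
    IsWholeNumber = True
End Function

Function SafeOrderColumn(orderstring)
    ' ORDER BY cannot be parameterised, so map the request value onto a fixed set of column names.
    ' (assumed allowed columns for this example)
    Select Case LCase(orderstring)
        Case "s_unme":   SafeOrderColumn = "s_unme"
        Case "s_regstt": SafeOrderColumn = "s_regstt"
        Case Else:       SafeOrderColumn = "s_unme"   ' default instead of trusting the input
    End Select
End Function

Function BuildOt2Query(conn, usrname, regstt, orderstring)
    ' Builds an ADODB.Command where every user-controlled value is a bound parameter.
    Const adCmdText = 1, adVarChar = 200, adInteger = 3, adParamInput = 1
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "select * from v_ot2lst " & _
                      "where (s_unme = ? or u_fatstr like ?) and s_regstt = ? " & _
                      "order by " & SafeOrderColumn(orderstring)
    cmd.Parameters.Append cmd.CreateParameter("p_unme", adVarChar, adParamInput, 50, usrname)
    cmd.Parameters.Append cmd.CreateParameter("p_fat", adVarChar, adParamInput, 255, "%," & usrname & ",%")
    cmd.Parameters.Append cmd.CreateParameter("p_regstt", adInteger, adParamInput, , CLng(regstt))
    Set BuildOt2Query = cmd
End Function

' --- request handling equivalent to the "querytype = 5" branch ---
Dim conn, qu1, cmd, rs
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "PLACEHOLDER_CONNECTION_STRING"   ' placeholder; the real string lives in Incs/config.asp

qu1 = Trim(Request("qu1"))
If qu1 = "" Then
    Call errorpage(-2, "Sorry, please select a parameter!")
    Response.End
End If
If Not IsWholeNumber(qu1) Then
    ' Reject outright. Do not try to "clean" the value: a blacklist can always be bypassed
    ' with an encoding the list did not anticipate (tab, comment, URL-encoding, ...).
    Call errorpage(-2, "Illegal Request !!! ")
    Response.End
End If

Set cmd = BuildOt2Query(conn, Session("usrname"), qu1, Request("orderstring"))
Set rs = cmd.Execute
```

The important design choice is that the database never sees the request value as SQL text: even if IsWholeNumber were somehow bypassed, CLng() would fail on a non-integer and the adInteger parameter cannot carry a string. That is what makes the single-quote question from the original code irrelevant.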