Yida CMS enterprise website creation system vulnerability (0day)

IN-clause injection. Related code:

    ' ........ part omitted ........
    id=request("id")
    id1=Split(id,", ")
    delid=replace(request("id"),"'","")
    set rs = server.createobject("adodb.recordset")
    sql="DELETE from shuaiweb_buycart where id in ("&delid&")"
    rs.open sql,dbok,3,2
    rs.close

This code processes the shopping cart on the settlement page. Related page: buy_settlement.asp

Search box. Related code:
    Function tSearch()
        yidacms_l = request("l")
        yidacms_n = request("n")
        yidacms_y = request("yidacms_search")
        ' ........ part omitted ........
        if yidacms_language = "zh" then
            set rs = server.createobject("adodb.recordset")
            if yidacms_l = "news" then
                SQL = "select * from [shuaiweb_news] where (shuaiweb_newstitle like '%" & yidacms_n & "%' or shuaiweb_newsContent like '%" & yidacms_n & "%') and yida_language = 'ch' order by id desc"
            elseif yidacms_l = "products" then
                SQL = "select * from [shuaiweb_products] where (shuaiweb_productsname like '%" & yidacms_n & "%' or shuaiweb_productscontent like '%" & yidacms_n & "%' or shuaiweb_productsbprice like '%" & yidacms_n & "%' or shuaiweb_productsmodel like '%" & yidacms_n & "%') and yida_language = 'ch' order by id desc"
            elseif yidacms_l = "photo" then
                SQL = "select * from [shuaiweb_photo] where (shuaiweb_photoname like '%" & yidacms_n & "%') and yida_language = 'ch' order by id desc"
            end if
            rs.open SQL, dbok, 1, 1
        else
            set rs = server.createobject("adodb.recordset")
            if yidacms_l = "news" then
                SQL = "select * from [shuaiweb_news] where (shuaiweb_newstitle like '%" & yidacms_n & "%') or (shuaiweb_newsContent like '%" & yidacms_n & "%') order by id desc"
            elseif yidacms_l = "products" then
                SQL = "select * from [shuaiweb_products] where (shuaiweb_productsname like '%" & yidacms_n & "%') or (shuaiweb_productscontent like '%" & yidacms_n & "%') or (shuaiweb_productsbprice like '%" & yidacms_n & "%') or (shuaiweb_productsmodel like '%" & yidacms_n & "%') order by id desc"
            elseif yidacms_l = "photo" then
                SQL = "select * from [shuaiweb_photo] where shuaiweb_photoname like '%" & yidacms_n & "%' order by id desc"
            end if
            rs.open SQL, dbok, 1, 1
        end if
        if rs.bof and rs.eof then
            tSearch = tSearch & "no records!" & vbcrlf
        else
            tSearch = tSearch & "<table width='000000' border='0' align='left' cellpadding='5' cellspacing='0'>" & vbcrlf
            do while not rs.eof
            ' ........ rest of the function omitted ........
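In the tSearch() code above (search.asp) the search term yidacms_n is concatenated straight into a LIKE clause. The following is an added example, not Yida CMS code, of the same three searches written with an ADODB.Command and bound parameters, so the term can never change the statement. It assumes dbok is the open ADODB.Connection the page's code already uses, and that the database is Jet/Access or SQL Server, where square brackets escape LIKE wildcards; the helper names LikeEscape, SearchStatement and SafeSearch are invented for this example.

```vbscript
' Added example (not Yida CMS code): parameterised version of the search in tSearch().
' Assumes "dbok" is the page's open ADODB.Connection (Jet/Access or SQL Server backend).
Const adCmdText = 1, adVarWChar = 202, adParamInput = 1

' Turn user text into a LIKE pattern that matches it literally
' (bracket escaping is the Jet ANSI-92 / SQL Server convention).
Function LikeEscape(s)
    s = Replace(s, "[", "[[]")
    s = Replace(s, "%", "[%]")
    s = Replace(s, "_", "[_]")
    LikeEscape = s
End Function

' The statement is built from fixed strings only; the search term never appears in it.
' "kind" is allow-listed to the three sections the original function searches.
Function SearchStatement(kind, zh)
    Dim where
    Select Case kind
        Case "news"
            where = "FROM [shuaiweb_news] WHERE (shuaiweb_newstitle LIKE ? OR shuaiweb_newsContent LIKE ?)"
        Case "products"
            where = "FROM [shuaiweb_products] WHERE (shuaiweb_productsname LIKE ? OR shuaiweb_productscontent LIKE ? OR shuaiweb_productsbprice LIKE ? OR shuaiweb_productsmodel LIKE ?)"
        Case "photo"
            where = "FROM [shuaiweb_photo] WHERE (shuaiweb_photoname LIKE ?)"
        Case Else
            SearchStatement = ""          ' unknown section: caller reports "no records"
            Exit Function
    End Select
    If zh Then where = where & " AND yida_language = 'ch'"
    SearchStatement = "SELECT * " & where & " ORDER BY id DESC"
End Function

' Returns a recordset, or Nothing when the section name is not on the allow-list.
Function SafeSearch(kind, term, zh)
    Dim cmd, sqlText, pattern, i, count
    sqlText = SearchStatement(kind, zh)
    If sqlText = "" Then
        Set SafeSearch = Nothing
        Exit Function
    End If
    pattern = "%" & LikeEscape(term) & "%"
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = dbok       ' Set: bind the existing connection object
    cmd.CommandType = adCmdText
    cmd.CommandText = sqlText
    ' one bound parameter per "?" placeholder, each carrying the same pattern
    count = Len(sqlText) - Len(Replace(sqlText, "?", ""))
    For i = 1 To count
        cmd.Parameters.Append cmd.CreateParameter("p" & i, adVarWChar, adParamInput, Len(pattern), pattern)
    Next
    Set SafeSearch = cmd.Execute
End Function

' Usage inside tSearch(), replacing the two if/elseif chains:
'   Set rs = SafeSearch(Request("l"), Request("n"), yidacms_language = "zh")
'   If rs Is Nothing Then
'       tSearch = tSearch & "no records!" & vbCrLf
'   ElseIf rs.BOF And rs.EOF Then
'       tSearch = tSearch & "no records!" & vbCrLf
'   End If
```

LikeEscape matters even with parameters: without it a term such as "%" would still match every row, which is a data-exposure rather than an injection problem, but it is the other thing a search box should not allow.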
Related page: search.asp

Member registration: logic error / permission bypass. Code:

    response.write "<script language=javascript>alert('Registration successful!\n" & mailtz & "');location.replace('index.asp');</script>"
    elseif yidacms_jmailuserreg = 2 then
        if shuaiweb_usercontrol = 1 then   ' This is the key: as long as shuaiweb_usercontrol is not 1 (change it to 2), the review step is bypassed ~!
            response.write "<script language=javascript>alert('Registration successful! However, your account must be reviewed by the administrator before it can be used.');location.replace('index.asp');</script>"
            session("shuaiweb_useremail") = empty
        else
            response.write "<script language=javascript>alert('Registration successful!');location.replace('index.asp');</script>"
        end if

Description: you can use a Firefox plug-in to modify the shuaiweb_usercontrol value on the registration page ~!

-----------------------------------------------------------------------------------------------

SQL injection. Problem code on the order page, related code:
    If request("yidacms") = "buydel" Then
        set rs = server.createobject("adodb.recordset")
        user_id3 = request("id")                                   ' here user_id3 is taken straight from the request
        SQL = "select * from shuaiweb_buy WHERE id = " & user_id3 & ""   ' and goes into the query unfiltered ~!
        rs.open SQL, dbok, 1, 1
        if rs("shuaiweb_reading") = 1 then
            response.write "<script language=javascript>alert('Shipped orders cannot be deleted!');history.go(-1);</script>"
            response.end
        else
            if (request("id") <> "") then
                id = request("id")
                set rs = server.createobject("adodb.recordset")
                user_id4 = request("id")                           ' same problem
                SQL = "DELETE * FROM shuaiweb_buy WHERE id = " & user_id4 & ""
                rs.open SQL, dbok, 3, 2
                rs.update
                rs.close
                set rs = nothing
                response.write "<script language=javascript>alert('Deleted successfully!');location.replace('user_buy.asp');</script>"
            End If
        end if
The original poster did not test this SQL injection: because there was no product in the local build, an order could not be placed, and it was too much trouble to set it up ~! This vulnerability is also difficult to exploit. The above two problems both occur on the user.asp page ~!
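Both deletion paths on this page, the cart deletion in buy_settlement.asp (where only the single quote is stripped, which does nothing in a numeric IN list) and the order deletion in user.asp (where id is concatenated as-is), need the same fix: accept nothing but integers and bind them as parameters. The block below is an added example, not Yida CMS code, covering both. It assumes dbok is the page's open ADODB.Connection and keeps the original "shipped orders cannot be deleted" rule; the helpers IsDigits, ParseIdList, DeleteByIds and DeleteOrderIfNotShipped are names invented for this example.

```vbscript
' Added example (not Yida CMS code): integer-only ids and parameterised DELETEs for
' the cart (shuaiweb_buycart) and order (shuaiweb_buy) deletions quoted on this page.
' Assumes "dbok" is the page's open ADODB.Connection.
Const adCmdText = 1, adInteger = 3, adParamInput = 1

' True only for 1..9 ASCII digits. IsNumeric() is not enough on its own: it also
' accepts forms such as "1e3", "&H1F" and "1.5".
Function IsDigits(s)
    Dim i, c
    IsDigits = (Len(s) > 0 And Len(s) <= 9)
    For i = 1 To Len(s)
        c = Mid(s, i, 1)
        If c < "0" Or c > "9" Then IsDigits = False
    Next
End Function

' "1, 7,12" -> Array(1, 7, 12). Any bad element rejects the whole request
' (empty array) rather than "cleaning" it the way replace(...,"'","") tried to.
Function ParseIdList(raw)
    Dim parts, i, p
    parts = Split(raw, ",")
    For i = 0 To UBound(parts)
        p = Trim(parts(i))
        If Not IsDigits(p) Then
            ParseIdList = Array()
            Exit Function
        End If
        parts(i) = CLng(p)
    Next
    ParseIdList = parts
End Function

' DELETE FROM <table> WHERE id IN (?, ?, ...) with one bound parameter per id.
' "table" is only ever passed as a literal from code below, never from the request.
Function DeleteByIds(table, ids)
    Dim cmd, i, marks, affected
    DeleteByIds = 0
    If Not IsArray(ids) Then Exit Function
    If UBound(ids) < 0 Then Exit Function
    marks = "?"
    For i = 1 To UBound(ids)
        marks = marks & ", ?"
    Next
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = dbok
    cmd.CommandType = adCmdText
    cmd.CommandText = "DELETE FROM [" & table & "] WHERE id IN (" & marks & ")"
    For i = 0 To UBound(ids)
        cmd.Parameters.Append cmd.CreateParameter("id" & i, adInteger, adParamInput, , ids(i))
    Next
    cmd.Execute affected                  ' RecordsAffected comes back through the argument
    DeleteByIds = affected
End Function

' buy_settlement.asp replacement: the whole comma-separated list goes through ParseIdList.
Function DeleteCartItems(rawIdList)
    DeleteCartItems = DeleteByIds("shuaiweb_buycart", ParseIdList(rawIdList))
End Function

' user.asp replacement: look the order up with a bound parameter, keep the
' "shipped orders cannot be deleted" rule, then delete by bound parameter.
Function DeleteOrderIfNotShipped(rawId)
    Dim ids, cmd, rs
    DeleteOrderIfNotShipped = "bad id"
    ids = ParseIdList(rawId)
    If UBound(ids) <> 0 Then Exit Function      ' exactly one id expected here
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = dbok
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT shuaiweb_reading FROM shuaiweb_buy WHERE id = ?"
    cmd.Parameters.Append cmd.CreateParameter("id", adInteger, adParamInput, , ids(0))
    Set rs = cmd.Execute
    If rs.EOF Then
        DeleteOrderIfNotShipped = "not found"
    ElseIf rs("shuaiweb_reading") = 1 Then
        DeleteOrderIfNotShipped = "shipped"
    Else
        DeleteByIds "shuaiweb_buy", ids
        DeleteOrderIfNotShipped = "deleted"
    End If
    rs.Close
End Function

' Usage on the order page:
'   Select Case DeleteOrderIfNotShipped(Request("id"))
'       Case "shipped":  response.write "<script language=javascript>alert('Shipped orders cannot be deleted!');history.go(-1);</script>"
'       Case "deleted":  response.write "<script language=javascript>alert('Deleted successfully!');location.replace('user_buy.asp');</script>"
'       Case Else:       response.write "<script language=javascript>history.go(-1);</script>"
'   End Select
```

The SELECT before the DELETE is kept because the page's own logic depends on shuaiweb_reading; in practice the two statements should also be restricted to the logged-in user's own orders, but the column that ties shuaiweb_buy to a user is not shown on this page, so that condition is left out here.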