Web Site Management System injection vulnerability and repair

Source: Internet
Author: User

 

FROM http://www.st999.cn/blog

 

In the past two days, I came across an enterprise management system named wanbo several times. Today I downloaded it and looked at it, and I found an injection vulnerability. What depressed me was that I had to do it manually; there is no way to use tools. Because I have already found one, I am not interested in it.

 

This injection vulnerability occurs in the html/MemberLogin.asp file. The NoSqlHack.asp file in the Include directory is not included by it either. Haha, we can use it.

 

The MemberLogin.asp source code is as follows:

 

<%@ LANGUAGE="VBSCRIPT" CODEPAGE="65001" %>
<% Option Explicit %>
<% Response.Charset = "UTF-8" %>
<!-- #include file="../Include/Const.asp" -->
<!-- #include file="../Include/ConnSiteData.asp" -->
<!-- #include file="../Include/Md5.asp" -->
<%
' Log out: clear the member session values and return to the referring page
If Request.QueryString("Action") = "Out" Then
    Session.Contents.Remove "MemName"
    Session.Contents.Remove "GroupID"
    Session.Contents.Remove "GroupLevel"
    Session.Contents.Remove "MemLogin"
    Response.Redirect CStr(Request.ServerVariables("HTTP_REFERER"))
    Response.End
End If

Public ErrMsg(3)
ErrMsg(0) = "· incorrect login name. Please return."
ErrMsg(1) = "· incorrect logon password. Please return."
ErrMsg(2) = "· the account is not in use. Please return."

Dim LoginName, LoginPassword, VerifyCode, MemName, Password, GroupID, GroupName, Working, rs, SQL
' LoginName is only trimmed; nothing else is done to it before it reaches the query
LoginName = Trim(Request.Form("LoginName"))
LoginPassword = Md5(Request.Form("LoginPassword"))
Set rs = Server.CreateObject("adodb.recordset")
' Injection point: the form value is concatenated straight into the SQL text
SQL = "select * from NwebCn_Members where MemName = '" & LoginName & "'"
rs.Open SQL, conn, 1, 3
If rs.BOF And rs.EOF Then
    WriteMsg(ErrMsg(0))
    Response.End
Else
    MemName = rs("MemName")
    Password = rs("Password")
    GroupID = rs("GroupID")
    GroupName = rs("GroupName")
    Working = rs("Working")
End If

If LoginPassword <> Password Then
    WriteMsg(ErrMsg(1))
    Response.End
End If

If Not Working Then
    WriteMsg(ErrMsg(2))
    Response.End
End If

If UCase(LoginName) = UCase(MemName) And LoginPassword = Password Then
    ' Record the successful login on the member row
    rs("LastLoginTime") = Now()
    rs("LastLoginIP") = Request.ServerVariables("Remote_Addr")
    rs("LoginTimes") = rs("LoginTimes") + 1
    rs.Update
    rs.Close
    Set rs = Nothing
    Session("MemName") = MemName
    Session("GroupID") = GroupID
    '============
    ' Look up the member's group level; this query is also built by concatenation
    Set rs = Server.CreateObject("adodb.recordset")
    SQL = "select * from NwebCn_MemGroup where GroupID = '" & GroupID & "'"
    rs.Open SQL, conn, 1, 1
    Session("GroupLevel") = rs("GroupLevel")
    rs.Close
    Set rs = Nothing
    '============
    Session("MemLogin") = "Succeed"
    Session.Timeout = 60
    Response.Redirect CStr(Request.ServerVariables("HTTP_REFERER"))
    Response.End
End If
%>

 

As you can see, LoginName is not filtered and is substituted directly into the query, which is what produces this injection. It does mean the method is a little troublesome. I tried it and I couldn't use the tool, so I was depressed.

 

 

For example: wzasdf' and exists (select * from [nwebcn_admin]) and '1'='1

 

Doing it manually is really depressing, this JB rotten hole...

 

Fix: filter LoginName.
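
One way to repair the LoginName lookup is to bind the value as an ADO parameter instead of filtering the string, so the form input never becomes part of the SQL text. This is an added example, not code from the original post or from the vendor; OpenMemberByName, MAX_NAME_LEN and the 50-character width are assumptions, while conn, WriteMsg and ErrMsg are the names used in MemberLogin.asp above.

```vbscript
<%
' Added example (not the vendor's code). Assumes "conn" is the open
' ADODB.Connection created by ../Include/ConnSiteData.asp.
Const adCmdText = 1
Const adParamInput = 1
Const adVarWChar = 202
Const adOpenKeyset = 1
Const adLockOptimistic = 3
Const MAX_NAME_LEN = 50   ' assumed column width; the schema is not shown on the page

' Hypothetical helper: opens the member row for loginName using a bound
' parameter. Returns Nothing when the input is empty or too long.
Function OpenMemberByName(conn, loginName)
    Dim cmd, rs
    Set OpenMemberByName = Nothing
    If Len(loginName) = 0 Or Len(loginName) > MAX_NAME_LEN Then Exit Function

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' The ? placeholder keeps the value out of the SQL text, so quotes in
    ' loginName are compared as data and cannot change the query.
    cmd.CommandText = "select * from NwebCn_Members where MemName = ?"
    cmd.Parameters.Append cmd.CreateParameter("MemName", adVarWChar, _
        adParamInput, MAX_NAME_LEN, loginName)

    Set rs = Server.CreateObject("ADODB.Recordset")
    ' The Command carries the connection, so ActiveConnection is left empty.
    ' Keyset cursor and optimistic lock match the original rs.Open SQL, conn, 1, 3.
    rs.Open cmd, , adOpenKeyset, adLockOptimistic
    Set OpenMemberByName = rs
End Function

' Replaces the concatenated lookup in MemberLogin.asp.
Dim LoginName, rs
LoginName = Trim(Request.Form("LoginName"))
Set rs = OpenMemberByName(conn, LoginName)
If rs Is Nothing Then
    WriteMsg(ErrMsg(0))
    Response.End
ElseIf rs.BOF And rs.EOF Then
    WriteMsg(ErrMsg(0))
    Response.End
End If
' ...the password, Working and session checks continue as in the original file.
%>
```

With this change the probe string shown above is simply looked up as a member name and matches no row. The second query on NwebCn_MemGroup can be bound the same way.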

 
