Source: forks
Other pages, such as the ftp management and mssql management pages, cannot be injected, which may seem strange. I got a shell and read the source code, so today let's analyse why.
The injection is in D:/hzhost/hzhost_conpanel/domain/login.asp.
Let's see how the code is written.
Reference:
<%
'Session.Timeout = 20
ifok = 0    ' if ifok = 0 the system is under maintenance and cannot be logged on
' (the user name variable appears as "d_dimethyl" in the translated page; it is assumed to be d_nme, matching the nme fields of the other login pages)
d_nme = Trim(Request.Form("domainname"))    ' the user name comes straight from the form and only surrounding spaces are removed: this is where the vulnerability starts
d_pss = Trim(Request.Form("domainpass"))
Session("xinnetdomainpwd") = ""
d_pssin = d_pss
dnme = d_nme
Chk_usrpss d_pss, "Domain Name password", 4, 16    ' here is a check: Chk_usrpss verifies the length, minimum 4 and maximum 16 characters, otherwise an error is raised
d_pssmd5 = md5(d_pss)
substrContent = "entryclass:sys2_mng" & vend
substrContent = substrContent & "entrytype:getincode" & vend
substrContent = substrContent & "entryuser:" & entryuser & vend
substrContent = substrContent & "entrypass:" & entrypass & vend
substrContent = substrContent & "pnlmod:getincode" & vend
substrContent = substrContent & "agentname:" & agentname & vend
substrContent = substrContent & "keywords:" & d_pss & vend
substrContent = substrContent & "." & vend
wstr = hzsocket(substrContent)
d_pssincode = wstr
query = "select * from dmelst where d_nme = '" & d_nme & "'"    ' the unchecked value is concatenated straight into the SQL statement: this is the injection
rs.Open query, conn, 3, 1
If rs.RecordCount <> 1 Then
    rs.Close
    ' ... (the excerpt on the original page ends here)
Now let's look at the mssql login page code. Location: D:/hzhost/hzhost_conpanel/mssql/login.asp
Reference:
<%
'Session.Timeout = 20
ifok = 0    ' if ifok = 0 the system is under maintenance and cannot be logged on
sq_nme = Trim(Request.Form("mssqlname"))    ' as we can see, the name is read the same way, without filtering
sq_pss = Trim(Request.Form("mssqlpass"))    ' the password is not filtered either
Chk_usrpss sq_nme, "Database Name", 4, 20    ' pay attention to this line: this check is added here, and it is what filters out the SQL injection
Chk_usrpss sq_pss, "Database Password", 4, 16
substrContent = "entryclass:sys2_mng" & vend
substrContent = substrContent & "entrytype:getincode" & vend
substrContent = substrContent & "entryuser:" & entryuser & vend
substrContent = substrContent & "entrypass:" & entrypass & vend
substrContent = substrContent & "pnlmod:getincode" & vend
substrContent = substrContent & "agentname:" & agentname & vend
substrContent = substrContent & "keywords:" & sq_pss & vend
substrContent = substrContent & "." & vend
wstr = hzsocket(substrContent)
sq_pss = md5(wstr)
query = "select * from v_sqllst where sq_nme = '" & sq_nme & "'"
conn.Open constr
rs.Open query, conn, 3, 1
If rs.RecordCount <> 1 Then
    Call errorpage("sorry, illegal logon. Please return! (106)")
Else
    db_sq_pss = Trim(rs("sq_pss"))
    sqid = rs("sq_id")
    sq_prd = UCase(Trim(rs("sq_prd")))
    sq_sst = rs("sq_sst")
End If
rs.Close
There are also mysql/login.asp, mail/login.asp and so on, and their code is the same. Reading the code, this line is what stops the SQL injection:
Reference:
Chk_usrpss sq_nme, "Database Name", 4, 20
Let's take a look at how Chk_usrpss is written. It is in D:/hzhost/hzhost_master/incs/config.asp!
Reference:
''''''''''''''''''''''''''''''''''''''''''' User name and password check    ' the author's own comment, which makes the purpose of the function clear
Function Chk_usrpss(str, strname, lenmin, lenmax)    ' lenmin is the minimum length, lenmax the maximum length
    b = ""
    c = True
    If str = "" Then
        Session("errmsg") = "sorry, " & strname & " cannot be blank!"
        Response.Redirect "/mst_error.asp?errorid=511"
        Response.End
    End If
    If Len(str) < lenmin Then
        Session("errmsg") = "sorry, " & strname & " should be longer than " & lenmin & "!"
        Response.Redirect "/mst_error.asp?errorid=511"
        Response.End
    End If
    If Len(str) > lenmax Then
        Session("errmsg") = "sorry, " & strname & " length should be less than " & lenmax & "!"
        Response.Redirect "/mst_error.asp?errorid=511"
        Response.End
    End If
    ' up to this point only the length of the value has been checked
    bString = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_"
    For i = 1 To Len(str)
        b = Mid(str, i, 1)
        If InStr(bString, b) <= 0 Then
            c = False
            Exit For
        End If
    Next
    If c = False Then
        Session("errmsg") = "sorry, " & strname & " does not comply with the specifications!"
        Response.Redirect "/mst_error.asp?errorid=511"
        Response.End
    End If
End Function
Here is the key: the characters we enter are restricted to "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_", and anything else produces an error.
In domain/login.asp the nme value is never checked, so the injection goes through. On the other pages Chk_usrpss is applied to the nme value, so every character outside bString is rejected, and that shuts out the injection.
So I can only sigh: just this one line of code is missing, and it brings down the entire server.
Reference:
Chk_usrpss d_nme, "Domain Name", 4, 16
Therefore there must be no slack in programming. Hopefully hzhost
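To make the difference concrete, here is an added Python example (not hzhost's code) that mirrors Chk_usrpss's length and allowlist rules, builds the same concatenated dmelst query as domain/login.asp against a constructed in-memory SQLite table, and contrasts it with the checked, parameterised version; the table columns, sample rows and the d_nme variable name are assumptions.

```python
import re
import sqlite3

# Allowlist copied from the page's Chk_usrpss: letters, digits and underscore.
ALLOWED = re.compile(r"^[A-Za-z0-9_]+$")


def chk_usrpss(value, lenmin, lenmax):
    """Mirror of hzhost's Chk_usrpss; returns (ok, reason) instead of redirecting."""
    value = value.strip()  # the ASP pages Trim() the form field before the check
    if value == "":
        return False, "cannot be blank"
    if len(value) < lenmin:
        return False, "should be longer than %d" % lenmin
    if len(value) > lenmax:
        return False, "length should be less than %d" % lenmax
    if not ALLOWED.match(value):
        return False, "does not comply with the specifications"
    return True, "ok"


def make_demo_db():
    """Constructed in-memory stand-in for the dmelst table (sample rows, not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table dmelst (d_nme text, d_pssmd5 text)")
    conn.executemany("insert into dmelst values (?, ?)",
                     [("example_com", "hash1"), ("demo_net", "hash2")])
    return conn


def rows_unsafe(conn, d_nme):
    """Row count for the concatenated query exactly as domain/login.asp builds it."""
    query = "select * from dmelst where d_nme = '" + d_nme + "'"
    return len(conn.execute(query).fetchall())


def rows_safe(conn, d_nme):
    """Row count with the missing Chk_usrpss call added and the value bound as a parameter."""
    ok, reason = chk_usrpss(d_nme, 4, 16)
    if not ok:
        raise ValueError(reason)
    return len(conn.execute("select * from dmelst where d_nme = ?", (d_nme,)).fetchall())


if __name__ == "__main__":
    conn = make_demo_db()
    print(rows_unsafe(conn, "x' or '1'='1"))  # 2 rows: the quote ends the literal early
    try:
        rows_safe(conn, "x' or '1'='1")
    except ValueError as err:
        print("rejected:", err)  # the allowlist stops it before any SQL is built
```

The allowlist alone is what hzhost relies on; binding the value as a parameter is the additional fix that holds even if the check is forgotten on another page.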