Why is hzhost only injectable in domain name management?

Source: Internet
Author: User
Tags: domain, mysql, login

Source: forks

For example, ftp management, mssql management and the other places cannot be injected. Some people may find this strange. I got a shell and looked at the source code, so today let's analyze it together.
The injectable file is D:/hzhost/hzhost_conpanel/domain/login.asp.
Let's see how its code is written.

Reference:
<%
'Session.timeout = 20
ifok = 0                                        ' if ifok = 0, the system is under maintenance and logon is refused
d_dimethyl = trim(request.form("domainname"))   ' the user name is taken directly from the form; only surrounding spaces are removed. This is where the vulnerability comes from.
d_pss = trim(request.form("domainpass"))
session("xinnetdomainpwd") = ""
d_pssin = d_pss
dnme = d_dimethyl
chk_usrpss d_pss, "Domain Name password", 4, 16 ' here is a check: chk_usrpss checks the length, minimum 4 and maximum 16 characters, otherwise an error is reported!
d_pssmd5 = md5(d_pss)
substrContent = "entryclass:sys2_mng" & vend
substrContent = substrContent & "entrytype:getincode" & vend
substrContent = substrContent & "entryuser:" & entryuser & vend
substrContent = substrContent & "entrypass:" & entrypass & vend
substrContent = substrContent & "pnlmod:getincode" & vend
substrContent = substrContent & "agentname:" & agentname & vend
substrContent = substrContent & "keywords:" & d_pss & vend
substrContent = substrContent & "." & vend
wstr = hzsocket(substrContent)
d_pssincode = wstr
query = "select * from dmelst where d_dimethyl = '" & d_dimethyl & "'"   ' the value is concatenated straight into the SQL statement. This is where the vulnerability is created!
rs.Open query, conn, 3, 1
If rs.RecordCount <> 1 Then
rs.close
Now let's look at the mssql login page code. Location: D:/hzhost/hzhost_conpanel/mssql/login.asp

Reference:
<%
'Session.timeout = 20
ifok = 0                                    ' if ifok = 0, the system is under maintenance and logon is refused
sq_nme = trim(request.form("mssqlname"))    ' as we can see, the same: no filtering here
sq_pss = trim(request.form("mssqlpass"))    ' the password is not filtered either
chk_usrpss sq_nme, "Database Name", 4, 20   ' pay attention to this line. This is the line that was added, and it is what filters out the SQL injection.
chk_usrpss sq_pss, "Database Password", 4, 16
substrContent = "entryclass:sys2_mng" & vend
substrContent = substrContent & "entrytype:getincode" & vend
substrContent = substrContent & "entryuser:" & entryuser & vend
substrContent = substrContent & "entrypass:" & entrypass & vend
substrContent = substrContent & "pnlmod:getincode" & vend
substrContent = substrContent & "agentname:" & agentname & vend
substrContent = substrContent & "keywords:" & sq_pss & vend
substrContent = substrContent & "." & vend
wstr = hzsocket(substrContent)

sq_pss = md5(wstr)
query = "select * from v_sqllst where sq_nme = '" & sq_nme & "'"
conn.open constr
rs.Open query, conn, 3, 1
If rs.RecordCount <> 1 Then
    Call errorpage("sorry, illegal logon. Please return! (106)")
Else
    db_sq_pss = trim(rs("sq_pss"))
    sqid = rs("sq_id")
    sq_prd = ucase(trim(rs("sq_prd")))
    sq_sst = rs("sq_sst")
End If
rs.close
There are also mysql/login.asp, mail/login.asp and so on; their code is the same. Read the code: this one line stops the SQL injection.

Reference:
chk_usrpss sq_nme, "Database Name", 4, 20
Let's take a look at how chk_usrpss is written. It is in D:\hzhost\hzhost_master\incs\config.asp!

Reference:
'''''''''''''''''''''''''''''''''''''''''''' User name and password check   ' the author's own comment; the role of this function is clear from it
Function chk_usrpss(str, strname, lenmin, lenmax)   ' lenmin is the minimum length, lenmax the maximum length
    b = ""
    c = true
    If str = "" Then
        session("errmsg") = "sorry," & strname & "cannot be blank!"
        response.redirect "/mst_error.asp?errorid=511"
        response.end
    End If
    If len(str) < lenmin Then
        session("errmsg") = "sorry," & strname & "should be longer than " & lenmin & "!"
        response.redirect "/mst_error.asp?errorid=511"
        response.end
    End If
    If len(str) > lenmax Then
        session("errmsg") = "sorry," & strname & "length should be less than " & lenmax & "!"
        response.redirect "/mst_error.asp?errorid=511"
        response.end
    End If
    ' Up to this point only the length of the string has been checked.
    bstring = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_"
    For i = 1 To len(str)
        b = mid(str, i, 1)
        If instr(bstring, b) <= 0 Then
            c = false
            Exit For
        End If
    Next
    If c = false Then
        session("errmsg") = "sorry," & strname & "does not comply with the specifications!"
        response.redirect "/mst_error.asp?errorid=511"
        response.end
    End If
    ' Here is the key: the characters we can enter are restricted to "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_"; anything else causes an error.
End Function
The nme value is never checked in domain/login.asp, so that is where we can inject. On the other pages chk_usrpss is applied to the nme value, so every character outside bString is rejected, and that shuts the injection out.
So I have to sigh: just this one line of code is missing, and that is enough to bring down the whole server.

Reference:
chk_usrpss d_dimethyl, "Domain Name", 4, 16
Therefore, there can be no slack in programming. Expected hzhost
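To make the difference between the two login pages concrete, here is an added example (my own Python, not hzhost's code) that ports the length and character whitelist of chk_usrpss, then runs the same concatenated dmelst lookup with and without that gate against a constructed in-memory SQLite table, and shows a parameterized query as the fix that does not depend on the whitelist at all. The helper names setup_db, lookup_unchecked, lookup_checked and lookup_parameterized, and the table row, are assumptions for the demo.

```python
import re
import sqlite3

# Added example, not hzhost's code: a Python port of chk_usrpss from config.asp.
# It returns the error message instead of redirecting to /mst_error.asp.
ALLOWED = re.compile(r"^[A-Za-z0-9_]+$")   # the bString whitelist from config.asp


def chk_usrpss(value, strname, lenmin, lenmax):
    if value == "":
        return f"sorry, {strname} cannot be blank!"
    if len(value) < lenmin:
        return f"sorry, {strname} should be longer than {lenmin}!"
    if len(value) > lenmax:
        return f"sorry, {strname} length should be less than {lenmax}!"
    if not ALLOWED.match(value):          # any quote, space or symbol fails here
        return f"sorry, {strname} does not comply with the specifications!"
    return None


def setup_db():
    # Constructed stand-in for the dmelst table queried by domain/login.asp.
    conn = sqlite3.connect(":memory:")
    conn.execute("create table dmelst (d_dimethyl text, d_pss text)")
    conn.execute("insert into dmelst values ('example_com', 'secret')")
    return conn


def lookup_unchecked(conn, domainname):
    # domain/login.asp: the form value is concatenated straight into the query,
    # so a quote in the input reaches the SQL parser (surfaced here as an error string).
    query = "select * from dmelst where d_dimethyl = '" + domainname + "'"
    try:
        return conn.execute(query).fetchall()
    except sqlite3.Error as exc:
        return "sql error: " + str(exc)


def lookup_checked(conn, domainname):
    # mssql/login.asp: the same concatenated query, but gated by chk_usrpss,
    # which is the one line domain/login.asp is missing.
    err = chk_usrpss(domainname, "Domain Name", 4, 16)
    if err is not None:
        return err
    return lookup_unchecked(conn, domainname)


def lookup_parameterized(conn, domainname):
    # Fix that does not rely on the whitelist: bind the value as a parameter,
    # so it can never change the structure of the statement.
    return conn.execute("select * from dmelst where d_dimethyl = ?", (domainname,)).fetchall()
```

Running the three lookups on the same input with a single quote shows the unchecked path hand the quote to the SQL engine, the checked path reject it before any query runs, and the parameterized path treat it as plain data.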
