YuQaIFS V1.0 vulnerability 0day and repair

Release date: 2011-01.25
Author: f4tb0y

Affected Version: YuQaIFS V1.0
 

Vulnerability Type: design defect
Vulnerability Description: YuQaIFS_Save.asp directly writes the submitted data to the database without filtering.
Some vulnerability codes Select Case Send_id

 

Case "send" Set rs = Server. createObject ("ADODB. recordset ") SQL =" Select * from YuQaIFS_Feedback "Rs. open SQL, conn, 1, 3 Rs. addnew Rs ("Feedback_Title") = Request ("Feedback_Title") Rs ("Feedback_Type") = Request ("Feedback_Type") Rs ("Feedback_Name") = Request ("Feedback_Name ") rs ("Feedback_Mail") = Request ("Feedback_Mail") Rs ("Feedback_From") = Request ("Feedback_From") Rs ("Feedback_Address") = Request ("Feedback_Address ") rs ("Feedback_Phone") = Request ("Feedback_Phone") Rs ("Feedback_Info") = Request ("Feedback_Info") Rs ("Feedback_zt") = 0 Rs ("Feedback_datetime ") = now () Rs ("Feedback_ip") = Request. serverVariables ("REMOTE_ADDR") Rs ("Feedback_fs") = "Send" Rs. update Rs. close Set rs = Nothing Session ("Send") = 1 as for the database link file, YuQaIFS_Conn.asp under the root directory

Connect to YuQaIFS_DataBase.asp in the YuQaIFS_Data directory or add a j

For details, refer to the file code database YuQaIFS_Conn.asp.

<% Set conn = Server. createObject ("ADODB. connection ") dbpath = Server. mapPath ("YuQaIFS_Data/YuQaIFS_DataBasej.asp") conn. open "DRIVER = {Microsoft Access Driver (*. mdb)}; DBQ = "& dbpath %> usage:
Information (except for the email address.11@11.comIn this way, a single sentence can be written.
Then use the kitchen knife to linkWww.xxx.com/xx/YuQaIFS_Data/YuQaIFS_DataBase.aspYou can get Webshell.
You can download the database with the webshell command, and crack the md5 command to win the admin command.
It is said that many database surprises have already been won ..

Log on to asp ">Www.xxx.com/xx/YuQaIFS_Admin/YuQaIFS_Admin_login.aspThe background interface is shown as follows:
 

 

Fix: Filter