Century-web news management system V2.0 upload vulnerability - vulnerability warning - Black Bar Security Net

ID MYHACK58:6220068032
Type myhack58
Reporter Anonymous
Modified 2006-03-16T00:00:00


This is a Black Bar original; my email is lucky_feng@hotmail.com. If you don't think this is nonsense and want to reprint it, please indicate that the author is fengskier; the copyright belongs to the hacker base. Thank you.

A few days ago I wrote an article going from the server to the processor, from receiving spam to intrusion, and then boss fhod pointed out that these are all old ideas. All of a sudden I felt a bit useless. A year ago I was using these techniques, and a year later I am still using the same techniques; the only difference is that the broilers are fewer and fewer. More than a year has passed and I have learned nothing; I am sorry for myself. From now on I want to learn a lot in the black group. Enough self-criticism; on to the subject.

I found this vulnerability at the beginning of the year. It helped me take down the servers of almost all government agencies in this area, and almost all of the primary and secondary school servers here, because the sites of the business units in this area were all made by the same company, and the code is the same underneath a different skin. Later, by accident, the vulnerability also helped me take down another city's Information Office server; I don't know what the difference is between doing information work and doing security. In fact, this is a very old upload vulnerability; experts, please don't laugh.

1: The discovery process

The company's web site was actually done quite well, but it used Century-web news management system as its web template, and that set of code is very weak. Century-web news management system generates static htm for the front end, but for some reason this company wrote their own asp to call the database and display news on the home page. Since they had changed the whole site to look like their own code, at first I did not know it was Century-web news management system, so it was still the same old idea: start with injection. With "and 1=1" and "and 1=2" the pages were different (I did not capture some of the screenshots, because I no longer have NBSI; I am writing from how I did the intrusion before, sorry). So it was injectable, and the database turned out to be SQL Server; although I have a good PC, I could not waste it cracking the MD5. Then I queried a couple of tables and found a field containing the code name "Century easy Network News", so this is that code, the SQL version? I then downloaded Century easy Network News system 2.0 upgrade version from the net, and it has the same vulnerability; the only difference is that it uses Access. Look at upfile.asp under the admin directory; the source code:

<%
dim upload,file,formName,formPath,iCount,filename,fileExt
set upload=new upload_5xSoft             ' create the upload object
formPath=upload.form("filepath")         ' target directory taken from the form, must end with (/)
if right(formPath,1)<>"/" then formPath=formPath&"/"
response.write "<BODY bgColor=menu topmargin=15 leftmargin=15><br>"
iCount=0
for each formName in upload.file         ' iterate over all uploaded files
  set file=upload.file(formName)         ' create a file object
  if file.filesize<100 then
    response.write "<FIELDSET align=center><LEGEND align=center>file upload error occurred</LEGEND><br>please choose the file to upload [ <a href=# onclick=history.go(-1)>re-upload</a> ]</fieldset>"
    response.end
  end if
  if file.filesize>200000 then
    response.write "<FIELDSET align=center><LEGEND align=center>file upload error occurred</LEGEND><br>the file size exceeds the 200K limit [ <a href=# onclick=history.go(-1)>re-upload</a> ]</fieldset>"
    response.end
  end if
  fileExt=lcase(right(file.filename,4))  ' only the last four characters of the client's file name are checked
  if fileExt<>".gif" and fileExt<>".jpg" and fileExt<>".png" and fileExt<>".bmp" then
    response.write "<FIELDSET align=center><LEGEND align=center>file upload error occurred</LEGEND><br>File format is not valid [ <a href=# onclick=history.go(-1)>re-upload</a> ]</fieldset>"
    response.end
  end if
  randomize
  ranNum=int(90000*rnd)+10000
  filename=formPath&year(now)&month(now)&day(now)&hour(now)&minute(now)&second(now)&fileExt
  ' the line below overrides the generated name: both the directory and the file name now come from the client
  filename=formPath&year(now)&month(now)&day(now)&hour(now)&minute(now)&second(now)&file.FileName
  if file.FileSize>0 then                 ' FileSize > 0 means there is file data
    file.SaveAs Server.MapPath(filename)  ' save the file
    iCount=iCount+1
  end if
  set file=nothing
next
set upload=nothing                        ' release the object
HtmEnd iCount&" file upload finished!"

sub HtmEnd(Msg)
  set upload=nothing
  response.write "<center><FIELDSET align=center><LEGEND align=center><font color=red>file uploaded successfully</font></LEGEND><br>[ <a href=# onclick=""Addpic('"&filename&"')"">Click here to add to the editor</a> ]</fieldset>"
  response.end
end sub
%>

Actually I did not fully understand it either; I had just read the XFocus analysis of the Dongwang (DVBBS) upload vulnerability, http://www.xfocus.net/articles/200405/700.html. The Dongwang upload component and this upfile.asp are almost exactly the same, so needless to say, use Guilin Veteran's upload tool. The upload tool needs little explanation: look at the path carefully yourself, and then you successfully get a webshell.

2: Patching the vulnerability

Method one: rename upfile.asp to something others cannot guess. This is only a temporary workaround.

Method two: fix it the way Dongwang (DVBBS) did. Refer to DVBBS 7.0 SP2 and above.

Method three: session validation. This is safer, but I don't know how to implement it; I only roughly know the principle, because I am a newbie too.
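The root cause in upfile.asp above is that the server lets the client choose the save directory (the "filepath" form field) and the file name, and only looks at the last four characters of that name. The Python below is an added example, not code from the page or from Century-web/Dongwang: it mirrors the original path logic in one function and shows, beside it, the hardened logic that Method two amounts to (server-chosen directory and name, allowlisted extension, no control characters, final path confined to the upload root). UPLOAD_ROOT and the sample inputs are constructed for this example.

```python
"""Client-controlled upload path (as in upfile.asp) versus a hardened version.
Added example; UPLOAD_ROOT and all sample values are constructed."""
import os
import re
import secrets
from datetime import datetime

UPLOAD_ROOT = "/var/www/uploadfiles"           # fixed on the server, never read from the form
ALLOWED_EXT = {".gif", ".jpg", ".png", ".bmp"}  # the allowlist upfile.asp intends
MIN_SIZE, MAX_SIZE = 100, 200_000               # the 100 byte / 200K limits from upfile.asp


def vulnerable_save_path(form_filepath: str, original_name: str):
    """Mirror of upfile.asp: directory comes from the form, name from the client,
    and only the last four characters are checked. Returns None when rejected."""
    if not form_filepath.endswith("/"):
        form_filepath += "/"
    if original_name[-4:].lower() not in ALLOWED_EXT:
        return None
    # The client decides where on the web tree the file lands.
    return form_filepath + original_name


def safe_save_path(original_name: str, size: int):
    """Hardened handler: the server picks directory and name; the client's
    name only decides which allowlisted extension is used.
    Returns (True, absolute_path) or (False, reason)."""
    if size < MIN_SIZE or size > MAX_SIZE:
        return False, "size out of range"
    # Control characters (NUL in particular) must never reach a file API,
    # where they could cut the path short of the checked extension.
    if re.search(r"[\x00-\x1f\x7f]", original_name):
        return False, "control character in file name"
    ext = os.path.splitext(original_name)[1].lower()
    if ext not in ALLOWED_EXT:
        return False, "file format is not valid"
    stamp = datetime.now().strftime("%Y%m%d%H%M%S")
    name = f"{stamp}_{secrets.token_hex(4)}{ext}"  # server-generated, unguessable name
    root = os.path.realpath(UPLOAD_ROOT)
    path = os.path.realpath(os.path.join(root, name))
    # Defence in depth: whatever happened above, the file stays under the root.
    if os.path.dirname(path) != root:
        return False, "path escapes upload root"
    return True, path
```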

3: If you search for this vulnerability on Google or Baidu you will basically find nothing, because this code is not very popular and many sites have changed their look. After an intrusion, look at whether the site has the default interface or icons of Century-web news management system; when I got the second Information Office server it felt familiar. If you can use it, all the better; if not, just treat this article as news.

Well, that's it; I hope everyone will point things out, and don't tell me this vulnerability was published before! PS: I have no Chinese system to use right now, so much of the software cannot be used, and of course I cannot capture screenshots of the effect. Does anyone have a 3389 broiler to give me? I will return it and do no damage, because my own broilers were not written down. Or help me test it and grab a few pictures. Yesterday I sent a short message to no*, then waited a while and went back; now I am online and he is not, which is depressing, but thanks to him. There is another person I also texted, but he has not replied yet. Hey, hurry up and reply to the SMS.