Ce-Admin news publishing system vulnerability analysis - vulnerability warning - Black Bar Safety Net (myhack58)

2007-02-06T00:00:00
ID MYHACK58:62200714108
Type myhack58
Reporter Anonymous (佚名)
Modified 2007-02-06T00:00:00

Description

The news publishing system is currently used mainly for publishing picture news. Because it generates static HTML, browsing is very fast, which has led to a number of modified versions: at least 4 modified versions are known so far, with a large user base. Although modified, they all still carry the same security risks.

Ce-Admin original version download address: http://down.chinaz.com/s/15868.asp
J111 version download address: http://www.lwcode.com/codeinfo/1045.html
52mt version download address: http://www.indowns.com/Soft/1/25/2005/200512265441.html
lc520 version download address: http://www.soucode.com/Software/Catalog18/7102.html
"Play" version, program demo address: http://www.ebpv.com

Since the security risks are the same in every version, the vulnerability analysis below mainly covers the program files of the original version; the other versions get only a brief introduction.

1. Vulnerability analysis of the original version

* del.asp and save.asp in the management directory do not check who is calling them. The management directory of the Ce-Admin version is ce-admins, that of the j111 and lc520 versions is j111admins, that of the 52mt version is Admin_52mt, and many modified versions simply use Admin. It can usually be found by requesting http://target/admin_login.asp and reading the management directory out of the page source. Because del.asp and save.asp perform no such check, an anonymous attacker can delete news items and news categories, and can also add or modify news without authorization.

Look at the delete-category code in del.asp:

Figure 1: the delete-category part of the code

Submitting the following URL deletes the category with ID 15 and name "security". The category name can be found on the home page; the category ID can be constructed and enumerated, and is generally a number between 1 and 50:
http://target/ce-admins/Del.asp?ID=15&Type=NewsClass&News_Class=security (url1)

In addition, the code above does not validate ID at all, which allows SQL injection; but because there is no way to look up the mapping between an ID and its category name, it is hard for an attacker to exploit. As analysed, the only way to confirm which ID belongs to which category name is to submit url1, but a successful submission deletes that category, and since the attacker has no permission to add categories, exploitation cannot continue from there.

Look at the delete-news code in del.asp:

Figure 2: the delete-news part of the code

Two parameters are required: Type, which is fixed to News, and File_Name, the file name of the generated news page, which can be taken from the news URLs on the home page. Submitting the following URL therefore deletes both the database record and the generated HTML file:
http://target/ce-admins/Del.asp?File_Name=20060309131700.html&Type=News

Because there is no caller check, a form constructed locally can add and modify news. Look at this part of the code:

Figure 3: the add-news part of the code

Four parameters are needed. The form is constructed as follows and posted to: http://target/ce-admins/save.asp?Type=add

Figure 4: the constructed form

To modify the news item with a given ID, only the post address of the form above needs to change, to: http://target/ce-admins/save.asp?Type=edit&ID=11

The ID can be found in the source of the generated HTML news page:

Figure 5: the news ID contained in the generated HTML file

* save.asp in the management directory exposes the web path. When batch generation is performed, save.asp reveals the server path, and because there is no caller check an anonymous user only has to submit the following URL to learn the website's web path (b_id is the starting news ID of the batch to generate, e_id the ending ID):
http://target/ce-admins/Save.asp?Type=update&b_id=1&e_id=11111

Figure 6: the website's web path is exposed

* Session spoofing. Ce-Admin authenticates the system administrator through the session; the specific file is check.asp:

Figure 7: session validation

An ASP file containing the following can be constructed; after browsing to it, visiting admin_index.asp under ce-admins enters the management page.

Mitigating factors: the attacker first needs to obtain webshell permissions on another site on the same web server, so the main affected targets are virtual hosts.

* Session spoofing in the eWebEditor editor. Ce-Admin ships with the eWebEditor editor, free version 2.8.0, a WYSIWYG web page editor. Its administrator check also relies on the session; the specific file is Admin_Private.asp, and the relevant code is as follows:

Figure 8: session validation

An ASP file containing the following can be constructed; after browsing to it, visiting Admin_Default.asp under uploadfile enters the management page.

Mitigating factors: the attacker first needs to obtain webshell permissions on another site on the same server, so the main affected targets are virtual hosts.

* Directory traversal and file deletion in the eWebEditor admin_uploadfile.asp. This file manages uploaded files, but its dir parameter allows directory traversal by submitting http://target/uploadfile/admin_uploadfile.asp?id=14&dir=../../ The result is shown below, and unauthorized file deletion can then be carried out.

Figure 9: directory traversal

Mitigating factors: eWebEditor back-end (administrator) permissions are needed first.

* File upload in the eWebEditor upload.asp. Uploads are handled by upload.asp; in addition to the extension settings shown in Figure 11, there is also a restriction on asp files:

Figure 10: the asp file restriction

This is meant to ensure that asp files can never be uploaded, but it can be bypassed. Since the program strips the string asp from the allowed-extension list, we set the allowed upload extension to aaspsp: the check replaces asp with an empty string, so aaspsp collapses to asp, and asp files can be uploaded.

Figure 11: upload file extension settings

Figure 12: after the setting above, asp files can be uploaded

Of course, the allowed extensions can also be set to asa, cer and so on, which asp.dll parses as well, to the same end. Mitigating factors: eWebEditor back-end permissions are needed first.

Note: the eWebEditor vulnerabilities above also exist in the latest free version 2.8 corrected release; the commercial version was not tested.

2. Brief analysis of the other modified versions

The other modified versions, such as the "Play" version, simply rename the database to #$%mmpic%$#.asp (j111mm.asp in the j111 version), the intention being to prevent it from being downloaded. Although http://target/data/#$%mmpic%$#.asp cannot be downloaded as is, it can be downloaded with FlashGet using the following URL: http://target/data/%23%24%25mmpic%25%24%23.asp. This is a URL-encoding issue: #, $ and % are neither digits nor letters, so they must be encoded (letters and digits need no encoding, although they are still recognised if encoded). The encoding rule is % followed by the character's ASCII code in hex; the ASCII codes of #, $ and % are 35, 36 and 37, which in hex are 23, 24 and 25, so #$%mmpic%$# URL-encodes to %23%24%25mmpic%25%24%23. URL encoding is also often used by attackers in phishing; that is not expanded on here.
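To show why the raw file name fails in a client while the percent-encoded one reaches the server, the following is an added example written for this page (not code from the article or from any Ce-Admin version), using only the Python standard library. The host name target and the helper names are assumptions.

```python
"""Why the renamed database is only reachable through the percent-encoded
name. Added example, not from the article; standard library only."""
from urllib.parse import quote, unquote, urlsplit

DB_NAME = "#$%mmpic%$#.asp"          # file name used by the modified versions


def encode_name(name: str) -> str:
    """Percent-encode every character that is not a letter, digit or one of
    '-._~': '%' followed by the two hex digits of the ASCII code."""
    return quote(name, safe="")


def requested_path(url: str) -> str:
    """The path a client actually sends for a URL. '#' starts the fragment,
    which is never sent to the server, so a raw name is truncated at the
    first '#' and the request is for the directory instead of the file."""
    return urlsplit(url).path


def server_side_name(url: str) -> str:
    """The file name the server resolves after decoding the request path;
    '' when the path names a directory rather than a file."""
    return unquote(requested_path(url).rsplit("/", 1)[-1])


if __name__ == "__main__":
    raw = "http://target/data/" + DB_NAME
    enc = "http://target/data/" + encode_name(DB_NAME)
    print("raw  request path:", requested_path(raw))   # /data/
    print("encoded path     :", requested_path(enc))
    print("server resolves  :", server_side_name(enc))
```

Note the second point the encoding makes: a `%` that is not followed by two hex digits is itself ambiguous to the server, so the `%` inside the name must be encoded as `%25` even in the middle of the string.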

Ce-Admin stores the password in plaintext, so after downloading the database and opening it with Access the admin password is read directly. Log in to the management page and add a news item, or construct a form to add one, with an ASP one-line trojan as the title; once it is published, http://target/data/#$%mmpic%$#.asp becomes a webshell, from which an ASP trojan can be uploaded for further unauthorized activity, or privileges escalated to obtain system administrator rights.

3. Vulnerability prevention

* del.asp and save.asp. For the missing caller check in del.asp and save.asp and the web path exposure, add a header include of check.asp (`<!--#include file="check.asp"-->`) to both files; the directive itself was swallowed by SSI processing when the original page was rendered, so only the error message appeared there.

check.asp reads as follows:

[figure: contents of check.asp]

* Session spoofing

Session spoofing is related to cookie spoofing; relatively speaking the session is more secure than the cookie, so we do not recommend switching to cookie-based authentication. We recommend choosing a virtual host with more secure settings and strengthening server security management.

* Directory traversal. In admin_uploadfile.asp find the line sDir = Trim(Request("dir")) and change it to: sDir = Replace(Trim(Request("dir")), "..", "/")
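The following added example (written for this page, not eWebEditor code) models in Python how the dir parameter of admin_uploadfile.asp is joined to the upload directory, what the Replace fix above does to the ../../ payload from section 1, and a stronger check that canonicalises the result and refuses anything outside the upload root, so that safety does not depend on spotting a particular string. The POSIX-style root /inetpub/wwwroot/site/uploadfile and the assumption that the original concatenates the two strings are mine, not the article's.

```python
"""Model of the admin_uploadfile.asp dir handling (added example, not
eWebEditor code). Paths are modelled POSIX-style; the real file runs on
IIS, where both / and \\ separate directories, so backslashes are
normalised before anything else is done with the value."""
import posixpath

UPLOAD_ROOT = "/inetpub/wwwroot/site/uploadfile"   # assumed layout


def _join(dir_param: str) -> str:
    """Assumed behaviour of the original: plain concatenation of the upload
    root and the user-supplied dir, followed by path normalisation."""
    return posixpath.normpath(UPLOAD_ROOT + "/" + dir_param.replace("\\", "/"))


def vulnerable_dir(dir_param: str) -> str:
    """sDir = Trim(Request("dir")): the value is used as supplied, so
    '../../' walks two levels above the upload directory."""
    return _join(dir_param.strip())


def page_fix_dir(dir_param: str) -> str:
    """The article's fix: every '..' becomes '/', so '../../' turns into
    '////' and normalises back onto the upload root."""
    return _join(dir_param.strip().replace("..", "/"))


def hardened_dir(dir_param: str) -> str:
    """Canonicalise first, then require the result to be the upload root or
    a path beneath it; anything else is refused instead of rewritten."""
    candidate = _join(dir_param.strip())
    if candidate != UPLOAD_ROOT and not candidate.startswith(UPLOAD_ROOT + "/"):
        raise ValueError(f"dir escapes upload root: {dir_param!r}")
    return candidate


def is_safe_dir(dir_param: str) -> bool:
    """True when hardened_dir accepts the value, False when it refuses."""
    try:
        hardened_dir(dir_param)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for payload in ("../../", "..\\..\\", "2006/03", ""):
        print(f"{payload!r:12} raw={vulnerable_dir(payload)}  "
              f"page_fix={page_fix_dir(payload)}  safe={is_safe_dir(payload)}")
```

The prefix check is the one to keep even if the Replace line stays in: it rejects the request rather than quietly mapping it somewhere inside the upload directory, which makes attempts visible in the logs instead of silently succeeding on a different folder.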

* eWebEditor upload. In upload.asp, replace sAllowExt = Replace(UCase(sAllowExt), "ASP", "") with the following:

[figure: replacement statement]

Because many virtual hosts are "all-in-one" hosts that also support aspx, jsp, cgi and php, those extensions need to be filtered out as well; the statement above replaces asp and the others with the string "error" (so that stripping a substring can no longer collapse an entry like aaspsp into a valid extension).
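To make the three filter behaviours concrete, the following is an added example written for this page; it is not code from Ce-Admin or eWebEditor. It models in Python the allow-list handling the article describes for upload.asp in section 1 and here: the vulnerable Replace(UCase(sAllowExt), "ASP", "") that lets aaspsp become asp, the "error" replacement recommended above, and a whitelist check that never edits the configured list and refuses reserved extensions outright. The set RESERVED (asp, asa, cer, aspx, jsp, php and cgi come from the article; cdx is an assumption added for the example) and the function names are assumptions; the hardened variant also goes beyond the page by refusing names with an inner reserved extension or a non-alphanumeric extension.

```python
"""Model of the eWebEditor 2.8 upload-extension filter. Added example, not
project code. VBScript's Replace and Python's str.replace both make one
non-overlapping left-to-right pass, which is exactly what the bypass relies on."""

# Extensions the ASP engine (or the other engines on an all-in-one host) would
# execute. asp/asa/cer/aspx/jsp/php/cgi come from the article; cdx is an
# assumption added for the example.
RESERVED = {"ASP", "ASA", "CER", "CDX", "ASPX", "JSP", "PHP", "CGI"}


def _extension(filename: str) -> str:
    """Last dot-separated component, upper-cased; '' when there is no dot."""
    return filename.rsplit(".", 1)[1].upper() if "." in filename else ""


def vulnerable_allowed(s_allow_ext: str, filename: str) -> bool:
    """eWebEditor 2.8 logic: delete 'ASP' from the admin-configured allow list,
    then accept the file if its extension is in what is left. The allow-list
    entry 'aaspsp' survives the single deletion pass as 'asp'."""
    cleaned = s_allow_ext.upper().replace("ASP", "")
    return _extension(filename) in cleaned.split("|")


def page_fix_allowed(s_allow_ext: str, filename: str) -> bool:
    """The article's fix as modelled here: replace each reserved name with
    'ERROR' instead of ''. 'aaspsp' becomes 'aerrorsp', which no real upload
    can match. Longest names go first so 'ASPX' is not cut to 'ERRORX'."""
    cleaned = s_allow_ext.upper()
    for ext in sorted(RESERVED, key=len, reverse=True):
        cleaned = cleaned.replace(ext, "ERROR")
    return _extension(filename) in cleaned.split("|")


def hardened_allowed(s_allow_ext: str, filename: str) -> bool:
    """Whitelist check that never rewrites the configured list: the final
    extension must equal one configured entry exactly, reserved extensions are
    refused whatever the admin typed, every extension component after the base
    name must be alphanumeric (rejects 'shell.asp;.jpg'), and no inner
    component may be reserved (rejects 'shell.asp.jpg')."""
    allowed = {e.strip().upper() for e in s_allow_ext.split("|") if e.strip()}
    allowed -= RESERVED
    parts = [p.upper() for p in filename.split(".")[1:]]
    if not parts or not all(p.isalnum() for p in parts):
        return False
    if any(p in RESERVED for p in parts):
        return False
    return parts[-1] in allowed


if __name__ == "__main__":
    cases = [("jpg|gif|aaspsp", "shell.asp"), ("jpg|gif", "photo.jpg"),
             ("jpg|gif", "shell.asp.jpg"), ("jpg|gif", "shell.asp;.jpg")]
    for allow, name in cases:
        print(f"{allow:16} {name:16} vulnerable={vulnerable_allowed(allow, name)} "
              f"page_fix={page_fix_allowed(allow, name)} hardened={hardened_allowed(allow, name)}")
```

The point of the last variant is that the configured list is data, not something to patch by substring: an entry either is a permitted extension or it is dropped, and the uploaded name is judged on every extension it carries rather than on whatever string survives a replace.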

* In addition, we recommend changing the program's default administrator account and the database file name. We do not recommend renaming the database to .asp to prevent downloading, but if it must be changed to .asp, the safe way is as follows. First create a new text file whose content is the unclosed symbol explained at the end of this section; then, in the database file that is to become .asp, create a new table with any name and one field of any name whose data type is OLE Object, as shown:

[figure: new table with an OLE Object field]

Add a record to the table, press ALT+T, choose Object -> Create from File -> select the text file just created, and after insertion it is displayed as follows:

[figure: inserted OLE object]

The reason this works: the .asp file is parsed by the ASP engine, and because the symbol is not closed an error occurs, which effectively prevents the download.