Analysis of Ronin article system V2.3 vulnerabilities (warning) - the black bar safety net

2007-10-26T00:00:00
ID MYHACK58:62200717397
Type myhack58
Reporter 佚名
Modified 2007-10-26T00:00:00

Description


Author: Ice Origin. Description: this article was published in Hacker's Manual 2007, issue 11; please indicate the source when reprinting!

I just learned ASP on my own; hey, nobody taught me, really cool! Not quite: I read a few books by myself, plus the ASP analysis articles in each issue of Non-Security, and I could 'understand' the code, so my heart itched and I went straight to Baidu! A Ronin article system V2.3! Let's look it over slowly!

Since I had no experience, I started with a black-box test! Opened it locally; oh, the interface is nice too! As shown in Figure 1.

[Figure 1]

I casually clicked on an article and saw it had this form: read.asp?id=120. So what, I directly appended "and 1=1" to try, as shown in Figure 2.

[Figure 2]

Wow, it jumped straight to the official website! What is going on? It seems something is monitoring the URL data. No choice this time but to bite the bullet and read the code. The key code of read.asp is as follows:

<!--#include file="Inc/Config.asp"-->
<%
dim sql
dim rs
dim SortName,SortID,AsSortName,AsSortID
' the only check on ID is that it is not empty
if Request.QueryString("ID")="" then
    response.write "No related article selected"
    response.end
end if

set rs=server.createobject("adodb.recordset")
' ID is concatenated straight into the UPDATE and the SELECT below, with no type check
sql="update "&GuTablePrefix&"_Article set ArticleReadNum=ArticleReadNum+1 where ArticleID="&Request.QueryString("ID")
rs.open sql,conn,1,3
sql="select SortID,AsSortID,ArticleTitle,ArticleWriter,ArticleWriterContact,ArticleFrom,ArticleFromURL,ArticleContent,ArticleCommend,ArticleShow,ArticleReadNum,ArticleDate from "&GuTablePrefix&"_Article where ArticleID="&Request.QueryString("ID")
rs.open sql,conn,1,1
if rs.eof and rs.bof then
    response.write "Related article not found"
    response.end
else
    ArticleTitle=rs("ArticleTitle")
    LKeys=rs("ArticleTitle")
    SortID=rs("SortID")
    AsSortID=rs("AsSortID")
    ArticleWriter=rs("ArticleWriter")
    ArticleWriterContact=rs("ArticleWriterContact")
    ArticleFrom=rs("ArticleFrom")
    ArticleFromURL=rs("ArticleFromURL")
    ArticleCommend=rs("ArticleCommend")
    ArticleReadNum=rs("ArticleReadNum")
    ArticleDate=rs("ArticleDate")
    ArticleContent=rs("ArticleContent")

    set rsC=server.createobject("adodb.recordset")
    sql="select SortName from "&GuTablePrefix&"_Sort where SortID="&SortID
    rsC.open sql,conn,1,1
    SortName=rsC("SortName")
    rsC.close
    set rsS=server.createobject("adodb.recordset")
    sql="select AsSortName from "&GuTablePrefix&"_AsSort where AsSortID="&AsSortID
    rsS.open sql,conn,1,1
    AsSortName=rsS("AsSortName")
    rsS.close
end if
rs.close
%>

Obviously, it only checks that id is not empty before going straight into the database update, so supposedly we have an opening; the only problem is the included file (here I should thank a classmate; I had thought the included files were fine and did not expect the problem to lie in this file). So we come to Inc/Config.asp:

<!--#include file="conn.asp"-->
<!--#include file="Function.asp"-->
<%
' WebUrl holds the site URL; its real name was garbled in extraction and is assumed here
dim WebName,WebUrl,WebMKeyWords,WebMDescription
dim GuTablePrefix,LRECNUserNameD,LRECNUserGradeD
dim SM_SServer,SM_SUsername,SM_SPassword,RM_Subject,RM_SendEmail,RM_SendName,RM_Body
dim RArticleDate,RArticleUserName,RArticleAddIP,RArticleReadNum
dim MessageQQ,SearchIP,ReadExplain
WebName="Ronin articles"
WebUrl="http://www.lre.cn/article/"
WebMKeyWords="Ronin articles"
WebMDescription="Ronin articles"
GuTablePrefix="LRE_CN"
LRECNUserNameD=session("LRECNUserNameSe")
LRECNUserGradeD=session("LRECNUGUserGrade")
SM_SServer="mail.lre.cn"
SM_SUsername="article@lre.cn"
SM_SPassword="sendmail"
RM_Subject=""
RM_SendEmail=""
RM_SendName=""
RM_Body="1"
ArticleWriter="unknown"
' ArticleWriterC   (this assignment is truncated in the source)
ArticleFrom="network"
ArticleFromURL=""
RArticleDate="0"
RArticleUserName="0"
RArticleAddIP="0"
RArticleReadNum="0"
MessageQQ="http://wpa.qq.com/msgrd?V=1&Site=WWW&Menu=yes&Uin="
SearchIP="http://www.ip.cn/ip.php?q="
ReadExplain=""
'Username:peonun
'DateTime:2006-9-14 00:00:20
%>
<!--#include file="../SQL.asp"-->

Note: when I first looked, I only saw the includes at the head of this file and did not read down to the end; the author carefully placed this one include last in the file, which caused me to make such a low-level error. So let's keep following and see how this file does the monitoring. The key code of SQL.asp is as follows:

<%
Dim Fy_Url,Fy_a,Fy_x,Fy_Cs(),Fy_Cl,Fy_Ts,Fy_Zx

Fy_Cl=2   ' handling mode: 1=message, 2=redirect, 3=prompt first, then redirect to the specified page
Fy_Zx=""&WebUrl&""   ' redirect target on error; set to the site URL from Config.asp (variable name assumed, see above)

On Error Resume Next
Fy_Url=Request.ServerVariables("QUERY_STRING")   ' original author's comment (likewise below): get the URL that was passed
Fy_a=split(Fy_Url,"&")   ' split on "&"; the pieces are stored in Fy_a
redim Fy_Cs(ubound(Fy_a))   ' redefine Fy_Cs with the upper bound of Fy_a
On Error Resume Next   ' fault-tolerance statement
For Fy_x=0 to ubound(Fy_a)
    Fy_Cs(Fy_x)=left(Fy_a(Fy_x),instr(Fy_a(Fy_x),"=")-1)   ' Fy_Cs(Fy_x) = parameter name, the text before "="
Next
For Fy_x=0 to ubound(Fy_Cs)
    If Fy_Cs(Fy_x)<>"" Then
        ' the most critical statement: each parameter name taken from the URL is used to fetch
        ' its value via Request(), the value is forced to lower case, and Instr tests whether it
        ' contains ', &, = and so on; if it does, the Select Case below handles it
        If Instr(LCase(Request(Fy_Cs(Fy_x))),"'")<>0 or Instr(LCase(Request(Fy_Cs(Fy_x))),"&")<>0 or _
           Instr(LCase(Request(Fy_Cs(Fy_x))),"=")<>0 or Instr(LCase(Request(Fy_Cs(Fy_x))),"(")<>0 or _
           Instr(LCase(Request(Fy_Cs(Fy_x))),")")<>0 or Instr(LCase(Request(Fy_Cs(Fy_x))),">")<>0 or _
           Instr(LCase(Request(Fy_Cs(Fy_x))),"select")<>0 or Instr(LCase(Request(Fy_Cs(Fy_x))),"update")<>0 or _
           Instr(LCase(Request(Fy_Cs(Fy_x))),"chr")<>0 or Instr(LCase(Request(Fy_Cs(Fy_x))),"delete%20from")<>0 or _
           Instr(LCase(Request(Fy_Cs(Fy_x))),";")<>0 or Instr(LCase(Request(Fy_Cs(Fy_x))),"insert")<>0 or _
           Instr(LCase(Request(Fy_Cs(Fy_x))),"mid")<>0 Or Instr(LCase(Request(Fy_Cs(Fy_x))),"master.")<>0 Then
            Select Case Fy_Cl
                Case "1"
                    Response.Write ""   ' the script strings written here did not survive extraction
                Case "2"
                    Response.Write ""
                Case "3"
                    Response.Write ""
            End Select
            Response.End
        End If
    End If
Next
%>

The initial value of Fy_Cl above is 2, so obviously it jumps to the official website. Now you know why! And I saw that almost all files include Config.asp, so it seems injection has no chance! Not reconciled, I kept looking; perhaps there are other holes. When I saw upfile.asp my interest came back. The key code is as follows:

<html>
<head>
<title>Upload File</title>
<meta http-equiv="Content-Type" c>
<!--#include FILE="Inc/Style.asp"-->
<Script Language="VBScript">
<!--
Sub SelAddress()
    document.form.filepath.value=document.form.DownAddress.value
End Sub
//-->
</Script>

Haha, there is such a vulnerability: just enter http://127.0.0.1/22/upfile.asp directly in the address bar, as shown in Figure 3.

[Figure 3]

So what, I uploaded the web shell directly. I did not expect this result, as shown in Figure 4.

[Figure 4]

Is the free version treated like this? Hey, the uploaded file is not even written. Really! So I went around once more. Hey, a message board! Maybe cross-site scripting works, oh! Try it, as shown in Figure 5.

[Figure 5]

Click confirm. Hey, why no dialog? It only returned the message: "User message submitted. Thanks." Maybe it is shown to the administrator! So hurry to the back end and look. See "User message management"; haha, there it is, the vulnerability fires. As shown in Figure 6.

[Figure 6]

The reason this succeeds is that the filter file above does not process the content we submit; it only processes the URL, so this vulnerability is produced. Having found only such a hole I was unhappy, so I ran to the official website to look, saw that the upload page was present there, opened it, wow, and thought to myself, now you're done, as shown in Figure 7.
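As an added illustration, not code from the article or from the Ronin system, here is a Python model of the SQL.asp check quoted earlier; it shows why the read.asp probe with "and 1=1" is caught while content posted through the message form is never examined, and pairs it with the integer check that read.asp should have applied to ID itself. The Request() lookup order (QueryString, then Form, then Cookies) is assumed from classic ASP's behaviour.

```python
from urllib.parse import parse_qsl

# Token list exactly as in the SQL.asp check quoted above.
SQLASP_TOKENS = ["'", "&", "=", "(", ")", ">", "select", "update", "chr",
                 "delete%20from", ";", "insert", "mid", "master."]


def asp_request(name, query, form, cookies):
    """Model of classic ASP Request("name"): QueryString first, then Form, then Cookies
    (assumed lookup order; it is what makes same-named form fields invisible here)."""
    for collection in (query, form, cookies):
        if name in collection:
            return collection[name]
    return ""


def sqlasp_blocks(query_string, form=None, cookies=None):
    """Re-implementation of the SQL.asp filter: True where the real page would redirect.
    Parameter names come only from QUERY_STRING, so a value that arrives solely in the
    POST body (the message board text) or in a cookie is never inspected."""
    form, cookies = form or {}, cookies or {}
    query = dict(parse_qsl(query_string, keep_blank_values=True))
    # Fy_a = split(Fy_Url, "&");  Fy_Cs(x) = left(part, instr(part, "=") - 1)
    for part in query_string.split("&"):
        if "=" not in part:
            continue  # instr()=0 makes left() fail; On Error Resume Next leaves the name empty
        name = part.split("=", 1)[0]
        if not name:
            continue  # Fy_Cs(Fy_x) <> "" fails, the value is skipped
        value = asp_request(name, query, form, cookies).lower()
        if any(token in value for token in SQLASP_TOKENS):
            return True
    return False


def article_id_or_none(raw):
    """Hardened handling for read.asp's ID (my suggestion, not the project's code): accept
    only a plain integer, the VBScript CLng idea, before anything is concatenated into SQL."""
    raw = raw.strip()
    return int(raw) if raw.isdecimal() else None


if __name__ == "__main__":
    # Constructed requests mirroring the article's two probes.
    print(sqlasp_blocks("id=120 and 1=1"))                                         # True: caught
    print(sqlasp_blocks("act=save", form={"content": "<script>alert(1)</script>"}))  # False: unseen
    print(sqlasp_blocks("id=120", form={"id": "120 and 1=1"}))                    # False: shadowed
    print(article_id_or_none("120 and 1=1"))                                      # None
```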

[Figure 7]

So what, I uploaded the web shell directly; I did not expect the returned information to be like this, as shown in Figure 8.

[Figure 8]

It seems the administrator is no fool either! So I gave up.

This is the first ASP analysis article I have written, with no experience, so deficiencies are inevitable! If you have questions, come to the forum and discuss them with me; my ID is Ice Origin!