Analysis of Ronin Article System V2.3 vulnerabilities - Warning - Black Bar Safety Net
MYHACK58:62200717397
Oct 26, 2007 - 12:00 a.m.
佚名 (anonymous), www.myhack58.com

Author: Ice of Origin
Description: This article was published in Hacker's Manual, 2007 issue 11; please credit the source when reproducing it.

I have only just started learning ASP, with nobody to teach me, which is really no fun! So I read a few books on my own, plus the ASP code analysis articles in every issue of Non-Security, and since I could "understand" the code, my fingers started itching. Off to Uncle Baidu I went, and came back with Ronin Article System V2.3. Time to go through it slowly!

Since I had no experience, I started with a black-box test. I opened it locally, and oh, the interface is quite nice, as shown in Figure 1.

[Figure 1]

I clicked an article at random and saw that the URL had this form: read.asp?id=120. So, what else, I appended and 1=1 directly, as shown in Figure 2.

[Figure 2]

Wow, it jumped straight to the official website! What was going on? It seemed something was watching the URL data. There was no choice now but to bite the bullet and read the code. The key code of read.asp is as follows:
<!--#include file="Inc/Config.asp"-->
<%
dim sql
dim rs
dim SortName,SortID,AsSortName,AsSortID
' The only check on ID is that it is non-empty; it is never validated as a number.
if Request.QueryString("ID")="" then
    response.write "No article selected"
    response.end
end if

set rs=server.createobject("adodb.recordset")
' ID is concatenated straight into both statements (the injection point discussed below).
sql="update "& GuTablePrefix &"_Article set ArticleReadNum=ArticleReadNum+1 where ArticleID="&Request.QueryString("ID")
rs.open sql,conn,1,3
sql="select SortID,AsSortID,ArticleTitle,ArticleWriter,ArticleWriterContact,ArticleFrom,ArticleFromURL,ArticleContent,ArticleCommend,ArticleShow,ArticleReadNum,ArticleDate from "& GuTablePrefix &"_Article where ArticleID="&Request.QueryString("ID")
rs.open sql,conn,1,1
if rs.eof and rs.bof then
    response.write "Article not found"
    response.end
else
    ArticleTitle=rs("ArticleTitle")
    LKeys=rs("ArticleTitle")
    SortID=rs("SortID")
    AsSortID=rs("AsSortID")
    ArticleWriter=rs("ArticleWriter")
    ArticleWriterContact=rs("ArticleWriterContact")
    ArticleFrom=rs("ArticleFrom")
    ArticleFromURL=rs("ArticleFromURL")
    ArticleCommend=rs("ArticleCommend")
    ArticleReadNum=rs("ArticleReadNum")
    ArticleDate=rs("ArticleDate")
    ArticleContent=rs("ArticleContent")

    set rsC=server.createobject("adodb.recordset")
    sql="select SortName from "& GuTablePrefix &"_Sort where SortID="&SortID
    rsC.open sql,conn,1,1
    SortName=rsC("SortName")
    rsC.close
    set rsS=server.createobject("adodb.recordset")
    sql="select AsSortName from "& GuTablePrefix &"_AsSort where AsSortID="& AsSortID
    rsS.open sql,conn,1,1
    AsSortName=rsS("AsSortName")
    rsS.close
end if
rs.close
%>

Obviously, this only checks that the id is not empty and then goes straight into the database update, so supposedly we should have an opening. The only question is the included file (here I have to thank classmate Wuyue: I had assumed there was no problem inside the included files, never thinking the problem was right there in this one). So we come to Inc/Config.asp:
<!--#include file="conn.asp"-->
<!--#include file="Function.asp"-->
<%
' One variable's name was lost in translation on this page ("this is a background");
' WebUrl is a stand-in for it, not necessarily the system's real name.
dim WebName,WebUrl,WebMKeyWords,WebMDescription
dim GuTablePrefix,LRECNUserNameD,LRECNUserGradeD
dim SM_SServer,SM_SUsername,SM_SPassword,RM_Subject,RM_SendEmail,RM_SendName,RM_Body
dim RArticleDate,RArticleUserName,RArticleAddIP,RArticleReadNum
dim MessageQQ,SearchIP,ReadExplain
WebName="Ronin articles"
WebUrl="http://www.lre.cn/article/"
WebMKeyWords="Ronin articles"
WebMDescription="Ronin articles"
GuTablePrefix="LRE_CN"
LRECNUserNameD=session("LRECNUserNameSe")
LRECNUserGradeD=session("LRECNUGUserGrade")
SM_SServer="mail.lre.cn"
SM_SUsername="[email protected]" ' address redacted on the page
SM_SPassword="sendmail"
RM_Subject=""
RM_SendEmail=""
RM_SendName=""
RM_Body="1"
ArticleWriter="unknown"
ArticleWriterContact="" ' line truncated on the page ("ArticleWriterC"); completed from the pattern of the lines around it
ArticleFrom="network"
ArticleFromURL=""
RArticleDate="0"
RArticleUserName="0"
RArticleAddIP="0"
RArticleReadNum="0"
MessageQQ="http://wpa.qq.com/msgrd?V=1&Site=WWW&Menu=yes&Uin="
SearchIP="http://www.ip.cn/ip.php?q="
ReadExplain=""
'Username:peonun
'DateTime:2006-9-14 00:00:20
' The include at the very end of this file pulls in the anti-injection filter (SQL.asp).
%>
<!--#include file="…/SQL.asp"-->

Note: when I first looked, I saw the includes at the head of this file and did not read further down. That was the author's careful placement, putting this one include at the very end of the file, and it is what led me into such a low-level mistake. So let's follow it and see how this file actually does its monitoring. The key code is as follows:
<%
Dim Fy_Url,Fy_a,Fy_x,Fy_Cs(),Fy_Cl,Fy_Ts,Fy_Zx

Fy_Cl=2 ' handling mode: 1=show a message, 2=redirect, 3=show a message, then redirect to the given page
Fy_Zx=""&WebUrl&"" ' where to send the visitor on a hit; set here to the site's own URL (WebUrl stands in for the variable name lost in translation on this page)

On Error Resume Next
Fy_Url=Request.ServerVariables("QUERY_STRING") ' (Ice of Origin's notes, here and below) get the query string passed in the URL
Fy_a=split(Fy_Url,"&") ' split it on "&" and keep the pieces in Fy_a
redim Fy_Cs(ubound(Fy_a)) ' size Fy_Cs to the upper bound of Fy_a
On Error Resume Next ' error tolerance
for Fy_x=0 to ubound(Fy_a)
    Fy_Cs(Fy_x) = left(Fy_a(Fy_x),instr(Fy_a(Fy_x),"=")-1) ' Fy_Cs(Fy_x) = the parameter name (the text before "=")
Next
For Fy_x=0 to ubound(Fy_Cs)
    If Fy_Cs(Fy_x)<>"" Then
        ' The key line: each parameter named in the URL is fetched with Request(), lower-cased,
        ' and tested with Instr for ' & = ( ) > and SQL keywords; on any hit the Select Case
        ' below decides what to do.
        If Instr(LCase(Request(Fy_Cs(Fy_x))),"'")<>0 or Instr(LCase(Request(Fy_Cs(Fy_x))),"&")<>0 _
            or Instr(LCase(Request(Fy_Cs(Fy_x))),"=")<>0 or Instr(LCase(Request(Fy_Cs(Fy_x))),"(")<>0 _
            or Instr(LCase(Request(Fy_Cs(Fy_x))),")")<>0 or Instr(LCase(Request(Fy_Cs(Fy_x))),">")<>0 _
            or Instr(LCase(Request(Fy_Cs(Fy_x))),"select")<>0 or Instr(LCase(Request(Fy_Cs(Fy_x))),"update")<>0 _
            or Instr(LCase(Request(Fy_Cs(Fy_x))),"chr")<>0 or Instr(LCase(Request(Fy_Cs(Fy_x))),"delete%20from")<>0 _
            or Instr(LCase(Request(Fy_Cs(Fy_x))),";")<>0 or Instr(LCase(Request(Fy_Cs(Fy_x))),"insert")<>0 _
            or Instr(LCase(Request(Fy_Cs(Fy_x))),"mid")<>0 Or Instr(LCase(Request(Fy_Cs(Fy_x))),"master.")<>0 Then
            Select Case Fy_Cl
            Case "1"
                Response.Write "" ' the message HTML written here was stripped from the page
            Case "2"
                Response.Write "" ' the redirect script (to Fy_Zx) written here was stripped from the page
            Case "3"
                Response.Write "" ' message plus redirect; likewise stripped from the page
            End Select
            Response.End
        End If
    End If
Next
%>
The initial value of Fy_Cl above is 2, so obviously it jumps to the official website. That's the reason! And as far as I can see, almost all files include Config.asp, so injection looks hopeless. Not reconciled to that, I kept looking in case there were other holes. When I saw upfile.asp my interest came back. The key code is as follows:
<html>
<head>
<title>Upload File</title>
<meta http-equiv="Content-Type" c>
<!-- Only the stylesheet is included here; nothing on this page checks that the visitor is logged in. -->
<!--#include FILE="Inc/Style.asp"-->
<Script Language="VBScript">
<!--
Sub SelAddress()
    document.form.filepath.value=document.form.DownAddress.value
End Sub
//-->
</Script>

Haha, so there is a vulnerability here: the page opens directly if you enter http://127.0.0.1/22/upfile.asp in the address bar, as shown in Figure 3.

[Figure 3]

So, what else, I went to upload a webshell directly. I did not expect this result, as shown in Figure 4.

[Figure 4]

Is this how the free version treats you? Hey, the uploaded file is not even written to disk. Really! So I went around in a circle. Hey, a guestbook! Maybe it allows cross-site scripting!
Let's try, as shown in Figure 5.

[Figure 5]

I clicked submit. Hey, why no dialog? The only thing returned was the message: "Your message has been submitted... thanks." Maybe it shows up for the administrator! So I hurried to the admin backend. Under "User message management", haha, there it is; the vulnerability fires. As shown in Figure 6.

[Figure 6]

The reason this succeeds is that the filter file above only processes the URL; it does nothing with the content we submit in the form, so the vulnerability arises there. Finding just one hole like this left me unhappy, so I ran to the official website to look, saw that its upload page was there too, opened it, wow, the same thing, and thought to myself: now you're done, as shown in Figure 7.
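The filter's blind spot described here, and the redirect explained after the SQL.asp listing above, as an added example that is not code from the article or the Ronin system: a Python model of the SQL.asp check fed with constructed requests, beside a hardened variant that also inspects form fields (FY_BLACKLIST, fy_check and hardened_check are names I chose).

```python
# Added example (not the article's or the Ronin system's code): Python model of SQL.asp.

# Blacklist copied from the page's Instr() chain; values are lower-cased first.
FY_BLACKLIST = ["'", "&", "=", "(", ")", ">", "select", "update", "chr",
                "delete%20from", ";", "insert", "mid", "master."]

def fy_param_names(query_string):
    """Mirror of the split("&") / left(part, instr(part, "=") - 1) loop.
    Names come from QUERY_STRING alone; the POST body is never read. A part
    without "=" makes Left() fail; On Error Resume Next leaves it empty."""
    names = []
    for part in query_string.split("&"):
        eq = part.find("=")
        names.append(part[:eq] if eq > 0 else "")
    return names

def fy_check(query_string, request):
    """True when the original filter fires (Fy_Cl=2: redirect to Fy_Zx).
    `request` models ASP's Request(name), i.e. the URL-decoded value, which
    is why the entry "delete%20from" can never match."""
    for name in fy_param_names(query_string):
        if name == "":
            continue
        value = request.get(name, "").lower()
        if any(bad in value for bad in FY_BLACKLIST):
            return True
    return False

def hardened_check(query_params, form_params):
    """Inspect every field from both collections. Still only a blacklist:
    the durable fix is a parameterised query (or CLng on ID) in read.asp
    and Server.HTMLEncode on guestbook text when the admin page shows it."""
    for value in list(query_params.values()) + list(form_params.values()):
        if any(bad in value.lower() for bad in FY_BLACKLIST):
            return True
    return False

def demo():
    """Constructed requests matching the article's two observations."""
    # Figure 2: read.asp?id=120 and 1=1 -> the "=" in the value trips the filter.
    probe = {"id": "120 and 1=1"}
    # Figures 5 and 6: the guestbook POST. Only "action" is named in the URL,
    # so the "content" field is never inspected and reaches the admin page.
    form = {"content": "<script>alert(1)</script>"}
    book = {"action": "add", **form}
    return (fy_check("id=120%20and%201=1", probe),
            fy_check("action=add", book),
            hardened_check({"action": "add"}, form))  # (True, False, True)
```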

[Figure 7]

So, what else, I uploaded a webshell directly. I did not expect the returned message to be this, as shown in Figure 8.

[Figure 8]

It seems the administrator is no pushover either! So I gave up.

This is my first ASP analysis article and I have no experience, so shortcomings are inevitable! If there are any questions, come discuss them with me on the forum; my ID is Ice of Origin!