Analysis time: 2008-7-7
Vulnerability release: Awolf
Affected versions: QCDN_NEWS Version 4.13 (other versions not checked)
Vulnerability file: UserReg.asp
Note: Anyone who uses this article to do illegal things does so independently of the author.
Recently I was looking for a whole-site system for the company and a friend recommended this one. After analysing it I found quite a few "holes", enough to take over the whole system.

I. The registration filter is not strict

In the file UserReg.asp, lines 4 to 117, part of the code is as follows:
CODE:

    if Request("RegSetp") = 2 then
        if Trim(Request.Form("username")) = "" then
            Errmsg = "<li>please enter a username."
            FoundErr = true
        else
            username = Qcdn.checkStr(Trim(Request.Form("username")))
        ' .................. some similar code omitted ..................
        if rs.eof and rs.bof then
            Sql = "Insert into article_User(username,[password],email,question,answer,qq,msn,male,birth,bloodtype,realname,country,province,city,phone,[address],postcode,job,edu,school,Intime) values('"& username &"','"& password &"','"& e_mail &"','"& question &"','"& answer &"','"& qq &"','"& msn &"',"& male &",'"& birth &"','"& bloodtype &"','"& realname &"','"& country &"','"& province &"','"& city &"','"& phone &"','"& address &"',"& postcode &",'"& job &"','"& edu &"','"& school &"',Now())"
            conn.execute(sql)

Obviously the user name is taken straight from the registration form and only passed through the qcdn.checkStr() function for filtering. Tracking on into common.asp to see how it filters, the code is as follows:
    Public function checkStr(str)
        if isnull(str) then
            checkStr = ""
            exit function
        end if
        checkStr = replace(str, "'", "''")  ' see, it only replaces a single quote with two single quotes
    end function

The other fields, such as the password box, get the same simple filter, so a disguised one-line trojan can be inserted directly as long as it contains no single quote; I believe you know what to do. See the result of my insert:
Secondly, look at the database: it is an .asp file, so once the submission succeeds that is enough. The shell is obtained this way.

II. Front-end registration, back-end cross-site

In fact this is almost the same as the above: the user we register is the cross-site code. Everyone knows it only filters single quotes, so our statement can be written like this:

    <script>alert(/Awolf Test XSS/)</script>

That registers successfully; then go and look at the back end. Success:
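Both sections come down to the same defect: checkStr() strips one character on input and the page relies on that alone, both when the value is concatenated into SQL (section I, where male and postcode are not even quoted, so quote-doubling does nothing for them) and when it is later written into the admin pages (section II). The block below is an added example of how a fix would look in the same classic ASP / VBScript setting; it is not QCDN_NEWS code. The table and column names and the connection object conn are taken from the advisory above; the helper names, the column sizes, the allow-list pattern and the treatment of Errmsg / FoundErr as the page's existing variables are assumptions.

```vbscript
<%
' Added example: a hardened registration path for UserReg.asp.
' Not QCDN_NEWS code. "conn", "article_User" and the column names come
' from the advisory; helper names and column sizes are assumptions.

' ADO constants (normally pulled in from adovbs.inc)
Const adCmdText    = 1
Const adParamInput = 1
Const adVarChar    = 200
Const adInteger    = 3

' 1. Validate with an allow-list instead of deleting one character.
'    Anything outside [A-Za-z0-9_] (3 to 20 chars) is rejected, so neither
'    SQL metacharacters nor "<script>" reach the database in this field.
Function IsValidUsername(s)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9_]{3,20}$"
    IsValidUsername = re.Test(s)
End Function

' Numeric columns were concatenated unquoted in the original INSERT.
' Reject anything that is not a plain integer before it gets near SQL.
Function IsPlainInteger(s)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[0-9]{1,9}$"
    IsPlainInteger = re.Test(s)
End Function

' 2. Write the row with a parameterised INSERT. The values never become
'    part of the SQL text, and male/postcode are sent as typed integers.
Sub InsertUser(conn, username, password, email, male, postcode)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "INSERT INTO article_User (username, [password], email, male, postcode, Intime) " & _
                      "VALUES (?, ?, ?, ?, ?, Now())"
    cmd.Parameters.Append cmd.CreateParameter("username", adVarChar, adParamInput, 50, username)
    cmd.Parameters.Append cmd.CreateParameter("password", adVarChar, adParamInput, 50, password)
    cmd.Parameters.Append cmd.CreateParameter("email",    adVarChar, adParamInput, 100, email)
    cmd.Parameters.Append cmd.CreateParameter("male",     adInteger, adParamInput, , CLng(male))
    cmd.Parameters.Append cmd.CreateParameter("postcode", adInteger, adParamInput, , CLng(postcode))
    cmd.Execute
End Sub

' 3. Encode on output. The back-end user list must HTML-encode every
'    stored field; input validation does not protect rows that are
'    already in the database or that arrived through another path.
Function SafeCell(value)
    If IsNull(value) Then
        SafeCell = ""
    Else
        SafeCell = Server.HTMLEncode(CStr(value))
    End If
End Function

' Usage in the registration step (Errmsg, FoundErr and conn are the
' page's own variables in this example):
Dim username, male, postcode
username = Trim(Request.Form("username"))
male     = Trim(Request.Form("male"))
postcode = Trim(Request.Form("postcode"))
If Not IsValidUsername(username) Then
    Errmsg = "<li>Username may contain only letters, digits and underscore (3-20 characters)."
    FoundErr = True
ElseIf Not (IsPlainInteger(male) And IsPlainInteger(postcode)) Then
    Errmsg = "<li>Gender and postcode must be numeric."
    FoundErr = True
Else
    InsertUser conn, username, Request.Form("password"), Request.Form("email"), male, postcode
End If

' In the admin user list, every cell goes through SafeCell:
' Response.Write "<td>" & SafeCell(rs("username")) & "</td>"
%>
```

The three pieces are independent and all three are needed: the allow-list stops the payloads the article describes at the door, the parameterised INSERT means a value that does slip through (or a field with a looser pattern) cannot change the query, and HTMLEncode on output means a stored value that looks like markup is shown to the administrator as text rather than executed in the back end.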
As for the back-end database backup, you can follow the method described by Xu in Black X 2008 issue 2, <<Exploitation of the New Cloud cross-site vulnerability>>; I would like to polish it further, but I won't ramble on here... Two ways to get a webshell. Not finished yet... to be continued... I may add more later!

The latest official version seems not to have been updated for N years, and I don't know how to notify the vendor. I hope friends do not use this article to do illegal things; otherwise you bear the consequences yourself.