lply(v2. 0)vulnerability analysis-vulnerability warning-the black bar safety net

2010-03-03T00:00:00
ID MYHACK58:62201026304
Type myhack58
Reporter 佚名
Modified 2010-03-03T00:00:00

Description

Article author:wwqwwq

After you download the code, and looked, and there set the code style is very rigorous, somewhat object-oriented flavor.

First look at the database directory, open the databases Directory, database format for the asa,this is the back to insert the phrase Trojan horse is buried under a hint. Modify for the mdb format, after looked, has anti-download table, the content of<%loop<%,fortunately the seniors have come up with the closed method, the closed format is<%'<%loop<% %>. Next look at the backend log at the filtration is complete, the key code is as follows:

if trim(request. form("admin_log"))="ok" then achk=admin_chk() if achk then login_username=username2 call admin_event("successful login management background.", 0,0) call format_redirect("admin. asp") else login_username=username2 call admin_event("login admin backend failed.", 0,0) response. write "<script language=javascript>alert(""Login failed!\ n\n please re-login......""); history. back(1);</script>" end if

else call admin_login()

end if

Wherein admin_log this variable value is determined by a type of hidden text box is submitted, the default is ok,from the code can be seen admin_chk()function is to verify the key, then look admin_chk()function:

function admin_chk() admin_chk=false dim username,password,founderr,rs,sql,id,power,hidden,passwords,logins username=code_admin("username",1,2 0) password=code_admin("password",1,2 0) passwords=trim(request. form("passwords")) logins=trim(request. form("logins")) username2=username founderr="" admin_chk=false if admin_passwords<>"" then if var_null(passwords)="" then exit function if rk_md5(passwords,"short")<>admin_passwords then exit function end if' if val_chk("admin")=false then exit function if symbol_name(username)=false or symbol_ok(password)=false then exit function if founderr="" then password=rk_md5(password,"short") sql="select top 1 popedom from user_data where username='"&username&"' and password='"&password&"' and power='"&amp; format_power2(1,1)&"' and hidden=1" set rs=Rekoe. exec(sql,1) if rs. eof then rs. close exit function end if if logins="yes" then response. cookies(Rekoe. web_cookies)("login_username")=username response. cookies(Rekoe. web_cookies)("login_password")=rk_encrypt(password) response. cookies(Rekoe. web_cookies)("iscookies")="yes" response. cookies(Rekoe. web_cookies). the expires=date+3 6 5 end if session(session_for&"admin")="Rekoe_admin" session(session_for&"admines")=username session(session_for&"popedom")=rs("popedom") rs. close end if admin_chk=true

end function

code_admin function code is as follows:

function code_admin(strers,at,acut) dim strer strer=trim(strers) select case int(at) case 1 strer=trim(request. form(strer)) case 2 strer=trim(request. querystring(strer)) end select if isnull(strer) or strer="" then code_admin="" exit function end if strer=replace(strer,"'","""") if int(acut)>0 then strer=left(strer,acut) code_admin=strer

end function

From code_admin function, we can see that the filter by form submission' and a space, and the length of the degree obtained in the 2 0 or less, so it seems nothing use value. As can be seen in the login is successful, the server set a session value. Then we'll continue to see in the background are a session authentication, after some review, found that each background file there is this code:<!-- #include file="inc/admin_onlogin. asp" - >, this file contains the session verification function.

Following by the background specially the front Desk, to have parameters submitted several pages to analyze, the first is the news_list. asp, which has a key function cid_sid (), the code is as follows:

sub cid_sid() cid=trim(request. querystring("c_id")) sid=trim(request. querystring("s_id")) if not(isnumeric(cid)) then if len(cid)>0 and instr(cid,"&s_id=")>0 then cid=replace(cid,"&s_id=",",") sid=mid(cid,instr(cid,",")+1,len(cid)) cid=mid(cid,1,instr(cid,",")-1) else cid=0 end if end if if not(isnumeric(cid)) or len(cid)>5 then cid=0 if not(isnumeric(sid)) or len(sid)>5 then sid=0 cid=cint(cid) sid=cint(sid)

end sub

Oh, the filter is completely, no hope.

There is also a page list. asp,also with the function of filtering, nothing.

The next vulnerability becomes appeared, in the online orders and website message two modules a big problem.

With online orders as an example., message module and this exploit:

In the orders. asp to this page to enter just use the client script to filter out some dangerous characters, and a server-side script just to determine it is empty, and becomes inserted into the database. But after I found out the programmer was afraid to do so because this function Rekoe. chk () from: REKOE is an object)

function post_chk() dim server_v1,server_v2 server_v1=request. servervariables("http_referer") server_v2=request. servervariables("server_name") if server_v1<>"" then 'mid(server_v1,8,len(server_v2))=server_v2 server_v2="http://"&amp; server_v2 if left(server_v1,len(server_v2))=server_v2 then post_chk=true exit function end if end if post_chk=false end function function chk() chk=false if trim(request. form("chk"))="yes" then chk=post_chk() end if end function

But it's okay we can fake the referer to bypass this to prevent outside submission of the verification.

Well now that can bypass these validation plug Horse, the next step is to insert the horse's problem. I put the database into mdb format, in gb_data table segment in the Insert:┼pay offs number 畣 whole 爠 Hwan enemy 瑳∨∣┩anger┼'(containing'number,then in orders this table segment in the Insert:┠>on the line.