Baigo CMS 1.1.1 login box injection: analysis and exploitation - Vulnerability Alerts - Black Bar Safety Net

ID MYHACK58:62201027879
Type myhack58
Reporter Anonymous
Modified 2010-09-17T00:00:00


baigo CMS is a website content management system developed with ASP + Access. It can be installed and deployed on a Windows Server system or on any server that supports ASP + Access, including virtual hosts. baigo CMS is also an open source, free website content management system. baigo commits to keeping the system permanently free to use, and to permanently stop the upgrade service.

Vulnerability analysis:


File: admin\logon.asp

<!--#include file="../baigo_inc/config.asp"-->
<!--#include file="inc/config_admin.asp"-->
<!--#include file="../baigo_inc/md5.asp"-->
<!--#include file="../baigo_inc/sql_char_query.asp"-->
<!--#include file="../baigo_inc/sql_char_form.asp"-->
<%
' ... omitted ...
admin_user_name = trim(request.form("admin_user_name"))
admin_user_pass = trim(request.form("admin_user_pass"))
' The submitted user name is concatenated directly into the SQL string
sql = "select top 1 admin_user_pass,admin_user_class from admin_user_info where admin_user_name='" & admin_user_name & "'"
rs_admin.open sql,conn_admin,1,1,1
' ... omitted ...
%>

Now look at the filter code. File: /baigo_inc/sql_char_query.asp

<%
' Blacklisted substrings, separated by spaces
SQL_bad_str = "' and exec insert select delete update count * % chr mid master truncate char declare"
SQL_bad_arr = split(SQL_bad_str," ")

If Request.QueryString <> empty Then
    For Each SQL_Query_iii In Request.QueryString
        For SQL_bad_iii = 0 To Ubound(SQL_bad_arr)
            ' InStr without a compare argument does a binary (case-sensitive) match
            if InStr(Request.QueryString(SQL_Query_iii), SQL_bad_arr(SQL_bad_iii)) > 0 Then
                Response.Write "illegal URL <font color=""red"">" & SQL_bad_arr(SQL_bad_iii) & "</font>"
                Response.End
            end If
        Next
    Next
End If
%>
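A Python model of the filter and login query above, added here as an example and not Baigo's own code: it ports the keyword check to show that the case-sensitive match misses uppercase keywords while still blocking ordinary names, and contrasts the concatenated query with a bound-parameter lookup. sqlite3 stands in for Access (so `limit 1` replaces `top 1`), and the function names and the sample row are constructed for illustration.

```python
import sqlite3

# Keyword list copied from sql_char_query.asp as shown on this page.
SQL_BAD = "' and exec insert select delete update count * % chr mid master truncate char declare".split(" ")

def legacy_filter_hit(value):
    """Port of the ASP loop: InStr() without a compare argument is case-sensitive."""
    return next((bad for bad in SQL_BAD if bad in value), None)

def casefold_filter_hit(value):
    """Same blacklist after lowercasing: closes the case gap, still over-blocks."""
    return next((bad for bad in SQL_BAD if bad in value.lower()), None)

def make_db():
    """In-memory stand-in for admin_user_info with one constructed row."""
    db = sqlite3.connect(":memory:")
    db.execute("create table admin_user_info (admin_user_name, admin_user_pass, admin_user_class)")
    db.execute("insert into admin_user_info values (?, ?, ?)", ("o'brien", "<md5-placeholder>", "1"))
    return db

def lookup_concat(db, name):
    """Query assembled by string concatenation, as logon.asp does."""
    sql = ("select admin_user_pass,admin_user_class from admin_user_info "
           "where admin_user_name='" + name + "' limit 1")
    return db.execute(sql).fetchone()

def lookup_param(db, name):
    """Bound parameter: the value travels as data and never becomes SQL text."""
    sql = ("select admin_user_pass,admin_user_class from admin_user_info "
           "where admin_user_name=? limit 1")
    return db.execute(sql, (name,)).fetchone()

def demo():
    db = make_db()
    try:
        concat = lookup_concat(db, "o'brien")
    except sqlite3.OperationalError:
        concat = "syntax error"  # the apostrophe changed the statement's structure
    return {
        "legacy select": legacy_filter_hit("select"),
        "legacy SELECT": legacy_filter_hit("SELECT"),
        "casefold SELECT": casefold_filter_hit("SELECT"),
        "legacy sandra": legacy_filter_hit("sandra"),
        "concat o'brien": concat,
        "param o'brien": lookup_param(db, "o'brien"),
    }

if __name__ == "__main__":
    print(demo())
```

In the ASP code itself, the corresponding change is to run the query through an ADODB.Command with a bound parameter instead of concatenating admin_user_name into sql.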

The filter blocks ' and exec insert select delete update count * % chr mid master truncate char declare, which covers many of the keywords used in injection, but is it really secure? As the code above shows, the filter keywords are all lowercase and InStr compares case-sensitively by default, whereas SQL is case-insensitive, so uppercase characters can be used to bypass the filter; spaces can also be replaced with the %09 tab character.

0x03 Injection test on a locally set up IIS