Baigo CMS 1.1.1 login box SQL injection: analysis and exploitation - Vulnerability Warning - 黑吧安全网 (myhack58)
2010-09-17T00:00:00
ID MYHACK58:62201027879 | Type myhack58 | Reporter 佚名 (anonymous) | Modified 2010-09-17T00:00:00 | Source http://www.myhack58.com/Article/html/3/62/2010/27879.htm
Description
baigo CMS is a website content management system developed with ASP + Access. It can be installed and deployed on any Windows Server, or on any other server that supports ASP + Access, including virtual hosts. baigo CMS is also open source and free. baigo has committed to keeping the system permanently free to use and has permanently discontinued its upgrade service, so no vendor fix should be expected for the issue described below.
Vulnerability analysis:
0x02
File: admin\logon.asp
<!--#include file="../baigo_inc/config.asp" -->
<!--#include file="inc/config_admin.asp" -->
<!--#include file="../baigo_inc/md5.asp" -->
<!--#include file="../baigo_inc/sql_char_query.asp" -->
<!--#include file="../baigo_inc/sql_char_form.asp" -->
<%
......... Omitted
' The credentials come from the POST body (Request.Form), not the query string
admin_user_name = trim(request.form("admin_user_name"))
admin_user_pass = trim(request.form("admin_user_pass"))
' admin_user_name is concatenated straight into the SQL text; only the included blacklist files stand between it and the query
sql = "select top 1 admin_user_pass,admin_user_class from admin_user_info where admin_user_name='" & admin_user_name & "'"
rs_admin.open sql,conn_admin,1,1,1
......... Omitted
%>
Now look at the filter code.
File: /baigo_inc/sql_char_query.asp
<%
' Space-separated blacklist; note that every entry is lowercase
SQL_bad_str = "' and exec insert select delete update count * % chr mid master truncate char declare"
SQL_bad_arr = split(SQL_bad_str," ")
If Request.QueryString <> empty Then
    For Each SQL_Query_iii In Request.QueryString
        For SQL_bad_iii = 0 To Ubound(SQL_bad_arr)
            ' InStr with two arguments uses a binary (case-sensitive) compare on the URL-decoded value
            if InStr(Request.QueryString(SQL_Query_iii), SQL_bad_arr(SQL_bad_iii)) > 0 Then
                Response.Write "illegal URL <font color=""red"">" & SQL_bad_arr(SQL_bad_iii) & "</font>"
                Response.End
            end If
        Next
    Next
End If
%>
The list blocks ' and exec insert select delete update count * % chr mid master truncate char declare, which covers many common injection keywords, but is it really secure? Every keyword in the list is lowercase, and VBScript's InStr defaults to a binary (case-sensitive) compare, while SQL keywords are case-insensitive. An attacker can therefore write the keywords in uppercase (AND, SELECT, ...) and the check never matches. A space can likewise be replaced by a tab, sent as %09 in the URL; the server decodes it before the filter runs, so the literal % in the blacklist never sees it. Note also that this file only inspects Request.QueryString, whereas the login code reads the credentials with Request.Form; checking the form fields is the job of the separately included sql_char_form.asp, which is not reproduced in this article.
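The following is an added example, written in Python for this page and not code from baigo CMS: it models the blacklist loop of sql_char_query.asp and the string concatenation of logon.asp, runs a few constructed probe values through them to show which ones the case-sensitive check lets through, and contrasts the concatenated query with a parameterized lookup. The sqlite3 table, the placeholder password hash and the probe values are constructed for the demonstration; SQLite's LIMIT 1 stands in for Jet SQL's TOP 1.

```python
"""Added example (not baigo CMS code): a Python model of the blacklist in
baigo_inc/sql_char_query.asp and of the query string admin/logon.asp builds.
It shows why uppercase keywords and %09 slip past the check, and contrasts the
concatenated query with a parameterized one."""
import sqlite3
from urllib.parse import unquote

# The blacklist as sql_char_query.asp declares it, split on spaces.
SQL_BAD_STR = ("' and exec insert select delete update count * % chr mid "
               "master truncate char declare")
SQL_BAD_ARR = SQL_BAD_STR.split(" ")


def blacklist_hit(value):
    """Mirror the ASP loop. VBScript's InStr(a, b) defaults to a binary,
    case-sensitive compare, so the token 'and' does not match 'AND'.
    Returns the first token found, or None when the value would pass."""
    for bad in SQL_BAD_ARR:
        if bad in value:
            return bad
    return None


def check_query_param(raw_url_value):
    """Request.QueryString(name) hands the filter the URL-decoded value, so a
    tab sent as %09 arrives as a real tab and the literal '%' in the list
    never sees it."""
    return blacklist_hit(unquote(raw_url_value))


def build_logon_sql(admin_user_name):
    """The concatenation from admin/logon.asp, reproduced as a string."""
    return ("select top 1 admin_user_pass,admin_user_class from admin_user_info "
            "where admin_user_name='" + admin_user_name + "'")


def lookup_parameterized(admin_user_name):
    """The fix: bind the value as a parameter instead of splicing it into SQL
    text (ADODB.Command parameters give the same guarantee in classic ASP).
    Uses a constructed in-memory SQLite table as a stand-in for the Access
    table; SQLite writes LIMIT 1 where Jet SQL writes TOP 1."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table admin_user_info (admin_user_name text, "
                 "admin_user_pass text, admin_user_class integer)")
    # Constructed row; 'md5-placeholder' stands in for the stored MD5 hash.
    conn.execute("insert into admin_user_info values ('admin', 'md5-placeholder', 1)")
    row = conn.execute(
        "select admin_user_pass, admin_user_class from admin_user_info "
        "where admin_user_name=? limit 1", (admin_user_name,)).fetchone()
    conn.close()
    return row


if __name__ == "__main__":
    # Constructed probe values: lowercase is caught, uppercase and tabs are not.
    for raw in ("admin", "admin' and 1=1", "1 and 1=1", "1 AND 1=1", "1%09AND%091=1"):
        hit = check_query_param(raw)
        print(f"{raw!r:22} -> {'blocked on ' + repr(hit) if hit else 'passes'}")
    print(build_logon_sql(unquote("1%09AND%091=1")))
    # With a bound parameter the classic tautology is just a non-matching username.
    print(lookup_parameterized("admin"), lookup_parameterized("admin' OR '1'='1"))
```

Two things the run makes concrete: the quote character itself is on the list, so on the query-string path a payload that needs a closing quote is still caught regardless of case, and only keyword-level bypasses (uppercase, tab for space) get through; and a case-insensitive compare would not be a fix, because a blacklist can never enumerate every way to spell a query, whereas the bound parameter in lookup_parameterized keeps the attacker's text out of the SQL grammar entirely.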
0x03
We set up IIS locally and carried out an injection test:
[Screenshot of the local injection test; image /Article/UploadPic/2010-9/201091723340272.jpg not reproduced]