ACTCMS is a fully open source program, there are UTF-8 and GB2132 two encoded version, supports ACCESS and MSSQL two databases.
Two days ago in the Group Chat when listening to the group of friends have to say met a ACTCMS system, you and ACTCMS more ripped in a few words, when idle no matter you search the Internet under ACTCMS of vulnerability information. Search results for before version the To is burst with the injection vulnerability, but of the latest of the 3. 0 version seems not, so by going to the official website down to a 3. 0 version down, holding the purpose of learning the system to start the vulnerability of the excavation.
Get the program to the local set up after the first thing on the background looking for to get the shell way, and then look at the front of the injection. System background login authentication place to do well, learn from action and easy way to add the authentication code and the authentication code and the authentication code of the switch are written directly in the configuration file. This estimate is in the previous version of the proof of the injected and background cookie spoofing login vulnerability and the author only plus.
But in the background management system, there are some weaknesses, mainly for the acquisition webshell method, a brief look at the background of the system function, find made webshell is not what difficult thing, and the method is also more than one, I just testing the most simple of a method, in a system configuration which together with the asp upload type, then directly Upload a webshell to. For upload type settings for the entire system of which there are two, one is the site basic settings which the file upload type, this is mainly background to add articles when uploaded, the other one is the user group permissions settings in the file upload type, this is for front Desk users to post articles time to upload pictures with.
Find back get the shell way after the next is to look at the reception program of the implantation, because for the ASP website system vulnerability of mining first still have to consider the injection. But the author of the program in the variable concerns are still very strict, read a good long time in the code I didn't find the unfiltered variables, seeing the reception dynamic Program page get me to read, but, on going close to the end of time let I somewhere found a no filtering of the variables, and directly substituted into the SQL statement, we look at the code!
Vulnerability is one ofSQL injection
Vulnerability code analysis:
sub DelFriend() Dim TG_ID:TG_ID =Request("ID") IF TG_ID = "" Then response. Write "please selected friends" response. End End IF TG_ID = Split(TG_ID,",") For I = LBound(TG_ID) To UBound(TG_ID) Conn. execute("Delete from Friend_ACT where U="& amp; UserHS. UserID &" and ID = "& TG_ID(i)&"") Next set conn=nothing response. Redirect("?") end sub
This function is in/user/Friend. asp file, a function is used to delete the buddy, system with a user interactive function, the member and members can add each other as friends, you can also delete friends.
From the above code, as can be seen, TG_ID variable value directly using the request to obtain, and not doing any filtering it into the SQL statement, such vulnerability variable life. Now a lot of experienced programmers, most often in delete records when the similar problem.
For this vulnerability the use of certain limitations, may be injection vulnerability principle is relatively clear of friends may find that, for the ACCESS database to this vulnerability there is no use, because in the vulnerability generated by the SQL statement, not query the database records, but the Delete, the page does not output any SQL statement to get the content. And regardless of whether the SQL statement is correct, and ultimately executed after the page is redirected to a Friend. asp?, the That is the returned page is the same, so we can not according to the page the situation to determine the SQL statement execution results.
However, if the site is using the MSSQL database, then this vulnerability would be useful, and we all know that in the injection in MSSQL can be configured of a statement than the ACCESS of the waist much more powerful, so for this injection point should be ACTCMS 3.0 SQL edition the 0day, the following I to SQL edition as an example, specifically using the way.
For the SQL version of to say, many of my friends first thought should be is directly added to the database a administrator account or change the administrator password, but the site background system login when need a authentication code and the authentication code is not from the injection point. So even with the admin account password, log on the background of the chance also need to look at the character.
The Database Management account password is also possible, however, to note here, plus management of the SQL statement a little bit special, because in the code The ID value after the acquisition there is a period of processing code: TG_ID = Split(TG_ID,","), his role is to get to the values, comma separated into a plurality of values, and then use the loop a DELETE in the database the corresponding record. For example, when the user wants to bulk delete of his friends, sent over the only is 1,2,3,4,5,6，then the program you are going to delete the ID of 1, 2, 3, 4, 5 and 6 of the record, rather than to delete the ID equal to 1,2,3,4,5,6 recording, here we would like to database to insert the records need to use the following statement: Friend. asp? A=Del&ID=1;insert into Admin_Act (Admin_Name) values ('enjoyhack');update Admin_Act set PassWord='225cdc811adfe8d4' where Admin_Name='enjoyhack';update Admin_Act set SuperTF=1 where Admin_Name='enjoyhack', the insertion management in the background to log error, but the validation is passed, direct access to the admin/f. the asp page can be.
The above mentioned is the use of the injection point added to the management account of the method, but because of the management background landing when the need to provide the authentication code and the authentication code is written directly in the configuration file, we light the use of the injection point cannot be obtained, so add the Administrator's method is not very practical, here to provide you with a more suitable approach is the use of the injection point to update the user's group privileges: configuration data, add a asp file upload type, and front Desk users to publish articles directly Upload a webshell to.