Gaobei article system latest version 0Day analysis - vulnerability warning - the black bar safety net

ID MYHACK58:62201128737
Type myhack58
Reporter 佚名 (anonymous)
Modified 2011-01-01T00:00:00


Bored and wandering around online, I noticed a site that had been planted with a trojan (a drive-by download). Looking closer, I was startled: the compromised site was the official site of the Gaobei article system, www.gaobei.com. If even the vendor's own site had been trojaned, could the rumored 0Day really exist? So I downloaded the latest version of the Gaobei article system to test it.

I set the system up locally and first looked for obvious injection points. Neither the Ah D injection tool nor Domain 3.5 found any, so the code itself is the place to start. The relevant part of NewsInfo.asp is as follows:

<%
' ID is first passed through the application's own CheckStr filter and then
' rejected unless it is an integer (isInt is a helper defined elsewhere in the system)
ID=CheckStr(Request.QueryString("ID"))
If isInt(ID)=False OR Not IsNumeric(ID) Then
    Response.Redirect "news.asp"
    Response.End()
End If
set rs=server.createobject("adodb.recordset")
' the value is concatenated into the query unquoted, so the checks above are the only defence
rs.Open "Select * From news where id="&id, conn,3,3
if rs.bof and rs.eof then
    response.Redirect("News.asp")
end if
%>

From the code one can see that the id parameter passes through the CheckStr function and then an integer check (isInt together with IsNumeric) before it reaches the database query. CheckStr strips the characters commonly used in injection, which is already hard to bypass, and even if CheckStr could be bypassed the numeric check would still reject anything that is not a number. (IsNumeric on its own is loose, accepting signs, decimals and exponent notation, so the strict isInt check is what really closes the door here.) I then read the code of several other files; the filtering was equally strict everywhere, so the injection route was a dead end. With injection ruled out, the next idea was the upload. Opening upload.asp, I found that it includes the check.asp file from the include folder, which apparently does the authentication. check.asp contains the following validation code:

RandNum=Session("CheckCode")
GaobeiManageSession = "20041006213"&RandNum   'cannot be changed
GaobeiManageAdminID = "GaobeiManageAdminID"&RandNum   'cannot be changed
GaobeiManageUser = "GaobeiManageUser"&RandNum   'cannot be changed
GaobeiManageKey = "GaobeiManageKey"&RandNum   'cannot be changed

'----------Check the user name and password---------
' Escapes the characters below to HTML entities. The entity text was decoded when
' the page was extracted; the replacements shown are the standard ones and are assumed.
function Checkin(s)
    s=trim(s)
    s=replace(s," ","&nbsp;")
    s=replace(s,"'","&#39;")
    s=replace(s,"""","&quot;")
    s=replace(s,"<","&lt;")
    s=replace(s,">","&gt;")
    Checkin=s
end function

'-----------Check the primary administrator---------
function CheckAdmin1
    if Session(GaobeiManageSession)<>true then response.redirect "Admin_Login.asp"
end function

'--------------Check the intermediate administrator-----------
function CheckAdmin2
    if Session(GaobeiManageSession)<>true then response.redirect "Admin_Login.asp"
    if Session(GaobeiManageSession)<>true or (session(GaobeiManageKey)<>"check" and session(GaobeiManageKey)<>"super") then response.redirect "Admin_Default.asp?err=You do not have that permission!!"
end function

'----------Check senior-level administrator----------
function CheckAdmin3
    if Session(GaobeiManageSession)<>true then response.redirect "Admin_Login.asp"
    if Session(GaobeiManageSession)<>true or session(GaobeiManageKey)<>"super" then response.redirect "Admin_Default.asp?err=Your permission level is not high enough!!!!"
end function

'----------Error output-----------
sub error()

This code does its authentication through the session, which looks hard to get around. I then opened upload_class.asp and found that it also includes include/check.asp. After more searching I finally found that Upfile_Photo.asp does not include include/check.asp at all, so nothing in it requires an administrator session. Reading its code carefully, I found the upload vulnerability:

Const MaxFileSize=200   'upload file size limit (KB)
Const SaveUpFilesPath="UploadFile/Product"   'directory where uploaded files are stored
Const UpFileType="gif|jpg|bmp|png|swf|doc|rar"   'allowed upload file types
.... omitted ....
sub upload_0()   'uses the no-component upload class
    .... omitted ....
    PhotoUrlID=Clng(trim(upload.form("PhotoUrlID")))
    ' the variable holding the target directory had a Chinese identifier that the
    ' translation garbled; it is called UpFilePath here
    if PhotoUrlID>0 then
        UpFilePath = SaveUpFilesPath   'directory where uploaded files are stored
    else
        UpFilePath = SaveUpFilesPath   'directory where uploaded files are stored
    end if
    if right(UpFilePath,1)<>"/" then UpFilePath=UpFilePath&"/"   'make sure the directory ends with (/)
    for each formName in upload.file   'iterate over all uploaded files
        set ofile=upload.file(formName)   'create a file object
        oFileSize=ofile.filesize
        if oFileSize<100 then
            msg="Please select a file to upload!"
            FoundErr=True
        else
            select case PhotoUrlID
                case 0
                    if oFileSize>(MaxFileSize*1024) then
                        msg="The file size exceeds the limit; at most " & CStr(MaxFileSize) & "K may be uploaded!"
                        FoundErr=true
                    end if
                case 1
                    if oFileSize>(10000*1024) then
                        msg="The file size exceeds the limit; at most 10M may be uploaded!"
                        FoundErr=true
                    end if
            end select
        end if

        fileExt=lcase(ofile.FileExt)
        arrUpFileType=split(UpFileType,"|")
        ' whitelist: the extension must be one of UpFileType
        for i=0 to ubound(arrUpFileType)
            if fileEXT=trim(arrUpFileType(i)) then
                EnableUpload=true
                exit for
            end if
        next
        ' blacklist on top of the whitelist
        if fileEXT="asp" or fileEXT="asa" or fileEXT="aspx" then
            EnableUpload=false
        end if
        if EnableUpload=false then
            msg="This file type is not allowed!\n\nOnly the following file types may be uploaded: " & UpFileType
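The search described above, opening every upload handler by hand to see whether it pulls in include/check.asp, can be automated. The following Python script is an added example, not code from the article or from the Gaobei system: it parses the classic-ASP `<!--#include file|virtual="..."-->` directives, follows them transitively, and reports any page that writes files or changes the database without both including include/check.asp and calling one of its CheckAdmin functions (including the file only defines the functions; a page that never calls them is still open). The sample tree, the list of "sensitive" calls and the rule that files under include/ are libraries rather than entry points are all constructed assumptions.

```python
"""Audit a classic-ASP tree for handlers that skip the shared auth include.

Added example, not code from the Gaobei system or the original article. It
assumes the layout the article describes: include/check.asp defines
CheckAdmin1..3 and every protected page must include it AND call one of them.
"""
import posixpath
import re
from collections import deque

# <!--#include file="..."--> or <!--#include virtual="..."--> (case-insensitive)
INCLUDE_RE = re.compile(
    r'<!--\s*#include\s+(file|virtual)\s*=\s*"([^"]+)"\s*-->', re.IGNORECASE)
# A call to one of the gate functions defined in include/check.asp.
GATE_CALL_RE = re.compile(r'\bCheckAdmin[123]\b', re.IGNORECASE)
# Operations that should never be reachable without a session (assumed list).
SENSITIVE_RE = re.compile(
    r'\b(SaveAs|upload\.file|Scripting\.FileSystemObject|ADODB\.Stream|'
    r'rs\.Update|rs\.AddNew|conn\.Execute)\b', re.IGNORECASE)
AUTH_INCLUDE = "include/check.asp"
LIBRARY_PREFIX = "include/"   # assumed: files here are included, never requested

# Constructed sample mirroring the article's findings (not the real source tree).
SAMPLE_TREE = {
    "include/check.asp": (
        '<%\nfunction CheckAdmin1\n'
        '  if Session(GaobeiManageSession)<>true then response.redirect "Admin_Login.asp"\n'
        'end function\n%>'),
    "include/upload.inc": "<% class upload\n  public sub SaveAs(path)\n  end sub\nend class %>",
    "upload.asp": (
        '<!--#include file="include/check.asp"-->\n'
        '<% CheckAdmin1\nfor each f in upload.file: next %>'),
    "upload_class.asp": (
        '<!--#include file="include/check.asp"-->\n'
        '<!--#include file="include/upload.inc"-->\n'
        '<% call CheckAdmin2\nofile.SaveAs Server.MapPath(UpFilePath) %>'),
    "Upfile_Photo.asp": (
        '<!--#include file="include/upload.inc"-->\n'
        '<% for each formName in upload.file\n  ofile.SaveAs Server.MapPath(UpFilePath)\nnext %>'),
    "admin/Admin_News.asp": (
        '<!--#include virtual="/include/check.asp"-->\n<% rs.AddNew %>'),
    "NewsInfo.asp": '<% rs.Open "Select * From news where id="&id, conn,3,3 %>',
}


def normalize(path):
    """Site-root-relative path with forward slashes and no leading slash."""
    return posixpath.normpath(path.replace("\\", "/")).lstrip("/")


def direct_includes(name, source):
    """Resolve the #include directives of one file to site-relative paths.
    file="..." is relative to the including file, virtual="..." to the site root."""
    base = posixpath.dirname(normalize(name))
    out = []
    for kind, target in INCLUDE_RE.findall(source):
        target = target.replace("\\", "/")
        if kind.lower() == "virtual":
            out.append(normalize(target))
        else:
            out.append(normalize(posixpath.join(base, target)))
    return out


def transitive_includes(tree, name):
    """Every file reachable from `name` through #include (cycle-safe)."""
    tree = {normalize(k): v for k, v in tree.items()}
    seen, queue = set(), deque([normalize(name)])
    while queue:
        cur = queue.popleft()
        for inc in direct_includes(cur, tree.get(cur, "")):
            if inc not in seen:
                seen.add(inc)
                queue.append(inc)
    return seen


def audit(tree):
    """Return {page: reason} for sensitive pages that are not properly gated."""
    tree = {normalize(k): v for k, v in tree.items()}
    findings = {}
    for name, src in tree.items():
        if name.startswith(LIBRARY_PREFIX) or not SENSITIVE_RE.search(src):
            continue
        if AUTH_INCLUDE not in transitive_includes(tree, name):
            findings[name] = "missing include " + AUTH_INCLUDE
        elif not GATE_CALL_RE.search(src):
            findings[name] = "includes check.asp but never calls CheckAdmin1/2/3"
    return findings


if __name__ == "__main__":
    for page, reason in sorted(audit(SAMPLE_TREE).items()):
        print(f"{page}: {reason}")
```

On the sample tree the script flags Upfile_Photo.asp (no auth include at all, the case the article found) and admin/Admin_News.asp (include present but no CheckAdmin call), while upload.asp and upload_class.asp pass. Run it against a real extracted tree by replacing SAMPLE_TREE with a dict built from the files on disk; the sensitive-call list is a heuristic and should be tuned to the application's own data-access and upload helpers.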

(Page 1 of 2; the listing and the analysis continue on the next page.)