80后CMS V4 minor ("chicken rib") upload vulnerability - Vulnerability Warning - Black Bar Security Net

ID MYHACK58:62201131616
Type myhack58
Reporter Anonymous
Modified 2011-08-18T00:00:00


By: Little A

Official web site: http://www.reaft.com/

CMS download address: http://www.reaft.com/html/1/200.html

The interface is nicely done; a quick search suggests very few people use it. Let's begin.

First, look at the file upload page UpLoad.html in the directory; what it calls is UpLoad.asp.


UpLoad.asp:

<!--#include file="UpLoad_Class.vbs.asp" -->
<!--#include file="request.asp" -->
<!--#include file="conn.asp" -->
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>File upload</title>
<link href="styles/iframe.css" rel="stylesheet" type="text/css" />
<script src="scripts/admin.js"></script>
</head>

<body>
<div class="iframeBody">
<%
dim upload
set upload = new AnUpLoad
upload.Exe = "*"                      'allowed extensions: "*" = no restriction at this layer
upload.MaxSize = 4 * 1024 * 1024      '4M
upload.GetData()
if upload.ErrorID > 0 then
    response.Write upload.Description
else
    postMess("images/operate_02.jpg")
    dim savpath
    'save directory by year/month (the variable name was garbled in the original listing; it is the savpath declared above)
    savpath = "/upload/" & year(date()) & "/" & month(date()) & "/"
    for each f in upload.files(-1)
        dim file
        set file = upload.files(f)
        if not (file is nothing) then
            if file.saveToFile(savpath, 0, true) then
                postMess("images/operate_01.jpg")
                postValue = postValue & "" & savpath & file.filename & "|"
                response.write("<script>window.parent.document.getElementById(""" & postName & """).value=""" & postValue & """;</script>")
            end if
        end if
        set file = nothing
    next
end if
set upload = nothing
%>
</div>
</body>
</html>

Then look at UpLoad_Class.vbs.asp.

UpLoad_Class.vbs.asp:

<!--#include file="admin.asp" -->
<%
'=========================================================
'Class name: AnUpLoad (An component-free upload class)
'=========================================================
'... N lines of code omitted ...
Public Function GetWH()
    'This function's code is referenced from the net
    On Error Resume Next
    mvarExtend = lcase(mvarExtend)
    'extension list used for the header check; note that "asa" is in it
    if instr("|jpg|jpeg|bmp|png|gif|asa|", "|" & mvarExtend & "|") <= 0 then exit function
    Dim m_binItem
    Set m_binItem = server.CreateObject("ADODB.Stream")
    m_binItem.Mode = 3
    m_binItem.Type = 1
    m_binItem.Open
    Dim Info
    Set Info = server.CreateObject("ADODB.Recordset")
    Info.Fields.Append "value", 205, -1     '205 = adLongVarBinary
    Info.Open
    Info.AddNew
    Info("value").AppendChunk (mvarValue)
    m_binItem.Write (Info("value"))
    Info("value").AppendChunk (Null)
    Info.Update
    Info.Close
    Set Info = Nothing
    select case lcase(mvarExtend)
        case "jpg", "jpeg"
            'walk the JPEG segments until a SOF marker (0xC0..0xC3), then read height and width
            m_binItem.Position = 3
            do while not m_binItem.EOS
                do
                    intTemp = Ascb(m_binItem.Read(1))
                loop while intTemp = 255 and not m_binItem.EOS
                if intTemp < 192 or intTemp > 195 then
                    m_binItem.read(Bin2Val(m_binItem.Read(2)) - 2)
                else
                    Exit do
                end if
                do
                    intTemp = Ascb(m_binItem.Read(1))
                loop while intTemp < 255 and not m_binItem.EOS
            loop
            m_binItem.Read(3)
            mvarHeight = Bin2Val(m_binItem.Read(2))
            mvarWidth = Bin2Val(m_binItem.Read(2))
        case "gif"
            if Lcase(strFext) <> "gif" then strFext = "gif"
            m_binItem.Position = 6
            mvarWidth = BinVal2(m_binItem.Read(2))
            mvarHeight = BinVal2(m_binItem.Read(2))
        case "png"
            if Lcase(strFext) <> "png" then strFext = "png"
            m_binItem.Position = 18
            mvarWidth = Bin2Val(m_binItem.Read(2))
            m_binItem.Read(2)
            mvarHeight = Bin2Val(m_binItem.Read(2))
        case "bmp"
            if Lcase(strFext) <> "bmp" then strFext = "bmp"
            m_binItem.Position = 18
            mvarWidth = BinVal2(m_binItem.Read(4))
            mvarHeight = BinVal2(m_binItem.Read(4))
        case "asa"    'the part shown in red in the original post: "asa" is treated like an image type
            if Lcase(strFext) <> "asa" then strFext = "asa"
            m_binItem.Position = 18
            mvarWidth = BinVal2(m_binItem.Read(2))
            mvarHeight = BinVal2(m_binItem.Read(2))
    end select
    m_binItem.Close
    If err then mException = Err.Description
End Function
%>

See the part marked in red (the "asa" entries); I won't post the rest.

Directly upload an .asa file to get a shell.
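The list above accepts a non-image extension and only reads a few header bytes afterwards. As an added example, not code from the CMS or from this post, here is the hardened form of that check in Python: an image-only whitelist (no extension IIS executes server-side) plus header parsing at the same offsets GetWH walks, so a file whose bytes do not match its claimed type is rejected. The sample headers are constructed for the self-check.

```python
import struct

# Hardened whitelist: image types only. Extensions IIS executes server-side
# (asp, asa, cer, cdx) are never accepted, unlike the page's "|jpg|jpeg|bmp|png|gif|asa|".
IMAGE_EXTS = {"jpg", "jpeg", "gif", "png", "bmp"}


def image_dimensions(ext, data):
    """(width, height) from the file header, or None when the bytes do not look
    like the claimed type. Same header offsets the page's GetWH walks."""
    if ext in ("jpg", "jpeg"):
        if data[:2] != b"\xff\xd8":
            return None
        pos = 2
        while pos + 9 <= len(data) and data[pos] == 0xFF:
            marker = data[pos + 1]
            seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
            if 0xC0 <= marker <= 0xC3:  # SOF0..SOF3: precision, height, width
                height, width = struct.unpack(">HH", data[pos + 5:pos + 9])
                return width, height
            pos += 2 + seglen  # skip this segment (length includes its own 2 bytes)
        return None
    if ext == "gif" and len(data) >= 10 and data[:6] in (b"GIF87a", b"GIF89a"):
        return struct.unpack("<HH", data[6:10])
    if ext == "png" and len(data) >= 24 and data[:8] == b"\x89PNG\r\n\x1a\n":
        return struct.unpack(">II", data[16:24])
    if ext == "bmp" and len(data) >= 26 and data[:2] == b"BM":
        return struct.unpack("<ii", data[18:26])
    return None


def validate_upload(filename, data):
    """Return (accepted, reason) for an uploaded file name and its bytes."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in IMAGE_EXTS:
        return False, "extension not allowed: " + ext
    dims = image_dimensions(ext, data)
    if dims is None or dims[0] <= 0 or dims[1] <= 0:
        return False, "content is not a valid " + ext + " image"
    return True, "%dx%d %s" % (dims[0], dims[1], ext)


# Constructed sample headers (not files from the CMS) for a quick self-check.
SAMPLE_GIF = b"GIF89a" + struct.pack("<HH", 320, 240) + b"\x00" * 8
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + struct.pack(">I", 13) + b"IHDR" + struct.pack(">II", 640, 480)
SAMPLE_JPG = (b"\xff\xd8\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00" + b"\x00" * 9
              + b"\xff\xc0" + struct.pack(">H", 17) + b"\x08" + struct.pack(">HH", 100, 200)
              + b"\x03" + b"\x00" * 9)
```

Calling validate_upload("shell.asa", data) is refused on the extension alone, and "photo.jpg" carrying GIF bytes is refused because the header does not parse as JPEG.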

One more thing: the upload page may prompt you to log in; just forge the session directly and it will go through. (Webmaster's comment: what? Forge a session???...... I'm speechless; how could that be forged... classmate Little A probably misread it as a cookie......)

The validation code is in admin.asp.

admin.asp:

<%
if session("username") = "" and session("password") = "" then
    session("Errortxt") = "login timeout, please re-login"
    response.Redirect("login.asp")
    response.end
end if
%>

I won't say more about the rest!

Re-edited a bit; this is my first post and the formatting was wrong, please forgive me.

This should count as a vulnerability; I don't know whether the author added it on purpose. The upload extension check is there, yet it actually includes asa. I found it by accident.