SiteServer 3.4. 4 latest SQL injection 0day-vulnerability warning-the black bar safety net

2011-10-28T00:00:00
ID MYHACK58:62201132167
Type myhack58
Reporter 佚名
Modified 2011-10-28T00:00:00

Description

In these days to see a station when found this CMS, the online publication of some of the vulnerability, no specific version,

But in My in 3. 4. 4 on the actual test when found to be invalid, specifically for this purpose go to the official website a copy of the latest edition,

Looked at it and found some very funny questions. Introduction siteserver:this test version is:

SiteServer series products latest version: 3.4.4 full version (2 0 1 1 year 7 month 1 8 day release)

Download: http://www.siteserver.cn/download客户案例 to: http://www.siteserver.cn/customer

Also Baidu a bit and found that the number of customers or less.

Vulnerability Description: The problem is in the UserCenter. Pages. DLL in the Register, the registration process logic has a problem,

As follows: the program first put the user name into the database query, if the user name is not repeated, into the second step;

  1. Then in the remote detection of the user name if it contains illegal characters, if not, the process proceeds to a third step;

  2. The registration of new users into the database. Since in the first step, the program does not perform any processing it into

Database query, then you can xxoo.

Khttp://127.0.0.1/UserCenter/register. aspx user name fill in the following statement, and other places properly filled.

1 2 3');insert into bairong_Administrator([UserName],[Password],[PasswordFormat],[PasswordSalt]) values('blue','VffSUZcBPo4=','Encrypted','i7jq4LwC25wKDoqHErBWaw==');insert into bairong_AdministratorsInRoles values('Administrator','blue');insert into bairong_AdministratorsInRoles values('RegisteredUser','blue');insert into bairong_AdministratorsInRoles values('ConsoleAdministrator','blue');--

Submitted after registration to the library insert a user name: blue password: lanhai super user.

Default background address: http://127.0.0.1/siteserver the background to the webshell: webshell or directly mention the right to a

Eyes of the beholder wise see wisdom of the living, each home has the home method, I probably looked, there are 3 kinds of method

Site management-on display functions-template management-on the Add single page template-direct generate aspx

Second, the members of the rights-of added user-on user name is: 1. asp

http://127.0.0.1/usercenter/ 用 刚才 添加 的 1.asp 去 登陆 to go in after uploading a personal avatar,

Using IIS6 parsing vulnerabilities have webshell ps: the background to add the user does not verify whether it contains illegal characters

System Tools-on the utility-of the machine parameters of the view can see the database type, name, WEB path System-Tools-on

Database tool-for the SQL statement to query this function to do good, directly is equivalent to a Query Analyzer, what echo,

Can backup have webshell, or the use of the sqlserver configuration improper direct XXOO in.

Wrap-up: the

xxoo finished, remember to http://127.0.0.1/UserCenter/register. aspx

Then 1 2 3');delete bairong_Administrator where UserName='blue';–for the user name to be registered,

Do cleaner work. Finally, I hope siteserver see after timely repair, this article only as a technical study, do not for illegal purposes.

BY:TOOLS