Multiple high-risk vulnerabilities in a general campus system (registration logic & getshell) - vulnerability warning - the black bar safety net

2014-11-04T00:00:00
ID MYHACK58:62201455453
Type myhack58
Reporter Anonymous
Modified 2014-11-04T00:00:00

Description

Vulnerability report on the education system developed by Beijing Chong Star Weiye Software Technology Co., Ltd.

1. An expert had earlier submitted a general SQL injection vulnerability in this system (affecting all kindergartens, schools and so on in Beijing). Later testing showed that the vendor had completely fixed that SQL injection; since the vendor pays so damn much attention to security, we had to find more weak points for them. Hence this write-up. The vulnerabilities below are packaged into a single submission rather than filed one at a time. The vendor's customer base really is broad, as its home page shows.


Manufacturer: Beijing Chong star weiye software Technology Co., Ltd. http://www.conking.cn/

Some of the customer cases listed on the official website (screenshot 01.jpg).

Proof of vulnerability:

[Notice: the tests below were purely white-hat security testing, carried out away from the sites' peak hours; they did not affect normal operation of the sites and did not retrieve any real data. The vendor's security issues will be reported through the National Internet Emergency Center, and the domain names are masked after confirmation. Thank you for your support and understanding.]


For example, “http://www.x***.org” was used as the security test site.

2. Vulnerability 1: arbitrary registration as “super administrator” (vulnerability hazard rating: high risk)

On the registration page “register.aspx”, a user can change the user type to super administrator while registering. The page does have the username and user-type fields marked as disabled, but as is well known, that attribute can be removed with ordinary browser developer features, after which the fields can be edited freely (screenshot 02.jpg).

Alternatively, capture the request at registration time and set the "Register:ddIUserType" value to 1; that works as well. The super administrator can then log in to the back end at admin/index.aspx; I did not investigate what can be done from there (screenshot 03.jpg).

3. Front-end unrestricted getshell (vulnerability hazard rating: high risk)

AjaxFileHandler.ashx performs no check at all on the legitimacy of the uploaded file, so a user can upload any file without logging in. A locally constructed upload form:

<form action="http://www.*.com/AjaxFileHandler.ashx?random=0.20770328072831035&action=upload&root=Uploads&sub=Forum&size=307200" method="post" name="upload" enctype="multipart/form-data">
<input type="file" name="ForumEdit:fileUpload">
<input type="submit" value="upload">
</form>

Simply upload an ASP program.
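As an added illustration (not the vendor's code), the following Python models the server-side checks that an upload handler of this kind needs and that the page says AjaxFileHandler.ashx lacks: a login requirement, an allowlist for the root/sub directory parameters, a server-enforced size limit instead of the client's size= parameter, an image-only extension check confirmed against the file's leading bytes, and a random stored name so the uploader never controls the path or extension on disk. The directory names, the 300 KB limit and the image allowlist are assumptions.

```python
import os
import re
import secrets

# Constructed policy for an upload handler of the AjaxFileHandler.ashx kind.
# The directory names, size limit and image-only allowlist are assumptions.
ALLOWED_ROOTS = {"Uploads"}
ALLOWED_SUBS = {"Forum"}
MAX_BYTES = 300 * 1024  # enforced here, never taken from the client's size= parameter
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")  # rejects ';', '/', spaces, NUL etc.
# Leading bytes that must agree with the claimed extension.
MAGIC = [
    (b"\xff\xd8\xff", {".jpg", ".jpeg"}),
    (b"\x89PNG\r\n\x1a\n", {".png"}),
    (b"GIF87a", {".gif"}),
    (b"GIF89a", {".gif"}),
]


def validate_upload(root, sub, filename, data, authenticated):
    """Return (accepted, reason, stored_name).

    Each check is one the handler on this page skips: the caller must be
    logged in, root/sub must be known directories (so no traversal), the
    size is checked server-side, and the content must be a real image whose
    bytes agree with its extension. The stored name is random, so a name
    such as page.asp never reaches the filesystem.
    """
    if not authenticated:
        return False, "login required", None
    if root not in ALLOWED_ROOTS or sub not in ALLOWED_SUBS:
        return False, "directory not allowed", None
    if len(data) > MAX_BYTES:
        return False, "too large", None
    # Keep only the final path component, whichever separator the client used.
    base = os.path.basename(filename.replace("\\", "/"))
    if not SAFE_NAME.match(base):
        return False, "bad filename", None
    ext = os.path.splitext(base)[1].lower()
    for prefix, exts in MAGIC:
        if data.startswith(prefix):
            if ext not in exts:
                return False, "content does not match extension", None
            break
    else:
        return False, "not a recognised image", None
    stored = secrets.token_hex(16) + ext
    return True, "ok", stored
```

In the real handler the same rules apply regardless of which form field ("ForumEdit:fileUpload" here) carries the file, and the stored extension decides whether the web server will ever execute the file.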

