Arbitrary user login, SQL injection, and GetShell vulnerability source code analysis of a General website management system

Arbitrary user login, SQL injection, and GetShell vulnerability source code analysis of a General website management system

This system is not open-source and is mostly used by colleges and universities. Let's take a look at the source code.

0x01 vulnerability analysis:

Arbitrary User Login vulnerability:

First, let's take a look at the user/reg. asp file of the user registration process at the front end.
 

<% Dim action, UserIDaction = Trim (Request ("action") if action = "savereg" thendim usr, pwd, code, cname, AuditStatedim strSql, objRsusr = RSQL (Request. form ("usr") pwd = MD5 (Request. form ("pwd1") cname = RSQL (Request. form ("cname") code = Request. form ("Code") 'if arrSite (23) = "0" then' AuditState = 0 'else' AuditState = 1' end ifIf CStr (code) <> CStr (Session (Const_Cache & "_ Code") thenResponse. write ("<script> alert ('the verification code is incorrect. Try again! '); History. back (); </script> ") Response. endEnd IfstrSql = "select * from base_user where UserName = '" & usr & "'" set objrs1_conn.exe cute (strSql) if not objRs. eof and not objRs. bof thenResponse. write ("<script> alert ('user already exists. Please change the user! '); History. back (); </script> ") Response. endelsestrSql = "insert into base_user (RoleID, UserName, [PassWord], Cname, IsEnable) values (6, '" & usr & "', '" & pwd &"', '"& cname &"', 0) "conn.exe cute (strSql) Response. write ("<script> alert ('user registration successful! '); Location. href =' ../index. asp '; </script> ") end ifend if %>

After the user registration is successful, insert the user information into the "base_user" table.

Here, the user role roleid is written to death. Here is 6, and some are 5.



Next let's take a look at the background login file \ Admin \ login. asp
 

<! -- # Include file = "Conn. asp" --> <! -- # Include file = "Config. asp" --> <! -- # Include file = "../Inc/MD5.asp" --> <! -- # Include file = "Function. asp "--> <% Select Case Request (" Action ") Case" LoginCheck "Call LoginCheck () Case" LoginOut "Call LoginOut () Case ElseCall Lt_login_Main () End SelectSub LoginCheck () dim A_PWD, PassWord, UserName, Lt_Code, SqlStr, RSLt_Code = trim (Request. form (Const_Cache & "Code") If CStr (Lt_Code) <> CStr (Session (Const_Cache & "_ Code") thenResponse. write ("<script> alert ('the verification code is incorrect. Try again! '); History. back (); </script> ") Response. endEnd IfA_PWD = MD5 (Request. form ("PassWord") UserName = RSQL (Request. form ("UserName") PassWord = RSQL (Request. form ("PassWord") Set RS = Server. createObject ("ADODB. recordSet ") SqlStr =" select * from base_user where UserName = '"& UserName &"' "RS. open SqlStr, Conn, 1, 3IF Rs. eof And Rs. bof Thenexe ("insert into Base_log (Logtype, LogUser, Logcontent, LogIP, LogTime) VALU ES ('logon log', '"& UserName &"', 'background Logon Failed, incorrect management account! ',' "& Getip () &" ',' "& now &" ') ") Response. write ("<script> alert ('logon failed: \ n you have entered an incorrect management account. Please enter it again! '); History. back (); </script> ") Response. endElseIF Rs ("PassWord") = A_PWD ThenIF Rs ("IsEnable") = 1 Thenexe ("insert into Base_log (Logtype, LogUser, Logcontent, LogIP, LogTime) VALUES ('login log', '"& UserName &"', 'background Logon Failed, account locked by the administrator! ',' "& Getip () &" ',' "& now &" ') ") Response. write ("<script> alert ('logon failed: \ n your account has been locked by the Administrator. Please contact your system administrator! '); History. back (); </script> ") Response. endElseexe ("UPDATE Base_User SET Lastlogin = '" & now & "', Loginip = '" & GetIP ()&"', loginNum = LoginNum + 1 where username = '"& UserName &"' ") exe (" insert into Base_log (Logtype, LogUser, Logcontent, LogIP, LogTime) VALUES ('login log', '"& rs (" UserName ") &"', 'background login successful ',' "& getip ()&"', '"& now &"') ") Response. cookies (Const_Cache) ("AdminID") = Rs ("UserID") Session. timeout = 30End IFElseexe ("INSERT IN TO Base_log (Logtype, LogUser, Logcontent, LogIP, LogTime) VALUES ('login log', '"& UserName &"', 'background Login Failed, incorrect password ', '"& getip () &"', '"& now &"') ") Response. write ("<script> alert ('logon failed: \ n you entered the wrong password. Please enter it again! '); History. back (); </script> ") Response. EndEnd IFRs. Close: Set Rs = NothingResponse. Redirect (" index. asp ") End IFEnd Sub

Here, background login also directly extracts user information from the base_user table for comparison.

In this way, the common users registered at the front-end can log on to the admin at the backend.

However, there are restrictions on roleid. Although normal users log on to the background, they do not have the permission to use the functions. There are no functional modules and blank pages.

The permission Control for background operations is controlled through the admin/checkuserpopedom. asp file.
 

<!--#include file="conn.asp"--><!--#include file="Config.asp"--><!--#include file="Function.asp"--><!--#include file="../Inc/Lt_Main.Cls.asp"--><% Dim AdminUserID,AdminRoleID,objRs,AdminUser,Ltset Lt=new Lt_MainAdminUserID=request.Cookies(Const_Cache)("AdminID")if AdminUserID<>"" thenset objRs=conn.execute("SELECT * FROM Base_User WHERE Userid="&AdminUserID)if not objRs.eof and not objRs.bof then   AdminUser=objRs("UserName")   AdminRoleID=objRs("RoleID")else   response.Redirect "login.asp"   response.endend ifelseresponse.Redirect "login.asp"response.endend if

The following figure shows that the AdminRoleID is retrieved from the base_user table based on the AdminUserID.

The AdminRoleID here is the judgment standard of the background function module.

This AdminRoleID is used to determine whether the user has the permission to operate the background response function module.



But here we can see
 

AdminUserID=request.Cookies(Const_Cache)("AdminID")

AdminUserID is obtained directly from the cookie, and the user is fully controllable.

Therefore, users registered at the front-end can log on to the backend by modifying the AdminID in the COOKIE to the administrator ID, 0 or 1, causing any user login vulnerability.



0x02 SQL Injection Vulnerability

In addition, the AdminUserID is not processed, resulting in the SQL injection vulnerability.



0x03 GetShell

GetShell must be implemented in the IIS environment.

File admin/templetedit. asp. You can add a template or modify the original template.
 

Function save () Dim Content, FileFSOContent = request ("content") Path = request ("Path") If lcase (Right (Path, 4 )) <> "html" And lcase (Right (Path, 3) <> "htm" Then Call Lt. alert ("the file name extension must be html or htm", "") Set FileFSO = Server. createObject ("ADODB. stream ") With FileFSO. type = 2. mode = 3. open. charset = "UTF-8 ". position = FileFSO. size. writeText Content. saveToFile Server. mapPath (Path), 2. closeEnd WithSet FileFSO = Nothin GResponse. Write ("<script> parent. frame. cols =" "180, *" "; </script>") Call Lt. Alert ("template modification successful! "," TempLate. asp "): Exit FunctionEnd Function Addsave () Dim Content, FileFSO, File, PhysicalPath, fsContent = request (" content ") File = request (" File ") path = request ("Path") If lcase (Right (File, 4) <> "html" And lcase (Right (File, 3 )) <> "htm" Then Call Lt. alert ("the file name extension must be html or htm", "") Set fs = Server. createObject ("scripting. filesystemobject ") PhysicalPath = Server. mappath (Path & File) if fs. fileExists Ath) = False Then Set FileFSO = Server. createObject ("ADODB. stream ") With FileFSO. type = 2. mode = 3. open. charset = "UTF-8 ". position = FileFSO. size. writeText Content. saveToFile Server. mapPath (Path & File), 2. closeEnd WithSet FileFSO = NothingResponse. write ("<script> parent. frame. cols = "" 180, * ""; </script> ") Call Lt. alert ("template added successfully! "," TempLate. asp "): Exit Function Else Call Lt. Alert (" the file name already exists. Please use another name! "," ") End If End Function

The Code shows that when saving the file, the main last four digits are html, or the last three digits are htm, and the file content is not processed.

In the iis context, you can change the name of the stored file to 111111.asp;.html,111111.asp;.htm.

File Content is a trojan or webshell content

Solution:

Filter