ASP.NET code audit: ZoomLa CMS vulnerability mining

Source: Internet
Author: User

0X00 Summary
ZoomLa CMS is a CMS written in .NET; it is said that even military units have adopted it, and it is widely known as open source. Yet the so-called "source code" you can download is a tangle: apart from the aspx pages, the .cs and most other files are basically missing. Is this what open source means? It is not like that...... Well, although I'm no expert, let's take it on first. The pitfalls of all kinds along the way are hard to bear......
0X01 PRE-1 (LocalDB)
Before exploiting this vulnerability you need some background; skip this step if you are not interested. First, I recommend the new LocalDB edition of MSSQL 2012 (available only from 2012 onward). Of all the MSSQL editions it is the most streamlined and easiest to install, so you are spared many other worries. There is another consideration: an older database version cannot restore a backup taken by a newer version; for example, 2005 cannot restore a .bak file backed up by 2008.
The address of MSSQL 2012 Express:
http://www.microsoft.com/zh-cn/download/details.aspx?id=35579
LocalDB can also be downloaded separately:
http://download.microsoft.com/download/5/F/9/5F955661-5AA9-400D-ACFA-44F14311BC14/CHS/x86/SqlLocalDB.msi
The following is a simple example; you can also refer to this link:
http://www.kodyaz.com/sql-server-2012/sql-server-localdb-management-utility-sqllocaldb.aspx
After installation, you can use sqllocaldb.exe to manage database instances: create, start and stop them.
For example, create a database instance: SqlLocalDB.exe create localdb

Start the database instance: SqlLocalDB.exe start localdb. After running this command, the following prompt is displayed:
The LocalDB instance "LocalDB" has been started.
Once the instance is created, view its connection parameters; the important item is the named pipe the instance exposes.
View the instance information: SqlLocalDB.exe info localdb. The result is as follows (remember the instance pipe name):

Find a connection tool, such as a standalone streamlined query analyzer, and connect directly to that pipe:

This way you can connect to the local database successfully, but note that you can only run SQL statements for queries.
0X02 PRE-2 (Object Browser)
You also need to know how to use the VS2008 Object Browser. This section describes how to use it to find the class and method names contained in a DLL; skip it if you already know. Open View > Object Browser:

After it opens, select Custom Component Set:

Click the ... button to add DLLs and so on:

Enter information in the search box to search:

Select a class name or method name to see which DLL the method is in. This is useful for locating relevant code when there is no source. For example, this method is in ZoomLa.BLL.dll:
You can also use other methods. This is just an example.
0X03 SQL Injection Mining
Following the PRE-2 method, look up the manage_Config_sousuo class: it is found in App_Web_m5rncppr.dll. Use a tool such as ILSpy to view the decompiled source directly, find the corresponding class, and look at Page_Load first:

    protected void Page_Load(object sender, EventArgs e)
    {
    }
There is nothing special here, that is to say, there is no authentication of any kind. Which aspx file uses this class and DLL? The directive in /manage/Config/sousuo.aspx is:
    <%@ Page language="C#" autoeventwireup="true" inherits="manage_Config_sousuo, App_Web_m5rncppr" enableEventValidation="false" viewStateEncryptionMode="Never" %>
It includes the class name and the DLL name, so we can confirm that this is the page we are looking at.
View the click handler:
    if (this.TextBox1.Text == "")
    {
        Function.WriteErrMsg("Enter the content to search", "/manage/Config/sousuo.aspx");
    }
    string text = "declare @str varchar(100) set @str='" + this.TextBox1.Text + "' declare @s varchar(8000) declare tb cursor local for select s='if exists(select 1 from ['+b.name+'] where ['+a.name+'] like ''%'+@str+'%'') print ''['+b.name+'].['+a.name+']''' from syscolumns a join sysobjects b on a.id=b.id where b.xtype='U' and a.status>=0 and a.xusertype in (175,239,231,167) open tb fetch next from tb into @s while @@fetch_status=0 begin exec(@s) fetch next from tb into @s end close tb deallocate tb";
    this.conn.InfoMessage += new SqlInfoMessageEventHandler(this.info);
    this.conn.Open();
    new SqlCommand(text, this.conn)
    {
        CommandType = CommandType.Text
    }.ExecuteNonQuery();
TextBox1.Text is the search box itself and text is the concatenated string, which has an obvious injection problem. As for how to inject through the declare statement, a little study of declare will do.
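One way to keep the column-search feature while removing the injection, added here as an example and not the CMS's own code: the search term travels as a SqlParameter, catalog identifiers are wrapped with quotename(), and the per-column probe runs through sp_executesql so the value is never spliced into a string (the ColumnSearch and RunSafeSearch names are assumptions).

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class ColumnSearch
{
    // Same cursor-over-text-columns idea as the decompiled script, but the
    // user value only ever enters T-SQL as a parameter, never by splicing.
    private const string SafeScript = @"
declare @str varchar(100); set @str = @term;
declare @t sysname, @c sysname, @s nvarchar(max), @hit bit;
declare tb cursor local for
    select b.name, a.name
    from syscolumns a join sysobjects b on a.id = b.id
    where b.xtype = 'U' and a.status >= 0 and a.xusertype in (175, 239, 231, 167);
open tb;
fetch next from tb into @t, @c;
while @@fetch_status = 0
begin
    -- identifiers go through quotename(); the value stays a bound parameter
    set @s = N'if exists(select 1 from ' + quotename(@t) + N' where ' + quotename(@c)
           + N' like ''%'' + @str + ''%'') set @hit = 1';
    set @hit = 0;
    exec sp_executesql @s, N'@str varchar(100), @hit bit output', @str = @str, @hit = @hit output;
    if @hit = 1 print quotename(@t) + '.' + quotename(@c);
    fetch next from tb into @t, @c;
end
close tb; deallocate tb;";

    // PRINT output still arrives through InfoMessage, as in the original handler.
    public static int RunSafeSearch(SqlConnection conn, string term, SqlInfoMessageEventHandler onMessage)
    {
        if (string.IsNullOrEmpty(term))
            throw new ArgumentException("Enter the content to search", "term");
        conn.InfoMessage += onMessage;
        using (var cmd = new SqlCommand(SafeScript, conn))
        {
            cmd.CommandType = CommandType.Text;
            // a quote or semicolon in the term is now just data inside @term
            cmd.Parameters.Add("@term", SqlDbType.VarChar, 100).Value = term;
            if (conn.State != ConnectionState.Open) conn.Open();
            return cmd.ExecuteNonQuery();
        }
    }
}
```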

However, this SQL injection is not the most critical issue. The vulnerability below is the real threat.
0X04 Unverified database backup and database download
Simply put, a non-administrator can back up the database at will and download it directly......
Okay, let's briefly describe the process:
Look at the Page_Load method in manage_Config_BackupRestore:
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!base.IsPostBack)
        {
            this.DatabasePath.Text = DateTime.Now.ToString("MMdd") + "ZoomlaCMS";
        }
        string[] array = SqlHelper.ConnectionString.ToString().Split(new char[]
        {
            ';'
        });
        string[] array2 = array;
        for (int i = 0; i < array2.Length; i++)
        {
            string text = array2[i];
            if (text.ToLower().Contains("initial catalog"))
            {
                this.database = text.Split(new char[]
                {
                    '='
                })[1];
            }
        }
        if (!base.IsPostBack)
        {
            this.Bind();
        }
    }
As the code shows, whether the page is being opened for the first time or data is being posted back, nothing restricts unauthorized users from performing the operation. The other key method is the handler for the button's click event:
    protected void Backup_Click(object sender, EventArgs e)
    {
        string text = HttpContext.Current.Request.PhysicalApplicationPath + "/temp";
        if (!Directory.Exists(text))
        {
            Directory.CreateDirectory(text);
        }
        string strSql = string.Concat(new string[]
        {
            "backup database ",
            this.database,
            " to disk='",
            text,
            "/",
            this.DatabasePath.Text,
            ".bak' with init"
        });
        if (!SqlHelper.ExecuteSql(strSql))
        {
            Function.WriteSuccessMsg("<li>Database backup succeeded</li>", "/manage/Config/BackupRestore.aspx");
        }
    }
The operation above simply backs up the database into the temp folder under the website directory. There is no access control at all!!
Well, in that case, let's test it on the official website:

A small backup:

It is even compressed automatically for download, which is convenient. The whole database is now in hand.
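A hardened shape of the same page, added here as an example and not ZoomLa's code: the admin check runs in Page_Load so it covers the first request and the postback alike, the backup name is restricted to a safe character set, the target path is bound as a SqlParameter, and the .bak lands in a directory outside the web root. The "Administrator" role name and the BackupDir appSettings key are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.IO;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.UI;

public partial class manage_Config_BackupRestore : Page
{
    // Assumed appSettings key; the directory must lie outside PhysicalApplicationPath
    // so IIS never serves the .bak the way /temp did.
    private static readonly string BackupDir =
        System.Configuration.ConfigurationManager.AppSettings["BackupDir"];
    private static readonly Regex SafeName = new Regex(@"^[A-Za-z0-9_-]{1,64}$");

    // Assumed role name. endResponse: true aborts the page, so no postback handler runs.
    private void RequireAdmin()
    {
        if (Context.User.Identity.IsAuthenticated && Context.User.IsInRole("Administrator")) return;
        Response.Redirect("~/" + B_Admin.GetManagePath() + "/Login.aspx", true);
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        RequireAdmin();   // first request and postback alike
        if (!IsPostBack) DatabasePath.Text = DateTime.Now.ToString("MMdd") + "ZoomlaCMS";
    }

    protected void Backup_Click(object sender, EventArgs e)
    {
        RequireAdmin();   // defence in depth: the handler checks again
        string name = DatabasePath.Text;
        if (!SafeName.IsMatch(name)) throw new HttpException(400, "Invalid backup name");
        string target = Path.Combine(BackupDir, name + ".bak");

        using (var conn = new SqlConnection(SqlHelper.ConnectionString.ToString()))
        using (var cmd = conn.CreateCommand())
        {
            // BACKUP DATABASE cannot take the database name as a parameter, so it is quoted
            // as an identifier; the file path can be a parameter, so it is bound as one.
            string db = new SqlCommandBuilder().QuoteIdentifier(conn.Database);
            cmd.CommandText = "BACKUP DATABASE " + db + " TO DISK = @path WITH INIT";
            cmd.Parameters.Add("@path", SqlDbType.NVarChar, 260).Value = target;
            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }
}
```

conn.Database returns the Initial Catalog from the connection string, which replaces the manual splitting on ';' and '=' seen in the original Page_Load.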
However, I ran into a lot of problems when restoring the database: errors during installation, things that could not be found, and so on, which is why LocalDB was introduced above; even then some problems remained. So below I also provide the procedure for restoring the database, so that you will not have to do anything too complicated in future tests.
For more information, see the following link:
http://www.bkjia.com/database/201306/217865.html
The first step is to inspect the backup. After connecting to the database, run:
    USE master
    RESTORE FILELISTONLY
    FROM DISK = 'C:\1.bak'
    GO
This returns the logical names, which are important: splice the two names into the command for step 2, which is:
    USE master
    RESTORE DATABASE DB
    FROM DISK = 'C:\1.bak'
    WITH MOVE 'zoomlapub' TO 'C:\DB.mdf',
    MOVE 'zoomlapub_log' TO 'C:\db_log.ldf',
    STATS = 10, REPLACE
    GO
After this step the database is restored. Use it directly for the following query:
    select * from zl_manager
The results are not shown here.
0X05 SHELL
Log in to the back end and choose Template Management > Create Template to write an aspx file directly.
0X06 What if the MD5 cannot be cracked?
At present the admin password from the official website's back end has not been cracked in iis5. What do you do if this happens and you cannot log in?
Let's look at the following code:
    public void CheckIsLogin()
    {
        string managePath = B_Admin.GetManagePath();
        if (HttpContext.Current.Request.Cookies["ManageState"] == null)
        {
            HttpContext.Current.Response.Redirect("~/" + managePath + "/Login.aspx");
            return;
        }
        string loginName = HttpContext.Current.Request.Cookies["ManageState"]["LoginName"];
        if (!string.IsNullOrEmpty(loginName))
        {
            loginName = StringHelper.Base64StringDecode(loginName);
        }
        string password = HttpContext.Current.Request.Cookies["ManageState"]["Password"];
        if (this.GetLoginAdmin(loginName, password).IsNull)
        {
            HttpContext.Current.Response.Redirect("~/" + managePath + "/Login.aspx");
        }
    }
Here is a piece of cookie test data:
    Bd1__firstime=1043514000222; ASP.NET_SessionId=s51a23555nie5tqx2ln3lxub; hasshown=1; ASP.NET_SessionId=13gv3o45g44arjfbv50errzd; ManageState=ManageId=1&LoginName=YWRtaW4=&TrueName=YWRtaW4=&Password=Role&Role=1&randNum=8105349550; userState=LoginName=YWRtaW4=&Password=7fef6171469e80d32c0559f88b377245; ASPX=8788addf2ceec7e4b2971ae436cb82e7
The rest is left for you to analyse.
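GetLoginAdmin above is handed the cookie's Password field and matches it against the stored record, so the cookie carries credential material that is as good as the password itself. Added here as an example of what a defender would replace it with, not ZoomLa's code: the server issues an encrypted, signed forms-authentication ticket and afterwards trusts only what it signed; AdminAuth and the role encoding in UserData are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical replacement for the ManageState cookie and CheckIsLogin pair.
public static class AdminAuth
{
    private const int TicketMinutes = 30;

    // Called only after the login form has verified the password server-side.
    // Nothing in the cookie can be built from a dumped zl_manager row.
    public static HttpCookie IssueAdminTicket(string loginName, int role)
    {
        DateTime now = DateTime.Now;
        var ticket = new FormsAuthenticationTicket(
            1, loginName, now, now.AddMinutes(TicketMinutes),
            false, "role=" + role);             // UserData lives inside the signed blob
        return new HttpCookie(FormsAuthentication.FormsCookieName,
                              FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                    // unreadable from page script
            Secure = true,                      // assumption: admin area is served over HTTPS
            Path = FormsAuthentication.FormsCookiePath
        };
    }

    // Replacement for CheckIsLogin: returns the admin login name, or null
    // when the caller should redirect to Login.aspx.
    public static string ValidateAdmin(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;

        FormsAuthenticationTicket ticket;
        try
        {
            // the MAC check against machineKey happens here; a tampered value is rejected
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception) { return null; }      // broad on purpose: any decode failure is a reject

        if (ticket == null || ticket.Expired) return null;
        return ticket.UserData == "role=1" ? ticket.Name : null;  // Role=1 as in the cookie above
    }
}
```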
0X07 Conclusion
As I mentioned in another article, ASP.NET has different mechanisms from PHP, yet the same common vulnerabilities can still arise. The SQL injection, database backup and other issues above are common ones, as is the shell; you do not need much analysis to see where the problems originate.
The latest version of the CMS is CMS2 X1.0 (the vendor's official website makes big claims). The problems above were found in several newer versions, and it is likely that more problems will surface as updates continue; evidently the vendor pays little special attention to security. They claim to be open source but are not really; it is just a front. Of course the code can be decompiled anyway.
At present the vendor has fixed the database dump problem, but the SQL injection is not yet fixed.
 
