In June I saw a paper in Black Defense, "Dynamic Network 7.1 loopholes found in the world," which said that the admin_postings.asp file of the Dynamic Network (Dvbbs) forum has an injection vulnerability. The prerequisite is super moderator or front-end administrator privileges. That reminded me of a front-end privilege escalation vulnerability discovered earlier in the 7.x versions of Dynamic Network, and the two can be combined. The privilege escalation vulnerability affects both the Access and SQL versions of 7.x. Let's use the 7.0 SP2 SQL version to explain the exploit.
Vulnerability Analysis
Dynamic Network uses the GroupID to determine which group the current user belongs to, and then uses that group's information to decide the user's permissions. How does it obtain this GroupID? Let's look at the login verification section.
Around line 525 of login.asp:
Rem ========== Forum Login function =========
Rem Judge User Login
Function Chkuserlogin (Username,password,mobile,usercookies,ctype)
You can see that Dynamic Network first joins the user's information with "|||" (three vertical bars) into a single string, passes it to Imyuserinfo, and then splits Imyuserinfo on "|||" into an array of strings. When the user's password validates correctly, the value of the 20th element of the array, Imyuserinfo(19), is assigned to GroupID. In other words, GroupID is simply the value of the 20th element of the array, and if Imyuserinfo(19) is 1, the forum assumes that the user who has just logged in is the front-end administrator.
The dv_clsmain.asp file in the INC directory also contains a section of code that re-authenticates the user and checks the user's permissions after the user updates their information.
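The login.asp parsing described above reads a privilege value by position from a "|||"-joined string, which is only safe if no joined field can itself contain the delimiter. The following is an added Python model of that pattern beside a hardened form; it is not the forum's own code, and the 20-field layout, the free-text field at index 18 and all function names are assumptions made for illustration.

```python
# Added illustration: a Python model of the "|||"-joined user record.
DELIM = "|||"
FIELD_COUNT = 20     # assumption: the record always carries exactly 20 fields
GROUP_INDEX = 19     # the 20th element, read as Imyuserinfo(19) in the text
ADMIN_GROUP = "1"    # per the text, GroupID 1 means front-end administrator

# Constructed sample: 20 placeholder fields. Index 18 stands in for any
# free-text value; index 19 is the group (4 = ordinary member here).
SAMPLE = ["f%d" % i for i in range(18)] + ["signature text", "4"]

def join_naive(fields):
    """Join fields with no check on their content (the fragile pattern)."""
    return DELIM.join(fields)

def group_naive(record):
    """Positional read after a split, with no validation of the record."""
    return record.split(DELIM)[GROUP_INDEX]

def join_checked(fields):
    """Refuse to serialize a value that could be read as a delimiter.
    Any single '|' is rejected, so a value cannot merge with a neighbouring
    delimiter either."""
    if len(fields) != FIELD_COUNT:
        raise ValueError("expected %d fields, got %d" % (FIELD_COUNT, len(fields)))
    for i, value in enumerate(fields):
        if "|" in value:
            raise ValueError("field %d contains '|'" % i)
    return DELIM.join(fields)

def group_checked(record):
    """Reject records whose shape changed, then validate the group value."""
    parts = record.split(DELIM)
    if len(parts) != FIELD_COUNT:
        raise ValueError("record has %d fields, expected %d" % (len(parts), FIELD_COUNT))
    group = parts[GROUP_INDEX]
    if not group.isdigit():
        raise ValueError("GroupID is not numeric")
    return group

if __name__ == "__main__":
    shifted = list(SAMPLE)
    shifted[18] = "signature" + DELIM + ADMIN_GROUP   # delimiter inside a value
    print("clean record  ->", group_naive(join_naive(SAMPLE)))
    print("shifted record->", group_naive(join_naive(shifted)))
    try:
        group_checked(join_naive(shifted))
    except ValueError as err:
        print("checked parser rejects it:", err)
```

Validation of this kind only narrows the problem; reading the group from the database row for the authenticated user ID, instead of from a re-parsed string, removes the positional dependency altogether.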