Security Analysis of the 711 Talent Website Management System V2.1

Source: Internet
Author: User

 

Text/figures: cn_judge (Summer)
==========================================
 
In early autumn the weather was very pleasant. While idling on the internet, I came across a web application called "711 Talent Website Management System V2.1". It has sections such as "Talent Job Search", "Enterprise Recruitment", "Commissioned Recruitment", "Senior Talent", "Part-time Channel" and "Talent Information"; it is not very powerful, but it has some useful functions. I happened to be looking for a program like this to help a friend build a website, so I took the opportunity to check its security as well.
I set up IIS locally, dropped the program into a virtual directory, and it looked quite elegant. Then, of course, came reading the code to look for vulnerabilities.

Viewnews.asp Injection Vulnerability
Reading viewnews.asp, I saw the following code: the program only checks whether the variable obtained from the request is empty and performs no other validation or filtering, so an injection vulnerability obviously results.

<%
If Request("id") = "" Then
    ' Obtain the variable id and check only whether it is empty
    Response.Write "<SCRIPT language=JavaScript>alert('Sorry, invalid operation!');"
    Response.Write "javascript:window.close();</SCRIPT>"
    Response.End
End If
Set rs = Server.CreateObject("ADODB.Recordset")
' The request value is concatenated straight into the SQL text
Sql1 = "update companynews set click = click + 1 where id=" & Request("id")
rs.Open Sql1, conn, 1, 1
Sql2 = "select * from companynews where id=" & Request("id")
' Sent to the database for execution without any further check
rs.Open Sql2, conn, 1, 1
%>

Company.asp Injection Vulnerability
The code is similar to viewnews.asp; it only adds a single-quote filter, which is irrelevant here because the value is concatenated into the query unquoted. The same injection vulnerability results (it puzzles me: if the developer knew to filter single quotes, why not filter the other dangerous characters?).

<%
' Obtain the variable uid and strip the character "'" from it
uid = Replace(Trim(Request("uid")), "'", "")
id = Request("id")
If Request("uid") = "" Then
    ' If the submitted variable is empty, execute the following statements
    Response.Write "<SCRIPT language=JavaScript>alert('Sorry, invalid operation!');"
    Response.Write "javascript:window.close();</SCRIPT>"
    Response.End
End If
Set rs = Server.CreateObject("ADODB.Recordset")
' uid is still concatenated into the SQL text, so removing quotes does not help
SQL = "select * from company where id=" & uid & ""
rs.Open SQL, conn, 1, 1
%>


Person.asp and job.asp Injection Vulnerabilities
I will not reproduce the person.asp and job.asp code; they are of the same nature as the files above. The submitted variables are not strictly checked or filtered, which produces an injection vulnerability. You can test them yourself following the same principle; refer to earlier articles.
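The four injectable pages share one defect: a request value is concatenated into the SQL text. The following is an added example of how the viewnews.asp pattern (and, with the same two changes, company.asp, person.asp and job.asp) can be written so that no request value ever reaches the SQL text. It is not code from the 711 program; it assumes, as the original files do, an open ADODB.Connection in `conn` and the `companynews` table with a numeric `id` column, and the helper `ParseId` is my own name.

```vbscript
<%
Option Explicit
' Added example, not part of the 711 program: hardened replacement for the
' viewnews.asp pattern. Assumes an open ADODB.Connection in "conn" and a
' numeric id column, as in the original file.

' Accept only a plain positive integer and reject everything else before it
' gets anywhere near SQL. IsNumeric alone is not enough: it also accepts
' forms such as "1e3", "&H1F" and " 12 ", so a regular expression is used.
Function ParseId(raw)
    Dim s, re
    s = Trim(raw & "")
    If Len(s) = 0 Or Len(s) > 9 Then
        ParseId = -1
        Exit Function
    End If
    Set re = New RegExp
    re.Pattern = "^[0-9]+$"
    If re.Test(s) Then
        ParseId = CLng(s)
    Else
        ParseId = -1
    End If
End Function

Dim id
id = ParseId(Request.QueryString("id"))
If id < 1 Then
    ' Reject with a proper status instead of a client-side alert
    Response.Status = "400 Bad Request"
    Response.Write "Invalid operation."
    Response.End
End If

' Parameterised statements: the value is bound as a parameter, so the SQL
' text is fixed and the database never interprets the request value as SQL.
Dim cmd, rs
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = 1                 ' adCmdText
cmd.CommandText = "update companynews set click = click + 1 where id = ?"
' CreateParameter(name, adInteger = 3, adParamInput = 1, size omitted, value)
cmd.Parameters.Append cmd.CreateParameter("id", 3, 1, , id)
cmd.Execute

' The bound parameter is reused for the select; only the SQL text changes
cmd.CommandText = "select * from companynews where id = ?"
Set rs = cmd.Execute
If rs.EOF Then
    Response.Status = "404 Not Found"
    Response.End
End If
' ... render the rs fields here as the original page does ...
rs.Close
%>
```

The integer check on its own already closes the hole for these pages, because every one of them compares a numeric column; the parameterised command is what keeps the page safe when someone later adds a string column such as the admin name and password in chkadmin.asp, where stripping single quotes is the only defence the program has.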

Bypass Intrusion
Next I tested the back-end functions. When I entered the back end through the default path, I found that a large part of its functions were incomplete: a fee is required to obtain the full-featured back-end code, as shown in Figure 1.
 
Figure 1
That was depressing; I am a poor man! With no other option, I went to the official website to see whether there was any hope. On the official site I tested the files with injection vulnerabilities that I had just found, and discovered that the site uses a generic anti-injection system and that the default database path has been changed. After all, it is the official site, so I was too lazy to do any large-scale scanning. Checking the domain showed 27 sites on the same virtual host, as shown in Figure 2.
 
Figure 2
This had to be tried. Going through the sites one by one, at about the tenth I found one running PowerEasy 2006 and habitually appended /database/PowerEasy2006.mdb to the address. To my surprise a download prompt popped up. After obtaining the password from the database, I went straight into its back end. The method is simple; for details, refer to earlier issues of the magazine. In the back end, change the download section's upload path to xx.asp, then post a download article on the front end, upload the ASP trojan disguised as a RAR file, and view the published article to obtain the full path, such as /xx.asp/123456.rar. Perhaps I was just lucky: the server is Windows and it parsed the .asp-named directory, so I obtained the first shell on that server. I thought this would let me cross into the target website's directory and download its complete source code, but the administrator had set the directory permissions unusually strictly and I could not traverse into it, and the WebShell offered no way to escalate privileges. Just as I was about to give up, I thought of another method: Session spoofing.

Session Spoofing to Enter the Back End and Obtain the Complete Source Code
To obtain the target site's source code when its directory permissions are set strictly, the shell must sit in the target site's own web root to have access to it. Since the site I had compromised and the target site are on the same server, the shell described above can be used for Session spoofing. During testing I found that the program has a database backup function in its back end. So the main problem is how to obtain back-end privileges on the target site. Opening admin/chkadmin.asp, the key code is as follows.
......
rs.Open "select * from admin where admin='" & admin & "' and password='" & password & "'", conn, 1, 1
' If the entered account and password are found, execute the following statements
If Not (rs.BOF And rs.EOF) Then
    If password = rs("password") Then
        ' The session variables that mark a logged-in administrator
        Session("82940admin23") = Trim(rs("admin"))
        Session("flag") = Int(rs("flag"))
        rs.Close
......

The Session handling is easy to understand. Using the shell above, create a.asp with the following content.

<%
Session("82940admin23") = "admin"
Response.Redirect "http://www.xxx.com/admin/index.asp"
%>

Visiting a.asp jumps straight into the target site's back end; this is easy to carry out. Simple, isn't it? What remains is to back up a shell into the target site's directory: post an article, upload a disguised image, and then back it up directly, in the same way as the familiar Dvbbs backup trick, which I will not elaborate on; see Figure 3. After the backup succeeds, the shell is obtained and the complete code is retrieved, as shown in Figure 4.
 
Figure 3
 
Figure 4

Summary
Preventing injection comes down to carefully filtering and checking every submitted variable; adopting a complete anti-injection system is in fact a good choice. Rename the back-end backup page admin/database_menager.asp and change it back only when a backup is needed; after all, backups are not made every day.
