Upload Vulnerability in a News Management System

Source: Internet
Author: User

Information Source: Tosec Information Security Team
Vulnerability page: manage/yns_upload.asp
Brief description: The upload page performs no verification, so constructing an ss_iid value allows high-risk ASP files to be uploaded directly

The news management system described here is feature-rich and generates static HTML files. From the outside it is hard to find a problem by direct analysis: anonymous users only see static pages, so what is there to analyze?

Let's take a look at how we can analyze a news management system vulnerability!

First, we download its source code. On the surface the structure is very simple, so we go straight to the vulnerability analysis. Since this is an ASP management system, we naturally look for its upload points and dynamic pages (because everything has been generated as static pages, the dynamic pages would have to be reconstructed). Out of habit I still browsed through the back end first, and found several upload files in upload.

Let's take a look at the source code. Happily, no authentication has been added (my friend gave me 3.xxx at the beginning, and the latest version may have added it).

However, the page cannot be opened directly, as shown below:

<%
Dim mm_ssiid ' declare the mm_ssiid variable
If Request.QueryString("ss_iid") <> "" Then ' if ss_iid was supplied (not empty)
    mm_ssiid = Request.QueryString("ss_iid") ' store the supplied ss_iid value in mm_ssiid
Else
    Response.Write("required parameter is blank") ' otherwise this prompt is displayed
    Response.End() ' and the page stops; the statements below do not run when ss_iid is empty
End If ' when ss_iid is present, the rest of the page is executed
%>

<%
'*** Pure ASP File Upload 2.1.7
Dim GP_uploadAction, UploadQueryString
PureUploadSetup
.......
%>

Without the parameter we are naturally shown "the required parameter is blank", and there is no other verification. Because the page only checks that this value is present, we can construct an ss_iid ourselves. After testing with a small page upload, an ASP file can be uploaded as well, which completes our task. After the upload, viewing the page source shows the upload address, upload/xxxxxxxxxxxxxxx.asp; the uploaded file is renamed. Of course, this lets us skip constructing the dynamic pages mentioned earlier: once the goal is reached, the extra work is unnecessary. I hope this article helps you better analyze website vulnerabilities.
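
A detection sketch for the pattern described above, added here as an example and not part of the original article: it scans IIS W3C logs for POSTs to manage/yns_upload.asp and for requests to script files under upload/, and links the two by client IP. The logged field subset, the sample log lines and the extension list are assumptions.

```python
"""Flag IIS W3C log entries consistent with abuse of an unauthenticated upload page."""
import posixpath

UPLOAD_PAGE = "/manage/yns_upload.asp"   # upload page named in the article
UPLOAD_DIR = "/upload/"                  # directory where uploaded files land
# Extensions commonly mapped to a script engine on IIS (assumed list).
SCRIPT_EXTS = {".asp", ".asa", ".cer", ".cdx", ".aspx", ".ashx"}

# Constructed sample log (documentation IP ranges), not from a real server.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2024-01-10 09:00:01 GET /news/2024/0110.html - 198.51.100.7 200
2024-01-10 09:02:13 POST /manage/yns_upload.asp ss_iid=1 203.0.113.9 200
2024-01-10 09:02:40 GET /upload/20240110090213.asp - 203.0.113.9 200
2024-01-10 09:05:00 GET /upload/20240110081500.jpg - 198.51.100.7 200
2024-01-10 09:07:30 GET /upload/old.asa - 192.0.2.44 404
"""

def parse_w3c(text):
    """Yield one dict per request, using the #Fields header for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):   # skip truncated lines
                yield dict(zip(fields, values))

def find_suspicious(text):
    """Return (reason, entry) pairs: upload-page POSTs and script requests under upload/."""
    uploaders = set()   # client IPs that POSTed to the upload page earlier in the log
    findings = []
    for e in parse_w3c(text):
        stem = e["cs-uri-stem"].lower()      # IIS paths are case-insensitive
        ext = posixpath.splitext(stem)[1]
        if stem == UPLOAD_PAGE and e["cs-method"] == "POST":
            uploaders.add(e["c-ip"])
            findings.append(("post-to-upload-page", e))
        elif stem.startswith(UPLOAD_DIR) and ext in SCRIPT_EXTS:
            seen = e["c-ip"] in uploaders
            findings.append(("script-after-upload" if seen else "script-in-upload-dir", e))
    return findings

if __name__ == "__main__":
    for reason, entry in find_suspicious(SAMPLE_LOG):
        print(reason, entry["date"], entry["time"], entry["c-ip"], entry["cs-uri-stem"])
```

An upload directory should serve only static content, so any hit in the last two categories is worth reviewing even when the response status is 404.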
