Analysis of a 0-day in the latest version of the Gaobei article system

Source: Internet
Author: User
Tags: mdb database

While idly browsing, I noticed that a website had been hacked. Looking more closely, I was shocked: the site carrying the trojan turned out to be www.gaobei.com, the official website of the Gaobei article system, and even the official site had been taken down. Was there a legendary 0-day around? I immediately installed the latest version of the Gaobei article system to test it.
I set the system up locally and checked for obvious injection points. None were found with the D injection tool or with mingkids' Domain3.5, so it seemed time to start with the code. Part of the code of the NewsInfo.asp file is as follows:
<%
' Read the ID parameter and pass it through the CheckStr filter
ID = CheckStr(Request.QueryString("ID"))
' Reject anything that is not an integer before it reaches the query
If isInt(ID) = False Or Not IsNumeric(ID) Then
    Response.Redirect "news.asp"
    Response.End()
End If
Set rs = Server.CreateObject("ADODB.Recordset")
rs.Open "Select * From news where id=" & ID, conn, 3, 3
If rs.BOF And rs.EOF Then
    Response.Redirect("News.asp")
End If
%>

The code shows that the variable ID is passed through the CheckStr function and then through IsNumeric before the database query. CheckStr filters out many common injection characters and is hard to bypass, and even if CheckStr were bypassed, IsNumeric would still not be. I then read the code of several other files, which was equally strict, so the injection route was a dead end.
Since injection was a dead end, let's try the other idea: uploads. Opening upload.asp shows that it includes the check.asp file from the include folder, so it appears to be protected. Looking at check.asp, the verification code is as follows:
RandNum = Session("CheckCode")
GaobeiManageSession = "20041006213" & RandNum          ' cannot be changed
GaobeiManageAdminID = "GaobeiManageAdminID" & RandNum  ' cannot be changed
GaobeiManageUser = "GaobeiManageUser" & RandNum        ' cannot be changed
GaobeiManageKey = "GaobeiManageKey" & RandNum          ' cannot be changed
'---------- Check username and password ---------
Function Checkin(s)
    s = Trim(s)
    s = Replace(s, " ", "&nbsp;")
    s = Replace(s, "'", "&#39;")
    s = Replace(s, """", "&quot;")
    s = Replace(s, "<", "&lt;")
    s = Replace(s, ">", "&gt;")
    Checkin = s
End Function
'----------- Check the junior administrator ---------
Function CheckAdmin1
    If Session(GaobeiManageSession) <> True Then Response.Redirect "Admin_Login.asp"
End Function
'-------------- Check the intermediate administrator -----------
Function CheckAdmin2
    If Session(GaobeiManageSession) <> True Then Response.Redirect "Admin_Login.asp"
    If Session(GaobeiManageSession) <> True Or (Session(GaobeiManageKey) <> "check" And Session(GaobeiManageKey) <> "super") Then Response.Redirect "Admin_Default.asp?Err=your permissions are insufficient!!"
End Function
'---------- Check the senior administrator ----------
Function CheckAdmin3
    If Session(GaobeiManageSession) <> True Then Response.Redirect "Admin_Login.asp"
    If Session(GaobeiManageSession) <> True Or Session(GaobeiManageKey) <> "super" Then Response.Redirect "Admin_Default.asp?Err=your permissions are insufficient!!"
End Function
'---------- Error output -----------
Sub error()

This code uses the session for verification, so it does not look bypassable. Opening upload_class.asp shows that it also includes include/check.asp. After some more searching, I found that Upfile_Photo.asp does not include include/check.asp at all. Reading its code carefully, I found the upload vulnerability:
Const MaxFileSize = 200                              ' size limit of uploaded files (KB)
Const SaveUpFilesPath = "UploadFile/Product"
Const UpFileType = "gif|jpg|bmp|png|swf|doc|rar"     ' supported file types
'.... omitted ....
Sub upload_0()                                       ' upload routine for environments without upload components
'.... omitted ....
    PhotoUrlID = CLng(Trim(upload.form("PhotoUrlID")))
    If PhotoUrlID > 0 Then
        SavePath = SaveUpFilesPath                   ' directory for storing uploaded files
    Else
        SavePath = SaveUpFilesPath                   ' directory for storing uploaded files
    End If
    If Right(SavePath, 1) <> "/" Then SavePath = SavePath & "/"   ' append "/" to the directory
    For Each formName In upload.file                 ' list all uploaded files
        Set ofile = upload.file(formName)            ' generate a file object
        oFileSize = ofile.FileSize
        If oFileSize < 100 Then
            Msg = "Select the file you want to upload first!"
            FoundErr = True
        Else
            Select Case PhotoUrlID
                Case 0
                    If oFileSize > (MaxFileSize * 1024) Then
                        Msg = "The file size exceeds the limit. You can only upload " & CStr(MaxFileSize) & "K files!"
                        FoundErr = True
                    End If
                Case 1
                    If oFileSize > (10000 * 1024) Then
                        Msg = "The file size has exceeded the limit. The maximum size is 10 MB!"
                        FoundErr = True
                    End If
            End Select
        End If

        FileExt = LCase(ofile.FileExt)
        arrUpFileType = Split(UpFileType, "|")
        For i = 0 To UBound(arrUpFileType)
            If FileExt = Trim(arrUpFileType(i)) Then
                EnableUpload = True
                Exit For
            End If
        Next
        If FileExt = "asp" Or FileExt = "asa" Or FileExt = "aspx" Then
            EnableUpload = False
        End If
        If EnableUpload = False Then
            Msg = "This file type cannot be uploaded! Only the following file types can be uploaded: " & UpFileType
            FoundErr = True
        End If

As you can see, this code effectively filters only the first uploaded file. Isn't this the typical "power upload" vulnerability? Open mingkids' Domain3.5, go to the upload module, select "Power Upload Vulnerability", choose the upfile_softpic.asp upload vulnerability template, enter the address of the Upfile_Photo.asp file, and click upload, as shown in Figure 1.

Figure 1
Now for the real thing. In the power upload vulnerability module of Domain3.5, fill in Http://www.gaobei.com/upfile_softpic.asp, click "Upload", and the "pony" (small webshell) lands on the server, as shown in Figure 2.
Figure 2
Finally, a summary. In practice, the /Editor/Datas/SouthidcEditor.mdb database can also be downloaded; after the password is cracked, log in at /Editor/admin_login.asp. This is the eWebEditor system.
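To make the defect in the Upfile_Photo.asp loop concrete from the defender's side, here is an added Python model (not code from the Gaobei system) of its extension check beside a hardened per-file whitelist check; the file names are constructed for illustration. Because EnableUpload is never reset between iterations, a later file inherits the verdict of an earlier allowed one, which the hardened version avoids by judging each file independently and by relying on the whitelist alone instead of an extension blacklist.

```python
# Added example, not from the Gaobei code base: a model of the extension
# check in Upfile_Photo.asp (vulnerable) beside a hardened replacement.

UP_FILE_TYPE = "gif|jpg|bmp|png|swf|doc|rar"   # whitelist as on the page
BLACKLIST = {"asp", "asa", "aspx"}              # explicit denylist as on the page


def ext_of(name: str) -> str:
    """Lowercased extension after the last dot ('' if there is none)."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def check_vulnerable(filenames):
    """Mirrors the ASP loop: EnableUpload is never reset per file, so once an
    allowed file has set it, a following file with an unlisted extension is
    still accepted unless it hits the small blacklist. Returns True if the
    whole batch would pass."""
    allowed = [t.strip() for t in UP_FILE_TYPE.split("|")]
    enable_upload = False          # state shared across all files (the bug)
    found_err = False
    for name in filenames:
        ext = ext_of(name)
        for t in allowed:
            if ext == t:
                enable_upload = True
                break              # the 'Exit For' on the page
        if ext in BLACKLIST:
            enable_upload = False
        if not enable_upload:
            found_err = True
    return not found_err


def check_hardened(filenames):
    """Each file is judged on its own against the whitelist only; the first
    disallowed (or extension-less) file rejects the whole batch."""
    allowed = {t.strip() for t in UP_FILE_TYPE.split("|")}
    for name in filenames:
        ext = ext_of(name)         # fresh verdict for every file
        if not ext or ext not in allowed:
            return False
    return True


if __name__ == "__main__":
    # Constructed sample batch: an allowed image followed by an unlisted type.
    batch = ["photo.gif", "notes.txt"]
    print("vulnerable accepts:", check_vulnerable(batch))   # True
    print("hardened accepts:  ", check_hardened(batch))     # False
```

Extension filtering is only one layer: the page also shows that Upfile_Photo.asp omits the include/check.asp session check, so the hardened loop still needs that authorization check in front of it.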
