ASP code Audit

Source: Internet
Author: User

Today's topic is the code audit of an ASP program; ASP and ASPX code audits have a lot in common. I happen to have a task to hand in today, and a subdomain of my most recent target site uses this CMS, although not necessarily this version. So tired.

Contracted author of Spring and Autumn: Non-mainstream

Program Name: Free planning



Let's open a file at random, such as so/index.asp.

The writing is very concise ...

It includes two configuration files; we will leave what they are for until later. It then reads two parameters via the GET method, key and topsortid. topsortid is checked with the IsNumeric function to determine whether it is a number, that is, what we usually call an int-type variable, so not a single extra character gets through. I used to want to get around this function to inject. Thinking back, I was really young ...

Enough sighing, let's go on. Auditing ASP code is actually much simpler than auditing PHP, because ASP has very few frameworks and only a handful of functions, so white-box auditing of ASP code is an easier place to start and also teaches some bug-hunting techniques. Moving on, I think I can see a reader's slippers flying towards me (ˇ?ˇ)

In so/index.asp, the last statement is:

Echo ob_get_contents(zych_templatedir & "so.asp")

So here is the question: where is the global variable ZYCH_TEMPLATEDIR defined? Of course, you could also say that the variable name simply means "template directory" (yes, you are the reader, you are the boss, whatever you say). Since this page does not define the variable, it must be a global variable, so we need to look for it in the include files. Look at Conn.asp first.

With sharp eyes we can see at a glance where this variable comes from (yes, it is read from the database). Open the database and go to the Config table, and we can see it.

And then what? The so/index.asp page passes the data to so.asp in the template directory for display and querying, so let's look at that next.

Let's look at the key variable, which was not filtered on the previous page.

Here you can see that the key variable is the variable from the page, and the <%=key%> syntax here is equivalent to Request("key"), that is, the value is accepted whether it is sent via GET, POST or a cookie. Then look further down:

The place marked with the red line is the only check on the key variable on this page, and it only checks whether the value is empty. Let's simply submit the universal single quote in the URL and try it.

http://xxxxx/so/index.asp?key=1'

Oho, an error: "Please do not include illegal characters in the parameters to try to inject!"

I wiped away my tears and went to see why, and who was showing off here and stopping my injection! One look, and I found it was this file.

Let's see how it is written. Is there any possibility of bypassing it?

Fine, you win. I can't beat you. (My skills are limited; I have not yet maxed out my regular-expression talent points.)

Next, only the files in the admin directory and the user directory remain to be looked at.

Look at the user directory first; it is also very simple.

Start with Login.asp, which contains:

When the login variable equals ok, it receives the POSTed parameters username and password with any value; once password has been read, it is first processed by the MD5() function.

You can then see that username and password are only checked for being empty, and then (this is the point!!!) a SELECT query is built from an SQL statement. We all know there is a so-called "universal password" vulnerability. In my eyes, a universal password arises at account login, when the developer uses one SELECT statement to look up the account and the password in the database together, and the username or password happens not to be processed for special characters. We can then bypass the login by submitting ' or '1'='1, and that is a universal password vulnerability.

For example, the first picture is a regular login, and the second picture is where I closed the SQL statement:
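The "universal password" pattern described above, as an added example that is not code from the CMS or the original article. It models the generic case in Python with an in-memory SQLite database so it can run offline; the table, column and function names are assumptions, and unlike this CMS the vulnerable variant compares the password without hashing it first.

```python
import hashlib
import hmac
import os
import sqlite3

def pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_db():
    """Constructed sample data: a single member row in an in-memory database."""
    db = sqlite3.connect(":memory:")
    # 'password' is a legacy plaintext column used only by the vulnerable variant.
    db.execute("CREATE TABLE members (username TEXT, password TEXT, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    db.execute("INSERT INTO members VALUES (?, ?, ?, ?)",
               ("alice", "s3cret", salt, pw_hash("s3cret", salt)))
    return db

def login_concat(db, username, password):
    """Pattern from the text: only an emptiness check, then both values are
    pasted into one SELECT, so a quote in the input rewrites the WHERE clause."""
    if not username or not password:
        return None
    sql = ("SELECT username FROM members WHERE username='" + username +
           "' AND password='" + password + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_bound(db, username, password):
    """Hardened form: the username is a bound parameter and the password never
    enters the SQL text; it is verified against a salted hash in code."""
    if not username or not password:
        return None
    row = db.execute("SELECT username, salt, pw_hash FROM members WHERE username=?",
                     (username,)).fetchone()
    if row and hmac.compare_digest(pw_hash(password, row[1]), row[2]):
        return row[0]
    return None

UNIVERSAL = "' or '1'='1"  # the input string quoted in the article

if __name__ == "__main__":
    db = make_db()
    print(login_concat(db, "alice", "s3cret"), login_bound(db, "alice", "s3cret"))
    print(login_concat(db, "alice", UNIVERSAL), login_bound(db, "alice", UNIVERSAL))
```

In classic ASP the equivalent of the bound form is an ADODB.Command object with parameters instead of string concatenation.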

OK, here the username parameter is also checked for single quotes. Next, look at user/index.asp, the main file of the CMS member center, where we can test whether there is any cookie spoofing or unauthorized access.

From the two figures above, can you see any cookie spoofing? Unauthorized access? No, there is none. But, and there is always a but, the member center has multiple ultra vires (broken access control) flaws, hhhhh .... laughing at the computer ....

Let's take a look, starting with the change-password function:

As you can see, changing the password means accessing User/index.asp?action=password. Searching for password with Ctrl+F in the editor shows that the related operation starts at line 294 of the file.

Line 300 tells us that the change-password operation first verifies whether the user is logged in and then sends a POST request to User/index.asp?action=password&xiugai=pass. Searching for xiugai then shows that its handling starts at line 621 of the file.

From the source screenshot below we can see very clearly that this is an ultra vires vulnerability.

If you do not know what an ultra vires vulnerability is, let's recall what this CMS's change-password function does.

Step one: verify whether the user is logged in;

Step two: verify that the ID in the POST packet is of type int;

Step three: verify that the new password, entered twice, is not empty and that the two entries are equal;

Step four: run the UPDATE against the database according to the ID value we provide.

Note: the ID here comes from Request ~~ so it is a variable we fully control. This is what leads to the ultra vires vulnerability: an arbitrary password modification, which falls under the category of logic vulnerabilities.
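The four steps above and the corrected form side by side, as an added example that is not code from the CMS or the original article. It models the handler in Python with an in-memory SQLite database; the session key member_id, the form fields id, new and confirm, and the table layout are assumptions.

```python
import sqlite3

def make_db():
    """Constructed sample data: two member rows. Password values are
    placeholders; hashing is left out to keep the focus on authorization."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.executemany("INSERT INTO members VALUES (?, ?, ?)",
                   [(1, "admin", "old-admin"), (2, "alice", "old-alice")])
    return db

def stored_password(db, member_id):
    return db.execute("SELECT password FROM members WHERE id=?", (member_id,)).fetchone()[0]

def validate(session, form):
    """Steps one to three from the text; returns an error string or None."""
    if "member_id" not in session:
        return "login required"
    if not str(form.get("id", "")).isdecimal():
        return "bad id"
    if not form.get("new") or form.get("new") != form.get("confirm"):
        return "password mismatch"
    return None

def change_password_as_audited(db, session, form):
    """Step four as described: the row is selected by the id in the request."""
    error = validate(session, form)
    if error:
        return error
    db.execute("UPDATE members SET password=? WHERE id=?", (form["new"], int(form["id"])))
    return "ok"

def change_password_bound(db, session, form):
    """Same checks, but the row is selected by the server-side session identity;
    a request naming a different id is refused (and is worth logging)."""
    error = validate(session, form)
    if error:
        return error
    if int(form["id"]) != session["member_id"]:
        return "denied"
    db.execute("UPDATE members SET password=? WHERE id=?", (form["new"], session["member_id"]))
    return "ok"

if __name__ == "__main__":
    alice, form = {"member_id": 2}, {"id": "1", "new": "x", "confirm": "x"}
    for handler in (change_password_as_audited, change_password_bound):
        db = make_db()
        print(handler.__name__, handler(db, alice, form), stored_password(db, 1))
```

The numeric check in step two only constrains the type of the id; the fix is the comparison against the logged-in member's own id.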

A final note: next time I will bring you a code audit of the admin directory. I do not know why the articles I write are all 2k+~3k+ but get only a few replies. If you readers have good suggestions, please put them forward so I can learn from them ~~
