www.link0day.cn  By Lnk
Bored in a class in the school computer room, I downloaded a system and found the vulnerability in a few minutes.
Vulnerability analysis, no nonsense:
Injection:
conn.asp contains anti-injection code:
<%
dim conn
dim connstr
dim db
db="cpls/data.mdb"
Set conn = Server.CreateObject("ADODB.Connection")
connstr="Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath(db)
'If your server uses an older version of the Access driver, use the following connection method instead:
'connstr="driver={Microsoft Access Driver (*.mdb)};dbq=" & Server.MapPath(db)
conn.Open connstr
%>
<%
'--------ASP anti-injection code--------------------
Dim Fy_Post,Fy_Get,Fy_In,Fy_Inf,Fy_Xh,Fy_db,Fy_dbstr
'Custom string of items to filter, separated by "防"
Fy_In = "'防;防and防exec防insert防select防delete防update防count防*防chr防mid防master防truncate防char防declare防<防>防=防|防-防_"
Fy_Inf = split(Fy_In,"防")
If Request.Form<>"" Then
For Each Fy_Post In Request.Form
For Fy_Xh=0 To Ubound(Fy_Inf)
If Instr(LCase(Request.Form(Fy_Post)),Fy_Inf(Fy_Xh))<>0 Then
Response.Write "<Script Language=JavaScript>alert('Please do not include illegal characters in the parameters to attempt injection attacks on this site!');</Script>"
Response.Write "Illegal operation! This site has recorded the following<br>"
Response.Write "Operation IP: "&Request.ServerVariables("REMOTE_ADDR")&"<br>"
Response.Write "Operation time: "&Now&"<br>"
Response.Write "Operation page: "&Request.ServerVariables("URL")&"<br>"
Response.Write "Submission method: POST<br>"
Response.Write "Submitted parameter: "&Fy_Post&"<br>"
Response.Write "Submitted data: "&Request.Form(Fy_Post)
Response.End
End If
Next
Next
End If
If Request.QueryString<>"" Then
For Each Fy_Get In Request.QueryString
For Fy_Xh=0 To Ubound(Fy_Inf)
If Instr(LCase(Request.QueryString(Fy_Get)),Fy_Inf(Fy_Xh))<>0 Then
Response.Write "<Script Language=JavaScript>alert('Please do not include illegal characters in the parameters to attempt injection attacks on this site!');</Script>"
Response.Write "Illegal operation! This site has recorded the following<br>"
Response.Write "Operation IP: "&Request.ServerVariables("REMOTE_ADDR")&"<br>"
Response.Write "Operation time: "&Now&"<br>"
Response.Write "Operation page: "&Request.ServerVariables("URL")&"<br>"
Response.Write "Submission method: GET<br>"
Response.Write "Submitted parameter: "&Fy_Get&"<br>"
Response.Write "Submitted data: "&Request.QueryString(Fy_Get)
Response.End
End If
Next
Next
End If
%>
Cookies are not filtered at all. So find a file that reads its parameters with a bare Request("xx"), which also falls through to the Cookies collection, and inject through that.
What we want is in main.asp:
<%
dim aa1,aa2
aa1=trim(Request("a1"))
if aa1<>"" then
aa1="all"
end if
aa2=Request("a2")
pname2=trim(Request("keyword"))
if pname2<>"" then
d=" and name like '%"&pname2&"%'"
end if
bid=Request("bid")
if bid<>"" then
c=" and nbigarea='"&bid&"'"
end if
sid=Request("sid")
if sid<>"" then
c=" and nsmallarea='"&sid&"'"
end if
set rs=Server.CreateObject("ADODB.Recordset")
if session("user")="" then
rs.open "select * from product where new=false"&c&""&d&" order by time desc",conn,1,1
else
rs.open "select * from product where "&c&""&d&" order by time desc",conn,1,1
end if
Then inject. Have fun~
Actually, the admin login also has a classic vulnerability:
<html>
<head>
<title>administrator background logon</title>
<style type="text/css">
<!--
.STYLE1 {color: #0066CC}
-->
</style>
</head>
<body>
<%
Dim SQL,rs,Error
If Request.QueryString("action")="login" then
SQL="select top 1 * from LxTel_sys"
Set rs=Server.CreateObject("ADODB.Recordset")
If not IsObject(conn) then
LinkData
End if
rs.open SQL,conn,1,1
Application(BBSInfo&"sysinfo")=rs.GetRows(-1)
rs.close
Dim UserName,PassWord
UserName=trim(Request.Form("UserName"))
PassWord=trim(Request.Form("PassWord"))
SQL="select * from admin where admin_name='"&UserName&"'"
Set rs=Server.CreateObject("ADODB.Recordset")
rs.open SQL,conn,1,3
If rs.BOF and rs.EOF then
Error="<li>the Administrator is not found or the password is incorrect</li>"
Else
If rs("admin_pass")=MD5(PassWord) then
rs("loginnum")=rs("loginnum")+1
rs("lastlogintime")=now()
rs("loginfnum")=0
rs.update
Session("admin_name")=UserName
Session("admin_pass")=PassWord
Response.Redirect "index.asp"
Else
rs("loginfnum")=rs("loginfnum")+1
rs("loginftime")=now()
rs.update
Error="<li>the Administrator is not found
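A hardened replacement for the two string-built queries on this page (the main.asp product search and the admin login), added here as an example and not part of the site's code. It assumes conn is the open connection from conn.asp and the site's existing MD5 function, and writes the ADO constants as their numeric values since adovbs.inc is not included; reading from the explicit QueryString/Form collections closes the cookie gap that the filter in conn.asp leaves open, and binding parameters makes the blacklist unnecessary.

```vbscript
<%
' Added example, not the site's code. Assumes conn is the open ADODB.Connection
' from conn.asp. ADO constants used as numbers: adCmdText=1, adVarWChar=202,
' adParamInput=1.
Function ParamQuery(sqlText, values)
    Dim cmd, i
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = 1
    cmd.CommandText = sqlText
    ' One input parameter per ? placeholder, bound in order. The provider treats
    ' each value as data, so quotes or keywords in it cannot alter the statement.
    For i = 0 To UBound(values)
        cmd.Parameters.Append cmd.CreateParameter("p" & i, 202, 1, 255, values(i))
    Next
    Set ParamQuery = cmd.Execute
End Function

Sub AddVal(arr, v)   ' append v to a dynamic array (arrays pass ByRef in VBScript)
    ReDim Preserve arr(UBound(arr) + 1)
    arr(UBound(arr)) = v
End Sub

' main.asp search: read the explicit QueryString collection. A bare Request("x")
' also searches Cookies, which the filter in conn.asp never inspects.
Dim sql, vals, bid, sid, pname2, rs, Error
bid = Trim(Request.QueryString("bid"))
sid = Trim(Request.QueryString("sid"))
pname2 = Trim(Request.QueryString("keyword"))
sql = "SELECT * FROM product WHERE new = False"
vals = Array()
If bid <> "" Then sql = sql & " AND nbigarea = ?": AddVal vals, bid
If sid <> "" Then sql = sql & " AND nsmallarea = ?": AddVal vals, sid
If pname2 <> "" Then sql = sql & " AND name LIKE ?": AddVal vals, "%" & pname2 & "%"
Set rs = ParamQuery(sql & " ORDER BY time DESC", vals)

' Admin login: bind admin_name instead of splicing it into the WHERE clause.
Dim UserName, PassWord, rsAdmin
UserName = Trim(Request.Form("UserName"))
PassWord = Trim(Request.Form("PassWord"))
Set rsAdmin = ParamQuery("SELECT * FROM admin WHERE admin_name = ?", Array(UserName))
If rsAdmin.EOF Then
    Error = "<li>the Administrator is not found or the password is incorrect</li>"
ElseIf rsAdmin("admin_pass") = MD5(PassWord) Then
    Call ParamQuery("UPDATE admin SET loginnum = loginnum + 1, lastlogintime = Now() WHERE admin_name = ?", Array(UserName))
    Session("admin_name") = UserName
    Response.Redirect "index.asp"
End If
%>
```

The login branch deliberately stores only the user name in the session; keeping the plaintext password there, as the original does, buys nothing once the hash check has passed.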