Exposing vulnerabilities in the 88red HTM static page generation enterprise website system (page 1/2)
Author: Xiao (xsser) @ [0.s.t]
This article was published in the Hacker Manual, issue 4. When reprinting, please indicate the source, or link to the author's blog: http://blog.0kee.com/xiaoshuai
I haven't been to as300's for a long time. Apologies to the site that published this for the traffic, and apologies for the insistent demands of so many Hacker Manual readers (don't throw eggs, throw money!). Well, since I've already bragged, I have to risk my neck and deliver. When I downloaded the code I thought it was great; the system is great, and its author bragged even harder than I did. Let's see what he says:

88red HTM static page generation system V3.0 has been developed and officially launched. It integrates a site map, enterprise news center, enterprise products, search, customer messages, downloads and a voting system, basically covering the basic functions an enterprise site needs. Its static page generation gives enterprise websites the greatest help in optimizing for search engines (SEO), and the system's new design is closer to what an enterprise website needs.

We speak with facts.

1. Unfiltered message board

Opening the directory, I found conn.asp, config.asp and other files. Let's take a look. First config.asp: nothing special there. conn.asp has error tolerance (On Error Resume Next, meant to stop error messages from leaking the database path). No problem? Of course not. Let's look at conn.asp:
<%
' Suppress runtime errors so a failed open does not reveal the database path
On Error Resume Next
Dim conn
Dim connstr
Dim db
' The Access database is stored under the web root with an .asa extension
db = "Data/qiyedata.asa"
Set conn = Server.CreateObject("ADODB.Connection")
connstr = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath(db)
conn.Open connstr
%>
Following the vine... what do we have? The database is an .asa file. The first thing I thought of was a one-line trojan. What can a one-line trojan be connected with? Something has to get the data into the database: users, messages, submissions and other places. I'd read that the root directory is static. Thinking of HTML injection? I was waiting on that idea. Let me go and check the message board. The messages are static pages. Alas! Okay, continue... There is a file named savegb.asp in the root directory; from the name you know it's the file that saves messages. Let's check its filtering. The snippet is as follows:
Alas! Apart from including the header conn.asp, there is no defence or filtering at all, which leads to two results: 1. write a one-line trojan directly and get a shell; 2. XSS attacks! First, let's look at the first method: write a one-line trojan (on the premise that the database has nothing in it that interferes with this), Figure 1.
Then click "Submit" and the one-line trojan goes into the .asa database. I'm running Xiaoxuanfeng (a small ASP server), which doesn't parse files in the .asa format, so I switched to .asp, but the principle is the same. See Figure 2.
In this way we successfully insert a one-line trojan into the database, and then escalate privileges or whatever. 2. Let's look at XSS. With XSS you should immediately think of any way to get a webshell, such as using the administrator's session to perform operations, or the cross-site-to-webshell technique that some expert wrote up. Let's look at the backend. The backend verification is fine; at least our universal password is no longer universal. The snippets are as follows:
No need to look further: single quotation marks are filtered. So one route for us is to get into the backend. Let's continue reading the code and sort out the ideas for your convenience: loose message filtering -> one-line trojan into the database -> XSS -> backend verification is fine, can't get in -> find the configuration file header and look.

2. Using vulnerability 1 to follow the trail to a webshell

We use the default password to get in and look at the backend. Since we're white-box testing, let's check whether a webshell is easy to test for. Well, skip the nonsense and carefully edit the tip; see Figure 3.
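The two weaknesses above share one root cause: guestbook input is written unfiltered into an Access database that sits under the web root with a script-executable extension (Data/qiyedata.asa, from conn.asp). The following is an added defender's example, not code from the article or from 88red: an audit that walks a deployed site and flags Access database files stored where the web server can serve or execute them, plus the store-time encoding that savegb.asp lacks. The audit recognizes Access files by their Jet/ACE header signature rather than by name; the demo site tree, the file backup.mdb and the function names are constructed for the example, and only the path Data/qiyedata.asa comes from the page.

```python
import html
import os
import tempfile

# Extensions a classic-ASP host treats as server-side script. An Access
# database stored under one of these names is what turns a row of stored
# guestbook text into code when the file is requested by URL.
SCRIPT_EXTENSIONS = {".asp", ".asa", ".asax", ".aspx", ".cer", ".cdx"}

# Signature found at byte offset 4 of Jet (.mdb) and ACE (.accdb) databases.
JET_SIGNATURES = (b"Standard Jet DB", b"Standard ACE DB")


def is_access_db(path):
    """Return True if the file carries a Jet/ACE database header."""
    try:
        with open(path, "rb") as fh:
            header = fh.read(32)
    except OSError:
        return False
    return any(header[4:4 + len(sig)] == sig for sig in JET_SIGNATURES)


def audit_webroot(webroot):
    """Walk a site's document root and report Access databases stored there.

    Returns a list of (severity, relative_path, reason) tuples.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            full = os.path.join(dirpath, name)
            if not is_access_db(full):
                continue
            rel = os.path.relpath(full, webroot).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if ext in SCRIPT_EXTENSIONS:
                findings.append(("critical", rel,
                                 "Access database with a script-executable "
                                 "extension: stored rows can run as ASP"))
            else:
                findings.append(("high", rel,
                                 "Access database inside the web root: "
                                 "downloadable by URL"))
    return findings


def encode_message(text, max_len=2000):
    """Prepare a guestbook field for storage: bound its length, HTML-encode it.

    Encoding (rather than blacklisting tags) is what stops a stored message
    from rendering as markup or script in the generated static page.
    """
    return html.escape(text[:max_len], quote=True)


def build_demo_site():
    """Create a constructed site tree mirroring the layout in the article."""
    root = tempfile.mkdtemp(prefix="site_")
    os.makedirs(os.path.join(root, "Data"))
    # Constructed minimal Jet header (4 bytes, then the signature); not a real DB.
    fake_db = b"\x00\x01\x00\x00" + b"Standard Jet DB\x00"
    with open(os.path.join(root, "Data", "qiyedata.asa"), "wb") as fh:
        fh.write(fake_db)
    with open(os.path.join(root, "Data", "backup.mdb"), "wb") as fh:
        fh.write(fake_db)
    with open(os.path.join(root, "index.htm"), "w") as fh:
        fh.write("<html></html>")
    return root


if __name__ == "__main__":
    site = build_demo_site()
    for severity, path, reason in audit_webroot(site):
        print(f"[{severity}] {path}: {reason}")
    print(encode_message("<script>alert(1)</script>"))
```

Run it against a real document root in place of the constructed tree; a "critical" finding is the exact configuration conn.asp shows. The fix is to move the database outside the web root (or at least give it a non-script extension and deny it in the web server), and to call encode_message's equivalent (Server.HTMLEncode in ASP) on every guestbook field before it is stored or written into a generated page.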