Jetpack Storm: Vulnerability Analysis of the Jetpack Website Management System .NET V2.0

Source: Internet
Author: User

Text and figures: Cschi

Last time we showed how Zero Point CMS 3.21 could be broken. Recently, with some time to spare, we visited the official site of Jetpack (www.just4.cn) and found that they too have adopted ASP.NET and released version 2.0. Since it is in the same line of products, we continued the analysis with this version. I was not confident at first: when I started looking for vulnerabilities I had only opened the file "member/member_reg.aspx" in Notepad, and its strict regular expression made me wonder whether Jetpack had learned from the CMS 3.21 problem, as shown in Figure 1. Remember that Zero Point CMS 3.21 was broken because of a defect in a regular expression.

(Figure 1)

There is no free lunch in this world, but who made us all poor? We have to get on with life, and we have to talk about security. So, down to business: let us take a closer look before enjoying the Jetpack.net V2.0 dinner, and get familiar with .NET along the way.

Detection

Set up IIS on 127.0.0.1. On Windows 2003 you must manually set ASP.NET to "Allow" under "Web Service Extensions" (it is "Disabled" by default), as in Figure 2, and then register a test user, as in Figure 3.

(Figure 2) (Figure 3)

Jetpack.net V2.0 should not make low-level mistakes, so we skip the usual page-link checks and use WinSockExpert directly to capture the test user's logon, as shown in Figure 4. Evidently Jetpack.net V2.0 uses a Session to authenticate users; cookies look useless here.

(Figure 4)

The logon page was tested with the brute-force method used against Zero Point (the detailed process is omitted) and came back with nothing. Next, try submitting the registration form externally: save the registration page (Member/Member_Reg.aspx) as an HTML file, change action="" to action="http://127.0.0.1/Member/Member_Reg.aspx", delete the onclick="return CheckRegisterMember();" handler from the "Register now" button, and then register the user "test and 1=1". What? Registration succeeds! See Figure 5.
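The external submission described above removes the browser-side CheckRegisterMember() handler, which is the only check the form relied on. The following is an added example, not the CMS's code and not from the article: it models a registration handler that repeats the user-name check on the server, and shows a stored name being written into HTML both raw and HTML-encoded. The regular expression, the in-memory member store and the render functions are assumptions for the example; the article does not reproduce the CMS's own regex or page code.

```python
import html
import re

# Added, constructed model of the registration and rendering steps the
# article describes; it is not the CMS's own code. The registration form
# relied on a browser-side CheckRegisterMember() handler that a saved copy
# of the page simply omits, so the check has to be repeated on the server.

# Assumed server-side policy; the CMS's actual regular expression is not
# reproduced in the article.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,20}")


def validate_username(username: str) -> bool:
    """Server-side check that runs regardless of what the browser submitted."""
    return USERNAME_RE.fullmatch(username) is not None


def register(store: list, username: str) -> bool:
    """Append to the member store (stands in for JT_Member) only if the name is valid."""
    if not validate_username(username):
        return False
    store.append(username)
    return True


def render_member_list_unsafe(names) -> str:
    """The pattern the article abuses: stored names written straight into HTML."""
    return "<ul>" + "".join(f"<li>{n}</li>" for n in names) + "</ul>"


def render_member_list(names) -> str:
    """Hardened output: HTML-encode every untrusted value at the point of output."""
    return "<ul>" + "".join(f"<li>{html.escape(n, quote=True)}</li>" for n in names) + "</ul>"


if __name__ == "__main__":
    members = []
    # Constructed inputs: a normal name plus the two shapes the article registers.
    for name in ["alice", "<Script>alert(/CSS/)</Script>", "test' and 1=1"]:
        print(f"{name!r:40} accepted={register(members, name)}")
    # Even if a bad name slipped past validation, encoded output defuses it.
    print(render_member_list(["<Script>alert(/CSS/)</Script>"]))
```

Validation and output encoding are separate defences: the regex decides what may be stored, and html.escape makes sure that whatever is stored cannot be interpreted as markup when the member list is rendered.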
(Figure 5)

Try again with "test and 1=2": it also registers successfully and logs on normally. So the and-condition has no effect. Looking at the JT_Member table in the database, the single quotes have been written in, as shown in Figure 6. The conclusion is that single quotes in the user name are replaced with double quotes at registration, so the quote becomes an ordinary character in the user name.

(Figure 6)

Since single quotes can be written, let us try cross-site scripting. Register "<Script>alert(/CSS/)</Script>" and refresh the home page, as shown in Figure 7. I will not go into how to exploit this in depth here; everyone is familiar with it. If we register "<Script>" (or another tag), it directly breaks the frame of the home page; what if we mount a trojan directly? That is a serious problem. No injection, no cracking, no need to enter the back end: registering a user is enough to "black" Jetpack.

(Figure 7)

Conclusion: the Jetpack.net V2.0 registration page has a vulnerability. Registration can be submitted externally, but single quotation marks in the user name are replaced with double quotation marks, making the single quote a character in the user name.

Continuing to browse the site: in a vote, Jetpack allows each user (by default) to vote only once. This limit holds when logged on as "test and 1=1", but after logging on as "test and 1=2" it no longer applies! OK! The and-condition takes effect, so injection very probably exists. The detailed analysis follows.

Analysis

Jetpack.net V2.0 is written in ASP.NET and compiled into DLLs (in the bin directory), so they have to be decompiled. The tools we use are Reflector and Reflector.FileDisassembler.dll. After running Reflector, choose View > Add-Ins to add Reflector.FileDisassembler.dll, open the five DLL files in the bin directory in turn, and decompile them with Tools > File Disassembler, as in Figure 8.
(Figure 8) (Figure 9)

The following analyses the voting page file VoteResult.aspx.

<%@ Register Assembly="JustCmsKenel" Namespace="Just.CmsKenel.WebControls" TagPrefix="Just" %>

This is line 1 of the code. Register indicates that a custom control is referenced; Assembly names the assembly, Namespace names the namespace, and TagPrefix sets the alias. The line references the classes in the Just.CmsKenel.WebControls namespace (alias "Just") in the assembly JustCmsKenel (that is, the file JustCmsKenel.DLL).

......

<Just:JcVoteInfo runat="server" SkinName="Default">

This is line 19 of the code, and it references the JcVoteInfo class in the "Just" namespace. Based on this, open the file "bin\JustCmsKenel_Source\Just.CmsKenel.WebControls\JcVoteInfo.cs" (after Reflector decompiles a *.DLL file, the source is stored by default in a "*_Source" directory). From the page's OnLoad event we can see that when the VoteThemeID submitted by the form is not empty, JcVoteThemeRecord.Vote is called, as shown in Figure 10. Use Dreamweaver to search for "JcVoteThemeRecord", open "bin\JustCmsKenel_Source\Just.CmsKenel.DAL.Vote\JcVoteThemeRecord.cs", and find the vote-limit code in the Vote method (line 174), as in Figure 11.

(Figure 10) (Figure 11)

The complete SQL statement is:

"Select count(*) from JT_VoteCollection Where ThemeID=" + iVoteThemeID.ToString() + " and MemberID='" + JcMemberRecord.GetLoginInfo().MemberID + "'"

The value of iVoteThemeID comes from JcVoteThemeRecord.GetCurrentThemeID and cannot be used. The value of JcMemberRecord.GetLoginInfo().MemberID should be the user name we are currently logged on as, so it is certainly not filtered! How GetLoginInfo().MemberID is obtained is complicated to analyse; we only need to know that this variable is not filtered when it is obtained.
Although a Session is used to verify the user, the program does not sanitise the Session variable and references its illegal characters directly. This is very similar to cookie injection; the difference is that cookies can be modified while the Session cannot. But we can register a user whose name is a constructed SQL fragment, so that after logging on the fragment in the Session ends up inside the SQL statement.

Analyse all SQL statements that use the GetLoginInfo().MemberID variable (as shown in Figure 12, sorted by "Files"). The Admin and hidden-feature pages can be ignored (many features of Jetpack 2.0 are not yet public, such as job applications in Member_Member_Job.cs, the shopping mall in Member_PayCenter.cs, the test centre in Member_Exam.cs, and so on). After a registered member logs on, the interface is still very simple, and the two functions under "My Account" do not work normally! Only "My short messages" (Member_PM.cs), "Edit personal data" (Member_Member_Info.cs) and "Article contribution management" (Member_Article.cs) are available.

(Figure 12)

Exploitation

Use 1: the member centre (Member/Member_Main.aspx), which involves the statement in Figure 13 (JustCmsNt_Source\_Member_Main.cs, line 32).

(Figure 13)

Method: because the count(*) aggregate is used, the SQL statement never returns NULL. If a union statement is constructed, an Order by would be needed, but there are still statements after GetLoginInfo().MemberID, and Access does not support comments, so in the end this has to be given up because the result cannot be sorted. For example, construct the following union statement: select count (*) from JT_PM Where er ER =
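The vote-limit query above is a second-order injection: registration escapes the quote, the stored name is later read back through the Session, and Vote concatenates it into SQL unescaped. The following is an added example, not the CMS's decompiled code and not from the article, that models that flow end to end and places the parameterised fix beside it. SQLite stands in for Access, the table layouts and function names are assumptions, and the two user names in the test are constructed (the second follows the article's "test and 1=2" shape, padded so the concatenated statement still parses).

```python
import sqlite3

# Added, constructed model of the flow the article describes; it is not the
# CMS's code. Registration escapes quotes when inserting into JT_Member, but
# the vote-limit query concatenates the session's MemberID unescaped.
# SQLite stands in for Access; table layouts are assumptions.


def setup() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE JT_Member (MemberID TEXT PRIMARY KEY)")
    conn.execute("CREATE TABLE JT_VoteCollection (ThemeID INTEGER, MemberID TEXT)")
    return conn


def register(conn: sqlite3.Connection, username: str) -> None:
    # The escaping the article observed: each ' is doubled, so the INSERT is
    # valid and the name is stored verbatim, quote included.
    escaped = username.replace("'", "''")
    conn.execute("INSERT INTO JT_Member (MemberID) VALUES ('" + escaped + "')")


def votes_by_member_unsafe(conn: sqlite3.Connection, theme_id: int, member_id: str) -> int:
    # Mirrors the concatenation in the article's Vote method. member_id comes
    # from the login session, i.e. from JT_Member, and is trusted as-is.
    sql = ("select count(*) from JT_VoteCollection where ThemeID=" + str(theme_id)
           + " and MemberID='" + member_id + "'")
    return conn.execute(sql).fetchone()[0]


def votes_by_member(conn: sqlite3.Connection, theme_id: int, member_id: str) -> int:
    # Hardened: a parameterised query, so the stored name is data, not SQL.
    sql = "select count(*) from JT_VoteCollection where ThemeID=? and MemberID=?"
    return conn.execute(sql, (theme_id, member_id)).fetchone()[0]


def vote(conn: sqlite3.Connection, theme_id: int, member_id: str, counter) -> bool:
    # One vote per member per theme, enforced with the counting function given.
    if counter(conn, theme_id, member_id) > 0:
        return False
    conn.execute("INSERT INTO JT_VoteCollection VALUES (?, ?)", (theme_id, member_id))
    return True


def demo(username: str):
    """Register a name, then try to vote twice with each counting function.

    Returns (first_unsafe, second_unsafe, first_safe, second_safe); a correct
    limit yields True for the first attempt and False for the second.
    """
    conn = setup()
    register(conn, username)
    stored = conn.execute("SELECT MemberID FROM JT_Member").fetchone()[0]
    first_unsafe = vote(conn, 1, stored, votes_by_member_unsafe)
    second_unsafe = vote(conn, 1, stored, votes_by_member_unsafe)
    conn.execute("DELETE FROM JT_VoteCollection")
    first_safe = vote(conn, 1, stored, votes_by_member)
    second_safe = vote(conn, 1, stored, votes_by_member)
    return first_unsafe, second_unsafe, first_safe, second_safe


if __name__ == "__main__":
    # Constructed user names: an ordinary one and one in the article's style.
    for name in ["alice", "test' and 1=2 and '1'='1"]:
        print(f"{name!r:32} {demo(name)}")
```

Escaping at the INSERT only protects that one statement; once the value is stored and read back, every later query that concatenates it is exposed. Parameterising the read-side query (votes_by_member) keeps the one-vote limit intact no matter what the stored name contains.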
