Many website systems execute some functions on the client side (in JavaScript) without any corresponding verification on the server, so those functions can be abused. This article is a case in which an improperly protected JS function led to the fall of the website and the entire server.
Front-end vulnerability mining
In a recent security test, a scan of a co-hosted site on the same server turned up www.xxx.com/Utility/UploadFile/FileList.asp
Figure 1
It looks like an old hole from n years ago. Use the IIS parsing vulnerability to create a directory named asp and upload an image Trojan? The site has the patch installed... But this editor is very capable, so there must be other places to use it. Out of habit I viewed the source code and spotted a piece of JavaScript that looked worth a try by eye.
<tr onMouseOver="menumouseover(this)" onMouseOut="menumouseout(this)">
<td><input name="selFolder" type="checkbox" id="selFolder" value="D:\website9\www.2cto.com\UpFile\1">
<a href="javascript:transferFolder('/UpFile/1');">
1</a>
This is the JS source for the folder shown in Figure 1. The absolute path may come in useful, and then a powerful JS function, transferFolder(), shows up. After testing: when you click a folder in the editor, this JS sends the folder path from the browser to the server, and the ASP server returns the file list of that folder for browsing.
// Change the current folder
function transferFolder(f)
{
    // put the chosen folder into the hidden fder field and post the form
    document.formList.fder.value = f;
    document.formList.submit();
}
Look at the source of transferFolder. Each HTML document loaded into the browser becomes a Document object, through which a script can access every element of the page. The function assigns the passed-in folder to document.formList.fder, operating on the formList form, and submits it. What are formList and fder?
<form style="margin-bottom: 0; overflow: auto;" name="formList" method="post" action="">
<input name="rootFder" type="hidden" id="rootFder" value="/UpFile">
<input name="fder" type="hidden" id="fder" value="/UpFile">
So formList is the file-browsing form and fder is the folder to browse, which transferFolder sets. Test whether this function can be made to hand the server any folder at all. Because the code has to be changed often, I switched to the Opera browser. The original transferFolder parameter was:
transferFolder('/UpFile/1');
Pass in transferFolder('/Utility/uploadfile'); instead (this directory definitely exists),
click furiously..... Tragedy!!! Nothing happens. Not willing to give up, keep eyeballing the source.
<input name="rootFder" type="hidden" id="rootFder" value="/UpFile">
<input name="fder" type="hidden" id="fder" value="/UpFile">
rootFder is the root directory and fder is the current directory; it has to be modified by hand. So change /UpFile to /Utility.
Figure 2
Rewrite
Figure 3
Click again, and a miracle appears
Figure 4
¥#*&¥#@!* Cool!!! This function is really something, and next come the results of expanding on it.
JS function exploitation
Figure 5
As shown in Figure 5, the editor can rename files. With the transferFolder function you can traverse the whole website's directories and files; with the right permissions you can download files from the server (the rename permission is needed) and work out the directory structure of this program. If the database is Access, download the data file directly and go into the backend; check whether SQL Server can be used on 1433!!!!
Having worked out the system's directory structure, we quickly took webshells on seven other websites running the same system.
Figure 6
Find the configuration in System\Config.asp
Figure 7
As shown in Figure 7, very pleased, I went back to the site under test and located Config.asp through the transferFolder() function.
Figure 8
Change it to .txt for direct access.......................
Figure 9
Here it comes.... God, sa!!!!! Next comes the legendary port-1433 privilege escalation, nothing remarkable....
Postscript
This program has multiple fatal vulnerabilities: the FCK editor and other old holes, plus the lack of server-side authentication for the JS function described in this article, which lets any file on the server be downloaded and viewed (some lack permissions), and there are many online users. Besides SQL, the editor and other server-side code security, our programs also need to pay attention to front-end languages like JavaScript, because users can view and modify front-end source code at will, which is even more dangerous!!!
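As an added illustration (not code from the original post or from the editor it describes), here is the server-side check that FileList.asp lacked, written in Python since classic ASP cannot be run here: the submitted fder value is canonicalised and accepted only if it stays under a root fixed on the server. The in-memory SITE_TREE and its entries are constructed for the example.

```python
import posixpath

# Constructed stand-in for the site's folders; the real FileList.asp
# reads them from disk.
SITE_TREE = {
    "/UpFile": ["1"],
    "/UpFile/1": ["a.jpg", "b.jpg"],
    "/Utility": ["uploadfile", "FileList.asp"],
    "/System": ["Config.asp"],
}

# The allowed root lives on the server, NOT in the hidden rootFder
# input, because the client can edit hidden inputs just as easily.
ROOT_FDER = "/UpFile"


def normalize(fder):
    """Canonical absolute POSIX path for a submitted fder value.
    Backslashes count as separators because the site runs on Windows,
    and normpath collapses any '..' segments."""
    p = fder.replace("\\", "/")
    if not p.startswith("/"):
        p = "/" + p
    return posixpath.normpath(p)


def is_under_root(fder, root=ROOT_FDER):
    """Containment check: fder must be the root or a descendant of it.
    Comparison is case-sensitive, so odd casing fails closed."""
    target = normalize(fder)
    root = normalize(root)
    return target == root or target.startswith(root.rstrip("/") + "/")


def list_folder_vulnerable(form):
    """Original behaviour: whatever the form says is browsed."""
    return SITE_TREE.get(normalize(form["fder"]))


def list_folder_hardened(form):
    """Same handler with the missing check; None means 'refused'."""
    if not is_under_root(form["fder"]):
        return None
    return SITE_TREE.get(normalize(form["fder"]))
```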
My ability is limited and this article will inevitably have omissions; I hope the experts won't laugh at me and will be forgiving...
Author: Yaseng www.yaseng.me