The target site is www.2cto.com, on an independent server. The server hosts a main site, a blog and a bbs. The blog runs a packaged blog system, and finding a vulnerability there was judged unlikely, so I started with the main site.
The main site is mostly static pages, but users can register. A directory scan turned up nothing suspicious, so I registered a user and looked through the member area, where there is an upload function.
After selecting an image and uploading it, I found that the file is renamed randomly and no parameters such as filepath are passed, so the usual CMS upload vulnerabilities do not apply. Googling the upload page's file name and parameters showed that the site runs Creative CMS.
Searching for the version found 3.1. With the version known, the next step is to read the code and see what 0-days can be dug out.
Reading the upload code, the first finding is a vulnerability that exposes the admin directory:
In User/upload.asp, line 126:
Anyone with upload permission can right-click the upload page, view the source, and read the admin directory from the path before admin_files.asp. The target site has this problem too: although admin_files.asp has been deleted, there are other ways to reach the admin area.
Creative CMS integrates some Dvbbs classes with modifications. The code is well written: all numeric variables are converted with CLng or CInt. But in a codebase this large, something inevitably slips through, and after some effort I found several cases.
In Inc/Cl_Function_Guest.asp:
Obviously, delid is only checked for the presence of ","; otherwise it goes straight into the query.
Register a user, visit GuestBook/Index.asp?Action=write and leave a message, then go back to GuestBook/Index.asp?Action=user, where there is a delete link. Copy its URL, e.g. GuestBook/Index.asp?Action=del&guestid=1, and append "," followed by "'". An error occurs.
Typical injection.
Unfortunately, on the target site the guestbook directory has had all permissions removed and asp cannot execute there, so another path is needed.
In User\reg.asp,
The Username variable is filtered in two layers, but unfortunately the most important character, the single quote, is not filtered.
Enter the following when registering a new user:
An error occurs when clicking "Register":
Unfortunately, the target site appears to have been configured to handle single quotes. It doesn't matter; there is still another approach.
In User\User_ChkInfo.asp:
Title goes into the query without any filtering, which produces the vulnerability. Note that User_ChkInfo.asp closes itself as soon as it is opened; in that case you only need to disable JavaScript in the browser.
Submitting User/User_ChkInfo.asp?ChannelID=1&TitleName=' gives an error.
The tragedy is that the target site has already fixed this vulnerability. Keep going.
In User\User_InfoDel.asp:
InfoID is queried without any filtering. Unfortunately this page is only accessible to members with certain permissions; newly registered members generally lack them, so it could not be tested directly.
So much code read for nothing? Is the target really that impeccable? No. What follows is the truly fatal one.
In User\User_UserCz.asp:
There is no filtering at all, and importantly this file also exists on the target site. The file checks the referer and shows an error if it is opened directly. That is easy to get around: no referer forging is needed. Enter the following in the address bar:
javascript:document.write("<a href='http://www.xxx.com/User/User_UserCz.asp'>aaa</a>")
Then click the link on the page.
Once in User_UserCz.asp, click "recharge with card". Enter a single quote for the card number and another for the password, fill in the verification code, and submit. An error occurs.
After some work, the target turns out to be MSSQL with db_owner permissions. Because error messages are suppressed, manual blind injection is too tiring, and every request needs a fresh verification code, so I stopped there.
With patience, this site could be taken completely. Because there is an admin backend and MSSQL, one could simply UPDATE the administrator's password and it's essentially over. There are too many ways to get a shell from the backend (database backup and restore, custom pages, direct execution of SQL statements; for Access and IIS 6.0 that is an instant kill), so I won't repeat them.
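The root cause in every file above (delid in Cl_Function_Guest.asp, Title in User_ChkInfo.asp, InfoID, the card fields in User_UserCz.asp) is request values spliced into SQL text, with a referer check standing in for authorization. As an added example, not Creative CMS code, here is how the delid case could be written in classic ASP: the ID list is whitelist-parsed to Longs and every value is bound through ADODB.Command parameters. The open connection conn, the GuestBook table and its GuestID and UserName columns are assumptions.

```vbscript
<%
Option Explicit
' Added example, not Creative CMS code. Assumes an open ADODB.Connection in
' "conn" (from the site's include) and a GuestBook table with GuestID and
' UserName columns; adjust the names to the real schema.
' Parse "1,5,9" into an array of Longs. Returns Empty if any item is not a
' run of digits, so "1'" or "1 OR 1=1" never reaches the SQL text.
Function ParseIdList(raw)
    Dim re, parts, ids, i
    Set re = New RegExp
    re.Pattern = "^[0-9]{1,9}$"      ' digits only, so CLng cannot overflow
    parts = Split(raw, ",")
    ReDim ids(UBound(parts))
    For i = 0 To UBound(parts)
        If Not re.Test(Trim(parts(i))) Then
            ParseIdList = Empty
            Exit Function
        End If
        ids(i) = CLng(Trim(parts(i)))
    Next
    ParseIdList = ids
End Function
' Delete one row through bound parameters; the values travel to the driver
' separately from the statement text. ADO constants used by number:
' adInteger = 3, adVarChar = 200, adParamInput = 1 (or include adovbs.inc).
Sub DeleteGuestEntry(conn, id, ownerName)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandText = "DELETE FROM GuestBook WHERE GuestID = ? AND UserName = ?"
    cmd.Parameters.Append cmd.CreateParameter("@id", 3, 1, , id)
    cmd.Parameters.Append cmd.CreateParameter("@user", 200, 1, 50, ownerName)
    cmd.Execute
End Sub
' Authorization comes from the server-side session, not from the Referer
' header: a Referer check is satisfied by any page that links here.
Dim ids, i
If IsEmpty(Session("UserName")) Then
    Response.Status = "403 Forbidden"
    Response.End
End If
ids = ParseIdList(Request.QueryString("delid"))
If IsEmpty(ids) Then
    Response.Write "Invalid id list"
    Response.End
End If
For i = 0 To UBound(ids)
    Call DeleteGuestEntry(conn, ids(i), Session("UserName"))
Next
%>
```

The same two moves apply to the string fields (Title, card number, password): bind them as adVarChar parameters instead of filtering quotes, and let the row's owner column, not the referer, decide who may touch it.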