Qingchuang Article System Security Analysis

Source: Internet
Author: User

Recently I was hit by a mental disorder, so I was invited to the mental hospital to work as a part-time researcher. What do I study? Hey, of course it's me being studied! Being studied every day isn't much fun, and I haven't written a blog post for a long time, so today I have to study something myself.

The subject is QcNews, an ASP + Access article system. The latest version, 1.5.2.23.7.0, dates from last February, so it seems the author has not updated it for a long time.

I stumbled on a few holes by accident. Probably some people have already found them. Wow, big brother, don't blame me: I found these vulnerabilities myself, and I am publishing them for you.

By the time this article is published the vulnerability patch has probably been released. If you are using this system, install the patch.

Note that the official exe installer bundles a browser plug-in in its default installation mode.


1. Arbitrary Member Login / Data Modification Vulnerability


The system identifies the logged-in front-end user solely by the user_name value stored in the cookie. See the code:


If Request.Cookies("qcdn")("user_name") = "" Then

 

But cookies are under the client's control and can be forged, so anyone can log on as any front-end account. Likewise, the record a front-end user is allowed to edit is selected by the cookie's user name, so anyone's profile information can be modified the same way.


2. SQL Injection Vulnerability


The first spot is the user comment page, remarkList.asp. Its Unid parameter is concatenated straight into the SQL statement without any filtering of dangerous characters, so it can be injected directly with tools. This is a blind injection: if the injected condition is true the comments are displayed, and if it is false no comments appear, so you have to pick an article that already has a comment to use as the oracle.

The second spot is a bit more hidden: the "Recommend to a friend" feature of each article (SendMail.asp). It cannot be injected directly from the URL, but the article's Unid is placed in a hidden field of the form. When you fill in a friend's e-mail address and submit, that Unid is concatenated into the SQL statement, again without filtering dangerous characters. When the condition is true the page pops up "email sending failed" (because I do not have JMail installed), and when the condition is false the page reports an error.

This SQL injection can leak the back-end user name and its MD5-hashed password. If the password is not complex, an intruder will soon crack it.


3. Arbitrary Back-end Account Password Modification by Ordinary Back-end Accounts


Let's take a look at the key code of admin_EditPass.asp:


If Request("method") = 1 Then
    ' The id of the account to update comes straight from a hidden form field
    Unid = Request.Form("Unid")
    If Trim(Request.Form("username")) = "" Then
        Errmsg = "<li>Enter the user name."
        FoundErr = True
    Else
        Username = Qcdn.checkStr(Trim(Request.Form("username")))
    End If
    If Trim(Request.Form("pass1")) = "" Or Trim(Request.Form("pass2")) = "" Then
        Errmsg = Errmsg + "<li>Enter the password and confirm the password."
        FoundErr = True
    ElseIf Trim(Request.Form("pass1")) <> Trim(Request.Form("pass2")) Then
        Errmsg = Errmsg + "<li>The entered password does not match the confirmed password."
        FoundErr = True
    Else
        Password = Qcdn.checkStr(Trim(Request.Form("pass1")))
        Password = md5(Password, 16)
    End If
    If FoundErr Then
        Call Qcdn.Err_List(Errmsg, 1)
        Response.End
    End If
    ' Unid is never compared with the account that is actually logged in
    SQL = "Update article_admin set username=" & Username & ", [password]=" & Password & " where id=" & Unid
    Conn.Execute(SQL)
    Response.Write("<script>alert(""Modified successfully"");location.href=""admin_EditPass.asp"";</script>")
    Response.End
End If

 

Note the SQL statement "Update article_admin set username=" & username & ", [password]=" & password & " where id=" & Unid: Unid, username and password are all submitted through the form and none of them is verified against the logged-in account. So an ordinary back-end user only needs to know the id of another back-end account, edit the Unid in the hidden field, and submit a new password to change that account's password.
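To make the defect concrete, here is an added example (not QcNews code) that models the password-change logic described above against an in-memory SQLite stand-in for the Access table; the quoting in the concatenated statement and the 16-character MD5 helper are assumptions. It contrasts the page's flow, where the hidden Unid selects the row, with a fixed version that binds the target row to the server-side session and uses parameters.

```python
import hashlib
import sqlite3


def md5_16(password: str) -> str:
    """Stand-in for the page's md5(password, 16): the middle 16 hex characters
    of the MD5 digest, as the common ASP md5.asp helper returns (an assumption)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()[8:24]


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the Access table article_admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE article_admin (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO article_admin VALUES (?, ?, ?)",
                     [(1, "admin", md5_16("admin-secret")), (2, "clerk", md5_16("clerk-secret"))])
    return conn


def edit_pass_as_on_page(conn: sqlite3.Connection, form: dict) -> None:
    """Mirrors admin_EditPass.asp: the row to update is taken from the hidden Unid
    field and the values are concatenated into the statement (quoting assumed)."""
    sql = ("UPDATE article_admin SET username='" + form["username"] + "', password='"
           + md5_16(form["pass1"]) + "' WHERE id=" + form["Unid"])
    conn.execute(sql)


def edit_pass_fixed(conn: sqlite3.Connection, session_user_id: int, form: dict) -> None:
    """Hardened version: the target row is the account bound to the server-side
    session, the hidden Unid is ignored, and values are passed as bound parameters."""
    if not form.get("pass1") or form["pass1"] != form.get("pass2"):
        raise ValueError("password missing or confirmation mismatch")
    conn.execute("UPDATE article_admin SET username=?, password=? WHERE id=?",
                 (form["username"].strip(), md5_16(form["pass1"]), session_user_id))


def password_of(conn: sqlite3.Connection, user_id: int) -> str:
    return conn.execute("SELECT password FROM article_admin WHERE id=?", (user_id,)).fetchone()[0]


# Constructed request: the clerk (id 2) submits the form with the hidden Unid edited to 1.
TAMPERED_FORM = {"Unid": "1", "username": "admin", "pass1": "newpass", "pass2": "newpass"}

if __name__ == "__main__":
    db = make_db()
    edit_pass_as_on_page(db, TAMPERED_FORM)
    print("page logic: admin hash now", password_of(db, 1) == md5_16("newpass"))
    db = make_db()
    edit_pass_fixed(db, 2, TAMPERED_FORM)
    print("fixed logic: admin hash unchanged", password_of(db, 1) == md5_16("admin-secret"))
```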


4. Arbitrary Website File Deletion by Back-end Accounts


The back end has an "Upload File Management" function for deleting uploaded files. The request looks like http://localhost/QcNews/admin_picmang.asp?Action=del&filename=2003123162475.jpg

FileName is the name of the file to delete, and the file lives in the Upfiles folder. The obvious thing to try is a FileName that escapes that directory. The author did consider this and added the following check:


If Left(Trim(arrFileName(I)), 3) <> "../" And Left(Trim(arrFileName(I)), 1) <> "/" Then

 

This only rejects names that begin with "../" or "/". A name that starts with an ordinary directory component and climbs out afterwards passes the check, so a URL of the form http://localhost/QcNews/admin_picmang.asp?Action=Del&FileName=lake2/.../index.asp can delete any file on the site.
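The following added example (not QcNews code) reproduces the prefix test quoted above next to a canonicalising check that resolves the full path and requires it to stay inside the upload folder; the folder location and the sample FileName values are constructed for the demonstration.

```python
import posixpath

# Assumed web-root-relative location of the upload folder the page calls "Upfiles".
UPLOAD_DIR = "/QcNews/Upfiles"


def prefix_check(filename: str) -> bool:
    """The test admin_picmang.asp applies, as quoted on the page:
    only names beginning with '../' or '/' are rejected."""
    name = filename.strip()
    return not (name.startswith("../") or name.startswith("/"))


def canonical_check(filename: str) -> bool:
    """Hardened replacement: resolve the joined path and require that it still
    lies inside UPLOAD_DIR after '..' segments are collapsed. Backslashes are
    folded to '/' first because IIS accepts either separator."""
    name = filename.strip().replace("\\", "/")
    if name == "":
        return False
    target = posixpath.normpath(posixpath.join(UPLOAD_DIR, name))
    return target.startswith(UPLOAD_DIR + "/")


def classify(filenames):
    """Return {name: (prefix_verdict, canonical_verdict)} for a batch of
    FileName values so the two policies can be compared side by side."""
    return {n: (prefix_check(n), canonical_check(n)) for n in filenames}


# Constructed sample FileName values: the legitimate name from the page's URL
# plus traversal forms of the kind the page describes.
SAMPLES = [
    "2003123162475.jpg",
    "../index.asp",
    "lake2/../../index.asp",
    "..\\..\\index.asp",
]

if __name__ == "__main__":
    for name, (old, new) in classify(SAMPLES).items():
        print(f"{name!r:28} prefix_check={old!s:5} canonical_check={new}")
```

Only the legitimate bare file name passes both checks; the two traversal forms that begin with a normal component or use backslashes pass the prefix test but fail the canonical one.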


5. Ordinary Back-end Accounts Directly Obtain Administrator Privileges


The back end of this system has three account types with different permissions: administrator, entry clerk and auditor. The administrator has every permission, the entry clerk can only post articles, and the auditor reviews them. The author's biggest oversight, however, is that the entry clerk and the auditor effectively have the same permissions as the administrator.

Ordinary accounts do not see the links to the other management functions, but the pages themselves never check the role: typing a page's address directly into the browser runs the corresponding function exactly as an administrator would. For example, to back up the database, I log on as an entry clerk and then enter http://localhost/QcNews/admin_backupdata.asp in the browser, and the database is backed up. The other functions work the same way.


6. Back-end Database Backup Vulnerability

Well, having reached the back end through the SQL injection, the database backup function can be used to obtain a webshell.

The usual route is to rename an asp file to gif, upload it, and then use the backup function to copy it back out with an asp extension. However, when images are uploaded, the system first checks whether the file is actually in image format, so simply renaming asp to gif does not work. What then?

You will remember the old trick of appending ASP code to the end of a genuine image file; the format check still passes.

 

With limited free time for research I only found these few bugs, but they are enough to threaten the large websites that use this system. Of course, the purpose of writing this article is not to teach everyone to go and hack sites, but to make our networks safer......

If you want to contact me, please come to the mental hospital and call 120 to ask for President Hu. ^_^
