Recently I came down with a mental disorder, so I was invited to the mental hospital to work as a part-time researcher. What do I research? Well, of course I am the one being researched! It's no good being studied every day, and I haven't written a blog post for a long time, so today I have to study something myself.
The subject is QcNews, an ASP + Access article system. The latest version, 1.5.2.23.7.0, dates from last February, so it seems the author has not updated it for a long time.
I stumbled on a few holes. Probably some people have already found them. Hey, big brother, that's not nice of you: if you find a vulnerability you should publish it yourself, so I am releasing them for you.
By the time this article is published a patch has probably come out. If you are using this system, install it.
Incidentally, the official EXE installer bundles a browser plug-in in its default installation mode.
1. Arbitrary Member Login / Data Modification Vulnerability
The system identifies the current user solely by the user_name value stored in the cookie. See the code:
If Request.Cookies("qcdn")("user_name") = "" Then
Cookies can be forged, so anyone can log in as any front-end member. Likewise, which member's information gets modified is decided by the user_name in the cookie, so anyone's information can be changed as well.
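The fix for trusting a plaintext user_name is to make the cookie unforgeable. As an added example (not QcNews code), the qcdn cookie below carries an HMAC tag over user_name under a server-side key; the constructed key, cookie layout and function names are assumptions, and the page's original check is shown beside it for contrast.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret. In a real deployment it lives in protected
# configuration and is never sent to the browser.
SERVER_KEY = secrets.token_bytes(32)

def _fields(cookie: str) -> dict:
    """Split a 'k=v&k=v' dictionary cookie (the shape Request.Cookies("qcdn")(...) reads)."""
    return dict(part.split("=", 1) for part in cookie.split("&") if "=" in part)

def make_cookie(user_name: str, key: bytes = SERVER_KEY) -> str:
    """Issue a qcdn cookie whose user_name field is bound to an HMAC-SHA256 tag."""
    tag = hmac.new(key, user_name.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"user_name={user_name}&sig={tag}"

def verify_cookie(cookie: str, key: bytes = SERVER_KEY):
    """Return the authenticated user_name, or None when the tag is missing or wrong.
    A cookie written by hand (no tag) or edited to another user_name fails here."""
    f = _fields(cookie)
    user_name, sig = f.get("user_name", ""), f.get("sig", "")
    if not user_name or not sig:
        return None
    expected = hmac.new(key, user_name.encode("utf-8"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):   # constant-time comparison
        return None
    return user_name

def vulnerable_current_user(cookie: str):
    """The page's logic: whatever user_name the cookie claims is the logged-in user."""
    return _fields(cookie).get("user_name") or None
```

The signed value should also carry an expiry, or be replaced by a random server-side session id looked up on each request, so that a captured cookie does not stay valid forever.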
2. SQL Injection Vulnerability
The first is in user comments, the remarkList.asp file. The Unid parameter goes straight into the SQL statement without any filtering of dangerous characters, so it can be injected directly with tools. When the injected condition is true the comments are shown; when it is false nothing is shown, so an article that already has comments is needed for the injection to be observable.
The second is better hidden: the "Recommend to a friend" feature of each article (SendMail.asp). It cannot be injected directly, but the article's Unid is placed in a hidden form field of the page. When a friend's e-mail address is filled in and the form submitted, that Unid is spliced into the SQL statement, again without any filtering of dangerous characters. When the condition is true, "email sending failed" pops up (because I have not installed JMail); when it is false, the page reports an error.
This SQL injection can leak the back-end user name and its MD5 password hash. If the password is not complex, an intruder will crack it quickly.
3. Arbitrary Back-end Account Password Modification by an Ordinary Back-end Account
Let's look at the key code of admin_EditPass.asp:
If Request("method") = 1 Then
    ' The row to update is taken from the submitted form, not from the logged-in session
    Unid = Request.Form("Unid")
    If Trim(Request.Form("username")) = "" Then
        Errmsg = "<li>Enter the user name."
        FoundErr = True
    Else
        Username = Qcdn.checkStr(Trim(Request.Form("username")))
    End If
    If Trim(Request.Form("pass1")) = "" Or Trim(Request.Form("pass2")) = "" Then
        Errmsg = Errmsg + "<li>Enter the password and confirm the password."
        FoundErr = True
    ElseIf Trim(Request.Form("pass1")) <> Trim(Request.Form("pass2")) Then
        Errmsg = Errmsg + "<li>The two passwords entered do not match."
        FoundErr = True
    Else
        Password = Qcdn.checkStr(Trim(Request.Form("pass1")))
        Password = md5(Password, 16)
    End If
    If FoundErr Then
        Call Qcdn.Err_List(Errmsg, 1)
        Response.End
    End If
    ' Username, Password and Unid are concatenated straight into the statement
    SQL = "Update article_admin set username='" & Username & "',[password]='" & Password & "' where id=" & Unid
    Conn.Execute(SQL)
    Response.Write("<script>alert(""Modified successfully"");location.href=""admin_EditPass.asp"";</script>")
    Response.End
End If
Note that in the Update article_admin statement, Unid, username and password are all taken straight from the submitted form, and none of them is checked against the logged-in account. So it is enough to know a back-end user's id: change the Unid in the hidden form field, submit a new password, and that user's password is replaced.
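The root causes in admin_EditPass.asp are that the target row is chosen by a form field and that form values are concatenated into SQL; the same concatenation is behind the Unid injections in remarkList.asp and SendMail.asp above. As an added example (not QcNews code), the constructed SQLite stand-in for article_admin below puts the page's update next to a version that takes the row id from the authenticated session and binds every value as a parameter; the md5_16 helper, table contents and function names are assumptions.

```python
import hashlib
import sqlite3

def md5_16(password: str) -> str:
    # Stand-in for the page's md5(password, 16). The classic-ASP md5.asp 16-character
    # mode returns the middle 16 hex digits (assumption; the page only shows the call).
    return hashlib.md5(password.encode("utf-8")).hexdigest()[8:24]

def setup_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the Access table article_admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE article_admin (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO article_admin VALUES (?, ?, ?)",
                     [(1, "admin", "hash-of-admin"), (2, "clerk", "hash-of-clerk")])
    conn.commit()
    return conn

def edit_pass_vulnerable(conn: sqlite3.Connection, form: dict) -> None:
    """Mirrors admin_EditPass.asp: id, username and password all come from the form and
    are spliced into the SQL text, so any back-end user can rewrite any other user's row."""
    sql = ("Update article_admin set username='" + form["username"] + "',[password]='"
           + md5_16(form["pass1"]) + "' where id=" + form["Unid"])
    conn.execute(sql)
    conn.commit()

def edit_pass_fixed(conn: sqlite3.Connection, session_user_id: int, form: dict) -> None:
    """Hardened version: the row is the one belonging to the authenticated session (the
    form's Unid is ignored) and values are bound as parameters, never parsed as SQL."""
    if not form["pass1"] or form["pass1"] != form["pass2"]:
        raise ValueError("password missing or the two entries do not match")
    conn.execute("UPDATE article_admin SET username = ?, password = ? WHERE id = ?",
                 (form["username"], md5_16(form["pass1"]), session_user_id))
    conn.commit()

def password_of(conn: sqlite3.Connection, user_id: int) -> str:
    return conn.execute("SELECT password FROM article_admin WHERE id = ?",
                        (user_id,)).fetchone()[0]
```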
4. Arbitrary File Deletion by Back-end Accounts
The back end has an "Upload File Management" function for deleting uploaded files. Its URL has the form http://localhost/QcNews/admin_picmang.asp?Action=del&filename=2003123162475.jpg
FileName is the name of the file to delete, which lives in the Upfiles folder. The natural question is whether FileName can be crafted to escape that directory. The author did consider this, hence the following check:
If Left(Trim(arrFileName(i)), 3) <> "../" And Left(Trim(arrFileName(i)), 1) <> "/" Then
The check only rejects names that begin with ../ or /, so a name in which the traversal comes after a leading directory component, along the lines of http://localhost/QcNews/admin_picmang.asp?Action=Del&FileName=lake2/.../index.asp, passes it, and any file on the site can be deleted.
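A prefix test on the raw string cannot decide where a path ends up; the decision has to be made on the resolved path. As an added example (not QcNews code), the function below reproduces the page's check and then a hardened one that accepts only a bare file name and confirms the normalised target still lies inside Upfiles; the directory path, the function names and the constructed traversal input lake2/../../index.asp are assumptions.

```python
import os

# Constructed location; the page only names the Upfiles folder.
UPFILES_DIR = "/var/www/QcNews/Upfiles"

def naive_check(name: str) -> bool:
    """The page's check: reject only names that start with '../' or '/'."""
    name = name.strip()
    return name[:3] != "../" and name[:1] != "/"

def resolve_upload(name: str, base: str = UPFILES_DIR):
    """Return the absolute path of the upload to delete, or None if the name is not
    a plain file inside the Upfiles directory."""
    name = name.strip()
    # An upload is a bare file name: refuse separators of either convention (the
    # original runs on Windows/IIS), the empty name, and the '.' / '..' entries.
    if not name or "/" in name or "\\" in name or name in (".", ".."):
        return None
    base = os.path.abspath(base)
    candidate = os.path.abspath(os.path.join(base, name))
    # Defence in depth: after normalisation the target must still sit below base.
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        return None
    return candidate
```

The same containment check belongs on every file operation that takes a name from the request, not only on delete.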
5. Ordinary Back-end Accounts Directly Obtain Administrator Privileges
The back end has three kinds of account with different permissions: administrator, entry clerk and reviewer. The administrator has every permission, the entry clerk can only post articles, and the reviewer approves them. The author's biggest oversight, however, is that the entry clerk and the reviewer actually hold the same permissions as the administrator.
Ordinary accounts are merely not shown the links to the other management functions; the page addresses can be typed straight into the browser and the functions work exactly as they do for an administrator. For example, logged in as an entry clerk, I entered http://localhost/QcNews/admin_backupdata.asp in the browser and could back up the database. The other functions behave the same way.
6. Background Database Backup Vulnerability
So, having reached the back end via SQL injection, the database backup function can be used to obtain a webshell.
Rename an .asp file to .gif, upload it, then back it up as .asp. However, the upload first checks that the file really is in an image format, so simply renaming .asp to .gif is not enough. What then?
Remember the old trick of appending ASP code to the end of a genuine image file.
With limited free time for research I only found these few bugs, but they are enough to threaten the large sites using this system. Of course, the point of writing this article is not to teach everyone to hack sites, but to make our networks safer......
If you want to contact me, come to the mental hospital, or call 120 and ask for Director Hu. ^_^