Discuss this article with the author here: http://bbs.2cto.com/read.php?tid=93957
Code By Link & Lince
Web Site: Www.link0day.cn
Hacker Team: WwW.2cto.com
When reprinting, please state the source and respect the author. Thank you.
I haven't published any articles recently, and many people came to criticize me last night.
I did not write anything recently. This vulnerability has been known for a long time. I've always been lazy about writing articles, and now I'm a little excited. I hope you don't do anything bad with it. I already told them that we should soon get v2.0 out and wait for the host to help with the key to the traffic. Today we need to pay for the traffic. He does.. Hey, this guy is in love and I am tired.
Straight to the analysis, without nonsense:
Many files in the system include the anti-injection file Nsql.asp. Let's see how it is written:
<%
Dim SQL_inj, SQL_Get, SQL_Data, SQL_Post
' DataNsql is the "|"-separated keyword list; it is defined elsewhere in the system
SQL_inj = Split(DataNsql, "|")
If Request.QueryString <> "" Then
  For Each SQL_Get In Request.QueryString
    For SQL_Data = 0 To UBound(SQL_inj)
      If InStr(Request.QueryString(SQL_Get), SQL_inj(SQL_Data)) > 0 Then
        Response.Write "<Script Language=javascript>alert('Note: Do not submit illegal requests! http://www.ZhiRui.net');history.back(-1)</Script>"
        Response.End()
      End If
    Next
  Next
End If
If Request.Form <> "" Then
  For Each SQL_Post In Request.Form
    For SQL_Data = 0 To UBound(SQL_inj)
      If InStr(Request.Form(SQL_Post), SQL_inj(SQL_Data)) > 0 Then
        Response.Write "<Script Language=javascript>alert('Note: Do not submit illegal requests! http://www.ZhiRui.net');history.back(-1)</Script>"
        Response.End()
      End If
    Next
  Next
End If
%>
Of the three input sources (GET, POST and Cookie), this filter covers only GET and POST: it iterates Request.QueryString and Request.Form and never looks at Request.Cookies.
If a page reads its input through Request.Form or Request.QueryString, cookies cannot be used for injection.
However, this system has files that read input through the unqualified Request() collection, which also searches the Cookies collection, so cookie injection exists. You can test this yourself.
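To make the coverage gap concrete, here is a small Python model of the situation, added for this article and not part of the ZhiRui code: the three request collections, the order in which classic ASP's unqualified Request(name) searches them (QueryString, then Form, then Cookies), and the Nsql.asp keyword test. The keyword list stands in for DataNsql, whose real contents are not on the page, and all request values are constructed. The audit function reports which collections reach a page without ever passing through the filter.

```python
# Constructed stand-in for DataNsql (the real list is configured elsewhere in the system).
DATA_NSQL = "select|insert|update|delete|exec|declare|'|--"

# Order in which Request("name") searches the collections in classic ASP
# (ClientCertificate and ServerVariables follow, omitted from this model).
LOOKUP_ORDER = ("query", "form", "cookies")


def nsql_blocks(value, keywords=DATA_NSQL):
    """Mirror the Nsql.asp test: InStr(value, keyword) > 0 for any keyword.
    InStr with its default binary compare is case-sensitive, and so is this."""
    return any(kw in value for kw in keywords.split("|"))


def request_lookup(request, name):
    """Model Request(name): the first collection holding `name` wins."""
    for coll in LOOKUP_ORDER:
        if name in request.get(coll, {}):
            return coll, request[coll][name]
    return None, ""


def value_was_filtered(request, name, checked=("query", "form")):
    """True if the value Request(name) would return came from a collection that
    Nsql.asp actually iterates. `checked` defaults to the page's coverage: GET and POST."""
    coll, _ = request_lookup(request, name)
    return coll is not None and coll in checked


def unfiltered_sources(request, checked=("query", "form")):
    """Audit helper: collections the filter never inspects, with any values in them
    that the keyword test would have blocked had it looked."""
    leaks = {}
    for coll, values in request.items():
        if coll in checked:
            continue
        hits = {k: v for k, v in values.items() if nsql_blocks(v)}
        if hits:
            leaks[coll] = hits
    return leaks


if __name__ == "__main__":
    # Constructed request: "id" is absent from the query string and form, so a page
    # that reads Request("id") gets it from the cookie jar, which the filter skips.
    req = {"query": {"page": "1"}, "form": {}, "cookies": {"id": "1 select x"}}
    print(request_lookup(req, "id"))                 # ('cookies', '1 select x')
    print(value_was_filtered(req, "id"))             # False
    print(unfiltered_sources(req))                   # {'cookies': {'id': '1 select x'}}
    print(unfiltered_sources(req, LOOKUP_ORDER))     # {} once cookies are covered too
```

Extending the loop to Request.Cookies closes this particular gap, but a keyword blacklist remains a weak control; the durable fix is to stop concatenating request values into SQL and use parameterized commands (ADODB.Command with parameters) instead.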
A few more notes on XSS. I heard the boss say that XSS can lead to session spoofing; if so, the whole system is a chicken rib (worthless).
Look at function.asp, which contains the following:
' Form filtering
Function checkstr(istr)
  Dim istr_form, SQL_KILL, SQL_KILL_1, SQL_KILL_2, istr_kill
  If istr = "" Then Exit Function
  istr = LCase(istr)
  istr_form = istr
  SQL_KILL = "and|exec|insert|select|delete|update|count|chr|mid|master|truncate|char|declare|set|from|="
  SQL_KILL_1 = Split(SQL_KILL, "|")
  For Each SQL_KILL_2 In SQL_KILL_1
    istr = Replace(istr, SQL_KILL_2, "")
  Next
  checkstr = istr
  istr_kill = Replace(istr_form, istr, "")
  If istr <> istr_form Then
    Response.Write ""
    Response.End
  End If
End Function
I really don't understand why form filtering is treated as more important than filtering cross-site (XSS) characters. XSS characters are not filtered at all, so directly constructing a payload in some files triggers cross-site scripting:
<script>alert("fuck by Link")</script>
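The following Python model, added here and not taken from function.asp, reproduces checkstr's keyword logic next to the control it is missing, output encoding. It shows two things a reviewer of this filter should note: markup passes through untouched because none of the SQL keywords occur in it, while ordinary input such as a name containing "and" is rejected because the match is a plain substring replace. html_encode plays the role of Server.HTMLEncode; the sample inputs are constructed.

```python
import html

# Keyword list as it appears in checkstr (function.asp); split on "|" as the page does.
SQL_KILL = ("and|exec|insert|select|delete|update|count|chr|mid|master|"
            "truncate|char|declare|set|from|=")


def checkstr(istr):
    """Model of checkstr: lower-case the input, strip every keyword as a substring,
    and reject (return None, the Response.End path) when anything was stripped.
    Otherwise return the surviving, lower-cased string."""
    if istr == "":
        return ""
    lowered = istr.lower()
    stripped = lowered
    for kw in SQL_KILL.split("|"):
        stripped = stripped.replace(kw, "")
    if stripped != lowered:
        return None
    return stripped


def html_encode(value):
    """Output encoding for an HTML text or attribute context (Server.HTMLEncode
    equivalent): the control checkstr does not provide."""
    return html.escape(value, quote=True)


def render_untrusted(value):
    """What a page should do with user input before writing it into HTML:
    encode at output time, independent of any input blacklist."""
    return html_encode(value)


if __name__ == "__main__":
    probe = "<script>alert(1)</script>"          # constructed markup sample
    print(checkstr(probe))                       # passes unchanged: no SQL keyword in it
    print(render_untrusted(probe))               # &lt;script&gt;alert(1)&lt;/script&gt;
    print(checkstr("Andrea"))                    # None: legitimate name rejected ("and")
```

Blacklisting substrings is the wrong shape for both problems: it breaks legitimate input and does nothing for HTML injection. Encoding every untrusted value at the point it is written into the page is what neutralizes the script tag, whatever the input filter did.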
If XSS can lead to session spoofing, the system is as worthless as described above, and no further conditions need to be combined with the session spoofing.
Someone called me on my blog and said that session spoofing is difficult to use, so I am wondering whether it really is difficult. Why don't you just make up for other people's character explosion? In this case, I set it up. If you get the shell of a non-target station while nobody is paying attention, but the directory permissions are abnormal and you can't skip it, and you cannot escalate the permissions either, you can't think about using session cheating to win the main site.. Ah, depressed.
Back to the topic. XSS can lead to session spoofing because many files are written like this:
<%
Dim UserName, UserID
UserName = Session("zhi_rui_v_MemName")
UserID = Session("zhi_rui_v_userID")
If UserName = "" Or UserID = "" Then
  Response.Redirect "UserLogin.asp"
  Response.End()
End If
%>
This is what upload.asp contains. If a spoofed session gets past this check, files can be uploaded.
Here, the only thing checked is whether the session is empty. When the webmaster asked me for a better solution, I thought of a very strong method that would stop the average person from getting in. I discovered this method when analyzing the bsht article system; I will analyze it next time. I'm too lazy to type more.
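As an added example (not the author's undisclosed method and not ZhiRui code), the Python below puts the upload.asp test next to a check that ties the session to server-side state: the user id must be a well-formed integer, the (id, name) pair must exist in the user store, and a per-login token kept in the session must match the one recorded for that user. The login_token session key, the start_session routine and the user records are all assumptions introduced for the example.

```python
import hmac
import secrets

# Constructed user store; a real system would read its user table instead.
USERS = {17: {"name": "alice", "login_token": "tok-a1"}}


def original_check(session):
    """The upload.asp test as shown on the page: both values merely non-empty."""
    return (session.get("zhi_rui_v_MemName", "") != ""
            and session.get("zhi_rui_v_userID", "") != "")


def start_session(user_id, users):
    """Assumed login step: mint a fresh random token, store it server-side and in the
    session, so a session assembled from guessed values has nothing to match."""
    token = secrets.token_hex(16)
    users[user_id]["login_token"] = token
    return {"zhi_rui_v_MemName": users[user_id]["name"],
            "zhi_rui_v_userID": str(user_id),
            "login_token": token}


def hardened_check(session, users=USERS):
    """Reject the session unless its contents agree with the server-side record."""
    name = session.get("zhi_rui_v_MemName", "")
    raw_id = session.get("zhi_rui_v_userID", "")
    token = session.get("login_token", "")
    if not name or not raw_id or not token:
        return False
    try:
        user_id = int(raw_id)
    except ValueError:
        return False
    record = users.get(user_id)
    if record is None or record["name"] != name:
        return False
    # Constant-time comparison so the token check itself leaks nothing.
    return hmac.compare_digest(record["login_token"], token)


if __name__ == "__main__":
    spoofed = {"zhi_rui_v_MemName": "x", "zhi_rui_v_userID": "1"}   # constructed
    print(original_check(spoofed), hardened_check(spoofed))         # True False
    users = {5: {"name": "bob", "login_token": ""}}
    print(hardened_check(start_session(5, users), users))           # True
```

This stops sessions built from guessed or stale values, which is the weakness the empty-string test leaves open. It does not help when the real session cookie itself is stolen through the XSS described above; that needs the output encoding from the earlier example and, where the server allows it, an HttpOnly session cookie.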