I was hit hard recently and have been in a daze, so I was invited to a mental hospital to do some part-time research. What am I researching? Hehe, of course I am the one being researched! Being studied every day is no fun, and I have not written a blog post in a long time, so today I have to study something myself.
The research object I picked is the Qingchuang Network Article System (QcNews), an ASP + Access article system. Its latest version, 1.5.2.23.7.0, was released in February last year; it seems the author has not updated it for a long time.
I stumbled on a few holes, and someone has probably found them long ago. Well, brother, that's not right of you: if you find a hole and don't publish it, you are just playing with it by yourself. That's no good. I'll post it for you.
By the time this article appears, a patch has probably already been released. Friends who use this system should go and patch it.
Also: the default installation mode of the official exe installer bundles a browser plug-in, which is not a good idea.
1. Arbitrary member login / data modification vulnerability
The system only checks the user_name value in the cookie; see the code:
If Request.Cookies("qcdn")("user_name") = "" Then   ' only the cookie value is checked; nothing ties it to a server-side session
Haha, but cookies can be forged, so we can log in as any front-end account. Similarly, the front-end user information modification page also decides identity from the username in the cookie, so anyone's information can be modified at will.
2. SQL injection vulnerabilities
The first is in the user comment file. Its Unid parameter is passed straight into the SQL statement without any filtering of dangerous characters, so it can be injected directly with tools. When the injected condition is true the comments are displayed, and when it is false they are not, so you have to find an article that has comments to inject against.
The second is a bit hidden: it is in the "recommend to a friend" function of each article. It cannot be injected directly, but the Unid is placed in a hidden field of the page, and when you fill in the friend's e-mail address that Unid is passed into the SQL statement, again with no filtering of dangerous characters. If the condition is true, a "mail send failed" message pops up (because I did not install JMail); if the condition is false, the page reports an error.
This SQL injection leaks the backend username and its MD5-hashed password. If the password is not very complicated, an intruder can crack it quickly.
3. Ordinary backend accounts can modify the password of any backend account
Let's first look at the key code of admin_EditPass.asp:
If Request("method") = 1 Then
    Unid = Request("Unid")   ' target row id, taken straight from the hidden form field (Request object assumed; lost in extraction)
    If Trim(Request("username")) = "" Then
        Errmsg = "<li>Please enter the username."
        FoundErr = True
    Else
        username = (Trim(Request("username")))
    End If
    If Trim(Request("pass1")) = "" Or Trim(Request("pass2")) = "" Then
        Errmsg = Errmsg + "<li>Please enter your password and confirm your password."
        FoundErr = True
    ElseIf Trim(Request("pass1")) <> Trim(Request("pass2")) Then
        Errmsg = Errmsg + "<li>The entered password does not match the confirmation password."
        FoundErr = True
    Else
        password = (Trim(Request("pass1")))
        password = md5(password, 16)
    End If
    If FoundErr Then
        Call Qcdn.Err_List(Errmsg, 1)
    End If
    ' Unid, username and password are all caller-supplied form values; nothing checks that Unid is the logged-in admin's own id
    sql = "Update article_admin set username = '" & username & "',[password] = '" & password & "' where id = " & Unid
    Conn.Execute(sql)   ' connection object name lost in extraction; Conn assumed
    Response.Write("<script>alert(""Modification was successful"");location.href=""admin_EditPass.asp"";</script>")   ' redirect property assumed
End If
Note that in the SQL statement Update article_admin set username = '"& username &"',[password] = '"& password &"' where id = " & Unid, the username and password both come from the form, and Unid is also submitted from the form and never verified. So as long as we know the id of a backend user, we can change the Unid in the hidden field while changing our own password and modify his password instead.
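A hardened equivalent of the handler above, as an added example (not QcNews code) written in Python with an in-memory SQLite table instead of ASP/Access: the row to update is the logged-in admin's own id taken from the session rather than the hidden Unid field, validation failures stop processing, and values are bound as query parameters. The session id, the table contents and the 16-character md5 (assumed to be the middle 16 hex digits of the digest, as in the common md5.asp include) are assumptions.

```python
import hashlib
import sqlite3


def md5_16(password: str) -> str:
    # 16-character MD5 as md5(password,16) is assumed to produce: the middle
    # 16 hex digits of the 32-digit digest (assumption, from the common md5.asp).
    return hashlib.md5(password.encode("utf-8")).hexdigest()[8:24]


def make_db() -> sqlite3.Connection:
    # Constructed sample article_admin table: id 1 is the administrator, id 2 an entry clerk.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE article_admin (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO article_admin VALUES (?, ?, ?)",
                     [(1, "admin", md5_16("admin-secret")), (2, "clerk", md5_16("clerk-secret"))])
    conn.commit()
    return conn


def change_password(conn: sqlite3.Connection, session_admin_id: int, form: dict) -> list:
    """Hardened admin_EditPass logic. Returns a list of error messages (empty on success).
    session_admin_id stands for the id stored server-side at login (assumed Session value);
    any Unid present in the form is deliberately ignored."""
    errors = []
    username = form.get("username", "").strip()
    pass1 = form.get("pass1", "").strip()
    pass2 = form.get("pass2", "").strip()
    if not username:
        errors.append("Please enter the username.")
    if not pass1 or not pass2:
        errors.append("Please enter your password and confirm your password.")
    elif pass1 != pass2:
        errors.append("The entered password does not match the confirmation password.")
    if errors:
        return errors  # stop here instead of relying on an error helper to end the response
    # Parameter binding: username and password can no longer alter the statement,
    # and the WHERE clause is fixed to the caller's own row.
    conn.execute("UPDATE article_admin SET username = ?, password = ? WHERE id = ?",
                 (username, md5_16(pass1), session_admin_id))
    conn.commit()
    return []


def password_of(conn: sqlite3.Connection, admin_id: int) -> str:
    return conn.execute("SELECT password FROM article_admin WHERE id = ?", (admin_id,)).fetchone()[0]
```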
4. Backend accounts can delete any file on the website
There is an "upload file management" function in the backend that can delete uploaded files. Looking at its URL, the form is: http://localhost/QcNews/admin_picmang.asp?Action=Del&FileName=
FileName is the name of the file to delete, and the file lives in the Upfiles folder. Let's try to construct a FileName that escapes this directory. The author also considered this, so there is a check like this:
If Left(Trim(arrFileName(i)), 3) <> "../" And Left(Trim(arrFileName(i)), 1) <> "/" Then
Although this filters names that start with ../ or /, the check only looks at the prefix, so we can construct a URL like http://localhost/QcNews/admin_picmang.asp?Action=Del&FileName=lake2/../../ to delete any file.
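To make the prefix-only check concrete, here is an added example (not QcNews code, written in Python rather than ASP) that puts that check beside a canonicalisation-based check which resolves the joined path and requires it to stay inside Upfiles; the base path and file names are constructed for illustration.

```python
import posixpath

# Constructed virtual path of the upload folder inside the web root (assumption).
UPLOAD_DIR = "/QcNews/Upfiles"


def weak_check(filename: str) -> bool:
    """The prefix-only test from admin_picmang.asp: rejects a name only when it
    begins with '../' or '/'. A traversal placed after a first path segment
    passes because only the first characters are inspected."""
    name = filename.strip()
    return name[:3] != "../" and name[:1] != "/"


def safe_check(filename: str) -> bool:
    """Resolve the full path the delete would operate on and require that it
    still lies strictly below UPLOAD_DIR after normalisation. Backslashes are
    treated as separators too, since an ASP system runs on Windows/IIS."""
    name = filename.strip().replace("\\", "/")
    if not name or name.endswith("/"):
        return False
    full = posixpath.normpath(posixpath.join(UPLOAD_DIR, name))
    return full.startswith(UPLOAD_DIR + "/")
```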
5. Ordinary backend accounts can directly obtain administrator permissions
The backend of this system has 3 different permission levels: administrator, entry clerk and auditor. The administrator has all permissions, the entry clerk can only post articles, and the auditor reviews posts. However, the author's biggest oversight is that the entry clerk and auditor actually have the same authority as the administrator.
Although ordinary accounts cannot see the links to the other management functions, we can type the address of the file that implements the function directly into the browser and manage the site like an administrator. For example, to back up the database, I log in as an entry clerk and then enter http://localhost/QcNews/admin_backupdata.asp directly in the browser. Haha, how about that? The database can be backed up. The same goes for the other functions.
6. Backend database backup vulnerability
Well, having gone from SQL injection to the backend, we can now use the database backup to get a webshell.
It's still the same old trick: rename asp to gif, then upload and back up. However, when uploading pictures the system first checks whether the file really is in image format, so simply renaming asp to gif won't work. What to do?
You surely still remember the method of appending the asp code to the end of an image file. Haha, just upload such an image and back it up.
Because I am being researched by others, I only barely found these bugs, but they are enough to pose a threat to large sites that use this system. Of course, the purpose of my article is not to teach everyone how to hack websites, but to hope that our network becomes safer...
If you want to discuss anything with me, come to the mental hospital for a chat. Call 120 and ask for Chairman Hu ^_^