风神新闻管理 (Fengshen News Management) v1.7 Static Edition: Design Flaws

Published by: LinkEr
Affected version: V1.7 static edition
Vulnerability type: design flaw
Description: Multiple vulnerabilities exist in 风神新闻管理 static edition 1.7.

#1.1
Back-end authentication file wwwroot/admin/islogin.asp

====================================================================================
<%
if session("admin")="" then
response.Write("<br><br><div align='center'>您还没有登录或操作超时请先<a href=login.asp target=_top>登录</a>.</div>")
response.End()
end if
if instr(request.servervariables("http_referer"),"http://"&request.servervariables("http_host") )<1 then
response.write "<br><br><div align='center'>禁止从外部访问管理后台</div>"
response.End()
end if
%>

====================================================================================
It uses session-based verification, which cannot be spoofed from the client; the vulnerability is not in the verification file itself.


==================================================================================
#1.1 wwwroot/admin/list.asp

<%@LANGUAGE="VBSCRIPT" CODEPAGE="936"%>
<!--#include file="admin_conn.asp"--> // note: islogin.asp is not included

<html>
<head>
<LINK href="admin_Css.css" type=text/css rel=stylesheet>

<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<title>修改信息列表</title>

<style type="text/css">
<!--
.STYLE1 {
font-size: 14px;
color: #0000FF;
font-weight: bold;
}
-->
</style>
</head>


<body>
<div align="center">
<p><br>
<span class="STYLE1">管理首页</span></p>
<table class="table_back" width="567" border="0" cellspacing="1" cellpadding="0">
<tr>
<td colspan="2"><div align="center" class="table_title">服务器有关参数</div></td>
</tr>



<tr>
<td width="115" class="table_td2"><div align="left">  服务器名</div>
<div align="center"></div></td>
<td width="449" class="table_td2"> <%=Request.ServerVariables("SERVER_NAME")%></td>
</tr>
<tr>
<td class="table_td2"> 服务器IP</td>
<td class="table_td2"> <%=Request.ServerVariables("LOCAL_ADDR")%></td>
</tr>
<tr>
<td class="table_td2"> 服务器端口</td>
<td class="table_td2"> <%=Request.ServerVariables("SERVER_PORT")%></td>
</tr>
<tr>
<td class="table_td2"> 服务器时间</td>
<td class="table_td2"> <%=now%></td>
</tr>
<tr>
<td class="table_td2"> IIS版本</td>
<td class="table_td2"> <%=Request.ServerVariables("SERVER_SOFTWARE")%></td>
</tr>
<tr>
<td class="table_td2"> 脚本超时时间</td>
<td class="table_td2"> <%=Server.ScriptTimeout%> 秒</td>
</tr>
<tr>
<td class="table_td2"> 服务器CPU数量</td>
<td class="table_td2"> <%=Request.ServerVariables("NUMBER_OF_PROCESSORS")%>个</td>
</tr>
<tr>
<td class="table_td2"> 服务器解译引擎</td>
<td class="table_td2"> <%=ScriptEngine & "/"& ScriptEngineMajorVersion &"."&ScriptEngineMinorVersion&"."& ScriptEngineBuildVersion %></td>
</tr>
<tr>
<td class="table_td2"> 服务器操作系统</td>
<td class="table_td2"> <%=Request.ServerVariables("OS")%></td>
</tr>
<tr>
<td class="table_td2"> FSO读写</td> // the remaining, irrelevant code is omitted
==================================================================================


#1.2 wwwroot/admin/dir.asp

<!--#include file="dir.inc.asp"--> // for the contents of dir.inc.asp see #1.3
<meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=gb2312"> // note: islogin.asp is not included here either
<html>
<title>信息管理目录</title>
<link rel="stylesheet" href="style.css" type="text/css">
<head>


<SCRIPT language="javascript1.2">
function showsubmenu(sid)
{
whichEl = eval("submenu" + sid);
if (whichEl.style.display == "none")
{
eval("submenu" + sid + ".style.display=\"\";");
}
else
{
eval("submenu" + sid + ".style.display=\"none\";");
}
}
</SCRIPT>
</head>
<BODY bgcolor="#799AE1" leftmargin="0" topmargin="0">
<div align=center>
<table width="158" cellpadding="0" cellspacing="0" border="0" >
<tr>
<td valign="top">
<table cellpadding="0" cellspacing="0" width="158">
<tr>
<td height="42" valign="bottom">
<img src="images/title.gif" width="158" height="38">
</td>
</tr>
</table>
<table cellpadding="0" cellspacing="0" width="158" align="center">
<tr>
<td height="25" class="menu_title" onMouseOver="this.className='menu_title2';" onMouseOut="this.className='menu_title';" background="images/title_bg_quit.gif">
<div align="left">  <a href="list.asp" target="mainFrame"><b>管理首页</b></a>
| <a href="loginout.asp" target="_top"> <b>退出</b></a> </div>
</td>
</tr>
</table>
  
<%
'// admin menu
call showMenu()
%>
</td>
</tr>
</table>
<p> </div>
</BODY>
</html>
==================================================================================

#1.3 wwwroot/admin/dir.inc.asp

<meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=gb2312">
<%
'// predefinitions
dim menu(3,9),j,tmpmenu,menuname,menurl


menu(0,0)="信息管理"
menu(0,1)="<a href=ArticleAddSelClass.asp target=mainFrame>发布信息</a> | <a href=ArticleModSelClass.asp target=mainFrame>修改信息</a>"
menu(0,2)="<a href=SearchArticle.asp target=mainFrame>查找信息</a> | <a href=TjArticle.asp target=mainFrame>推荐信息</a>"

menu(1,0)="FSO生成htm"
menu(1,1)="<a href=QtMake.asp target=mainFrame>生成前台文件 </a> "
menu(1,2)="<a href=HtmlMake.asp target=mainFrame>重新批量生成htm</a> "

menu(2,0)="综合管理"
menu(2,1)="<a href=ClassManage.asp target=mainFrame>类别管理</a>  |  <a href=SuperUser.asp target=mainFrame>用户管理</a>"
menu(2,2)="<a href=SpaceSize.asp target=mainFrame>空间占用</a>  |  <a href=SysSet.asp target=mainFrame>系统设置</a>"
menu(2,3)="<a href=DataManage.asp target=mainFrame>数据库维护</a>|  <a href=moban.asp target=mainFrame>模板管理</a>"

menu(3,0)="版权信息"
menu(3,1)="<font face=Arial, Helvetica, sans-serif><b>当前版本:</font></b>V1.7"
menu(3,2)="<a href=http://www.strongfire.cn target=_blank><font face=Arial, Helvetica, sans-serif><b>烈火工作室</b></font></a>"
menu(3,3)="<font face=Arial, Helvetica, sans-serif>网站定制、静态化处理"
menu(3,4)="<font face=Arial, Helvetica, sans-serif>QQ:839225572(火烈鸟)"
sub showMenu()
dim menuStr
for i=0 to ubound(menu,1)
menuStr = "<br><table cellpadding=0 cellspacing=0 width=158>"&_
"<tr>"&_
"<td height=25 class=menu_title onmouseover='this.className=""menu_title2""' onmouseout='this.className=""menu_title"";' background=images/admin_left_"&(i+1)&".gif id=menuTitle1 onclick=showsubmenu("&i&")>"&_
"<span>"&menu(i,0)&"</span>"&_
"</td>"&_
"</tr>"&_
"<tr>"&_
"<td style='display:' id='submenu"&i&"'>"&_
"<div class=sec_menu style='width:158'>"&_
"<table cellpadding=0 cellspacing=0 align=center width=135 ID=Table1>"

for j=1 to ubound(menu,2)
if isempty(menu(i,j)) then exit for
menuStr = menuStr&"<tr><td height=20>"&menu(i,j)&"</td></tr>"
next

menuStr = menuStr&"</table>"&_
"</div>"&_
"</td>"&_
"</tr>"&_
"</table>"

Response.Write menuStr
next
end sub
%>
==================================================================================
dir.inc.asp, dir.asp and list.asp all lack the authentication include, so any visitor can browse the server information freely and can even add content. Good news for the side-station (旁注) hackers.


==================================================================================
#2. A half-baked anti-injection filter
wwwroot/admin/Check_SqlIn.asp

<%
' Generic SQL anti-injection routine: just include this page before conn.asp or whatever file opens the database
dim sql_injdata
SQL_injdata ="'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
SQL_inj = split(SQL_Injdata,"|")

If Request.QueryString<>"" Then
For Each SQL_Get In Request.QueryString
For SQL_Data=0 To Ubound(SQL_inj)
if instr(Request.QueryString(SQL_Get),Sql_Inj(Sql_DATA))>0 Then
Response.Write "<Script Language=JavaScript>alert('提示:请不要在参数中包含非法字符尝试注入!');history.back(-1)</Script>"
Response.end
end if
next
Next
End If

If Request.Form<>"" Then
For Each Sql_Post In Request.Form
For SQL_Data=0 To Ubound(SQL_inj)
if instr(Request.Form(Sql_Post),Sql_Inj(Sql_DATA))>0 Then
Response.Write "<Script Language=JavaScript>alert('提示:请不要在参数中包含非法字符尝试注入!');history.back(-1)</Script>"
Response.end
end if
next
next
end if

%>

==================================================================================
It still does nothing about cookie injection, and letter case is not normalized, so uppercase keywords bypass the list.
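To make those two gaps concrete, here is an added model of the Check_SqlIn.asp filter beside a version that closes them; this is example code written for this note, not the project's, and the sample requests are constructed.

```python
# Constructed model of the keyword filter in Check_SqlIn.asp, written for this
# note to show the gaps the advisory describes; it is not the project's code.
# A request is modelled as a dict of sources, each mapping name -> value.
KEYWORDS = ("'|and|exec|insert|select|delete|update|count|*|%|chr|mid|"
            "master|truncate|char|declare").split("|")

def matches_keyword(value, case_sensitive):
    """Substring match like VBScript InStr, whose default binary compare is
    case-sensitive; that default is what the original script relies on."""
    haystack = value if case_sensitive else value.lower()
    return any(kw in haystack for kw in KEYWORDS)

def allowed_by_original(request):
    """Mirror of Check_SqlIn.asp: only QueryString and Form are inspected and
    matching is case-sensitive. False where the page would Response.End."""
    for source in ("querystring", "form"):
        for value in request.get(source, {}).values():
            if matches_keyword(value, case_sensitive=True):
                return False
    return True

def allowed_by_hardened(request):
    """Closes the two gaps the advisory names: cookies are inspected too and
    comparison is case-insensitive. It remains a blocklist that rejects
    ordinary words (see LEGIT_WORD); parameterized queries are the real fix."""
    for source in ("querystring", "form", "cookies"):
        for value in request.get(source, {}).values():
            if matches_keyword(value, case_sensitive=False):
                return False
    return True

# Constructed sample requests.
BENIGN = {"querystring": {"id": "12"}, "cookies": {"lang": "gb2312"}}
UPPERCASE_PROBE = {"querystring": {"id": "12 AND 1=1"}}  # upper case, missed by InStr
COOKIE_PROBE = {"cookies": {"id": "12 and 1=1"}}         # a source the original never reads
LEGIT_WORD = {"form": {"title": "account midnight"}}     # 'count' and 'mid' inside words

if __name__ == "__main__":
    for name, req in [("benign", BENIGN), ("uppercase", UPPERCASE_PROBE),
                      ("cookie", COOKIE_PROBE), ("legit word", LEGIT_WORD)]:
        print(f"{name:10} original={allowed_by_original(req)} hardened={allowed_by_hardened(req)}")
```

The LEGIT_WORD case is why the author calls the filter half-baked: it rejects harmless titles while letting the other two requests through.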

==================================================================================
#3. Database exposure (暴库)
wwwroot/admin/Admin_Conn.asp

<%
StrSQL="DBQ="+server.mappath("../data/article.mdb")+";DRIVER={Microsoft Access Driver (*.mdb)};"
set conn=server.createobject("ADODB.CONNECTION")
conn.open StrSQL
%>

==================================================================================
#3.1
wwwroot/conn.asp
<%
StrSQL="DBQ="+server.mappath("data/article.mdb")+";DRIVER={Microsoft Access Driver (*.mdb)};"
set conn=server.createobject("ADODB.CONNECTION")
conn.open StrSQL
%>
==================================================================================
No error handling at all, so an ADO error page reveals the database path.

==================================================================================
#4. eWebEditor
wwwroot/eWebEditor/eWebEditor.htm
No explanation needed; you know the drill.