'''
__ __ ____ _ _ ____
| \/ |/ __ \ /\ | | | | _ \
| \ / | | | | / \ | | | | |_) |
| |\/| | | | |/ /\ \| | | | _ < Day 8 (0 day)
| | | | |__| / ____ \ |__| | |_) |
|_| |_|\____/_/ \_\____/|____/
'''
- Title : Sirang Web-Based D-Control Multiple Remote Vulnerabilities
- Affected Version : <= v6.0
- Vendor Site :
860K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4A6M7X3q4F1k6#2)9J5k6h3y4G2L8g2)9J5y4X3&6T1M7%4m8Q4x3@1t1`.
- Discovery : Abysssec.com
Description :
this CMS suffer from OWASP top 10 !!!
some of there will come here ...
Vulnerabilites :
======================================================================================================================
1- SQL Injection
Vulnerability is located in content.asp
line 131-133
...
txt="select * from news where del='false' and "+keyfld+"!='-' order by id desc limit 1"
set rs=conn.execute(txt)
while not rs.eof
...
content.asp line 202-206
...
if id<>"" then
txt10 ="select * from "+ cstr(tblname) +" where del='false' and id='"+ id +"'"
set xx = conn.execute(txt10)
if not xx.eof then
...
lots of files those will have to do input validation from user input are vulnerable to SQL Injection .
PoC :
067K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4A6N6r3g2Q4x3X3g2U0L8$3#2Q4x3V1k6E0j5h3W2F1i4K6g2X3k6X3q4Q4x3X3g2S2M7%4m8Q4x3@1k6K6N6r3q4@1N6i4y4Q4x3@1c8F1k6i4N6K6i4K6t1$3L8X3g2%4M7@1W2p5i4K6y4p5x3U0y4Q4x3U0N6Q4x3V1k6Q4x3V1q4Q4x3V1q4Q4x3V1k6#2L8X3W2G2L8W2)9J5c8W2)9J5b7g2)9J5b7g2)9J5c8X3q4D9L8q4)9J5c8W2)9J5b7g2)9J5b7g2)9J5c8Y4y4W2L8r3g2U0N6q4)9J5c8W2)9J5b7g2)9J5b7g2)9J5c8U0q4Q4x3V1x3J5i4K6u0o6x3#2)9J5b7K6c8Q4x3V1x3#2i4K6u0o6y4W2)9J5b7K6N6Q4x3V1x3^5i4K6u0o6z5g2)9J5b7K6p5H3i4K6u0o6x3e0q4Q4x3V1x3I4x3W2)9J5b7K6p5K6i4K6u0o6x3e0c8Q4x3V1x3I4y4g2)9J5b7K6p5$3i4K6u0r3i4K6u0m8i4K6u0m8i4K6u0r3k6Y4u0G2L8g2)9J5c8W2)9J5b7g2)9J5b7g2)9J5c8X3c8U0i4K6g2X3j5h3c8E0K9h3&6Q4x3V1k6Q4x3V1q4Q4x3U0k6F1j5Y4y4H3i4K6y4n7i4K6t1$3L8X3u0K6M7q4)9K6b7R3`.`.
note : if you can't see result you need to do it blindly
======================================================================================================================
2- Bypass uploads restriction:
after you got user/pass with sql injection go to
079K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4y4A6N6r3g2Q4x3X3g2U0L8$3#2Q4x3V1k6S2k6r3#2A6L8W2)9J5c8X3c8U0i4K6g2X3N6i4m8D9L8$3q4V1i4K6u0W2j5i4y4H3i4K6t1$3L8X3u0K6M7q4)9K6b7W2)9J5y4X3&6T1M7%4m8Q4x3@1t1`.
js file line 13-34 :
function showthumb(file) {
if (file !='') {
myshowfile = file;
extArray = new Array(".gif", ".jpg", ".png", ".bmp", ".jpe");
allowSubmit = false;
while (file.indexOf("\\") != -1)
file = file.slice(file.indexOf("\\") + 1);
ext = file.slice(file.indexOf(".")).toLowerCase();
for (var i = 0; i < extArray.length; i++) {
if (extArray[i] == ext) { allowSubmit = true; break; }
}
if (allowSubmit) thumb.src=myshowfile;
else
alert("Only files that end in types: " + (extArray.join(" ")) + " could be previewd.");
}
else {
alert("Only files that end in types: " + (extArray.join(" ")) + " could be previewd.");
}
}
as you can see the uploader will check malicious extention by javascript . just disable javascript and you can upload "ASP" shell.
you can find your shell in :
b12K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4A6N6r3g2Q4x3X3g2U0L8$3#2Q4x3V1j5H3i4K6g2X3M7$3W2@1k6g2)9#2k6X3y4G2L8g2)9J5c8W2)9#2b7Y4u0F1k6q4)9J5k6r3&6#2L8h3u0W2M7W2)9#2c8q4)9J5k6h3q4K6M7l9`.`. (the application itself will show you right rnd number after upload)
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
