Discuz! NT 2.5 Injection Vulnerability: Latest Test and Analysis (with figures)
Added: 09/16/2008   Published: 09/16/2008   Hits: 122
Discuz! NT is a feature-rich forum (BBS) system built on the ASP.NET platform. It holds a large market share and is used in particular by a number of large and medium-sized specialized communities. Recently, an ISTO member discovered a security vulnerability in its latest version, 2.5. Successful exploitation makes it possible to change the administrator's password, log directly into the admin backend and obtain administrator privileges, and thereby take control of the entire website. Below, the author sets up an environment to analyze this vulnerability so that everyone is aware of it in time.
Environment description
Operating system: Windows 2003
Discuz! NT version: 2.5
URL: http://www.gslw.com
Database: SQL Server 2005
1. Cause of the vulnerability
The vulnerability is caused by the showuser.aspx page, whose function is to display the forum's member list. The ordertype parameter, which the script uses to sort users, is not filtered before being passed into the database query, so an attacker can carry out write operations against the database by carefully constructing the ordertype parameter. (Figure 1)

2. Testing the vulnerability
To judge whether a Discuz! NT installation has this vulnerability, a test can be made by constructing the ordertype parameter. The URL below attempts to delete a database named glsw. Because no glsw database exists, an error is returned: "Cannot drop the database 'glsw', because it does not exist or you do not have permission." This shows that the database operation was actually executed, so the error message can be used to judge whether the vulnerability exists. The constructed URL is
http://www.gslw.com/showuser.aspx?ordertype=desc;drop database glsw; --
The error page displayed, like the one in Figure 1, confirms that the vulnerability exists. (Figure 2)

3. User privilege escalation
Open the forum and register a user named hacker, as shown in Figure 3. Then, through the showuser.aspx ordertype parameter, a URL can be constructed that promotes hacker to administrator. The constructed URL is "http://www.gslw.com/showuser.aspx?ordertype=desc;update dnt_users set adminid='1', groupid='1' where username='hacker'; --". Its function is to set the adminid and groupid of the registered user hacker to 1, that is, to promote hacker to administrator. After entering this URL in the browser address bar and pressing Enter, hacker can be seen to have been promoted to administrator, as shown in Figure 4. (Figure 3) (Figure 4)


Once promoted to administrator, hacker can log into the system backend and perform all kinds of operations. The Discuz! NT backend is indeed quite powerful. (Figure 5)

4. Changing the upload formats
Besides promoting a user to administrator, this vulnerability can also be used to change the default attachment upload formats. By default, Discuz! NT only allows attachments in the jpg, gif, png, zip, rar and jpeg formats. With this vulnerability, one of these formats can be replaced with an executable script format such as asp or aspx, thereby obtaining a webshell. A URL can be constructed to change the upload file format; for example, to change the jpg format to aspx, a URL such as "http://www.gslw.com/showuser.aspx?ordertype=desc;update dnt_attachtypes set extension='asp' where extension='jpg'; --" can be constructed. The final effect is shown in Figure 6. (Figure 6)
