How I Discovered and Exploited a 0‑Day in an EIS Office Platform
The article walks through setting up a Windows 2012 IIS environment, reverse‑engineering the product’s 3DES license check, analyzing web.config permissions, and uncovering multiple vulnerabilities—including SSRF, several SQL injections, and arbitrary file‑upload flaws—culminating in a full bypass of the EIS system’s authentication.
Environment Setup
A Windows 2012 VM is created, an IIS site is configured, the application pool is switched to Classic mode, and a matching database is added. The web.config connection string is set to Data Source=.\SQLEXPRESS;User ID=sa;Password=password01!;Initial Catalog=EIS, then the provided SQL scripts are imported.
License Bypass via Reverse Engineering
The product requires a license file; accessing login.aspx shows an “invalid or expired” message. By inspecting EkpBaseGlobal.Application_Start() → EkpGlobal.CheckLicense(), the author enumerates the license validation flow:
Read Bin/Landray.lic (contains 10 fields, key field array[3] = "DeptName|FullName").
Gather CPU ID and MAC address, decrypt the file with a key derived from CPU + "xxxxxxx20800" and IV = MAC.
Read database table Mekp_EISProductInfo for LicenseKey and decrypt it with the same key/IV.
Compare the FullName from file and database; for trial versions also check DateTime.Now < expiration.
If validation passes, store the license info in the Application object.
For a quicker bypass, the author comments out core checks in yard.Framework.dll (methods like EkpGlobal.CheckLicense(), EkpPage.OnInit(), etc.) using dnSpy and recompiles the project in Visual Studio.
web.config Permission Analysis
Several <location> entries allow anonymous access, e.g., /XX/*.asmx, /aaa/*.aspx, /Services/MobileDown.aspx, exposing web services and download endpoints.
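The quickest way to audit a web.config for this class of misconfiguration is to walk its <location> blocks and apply the same first-match rule ASP.NET uses. The following is an added example written for this page in Python, not code from the write-up or from the product; the sample config is constructed here (the page only names the exposed locations, so the rule bodies, the site-wide deny and the Admin entry are assumptions):

```python
import xml.etree.ElementTree as ET

# Constructed web.config fragment for this example. It mirrors the kind of
# <location> overrides the write-up reports (XX, aaa, Services/MobileDown.aspx),
# but the rule bodies, the site-wide <deny users="?"/> and the Admin entry are
# assumptions; the page only states that those locations allow anonymous access.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="login.aspx" />
    </authentication>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
  <location path="XX">
    <system.web><authorization><allow users="?" /></authorization></system.web>
  </location>
  <location path="aaa">
    <system.web><authorization><allow users="*" /></authorization></system.web>
  </location>
  <location path="Services/MobileDown.aspx">
    <system.web><authorization><allow users="?" /></authorization></system.web>
  </location>
  <location path="Admin">
    <system.web><authorization><allow roles="Admin" /><deny users="*" /></authorization></system.web>
  </location>
</configuration>
"""

ANON_MATCHERS = {"?", "*"}  # "?" = anonymous callers, "*" = everyone


def _rule_matches_anonymous(rule: ET.Element) -> bool:
    """An <allow>/<deny> rule applies to an anonymous caller only through its
    users attribute: roles never match an unauthenticated request."""
    users = {u.strip() for u in rule.get("users", "").split(",")}
    return bool(users & ANON_MATCHERS)


def anonymous_locations(config_xml: str) -> list:
    """Return the path of every <location> whose first matching <authorization>
    rule lets an anonymous caller through. ASP.NET walks the rules in document
    order and stops at the first one that matches, so <allow users="?"> or
    <allow users="*"> before any deny overrides the site-wide <deny users="?">."""
    root = ET.fromstring(config_xml)
    exposed = []
    for loc in root.iter("location"):
        auth = None
        for child in loc:
            if child.tag == "system.web":
                auth = child.find("authorization")
        if auth is None:
            continue
        for rule in auth:
            if not _rule_matches_anonymous(rule):
                continue
            if rule.tag == "allow":
                exposed.append(loc.get("path", ""))
            break  # first matching rule decides, allow or deny
    return exposed


if __name__ == "__main__":
    for path in anonymous_locations(SAMPLE_WEB_CONFIG):
        print("anonymous access:", path)
```

Every path the function reports is an unauthenticated entry point and deserves a review of what the handler behind it does, which is exactly how the download and web-service endpoints below were singled out.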
Frontend Vulnerabilities
SSRF : The PostResponse method in Service.cs concatenates the unvalidated base.Request["link"] parameter into a URL without a whitelist, enabling arbitrary requests.
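To make the missing whitelist concrete, here is an added Python example written for this page (not the product's code, which is C#): the vulnerable concatenation beside a host-allowlist check. The "http://" prefix, the allowlist contents and the function names are assumptions, since the page does not show PostResponse's exact URL construction.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

# Assumed allowlist of hosts the service is meant to talk to; the product's
# real targets are not named on the page.
ALLOWED_HOSTS = {"portal.example.local", "files.example.local"}


def build_url_vulnerable(link: str) -> str:
    """The shape the write-up describes for PostResponse: the raw link parameter
    is glued onto the target URL with no check, so link=127.0.0.1/admin/ or an
    internal hostname is fetched as-is. The exact prefix the product uses is not
    shown on the page; "http://" is assumed."""
    return "http://" + link


def validate_link(link: str) -> str:
    """Hardened form: accept only absolute http(s) URLs whose host is on the
    allowlist and is not a literal IP address; raise ValueError otherwise.
    urlsplit().hostname is used so that userinfo tricks such as
    http://portal.example.local@169.254.169.254/ are judged by the real host.
    A production check would additionally resolve the name and reject private
    and link-local ranges; that step is omitted so the example runs offline."""
    parts = urlsplit(link)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("no host in link")
    try:
        ip_address(host)
    except ValueError:
        pass  # not a literal address, carry on to the allowlist check
    else:
        raise ValueError(f"literal IP addresses are not allowed: {host!r}")
    if host.lower() not in ALLOWED_HOSTS:
        raise ValueError(f"host not on allowlist: {host!r}")
    return link


def is_link_allowed(link: str) -> bool:
    """Boolean wrapper for callers that only need a yes/no."""
    try:
        validate_link(link)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print("vulnerable fetches:", build_url_vulnerable("127.0.0.1/admin/"))
    for candidate in ("https://files.example.local/report.pdf",
                      "http://portal.example.local@169.254.169.254/latest/"):
        print(candidate, "->", "allowed" if is_link_allowed(candidate) else "blocked")
```

The allowlist is checked on the parsed hostname rather than on a substring of the raw string, because a substring check ("does the link contain portal.example.local?") is defeated by the userinfo form shown in the block.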
down.aspx SQL Injection : Parameters are directly concatenated into SQL queries, allowing injection.
Notify.asmx SQL Injection : The LoginName field from the JSON body is embedded in the query SELECT id FROM FI_ORG_EMP where account=N'{person.LoginName}' without sanitisation.
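The down.aspx and Notify.asmx findings are the same defect, so one added example covers both: the quoted query built by string interpolation beside its parameterised form, run against an in-memory SQLite stand-in for FI_ORG_EMP. This is example code written for this page in Python, not the product's C#; the table rows, the name column and the payload strings are constructed here, and SQLite has no T-SQL N'...' prefix, so it is dropped without changing how the injection behaves.

```python
import sqlite3

# Constructed stand-in for the FI_ORG_EMP table the write-up names. Only the
# id and account columns come from the quoted query; the name column and the
# rows are invented for the example.
def seed_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE FI_ORG_EMP (id INTEGER PRIMARY KEY, account TEXT NOT NULL, name TEXT)"
    )
    db.executemany(
        "INSERT INTO FI_ORG_EMP (account, name) VALUES (?, ?)",
        [("alice", "Alice"), ("bob", "Bob"), ("admin", "Administrator")],
    )
    db.commit()
    return db


def lookup_ids_vulnerable(db: sqlite3.Connection, login_name: str) -> list:
    """Builds the statement the way the page quotes for Notify.asmx: the
    LoginName value from the JSON body is interpolated into the SQL text.
    (The product uses T-SQL's N'...' prefix; sqlite3 has no N prefix, so it is
    dropped here.) down.aspx has the same defect with its request parameters."""
    sql = f"SELECT id FROM FI_ORG_EMP where account='{login_name}'"
    return [row[0] for row in db.execute(sql)]


def lookup_ids_safe(db: sqlite3.Connection, login_name: str) -> list:
    """Parameterised form: the value travels as a bound parameter, never as
    SQL text, so quotes and comment markers in it are just characters."""
    sql = "SELECT id FROM FI_ORG_EMP where account=?"
    return [row[0] for row in db.execute(sql, (login_name,))]


# Payloads in the shape an attacker would send as LoginName (constructed).
BYPASS_PAYLOAD = "x' OR 1=1--"          # turns the lookup into "every account"
EXFIL_PAYLOAD = "x' UNION SELECT name FROM FI_ORG_EMP--"  # reads another column

if __name__ == "__main__":
    db = seed_db()
    print("vulnerable, normal :", lookup_ids_vulnerable(db, "alice"))
    print("vulnerable, bypass :", lookup_ids_vulnerable(db, BYPASS_PAYLOAD))
    print("vulnerable, exfil  :", lookup_ids_vulnerable(db, EXFIL_PAYLOAD))
    print("safe, bypass       :", lookup_ids_safe(db, BYPASS_PAYLOAD))
```

The UNION payload matters more than the OR 1=1 one for a handler like Notify.asmx: the query only needs to return rows for the lookup to "succeed", and the same technique reads any column the database user can see.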
Arbitrary User Creation : The UserInfo.cs WebMethod lacks permission checks, permitting unauthenticated insertion of new users into the FI_ORG_EMP table.
Backend File‑Upload Flaws
UploadLogImg.aspx : Methods saveBg() and saveLogo() write files to /App_Themes/Login using a path derived from Server.MapPath. The upload name is user‑controlled, but the target directory disallows execution, preventing a web shell.
bulkinsert_data.aspx : Calls SaveAs(filename) on the uploaded file; the request must carry a valid __VIEWSTATE and __VIEWSTATEGENERATOR, but the file name itself is not checked. Directory traversal is possible with forward slashes (e.g., ../third/shell.aspx resolves to third/shell.aspx), so a file can be written into the third folder, which web.config makes anonymously accessible; the dropped .aspx is then reachable without a login.
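An added example, written for this page in Python rather than the product's C#, models the SaveAs(filename) resolution that lets ../third/shell.aspx escape the upload directory, and puts a hardened version beside it. The site's physical path, the upload and third folder layout and the extension allowlist are assumptions; the page gives only the relative traversal.

```python
import posixpath

# Assumed deployment layout for the example (the page does not give the site's
# physical path): the handler saves uploads under <site>/upload and the "third"
# folder that web.config exposes anonymously is a sibling directory.
SITE_ROOT = "/inetpub/wwwroot/EIS"
UPLOAD_DIR = SITE_ROOT + "/upload"
# Assumed allowlist for a bulk-insert data handler.
ALLOWED_EXT = {".csv", ".xls", ".xlsx"}


def save_path_vulnerable(filename: str) -> str:
    """Models the SaveAs(filename) call the write-up describes: the upload name
    is joined onto the upload directory and the ".." segments collapse.
    Forward slashes are modelled with posixpath because that is the separator
    the published traversal uses; .NET path handling on Windows treats "/" as
    a separator as well, so the result matches what happens on the server."""
    return posixpath.normpath(UPLOAD_DIR + "/" + filename)


def save_path_safe(filename: str) -> str:
    """Hardened form. Rejects any name that is not a bare file name, allowlists
    the extension (denying just ".aspx" is not enough: .asmx, .ashx and
    web.config are executable or configuration files too), then re-checks that
    the normalised target still lies under UPLOAD_DIR."""
    candidate = filename.replace("\\", "/")
    base = posixpath.basename(candidate)
    if base in ("", ".", "..") or base != candidate:
        raise ValueError(f"rejected upload name: {filename!r}")
    if posixpath.splitext(base)[1].lower() not in ALLOWED_EXT:
        raise ValueError(f"extension not allowed: {base!r}")
    target = posixpath.normpath(posixpath.join(UPLOAD_DIR, base))
    if posixpath.commonpath([UPLOAD_DIR, target]) != UPLOAD_DIR:
        raise ValueError(f"target escapes upload directory: {target!r}")
    return target


if __name__ == "__main__":
    print("vulnerable writes to:", save_path_vulnerable("../third/shell.aspx"))
    for name in ("data.csv", "../third/shell.aspx", "shell.aspx"):
        try:
            print("accepted:", save_path_safe(name))
        except ValueError as err:
            print("rejected:", err)
```

The final commonpath check is deliberately redundant with the basename check: if a later change relaxes the name filter, the containment test still blocks a write outside the upload directory.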
Conclusion
By combining license‑check bypass, misconfigured web.config permissions, and multiple injection and upload vulnerabilities, the author achieves full authentication bypass and arbitrary code execution on the EIS platform. The write‑up provides step‑by‑step reproduction details, code snippets, and screenshots to illustrate each finding.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.