A Glimpse of Penetration Techniques - a classic series recommended by Brother Chen Shisan - vulnerability warnings - Black Bar Security Net

ID MYHACK58:6220053732
Type myhack58
Reporter Anonymous
Modified 2005-10-15T00:00:00


This article was previously published in Chip.

Penetration means that the intruder completes the intrusion directly through the target's own original functions, and it can employ a variety of methods. Whether you are an individual user, a database administrator or a website administrator, if you want to build a secure website, forum or database server, and write secure SQL statements and scripts, it is very necessary to understand the potential harm of penetration techniques.

Many users have the feeling that computer information security, or the things hackers care about, are rather advanced matters. Actually it is not so. Take penetration techniques: perhaps the professional term alone already makes you a little dizzy, but you should know that in everyday computer use you often brush right past penetration techniques.

Let us take a small example as a simple illustration. If I told you that “' or 1=1'” is the user name or password a user registered on a forum, what would come to mind? If you have even a little common sense about SQL, you will understand what this user name means: you will see the huge difference between “Select u_name from userlst where u_name=xxx” and “Select u_name from userlst where u_name=xxx or 1=1”. On a site whose safety factor is not high, hackers can easily use a similarly simple SQL statement to gain unauthorized access to the site or attack it, and this is only the tip of the iceberg of penetration techniques.
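To make the difference between the two queries concrete, here is an added example (not code from the original article) that runs the page's lookup against a small SQLite table. The table name userlst and column u_name come from the page; the rows, the pwd column and the payload's trailing “or ''='” (added only so the closing quote of the SQL text balances) are constructed for illustration. The concatenated version lets the input rewrite the WHERE clause; the parameterized version treats it as a plain string.

```python
import sqlite3

# Constructed in-memory table named after the page's query (userlst / u_name);
# the rows and the pwd column are assumed for illustration.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE userlst (u_name TEXT, pwd TEXT)")
    conn.executemany("INSERT INTO userlst VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn

# Constructed payload in the spirit of the page's "' or 1=1'"; the trailing
# "or ''='" only makes the closing quote of the original SQL text balance.
PAYLOAD = "' or 1=1 or ''='"

def render_concat(u_name):
    """The SQL text the vulnerable version actually sends to the database."""
    return f"SELECT u_name FROM userlst WHERE u_name='{u_name}'"

def lookup_concat(conn, u_name):
    """Vulnerable: input is pasted into the SQL text and can change the WHERE clause."""
    return [row[0] for row in conn.execute(render_concat(u_name))]

def lookup_param(conn, u_name):
    """Hardened: the value is bound as a parameter and can never become SQL syntax."""
    return [row[0] for row in conn.execute(
        "SELECT u_name FROM userlst WHERE u_name=?", (u_name,))]

def login_concat(conn, u_name, pwd):
    """Vulnerable login check built by string concatenation."""
    sql = (f"SELECT COUNT(*) FROM userlst "
           f"WHERE u_name='{u_name}' AND pwd='{pwd}'")
    return conn.execute(sql).fetchone()[0] > 0

def login_param(conn, u_name, pwd):
    """Hardened login check with bound parameters."""
    sql = "SELECT COUNT(*) FROM userlst WHERE u_name=? AND pwd=?"
    return conn.execute(sql, (u_name, pwd)).fetchone()[0] > 0

if __name__ == "__main__":
    db = make_db()
    print(render_concat(PAYLOAD))
    print("concat lookup :", lookup_concat(db, PAYLOAD))   # every user
    print("param lookup  :", lookup_param(db, PAYLOAD))    # nobody
    print("concat login  :", login_concat(db, PAYLOAD, "wrong"))
    print("param login   :", login_param(db, PAYLOAD, "wrong"))
```

The point of the login pair is that the fix is not a cleverer filter but a different channel: with a bound parameter the database never parses the user's text as SQL, so the same payload that logs in against the concatenated query is just an unknown user name against the parameterized one.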


“Stop! What are you doing?” the guard called to the young man who had been wandering in front of the headquarters for a long time. “Sightseeing.” The young man looked at the guard, his eyes surprisingly calm; consciously or not, he seemed to be watching the headquarters not far away, which looked so mysterious shrouded in the afterglow of the sunset. Then, under the guard's watchful eyes, the young man walked off.

Penetration (to penetrate) is not a particular kind of intrusion method, nor a particular tool. Penetration means that the intruder completes the intrusion directly through the target's own original functions, and it can employ a variety of methods. These original functions seem so loyal, but once the intruder has mastered them they become the intruder's powerful tools.

Before any of the work begins, the attacker needs to probe. Information about the target's functions and vulnerabilities plays an important role in the later work, and this process is called “scanning”. Generally, intruders use a scanner that can report most already-known vulnerabilities and the services the other side provides. When enough data has been collected, the intruder decides whether to intrude or to give up.

Sneak attack

As mentioned above, penetration takes many forms; the popular expressions of penetration techniques include special-permission directories, forum infiltration, SQL injection and several others.

Breaking through special-permission directories

Deep in the night, the guards were drowsy. Suddenly a dark shadow climbed quickly over the wall into the headquarters: it was the young man who had lingered in front of the headquarters during the day. He wore specially made gloves; some of the glass set into the top of the perimeter wall had been taken down and lay scattered on the ground, glinting in the moonlight. The young man paid it no attention and, in one turn, hid in the shadows. He was an agent, and his mission was to steal the enemy's latest strategy documents. To this end he had observed this headquarters for several days, and today he had finally found an entrance where the guard was lax.

Generally, a server sets up some directories with special functions. These directories are used to augment the functionality the server provides; they can execute script programs, such as a forum.

Precisely because of this, the programs in these directories often go wrong. A program on the server achieves functional expansion and human-computer interaction by processing data requests with different content, but even the program's author cannot take into account every kind of data the other party may send, and the program merely accepts instructions rigidly and works; thus danger can arise at any time. If an intruder sends data in a special format to the server, and the server's data-processing program has no way of handling such data, the direct result is that the program goes out of bounds or executes the intruder's illegal request, such as entering directories without permission, viewing unauthorized files, and so on. Because the program simply does not think, it will obediently fulfil the intruder's wish.

Remember the most classic directory penetration? The “IIS secondary encoding vulnerability” exists precisely because the author did not take into account the role of certain special characters, letting an intruder use a browser, or a tool developed by someone else, to get into the server easily (Figure 1).

Figure 1: An IIS “secondary encoding vulnerability” leads to directory penetration.
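The “secondary encoding” flaw the page refers to is an ordering problem: the path is percent-decoded once, checked against the web root, and then decoded a second time before it is used, so a doubly encoded “..\” survives the check. The following added example (my own illustration, not code from the page or from IIS) contrasts that flawed order with a check that decodes to a fixed point before resolving the path. The web root /inetpub/wwwroot, the file name secret.txt and the probe string are constructed for the example.

```python
from urllib.parse import unquote
import posixpath

# Assumed web root for illustration; not a path taken from the page.
WEB_ROOT = "/inetpub/wwwroot"

def decode_fully(s, max_rounds=5):
    """Percent-decode until the string stops changing, so nested encodings
    such as %255c (-> %5c -> backslash) cannot survive past the check."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            return s
        s = decoded
    raise ValueError("too many encoding layers; refuse the request")

def resolve(web_root, decoded_path):
    """Map the decoded request path onto the filesystem. IIS accepted '\\' as a
    separator, so both separators are normalised before '..' is collapsed."""
    rel = decoded_path.replace("\\", "/").lstrip("/")
    return posixpath.normpath(posixpath.join(web_root, rel))

def inside_root(web_root, full_path):
    root = web_root.rstrip("/")
    return full_path == root or full_path.startswith(root + "/")

def serve_single_decode(web_root, request_path):
    """Mirrors the flawed order: decode once, check, then decode again before
    use. Returns the path that would be opened, or None if rejected."""
    once = unquote(request_path)
    if not inside_root(web_root, resolve(web_root, once)):
        return None
    used = unquote(once)           # the second decode happens after the check
    return resolve(web_root, used)

def serve_canonical(web_root, request_path):
    """Hardened: decode to a fixed point first, resolve, then check the final path."""
    try:
        used = decode_fully(request_path)
    except ValueError:
        return None
    full = resolve(web_root, used)
    return full if inside_root(web_root, full) else None

# Constructed request: ".." and "\" are hidden behind two layers of encoding
# and point at a made-up file one level above the web root.
PROBE = "scripts/..%255c..%255csecret.txt"

if __name__ == "__main__":
    print("single decode :", serve_single_decode(WEB_ROOT, PROBE))  # escapes root
    print("canonical     :", serve_canonical(WEB_ROOT, PROBE))      # None
    print("normal request:", serve_canonical(WEB_ROOT, "docs/index.htm"))
```

After one decode the probe still looks like a single odd file name inside scripts/, so the check passes; only the second decode turns it into “..\..\secret.txt”. Checking the fully decoded, normalised path, and refusing requests that need more decoding rounds than expected, closes that gap regardless of which characters the author forgot about.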

Of course, a free lunch is not always delicious. Although the server sets up special-permission directories, it does not give them many permissions. An intruder who penetrates by this method is at best a “guest”, and how much can a guest do? One can imagine that intruders were not willing to stop there.

Vulnerable forums

The headquarters door opened; perhaps because the weather was sultry, a bespectacled officer came out for some air. He saw the pile of shiny things by the wall and hurried over, but before he had time to look closely he fell onto that pile of glass, and the young man's figure appeared behind him. The agent changed into the officer's uniform, together with the cap and glasses, took his keychain, and walked into the headquarters with measured steps.

A forum is an interactive function the server opens on the basis of the special-permission directories, and of course it is also the intruders' favourite piece of “fat meat”. Because a forum is made up of many files combined, as long as one file is badly written the forum is likely to become the intruder's key. Some famous domestic forums such as DVBBS and LB5000 were the intruders' favourites, because these forums are so powerful that through them one can directly obtain control of the entire machine. An intruder who managed to write a single line “@ARGV” into one LB5000 file could get directly inside the system. So it can be said that the forum is the intruder's biggest “stage”.

The reason is that the forum's program code is not written tightly. Since the forum's program code is completely transparent, anyone with a little patience who analyzes the entire code can tell which step will go wrong; do not think that the commands in those tutorials are the author banging randomly on the keyboard. Once a forum is infiltrated, the lightest consequence is the intruder taking the administrator's seat; the serious one is the intruder controlling the machine (Figure 2).

Figure 2: Hackers use penetration techniques to elevate LB5000 user permissions.

Breaking the password defence

The agent pulled the brim of his cap down low, and no one in the headquarters recognized him. He walked to the deserted intelligence room deep inside and found that entry required a four-digit password; beside the keypad was a data socket in the style of a printer port. The agent took a small machine from his breast pocket, connected it to the data socket, and then began nervously waiting.

Sometimes a forum program, or another program that requires a password to enter, has been modified to be very secure, and attacking the problem code directly is clearly impossible. Does the intrusion simply stop? No, intruders of course do not give up so easily.

The most common server combination today is Microsoft IIS (Internet Information Server) with ASP (Active Server Pages), and the main operation of both is reading and writing a database. Using a database under IIS to store information has become standard, and it is this standard that pushes server security to a dangerous edge.

SQL injection (SQL Injection) is a penetration method that has been rather hot recently. So what is SQL injection? Friends who have written database programs all know that database operations require a user name and password, otherwise the database cannot be opened. These passwords are transmitted in a fixed format, namely SQL (Structured Query Language). It is at this link that the error shows: we can read the website's information directly because the author has stored the password in a file that the system submits by itself. Therefore, the intruder can append a SQL conditional statement to the address of a file that calls the database in order to track down the password length and even guess the specific password, for example “data.asp?id=1 and 1=(select id from admin where left(password,5)='lk007')”. If the password happens to be “lk007”, the article displays normally, because the queries on both sides of the “and” are both true. Step by step, the intruder obtains the complete password. Abroad this technique is called “the SQL fill-in-the-blank game of hacking”; funny, right? Network administrators, though, cannot laugh.

Breaking into the core

A few minutes passed; the agent entered the correct password and the door opened. To his surprise there was an operator inside! The distance was too close, and the operator recognized that he was not one of them. “Spy...” Before the operator could finish the word he was flung upward, his head struck the ceiling, and he stopped breathing instantly. It turned out that the agent had pressed the emergency button beside the door, which was designed to kill illegal intruders directly inside the room. But it does not recognize people: as long as you enter the correct password, it works for you.

The agent took the documents he needed, pulled his cap brim down and walked out of the intelligence room; the door closed quietly behind him as if nothing had happened. Under cover of night, the agent slipped out of the headquarters.

SQL is too powerful, but here this does not mean the SQL language; it means the SQL Server program, which, while providing users with powerful functionality, also hands the intruder a “hammer”. SQL Server has many system stored procedures; some are for the database's internal use, and some call system commands when the stored procedure is executed. The one that directly harms a server is the system stored procedure “xp_cmdshell”, which executes a given command string in the operating system's command-line interpreter. It has a fatal weakness: it does not recognize people. As long as the intruder has obtained an account, he too can execute many commands and directly harm the server. Maybe you will say this does not matter, since an account is not so easy to get. But, to SQL Server's discredit, it has various vulnerabilities that allow an intruder to obtain an account, and then... (Figure 3)

Figure 3: An xp_cmdshell intrusion program for SQL Server.

In fact, the intruder can enter the SQL command directly in the browser, for example “exec master.dbo.xp_cmdshell 'command line'”.
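Both the blind “fill-in-the-blank” probes from the SQL injection section and the xp_cmdshell calls described above arrive through ordinary web requests, so the web server log is where an administrator first sees them. The following added example (my own detection sketch, not code from the page) parses a constructed W3C-style IIS log excerpt, URL-decodes the query string of each request, and flags lines that match the request patterns the page itself quotes. The field layout, the addresses, the timestamps and the log lines are all constructed for the example; none is a real capture.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed W3C-style IIS log excerpt (fields assumed: date time c-ip cs-method
# cs-uri-stem cs-uri-query sc-status). The request strings reuse the page's own
# examples; nothing here is a real capture.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2005-10-15 03:12:01 10.0.0.5 GET /data.asp id=1 200
2005-10-15 03:12:05 10.0.0.5 GET /data.asp id=1+and+1=(select+id+from+admin+where+left(password,5)=%27lk007%27) 200
2005-10-15 03:12:09 10.0.0.5 GET /data.asp id=1;exec+master.dbo.xp_cmdshell+%27command+line%27 500
2005-10-15 03:12:30 10.0.0.9 GET /default.asp - 200
2005-10-15 03:13:00 10.0.0.7 POST /login.asp user=%27+or+1=1+or+%27%27= 200
"""

# Each rule is matched against the *decoded* query string, so %27 and '+'
# in the log cannot hide a quote or a space from the pattern.
RULES = [
    ("tautology", re.compile(r"'\s*or\s+1\s*=\s*1", re.I)),
    ("boolean-probe", re.compile(r"\band\s+1\s*=\s*\(\s*select\b", re.I)),
    ("password-guess", re.compile(r"\bleft\s*\(\s*password\s*,", re.I)),
    ("xp_cmdshell", re.compile(r"\bxp_cmdshell\b", re.I)),
]

def parse_line(line):
    """Return (ip, stem, decoded_query) or None for directives/blank lines."""
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) < 7:
        return None
    ip, stem, query = fields[2], fields[4], fields[5]
    query = "" if query == "-" else unquote_plus(query)
    return ip, stem, query

def scan(log_text):
    """Return one finding per log line that trips at least one rule."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, stem, query = parsed
        hit = [name for name, rx in RULES if rx.search(query)]
        if hit:
            findings.append({"line": line_no, "ip": ip, "stem": stem, "rules": hit})
    return findings

def probes_by_ip(findings):
    """Count flagged requests per source address, to spot a single host probing."""
    return dict(Counter(f["ip"] for f in findings))

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(f"line {h['line']}: {h['ip']} {h['stem']} -> {', '.join(h['rules'])}")
    print(probes_by_ip(hits))
```

Decoding before matching is the important step: the same probe can be written with literal quotes, %27, or a mix, and a rule run over the raw log line would miss some spellings. Run over a real log, the per-address counts are what make the blind guessing stand out, since extracting a password one prefix at a time produces a long series of near-identical requests from one host.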


Late at night, the alarm sounded at headquarters. A soldier stumbled over the officer lying on the ground, and later people found the operator's body in the intelligence room. The entire headquarters immediately went to first-level alert, and everyone had to pass strict identity checks before being allowed in. But will the agent come again?

Discovering that the server has been broken into only after the intruder has long gone is the bitterest thing for most network administrators. If God gave them a second chance, they would pray that the intruder never enters, and if a time limit had to be put on it, they would want it to be forever.

That said, not every webmaster's skills are enough to ward off every intrusion, and no program is free of errors forever. How, then, should we guard against the harm penetration techniques may bring? After reading the articles and theoretical analysis above, it is not difficult to arrive at the following effective preventive measures:

  1. Make sure the operating system, database server and application development languages have the latest patches applied, such as Service Packs and the corresponding server program patches, and be sure to turn on the firewall in time;

  2. Always pay attention to updates of your server's forum program, and add the necessary field filtering;

  3. Pay attention to changes in user groups, watch closely for strange user names, and apply a strict policy to the user names and passwords used for registration;

  4. Analyze the operating system and database log files regularly.