佚名MYHACK58:6220066158The use of Session spoofing configuration the most hidden WebShell-vulnerability warning-the black bar safety net
Unknowingly“LM groups”to see the Black anti-there have been two spring and autumn, the period does not fall. Painstaking practice so long, can start playing on a trick or two. See the Black anti-second period of the DreamWeaver caused the network crisis of a text,“LM groups”the heart indescribably excited, thinking online is 4 0% of web pages are there is such a vulnerability, wouldn’t it be also can harvest N more meat chicken. But careful study found that the POST method there are some problems, not like the imagination as easy to play. Here and everyone together to discuss the Session.
Since it is talking about Session spoofing, then first take a look at the Session exactly what it is and how it works. In ASP, the server can pass the Session object to distinguish between different browsers, because the Session object is used to record browser-side variables, store some, such as username and other more sensitive or useful information. This point seems to and Cookie a little like. But we know the value of the Cookie are stored in the client, and the Session value is saved on the server side. When each of the visitors for the first time the browser accesses the server of an ASP page, the server will be for him to create a new and independent Session object, and assigned to the session is a session identification number, and contains the session identifier of the special encrypted version of a Cookie, the session ID number sent to the customer. Since the Cookie session Identification Number are not provided in the Expires value, so when the browser is closed, this session identification number is also disappeared.
Whenever a user access this ASP website, the ASP will be through the browser to find the session ID number. Named ASPSESSIONIDxxxxxxxx, wherein each x is a letter character. We are in the grasp of the received packet when can see:
Set-Cookie: ASPSESSIONIDSQBBQQDS=GCINNKPDIGDNPEAOGLDFFFEM; path=/
But the Cookies, the session ID number does not appear in the Request. Cookies or Respsones. Cookies collection, although the ASP hide it up, but still stored in the browser. For each ASP page request ASP to view the value. This Cookies, session Identification Number, contains the value that identifies this user’s session. Therefore, the corresponding Session object, the object is already in memory, and always contains all the previous page request process in the ultra-operation of the value of the content can be handed over to the ASP page in the script. That is, the browser has a server assigned a session ID number when we request time, the server can pass this ID number, find the corresponding Session object of value, will achieve the distinction between different browsers.
Use
The writing is bad, Don’t know everyone from the front surface of the principle part of the Session with a certain awareness. Now we look at the DreamWeaver caused the network crisis of a text is how to use Session session.
已 有 某 网站 abc.com, the following login page: the Login. asp, after successful login turn can see the sensitive information OK. asp with access restrictions, authentication by the display, otherwise the steering Fail. asp.
In this paper, the authors want to construct a hack. the asp page by browsing the web page to establish the Session session, and set Session to verify when the desired value, and then directly in the address bar to enter the login after the web page ok. asp, since ok. asp is through the Session to verify, so the authors believe that this can succeed. However, by the previous analysis we know that if ok. asp and hack. asp is not the same server, this attack can not be achieved. Because the Session object values are retained on the server side, it is impossible to like the author said above: make ASP perform, and in Internet Explorer leaving the Session value, IE have a Session the session Identification Number. If we in the present machine, or other server to browse a hack. asp, set the validation value is in the hack. asp resides on the server, but in the ok. asp resides on the server and did not set the corresponding verification value, even Session to session are not established, and how authenticated? Visible if ok. asp and hack. asp is not on the same server, it will not lead to a network crisis.
But we can through this Session spoofing method in after the invasion to leave yourself a difficult to kill the back door is! Here’s to MyPower power 3. 5 as an example for everyone to demo, how to pass the Session deception to achieve direct login background purposes.
We first look at the power of the source code, in Admin_ChkPurview. asp Session authentication:
AdminName=replace(session(“AdminName”),““,”“)
if AdminName=”" then
call CloseConn()
response. redirect “Admin_login. asp”
end if
sqlGetAdmin="select * from Admin where UserName=” & amp; AdminName & “*”
Visible, the power is through the Session object in the AdminName variable to authenticate, and use it as the username to query the database, and the AdminName of the initial assignment is in the Admin_ChkLogin. asp, when user successfully login after will give you the two Session values:
session. Timeout=SessionTimeout
session(“AdminName”)=rs(“username”)
Since after logging in through Session object to detect, so we can access the ASP page can be configured the following statements such as Copyright. asp: the
<%session(“AdminName”)=“admin”%>
So that you can by Admin_ChkPurview. asp Session authentication. Which Admin refers to the presence Management User name. Such a structure, even if we in the broiler on of any Trojan horse are killing, as long as the Administrator’s user name did not change, we can access Copyright. asp, and then direct input Admin_Index. the asp will be able to log in directly to the background!
So for this case how to prevent it? In fact, the power also with a certain way, you will find that by this method the input of the other of the background page can not be successful, it is because in Admin_ChkPurview. asp also has the following validation:
ComeUrl=lcase(trim(request. ServerVariables(“HTTP_REFERER”)))
if ComeUrl=“” then
response. write “<br><p align=center><font color=red>sorry, for System Security, do not allow direct input of the address to access the system Admin page.& lt;/font></p>”
response. end
else
cUrl=trim(“http://” & Request. ServerVariables(“SERVER_NAME”))
if mid(ComeUrl,len(cUrl)+1,1)=“:” then
cUrl=cUrl & “:” & Request. ServerVariables(“SERVER_PORT”)
end if
cUrl=lcase(cUrl & request. ServerVariables(“SCRIPT_NAME”))
if lcase(left(ComeUrl,instrrev(ComeUrl,“/”)))<>lcase(left(cUrl,instrrev(cUrl,“/”))) then
response. write “<br><p align=center><font color=red>sorry, for System Security, do not allow from the external address to access the system Admin page.& lt;/font></p>”
response. end
end if
end if
But in the Admin_Index. asp page does not call Admin_ChkPurview. asp, so we can verify! So why not call? Don’t ask me, yourself to give it a try will know.
PostScript
We know by closing the browser to end the session, but it lost just a server to us the assigned session Identification Number. While in the Session the session life cycle before the end, the server is not the session identification number corresponding to the Session value is cleared from memory.
Tip: generally the IIS Session lifecycle default is 2 0 minutes.
Using this principle, if we pass a certain pass to get the other browser to log in to the server when the established Session the session Identification Number. Then we will be able to use this session identification number to get robbed browser the same permissions. If it is a administrator in the login background, then we on another computer with the session ID through Session spoofing can also login to the backend, thereby achieving a remote attack. Specific methods welcome to the Black anti-Forum discussion.
Articles if there are omissions please brother pointed out, which the brothers if there is a better use of the method is welcome to share together.