Are you hidden? It's easy to pull out the database.


Create time: 2004-02-06

Article attribute: original

Article submission: Sniper (sniperhk_at_163.com)


Author: sniper


Update Date: 2004-02-05

From: www.4ngel.net

E-mail: sniper@77169.com

###############################################################

Foreword

As the core part of a site, the database's importance is self-evident, and network administrators have taken pains to rename database files and add special characters to make them harder to find. Recently, however, the databases of several security sites have been discovered and downloaded, which is the much-discussed "database exposure" technique. I have also studied this technique together with friends and on the Hacker X Files forum. Although the results are not many, I hope they can serve as a starting point for others. Below I take two systems for case analysis:

Dynamic article system

Generally speaking, every site's program files include one file that connects to the database (usually conn.asp). Of course, its name and path are not fixed: some sites put it in the root directory, others in a dedicated folder, typically named inc, with the file named conn.asp. When people think about database exposure, they usually assume that simply requesting this file will reveal information about the database. In fact, requesting the file directly does not give the information we want, so it has to be combined with some vulnerability to achieve database exposure.

First, a brief introduction to the program. The dynamic article system comes in a commercial SQL version and a free Access version; here we are of course discussing the Access version. The program's conn.asp file, which connects to the database, is in /inc, while the database file is in the /Database directory. The connection uses a relative path: dB = "Database/adsfkldfogowerjnokfdslwejhdfsjhk.mdb"

Leaking the database path is a danger programmers should consider, because the conn.asp file itself has a hidden flaw that lets an attacker obtain the database path. Vulnerability discovered by: Everyday (the one Hacker X Files calls SOHU's mm :)); participating researchers: Strange Dog, Iceyes, sniper. (Vulnerability analysis: http://www.hackerxfiles.net/bbs/dispbbs.asp?boardid=4&id=27293)

At first we thought that editor.asp lacked sufficient verification, but on further analysis we found that the problem was not in editor.asp at all: Everyday simply used editor.asp to view the information returned by the server. Let us demonstrate the attack process. Open this page in IE to see what it can do (as shown).

Figure 1

Obviously this file is used to edit article content. Although it grants no other permission, we can edit the HTML of the page. Click "Original Code" and you will find content like this:

This is where the page authenticates: it passes the form content to admin_chklogin.asp. What we need to do is change that target to the conn.asp file:

After changing it, click "Preview". What? I see it! The database path came out (Figure 2)!

Figure 2

What is the reason? Let's take a look at this:

'D:/web/power/access/inc/Database/adsfkldfogowerjnokfdslwejhdfsjhk.mdb' is not a valid path. Make sure that the path name is spelled correctly and that you are connected to the server on which the file resides.

Regarding the directory structure, I have already said that there is an inc directory (storing conn.asp) and a Database directory (storing the database file adsfkldfogowerjnokfdslwejhdfsjhk.mdb). The Database directory is not inside inc, yet the error message shows /inc/Database/: this is a big oversight by the programmer. Since inc and Database are sibling directories, when we use editor.asp to request conn.asp directly, the relative path is resolved from the inc directory, so the system believes you are requesting /inc/Database/adsfkldfogowerjnokfdslwejhdfsjhk.mdb. No such file exists, so the system naturally cannot find it and reports an error, and that error message contains the full path. To solve this problem, the most direct method is to put conn.asp in the parent directory of the database file, or in the same directory.

Mobile Network Forum

From the analysis of the dynamic article system above, we can identify the characteristics of a program that leaks its database path:

1. conn.asp and the file that calls it (such as index.asp) are not in the same directory.

2. conn.asp connects to the database with a relative path.
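The two conditions above can be checked mechanically. The following Python audit is an added example, not code from the article or from either program it discusses: it models a site tree in memory and reports any connection file whose relative .mdb path resolves to an existing file from the includer's directory but to a missing one when the connection file is requested directly, which is exactly the situation that produces the path-revealing error. The in-memory trees and the Server.MapPath(dB) form of the connection code are assumptions.

```python
import posixpath
import re

# Constructed in-memory site trees (virtual path -> contents); Server.MapPath(dB) is assumed.
CONN_RELATIVE = ('<% dB = "Database/adsfkldfogowerjnokfdslwejhdfsjhk.mdb"\n'
                 'conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath(dB) %>')
CONN_ROOTED = CONN_RELATIVE.replace('"Database/', '"/Database/')   # root-relative alternative
SITE_VULNERABLE = {
    "/index.asp": '<!--#include file="inc/conn.asp"-->',
    "/inc/conn.asp": CONN_RELATIVE,
    "/Database/adsfkldfogowerjnokfdslwejhdfsjhk.mdb": "<binary>",
}
SITE_FIXED = {**SITE_VULNERABLE, "/inc/conn.asp": CONN_ROOTED}

INCLUDE_RE = re.compile(r'<!--#include\s+(file|virtual)="([^"]+)"\s*-->', re.I)
DBPATH_RE = re.compile(r'\bdb\w*\s*=\s*"([^"]+\.mdb)"', re.I)

def map_path(script_dir, rel):
    """Mimic Server.MapPath: a path starting with "/" maps from the web root,
    a relative path maps from the directory of the script actually requested."""
    if rel.startswith("/"):
        return posixpath.normpath(rel)
    return posixpath.normpath(posixpath.join(script_dir, rel))

def includers(site, target):
    """Scripts whose #include directive resolves to `target`."""
    found = []
    for path, body in site.items():
        for kind, inc in INCLUDE_RE.findall(body):
            base = "/" if kind.lower() == "virtual" else posixpath.dirname(path)
            if map_path(base, inc) == target:
                found.append(path)
    return found

def audit(site):
    """Report connection files meeting both conditions: included from another
    directory, and a relative .mdb path that only exists from the includer's view."""
    findings = []
    for path, body in site.items():
        m = DBPATH_RE.search(body)
        if not m:
            continue
        direct = map_path(posixpath.dirname(path), m.group(1))
        for caller in includers(site, path):
            via_caller = map_path(posixpath.dirname(caller), m.group(1))
            if via_caller in site and direct not in site:
                findings.append({"conn": path, "caller": caller,
                                 "works_via": via_caller, "direct_request": direct})
    return findings
```

Running audit on the second tree returns nothing: a root-relative path resolves the same way however conn.asp is reached, which is the alternative to relocating conn.asp.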

Knowing the principle of the vulnerability, the method for exposing the database is not hard to understand. A major vulnerability discovered some time ago in the Mobile Network Forum allows moving arbitrary files. Used on its own, this vulnerability lets you delete someone else's file, but it gives you no permissions. While discussing this issue, I suddenly thought of a method: as long as we combine this vulnerability with what we did to the dynamic article system, we easily arrive at a way of obtaining the Mobile Network Forum database. Let's take a look at what we should do.

The Mobile Network Forum vulnerability is in mymodify.asp, in the part that handles user-defined avatars, where we can use /./ to traverse directories and move files. Look at the following code:

    '*****************
    ' Filter and rename the uploaded avatar image
    If CInt(forum_setting(7)) = 1 Then
        On Error Resume Next
        Dim objFSO, UpFileName, NewFileName
        Dim UpFace, MemberID
        Set rs = Conn.Execute("Select userid, face from [user] where userid=" & userid)
        MemberID = rs(0)
        UpFace = Trim(rs(1))
        NewFileName = ""
        UpFileName = Split(UpFace, "/")
        If UBound(UpFileName) = 1 And UpFileName(0) = "UploadFace" Then
            If InStr(UpFileName(1), "_") = 0 Then
                ' the user-defined avatar becomes UploadFace/UserID_filename
                NewFileName = "UploadFace/" & MemberID & "_" & UpFileName(1)
                Set objFSO = Server.CreateObject("Scripting.FileSystemObject")
                If objFSO.FileExists(Server.MapPath(UpFace)) Then
                    objFSO.MoveFile Server.MapPath(UpFace), Server.MapPath(NewFileName)
                End If
                If Err.Number = 0 Then
                    Conn.Execute("Update [user] set face='" & NewFileName & "' where userid=" & userid)
                End If
                Set objFSO = Nothing
            End If
        End If
        rs.Close
        Set rs = Nothing
    End If
    ' End of avatar image filtering
    '***************

Take a look at this line:

    NewFileName = "UploadFace/" & MemberID & "_" & UpFileName(1)   ' the user-defined avatar becomes UploadFace/UserID_filename

And look at this:

    If objFSO.FileExists(Server.MapPath(UpFace)) Then
        objFSO.MoveFile Server.MapPath(UpFace), Server.MapPath(NewFileName)

Have you seen it? This is the most critical part: if the file referenced by UpFace exists, that file is moved and renamed!
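The check above only splits on "/" and compares the first segment, so it never pins the moved file to the avatar directory. The following Python function is an added example, not code from the forum: it shows the containment check a hardened version of this step needs, normalising the whole path first, requiring it to sit directly under the avatar directory (assumed here to be /UploadFace), and allowing only a plain image file name; renamed_avatar then builds the UserID_filename target only from a validated path.

```python
import posixpath
import re

AVATAR_DIR = "/UploadFace"   # assumed virtual directory that avatars must stay inside
# Plain image names only: no separators, no "_" (the rename step's own marker), one extension.
SAFE_NAME = re.compile(r"^[A-Za-z0-9]{1,32}\.(gif|jpe?g|png)$")

def safe_avatar_path(upface):
    """Return the canonical virtual path of a user-supplied avatar, or None to reject it.
    Normalising first collapses "." and ".." segments, so a value such as
    "UploadFace/./../conn.asp" canonicalises to "/conn.asp" and fails the containment
    test, even though its first "/"-separated segment is "UploadFace"."""
    if not upface or "\\" in upface or "\0" in upface:
        return None
    canon = posixpath.normpath("/" + upface.lstrip("/"))
    if posixpath.dirname(canon) != AVATAR_DIR:
        return None
    if not SAFE_NAME.match(posixpath.basename(canon)):
        return None
    return canon

def renamed_avatar(upface, member_id):
    """Hardened equivalent of the NewFileName step: only a validated path may be
    moved, and the destination is derived from its canonical base name."""
    canon = safe_avatar_path(upface)
    if canon is None:
        return None
    return posixpath.join(AVATAR_DIR, "%s_%s" % (member_id, posixpath.basename(canon)))
```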

OK, the code analysis is complete; now let's see how to use it. After registering a user and entering the page for modifying basic information, the key part comes. Do you still remember directory traversal when exploiting show-file type scripts? Similar to the URL below, we use ../ to traverse directories and view the passwd file. Submit:

http://www.target.com/show.php?file=../../../../../etc/passwd

I believe everyone has learned about /, . and .. from that. OK, what we have to do is use directory traversal to move conn.asp. Enter this in the custom avatar address:

UploadFace/./../conn.asp

As analysed earlier, the meaning of this line should be clear: we point the "avatar" address at conn.asp in the parent directory. Since it satisfies the program's check, conn.asp is moved into UploadFace. This meets the first condition we found with the dynamic article system, and since generally everyone uses a relative path, we will learn the database path as long as we call this file. A new HTML file is written as follows: