BY LCX
Recent online popular web script invasion. There are two commonly used intrusion methods, one is SQL INJECTION (is a profile to pass the SQL code to a professional term in the application you want to be desired by the developer), and the other is to use the web script to the cookie variable Filtering is not strict invading. So what is cookie? Simply put is the web page server to record your information, placed on your hard disk, a very small text file. Specific points say if they are 98, they are stored by default in the drive: / windows / cookies directory, if they are 2K they are in the Drive: / Documents and Settings /% Your Username% / Cookies directory (no more than each file 4KB). Their file name format is: your username @ generated cookie web files in the web directory [cookie change] .txt. Specific example is like this file: iWam_system @ cookie [3] .txt. Here I only talk about three intrusion tools related to cookie.
One is a cookie's sniffing tool. Netizen Pskey recently wrote an article with severe vulnerability >>. The article is great to develop and maintained the source code of www.aspsky.net and maintained by the DVBBS6.0 Forum due to its tongji.asp file, which is not filtered to the SQL query, causing the remote attacker to use this vulnerability to perform SQL injection attacks . SQL version of dbvvs6.o can add administrator users directly on the server host, and submit special URLs on the DBVVS6.o's ACESS version to get a cookie data of all users in the forum, threat to the forum or server security. Original you can see in the Security Focus Site (http://www.xfocus.net).
There is a paragraph in the article "Take a look at what the administrator is in the forum. For example, when you delete the post: post /asp/dvbbs/admin_postings.asp?action=delet http / 1.1 accept: image / gif, Image / x-xbitmap, image / jpeg, image / pjpeg, application / vnd.ms-powerpoint, application / vnd.ms-excel, application / msword, application / x-shockwave-flash, * / * referer: http: / / www.target.com/asp/dvbbs/admin_postings.asp?action= Delete Topics & BoardId = 2 & ID = 2 Accept-Language: ENCODINGE: Application / X-WWW-FORM-URLENCODED ACCEPT-ENCODING: GZIP, deflate User-Agent: Mozilla / 4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.0.3705) Host: target.comContent-Length: 124Connection: Keep-AliveCache-Control: no-cache Cookie: aspsky = userhidden = 2 & password = 18e071ccfb2d1c99 & userid = 1 & userclass =% B9% DC% C0% ED% D4% B1 & username = admin & usercookies = 0; iscookies = 0; BoardList = BoardID = Show; ASPSESSIONIDAASCSCDC = IPKLMGFAKFJLMOLNMMEMFDGC; upNum = 0 title =% B9% E0% CB% AE & content = & DOWEALTH = -7 & dousercp = -5 & douserep = -5 & id = 2 & replyid = & boardid = 2 & msg = & submit =% C8% B7% C8% CF% B2% D9% D7% F7 "
These data is the communication data of the administrator when the reticed net host is in the deletion. Many rookies don't understand here, how does pskey get these data? In particular, how is the cookie data of the last large segment detected? What tools for PsKey I have not known, but I introduced Winsock Expert This gadget can also detect this data. It is a program written by Dang Shuangqiang, who has written to monitor and modify the network to send and receive data, but unfortunate is an English version. However, it is very simple to use. For example, I will log in to the mobile network forum I have set up in this machine, Figure 1.jpg. I chose that cookies saved a day, see what data will Winsock Expert sniff? At this point, open Winsock Expert, Figure 2.JPG, point open icon in the menu of the pop-up window, find the login page of the mobile network, Figure 3.jpg, point OPE for listening. Then I lands on the mobile network forum, after logging in, then look at Winsock Expert helps me receive the cookie data in this unit? Figure 4.jpg. I saw that there is no, we have received similar data that PsKey mentioned in the article, which contains all values of the cookie. Of course, you can use this tool, you can not only monitor the send and receive cookies, but also to help you debug your web application, analyze the communication protocol of the network program (such as analyzing OICQ's transmission and receive data), and can modify the send during it The data. These features have a brief description in the help of the software. The second is a sending tool for cookie. Still first look at the netizen pskey's << lb5k forum remmail.cgi existence certification and filtering is not strict loophole >> Article. Original text You can also see it safely. The article mentioned that LB is a CGI forum open from www.leoboard.com development and maintenance; due to Remmail.cgi existence of authentication and filtering, it may cause illegal user control forums or to implement on the system with Web permissions. Any command. Attack method: If the "Perl.exe% S% S" mapping mode is easy to get in the "Perl.exe% S% S" mapping mode, you can get a web page shell: get /perl/lb5000mx/cgi-bin/remmail.cgi ? MEMBER = system% 20% 40ARGV http / 1.1 host: target.com cookie: AmembernameCookie = system% 20% 40ARGV rookie does not understand, how do I send this data? I won't start at the beginning, and a small software is written in VB to send this data. Later, I asked the master in several forums and learned a cookie to send a method. The tool is to use the Swiss army knife nc.exe, the method is to submit the following lines similar data: nc -vv www.target.com 80Get /xxx/xxx.cgi?xxx=xxx http / 1.1host: www.target.comcookie: XXXXX = xxxxx See I am experimenting in this machine, Figure 5 This is a method for submitting cookies with NC. Figure 6 This is a WebShell. Note that the Telnet tool with W2K can also do, the method and nc.exe are the same, but I found that Telnet is not easy to control character input.
The third cookie management tool, IECOKIESVIEW. Looking at the name, I understand what it is to do. Let's take a look at the cookie file left by the Notebook I have just launched the mobile network forum. It is put it in my hard disk C: / documents and settings / administrator / cookies directory, the file name is administrator @ DVBBS6 [1]. txt, as follows: aspsky userid = 1 & usercookies = 1 & userhidden = 2 & password = 469e80d32c0559f8 & userclass =% B9% DC% C0% ED% D4% B1 & username = admin 192.168.1.3/asp/dvbbs6/ 0 1896775680 29244795 3943711152 29244638 * ah, so a lot of place to look Do not understand, there are some garbled. We open with IecookiesView to see. Figure 7. From the figure, we clearly see the meaning of the cookie generated by this mobile network. Key is the keyword of cookie. Value is the value of cookie. Domain is a cookie. The version of the cookie is a cookie's overall period. Modified is a cookie's generation time (:-) Sorry, my electricity is 1999 ), Secure is the meaning of security, and its value is generally NO. Through this tool, we can clearly know that these cookies have meaningful, and it also automatically generates the URL encoding codes produced by Chinese characters into Chinese characters. On the top, I opened the garbled% B9% DC% C0% ED% D4% B1, now we understand that it is three Chinese character administrators. The biggest benefits of IECOOKIESVIEW is to easily modify cookies because we can understand. Like a mobile network forum, you use the vulnerabilities mentioned by PSKey, which is also used to use cross-site or other means to get the cookie of the administrator. Then you can use the Ordinary User Login Forum to generate a cookie in this unit, then open IECOKIESVIEW to edit your ordinary user's cookie, like Figure 8. After modifying each cookie value of the administrator, you can turn into an administrator's cookie. At this point, you will open the IE to re-log in to the mobile network forum, you will become the forum administrator.
Below, I use this Nc.EXE and Winsock Expert to make a cookie spoofer to make a cookie spoofer, further illustrate the usage of the cookie three sword tool tool I introduced. I have written a simple ASP script Level.asp, source and source code as follows: <% response.write now ()%> <% response.write "
"%> <% response.write
