Hidden it? The database can still be pulled out.


Author: sniper. Original release date: 2004-04-02. From: www.4ngel.net. E-mail: sniper@77169.com. This article has been published in "Hacker X Files".

Renaming the database and adding special characters to its name does increase security, yet database files on security-related sites have still recently been found and downloaded, using the "database exposure" (baoku) technique that has been so hot lately. I have also studied this technique together with friends and on the Hacker X Files forum. The results are not many, but I hope they serve to draw out better ideas. Below I take two systems and analyse them as examples.

Power Article system: In general every site program has a database connection file (usually conn.asp). Its name and path are not fixed: some sites keep it in the root directory, some in a dedicated folder, commonly named inc, with the file named conn.asp. When this is mentioned together with database exposure, people usually assume that requesting this file will return information about the database. In fact, requesting the file directly does not give us what we want, so it has to be combined with a vulnerability to achieve the exposure. First a brief introduction of the program. The Power Article system comes in a commercial SQL version and a free Access version; we are of course looking at the Access version. The program's conn.asp, used to connect to the database, lives in /inc, and the database file is in the /Database directory. The database is connected with a relative path: DB = "Database/ADSFKLDFOGOWERJNOKFDSLWEJHDFOGOWERJNOKFDSLWEJHDFSJHK.MDB". This database path leak is a programming oversight: conn.asp itself carries the hidden danger that hands an attacker the database path.
Vulnerability discovery: Everyday (the member Hacker X Files calls "SOHU's mm" :). Participating researchers: Strange Dog, Iceyes, sniper. (The vulnerability analysis can be found at http://www.hackerxfiles.net/bbs/dispbs.asp?boardid=4&id=27293.) At first we thought editor.asp lacked sufficient verification, but later analysis showed the problem was not editor.asp itself: Everyday simply used editor.asp to view the information the server returned. Let's demonstrate the attack process. Open this page in IE and see what it can do (as shown). Figure one shows clearly that this file is for editing article content; although it has no other permissions, we can edit the HTML page. Click "Original Code" and you find the following content:

This is the form the page uses for identity verification, passing the submitted content to Admin_chklogin.asp. What we do next is change it to point at the conn.asp file:

After changing it, click "Preview". What do we see? The database path comes out (Figure 2)! Look at this:

'D:/web/power/access/incogramdaBase/adsfkldfogowerjnokfdslwejhdfsjhk.mdb' is not a valid path. Make sure the path name is spelled correctly and that you are connected to the server where the file is stored.

I described the directory structure already: there is an inc directory (holding conn.asp) and a Database directory (holding the database file). Since the Database directory is not inside inc, the exposed database path shows /inc/Database/. This is a big oversight by the developers. Because inc and Database are sibling directories, when we use editor.asp to access conn.asp the relative path makes the system believe we are requesting /inc/Database/adsfkldfogowerjnokfdslwejhdfsjhk.mdb. No such file exists, so the system naturally cannot find it and reports an error that reveals the path. The most direct fix is to place conn.asp in the parent directory of the database file, or in the same directory. From the analysis of the Power Article system we can derive the signature of a program that leaks its database path: 1. conn.asp and the file that includes it (such as index.asp) are not in the same directory. 2. conn.asp connects to the database with a relative path. Once the principle of the vulnerability is understood, working out how to expose the database is not hard. Another big vulnerability, discovered earlier in the Dongwang forum (Dvbbs), allows arbitrary files to be moved. Used on its own it only lets you delete someone else's file and yields no permissions. While discussing it I suddenly thought of a method: by combining this vulnerability with what we did on the Power Article system, we can easily obtain the forum's database. Let's see what to do.
The Dongwang forum's vulnerability is in mymodify.asp, in the part that handles the user-defined avatar, which is checked insufficiently; we can use /./ to jump directories and move files. Look at the following code:

    '***************** filter uploaded avatar and modify, begin *****************
    If CInt(Forum_Setting(7)) = 1 Then
        On Error Resume Next
        Dim objFSO, UpFileName, NewFileName
        Dim Upface, MemberID
        Set RS = Conn.Execute("SELECT UserID, Face FROM [User] WHERE UserID=" & UserID)
        MemberID = RS(0)
        Upface = Trim(RS(1))
        NewFileName = ""
        UpFileName = Split(Upface, "/")
        ' Only the first "/"-separated segment is checked; where the path resolves on disk is never verified
        If UBound(UpFileName) = 1 And UpFileName(0) = "UploadFace" Then
            If InStr(UpFileName(1), "_") = 0 Then
                ' the user-defined avatar becomes UploadFace/userID_filename
                NewFileName = "UploadFace/" & MemberID & "_" & UpFileName(1)
                Set objFSO = Server.CreateObject("Scripting.FileSystemObject")
                ' if the file named by Upface exists, it is moved and renamed
                If objFSO.FileExists(Server.MapPath(Upface)) Then
                    objFSO.MoveFile "" & Server.MapPath(Upface) & "", "" & Server.MapPath(NewFileName) & ""
                End If
                If Err.Number = 0 Then
                    Conn.Execute("UPDATE [User] SET Face='" & NewFileName & "' WHERE UserID=" & UserID)
                End If
                Set objFSO = Nothing
            End If
        End If
        RS.Close
        Set RS = Nothing
    End If
    '***************** filter uploaded avatar and modify, end *****************

newfilename = "uploadFace/" & memberid & "_" & upfilename(1): the user-defined avatar becomes UploadFace/ID_upfilename. Now look at this part: if objFSO.FileExists(Server.MapPath(upface)) then objFSO.MoveFile "" & Server.MapPath(upface) & "", "" & Server.MapPath(newfilename) & "". Do you see it? This is the most critical part: if the file named by Upface is found, it is moved and renamed! The code analysis is complete; now let's see how to use it. Register a user and go into "modify basic information", and the key part follows. Do you still remember the directory jumping used when playing with showfiles-type files? Something like the URL below, where ../ is used to jump directories and view the passwd file: http://www.target.com/show.php?file=../../../../../etc/passwd%00 I believe everyone knows the roles of /, ./ and ../. So what we do is use directory jumping to move conn.asp. Add this to the custom avatar address:

UploadFace/./../Conn.asp The code was analysed above, so this line should be easy to understand: we point the "avatar" address at conn.asp in the parent directory. Since it passes the check, conn.asp is moved into UploadFace. This satisfies the first condition from the Power Article case: conn.asp and the file that calls it are now in different directories. Generally everyone uses a relative path, so as soon as we call this file we learn the database path. Create a new HTML file and write the following:
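The two defects this article relies on, a relative database path that resolves against whichever page includes conn.asp, and an avatar path check that never verifies where the path lands on disk, can both be made concrete in a short added example. This is my own code, not the Power Article or Dvbbs source; the web root, avatar directory and database file name are constructed assumptions, and map_path is only a rough stand-in for Server.MapPath.

```python
import os

# Constructed layout for this example (not a real deployment): the site root,
# the directory the forum allows avatars in, and a made-up database path.
WEB_ROOT = "/var/www/forum"
AVATAR_DIR = "UploadFace"


def resolve_relative_db_path(calling_dir: str, db_relative: str) -> str:
    """Show where a relative DB path in conn.asp resolves when conn.asp is
    included from a page in calling_dir (the first bug discussed above)."""
    return os.path.normpath(os.path.join(calling_dir, db_relative))


def map_path(virtual_path: str) -> str:
    """Rough stand-in for Server.MapPath: map a site-relative path onto disk.
    Backslashes count as separators because IIS on Windows accepts both."""
    virtual_path = virtual_path.replace("\\", "/")
    return os.path.normpath(os.path.join(WEB_ROOT, virtual_path.lstrip("/")))


def is_safe_avatar_path(upface: str) -> bool:
    """Accept upface only if it names a file directly inside AVATAR_DIR.

    The forum's own check only looked at the first "/"-separated segment and
    never verified where the path resolved on disk, so the avatar address
    could be pointed at conn.asp. This version rejects NUL bytes, dot
    segments and absolute paths, then confirms the resolved filesystem path
    still lies under the avatar directory before any MoveFile would run."""
    if not upface or "\x00" in upface:
        return False
    parts = upface.replace("\\", "/").split("/")
    if len(parts) != 2 or parts[0] != AVATAR_DIR:
        return False
    if parts[1] in ("", ".", ".."):
        return False
    avatar_root = map_path(AVATAR_DIR)
    target = map_path(upface)
    return os.path.commonpath([avatar_root, target]) == avatar_root and target != avatar_root


if __name__ == "__main__":
    # conn.asp in /inc included from a page in /inc vs. from the site root
    print(resolve_relative_db_path("/inc", "Database/site.mdb"))
    print(resolve_relative_db_path("/", "Database/site.mdb"))
    for candidate in ("UploadFace/face.gif", "UploadFace/./../Conn.asp", "../inc/conn.asp"):
        print(candidate, is_safe_avatar_path(candidate))
```

The first two lines of output show why rule 1 above matters: the same relative path points at two different files depending on which page included conn.asp, and the non-existent one is what produces the error that leaks the path.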