A tedious penetration test based on code analysis

Source: Internet
Author: User

Let me briefly describe this site. It is an ASPX site: no injection vulnerability could be found, and it is configured securely. The system is actually open source, so in general there are fewer system vulnerabilities to find, and I ran into many problems during the penetration test. I would like to share them with you.

First, I finally obtained the administrator's username and password, and downloaded the system's source code from its website to analyze it. I went through the back end of this system looking for upload vulnerabilities. The system is designed so that attachment uploads are handled by a module embedded in the system; the module can be detached or loaded and configured, and it is loaded by default.

I prepared a few test files:

1. A normal GIF file. Test result: the file uploads correctly with no errors. The path of the uploaded file is not shown.

2. A pure ASPX backdoor with its extension changed to GIF. Test result: the upload fails, but no prompt or error message is shown.

3. A GIF file with ASPX code placed in the GIF header. Test result: the upload fails, but no prompt or error message is shown.

4. A normal GIF file with the ASPX file appended as binary data. Test result: the file uploads correctly with no errors. The path of the uploaded file is not shown.

Analysis:

1. The upload path is unknown. The source code can be analyzed later to see whether a forged POST request can be used. (If the second half of the path is customizable, the vulnerability may exist.)

2. How to forge a POST carrying binary data? I had always had a theoretical solution in mind, but it is far more troublesome than using NC, and I had never practiced it, because I had seemingly never met a site that filtered this strictly.

With these questions in mind, I began analyzing the code. Here are some of the results.

1. The following is a code snippet:

bool isFileTypeImages = false;
// fileContentType is the MIME type reported for the uploaded file
switch (fileContentType)
{
    case "image/x-png":
    case "image/bmp":
    case "image/gif":
    case "image/pjpeg":
    case "image/jpeg":
        isFileTypeImages = true;
        break;
}

Here the file type is checked, which matches the test results: the file must have the correct header. Another part of the code checks the file content. The author of this system is indeed very responsible.

2. The following is the function that generates file names.

public string CreateFileName()
{
    // 32 lowercase hex characters with the dashes removed
    string guid = Guid.NewGuid().ToString().ToLower().Replace("-", "");
    // timestamp to the second, followed by the first 4 characters of the GUID
    return DateTime.Now.ToString("yyyyMMddhhmmss") + guid.Substring(0, 4);
}

This code generates the file name. Although the folder name is not shown, it is the default folder name indicated in the code. The code above, however, shows that the file name cannot be guessed by hand.

3. The back-end code does not filter the extension at all. I suspect the author wanted uploads not to be limited to a fixed set of extensions. The front end restricts the upload extension and the upload path is not shown, so this spot becomes an exploitable vulnerability once the source code is available.
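The three findings above point to the same fixes: enforce the extension allowlist on the server, do not rely on the client-supplied Content-Type, and give saved files a name that cannot be enumerated. Below is an added example of those checks in C#; it is not the audited system's code, and the class, method names and the allowlist contents are my own assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Cryptography;

public static class SafeUpload
{
    // Allowed extensions, enforced on the server and not only in the front end
    // (finding 3); each maps to the bytes a genuine file of that type starts with.
    static readonly Dictionary<string, byte[]> Allowed =
        new Dictionary<string, byte[]>(StringComparer.OrdinalIgnoreCase)
    {
        { ".gif",  new byte[] { 0x47, 0x49, 0x46, 0x38 } }, // "GIF8"
        { ".png",  new byte[] { 0x89, 0x50, 0x4E, 0x47 } }, // 0x89 "PNG"
        { ".jpg",  new byte[] { 0xFF, 0xD8, 0xFF } },
        { ".jpeg", new byte[] { 0xFF, 0xD8, 0xFF } },
        { ".bmp",  new byte[] { 0x42, 0x4D } },             // "BM"
    };

    // The client-supplied Content-Type (the switch in finding 1) is not consulted:
    // the browser derives it from the extension, so it proves nothing about the bytes.
    public static bool IsAcceptableImage(string originalName, byte[] data)
    {
        string ext = Path.GetExtension(originalName);
        if (string.IsNullOrEmpty(ext) || !Allowed.TryGetValue(ext, out byte[] sig)) return false;
        for (int i = 0; i < sig.Length; i++)
            if (i >= data.Length || data[i] != sig[i]) return false;
        // Test 4 above shows a real GIF can still carry appended code, so this is a
        // filter, not a guarantee: the unguessable name below plus never executing
        // anything from the upload folder are what keep such a file inert.
        return true;
    }

    // Replaces the timestamp + 4 hex digit scheme (finding 2) with 128 random bits
    // from the CSPRNG; the extension is an allowlist key, never the client's name.
    public static string CreateFileName(string ext)
    {
        if (!Allowed.ContainsKey(ext)) throw new ArgumentException("extension not allowed");
        byte[] rnd = new byte[16];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create()) rng.GetBytes(rnd);
        return BitConverter.ToString(rnd).Replace("-", "").ToLowerInvariant() + ext.ToLowerInvariant();
    }

    public static void Main()
    {
        byte[] gif = { 0x47, 0x49, 0x46, 0x38, 0x39, 0x61 }; // constructed "GIF89a" header
        Console.WriteLine(IsAcceptableImage("photo.gif", gif) + " " + IsAcceptableImage("shell.aspx", gif));
        Console.WriteLine(CreateFileName(".gif"));
    }
}
```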


Now I hesitated whether to take it on. Taking it on would be very troublesome, and most people would not go to this much trouble. I told the client the result. A few days later, at the client's strong insistence, I decided to proceed.

The next steps were a long process.

1. Pick a quiet time, record it, and upload the image file carrying the backdoor, this time with the ASPX extension. For this I wrote a program. Briefly, the principle is: the program POSTs data organized according to the page content, the file part of course being the image file's bytes, and submits it as a byte array. The request header must set the original site's address as the Referer of the HttpWebRequest, and a CookieContainer holding the logon credentials must be set. The program uploaded successfully and a new image was displayed.

2. Guess the upload path. With the first half of the path and the extension known, the file name still has to be guessed. Going by CreateFileName() and the time recorded in step 1, a range was computed from an error of about an hour around that time point. The year and date part of the first half is fixed; the values below the hour were enumerated over the estimated hour on either side into a sequence dictionary (some invalid time values had to be removed to reduce the number of attempts). The four-digit GUID part was even more troublesome and needed another dictionary: 16 to the power of 4 combinations, so the whole dictionary was very large. Then came the brute force. We found a tool on the market, but unfortunately none of the scanners we found supported cookies, so there was no choice but to write one myself. After writing the script I kept it running on a machine around the clock; it ran for I don't know how many days.
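The enumeration described in step 2 leaves an obvious trace on the server: one client requesting many non-existent files in the upload folder whose names fit the timestamp + 4 hex digit pattern. The following added example (not from the original post) counts such 404s per client over log lines; the upload folder "/upload/" and the simplified log line layout are assumptions for this example, and the sample lines are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;

public static class UploadProbeDetector
{
    // yyyyMMddhhmmss (14 digits) followed by the first 4 hex characters of a GUID.
    static readonly Regex GuessedName =
        new Regex(@"^/upload/\d{14}[0-9a-f]{4}\.aspx$", RegexOptions.IgnoreCase);

    // Log line layout assumed here: "<time> <client-ip> <method> <uri-stem> <status>".
    public static Dictionary<string, int> CountMisses(IEnumerable<string> lines)
    {
        var misses = new Dictionary<string, int>();
        foreach (string line in lines)
        {
            string[] f = line.Split(' ');
            if (f.Length < 5) continue;
            string client = f[1], uri = f[3], status = f[4];
            // Only requests that fit the name pattern and missed are counted; a normal
            // visitor follows links to real images and produces 200s instead.
            if (status == "404" && GuessedName.IsMatch(uri))
                misses[client] = misses.TryGetValue(client, out int n) ? n + 1 : 1;
        }
        return misses;
    }

    // Clients at or above the threshold in the examined window are worth blocking and
    // investigating; the script in the write-up ran around the clock, so real probes are loud.
    public static List<string> Suspicious(IEnumerable<string> lines, int threshold) =>
        CountMisses(lines).Where(kv => kv.Value >= threshold).Select(kv => kv.Key).ToList();

    public static void Main()
    {
        string[] sample = // constructed log lines
        {
            "10:00:01 203.0.113.5 GET /upload/202401011000000a1f.aspx 404",
            "10:00:01 203.0.113.5 GET /upload/202401011000000a20.aspx 404",
            "10:00:02 203.0.113.5 GET /upload/202401011000000a21.aspx 404",
            "10:00:02 198.51.100.7 GET /upload/20240101095959b3c4.gif 200",
            "10:00:03 198.51.100.7 GET /index.aspx 200",
        };
        foreach (string ip in Suspicious(sample, 3))
            Console.WriteLine("probable file-name enumeration from " + ip);
    }
}
```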

Once this path was found, the WebShell was obtained.
