Brute-force database intrusion OBLOG!

Source: Internet
Author: User

After work I went to have a look at my friend's website. The site has been modified and prettified, and almost all of its pages are static htm files. Looking more closely, a "Blog Center" had been added a few days earlier. Clicking it, the page is quite nice; the copyright line reads "powered by OBlog ver2.22". Casually I opened a link, http://***/blog/index.asp?classid=3, and out of habit appended a single quote. The page showed:
Code: Microsoft VBScript runtime error '800a000d'
Type mismatch: 'clng'
/Blog/index.asp, line 11
The parameter is converted with CLng(), so SQL injection was not an option there. Next I changed http://***/blog/index.asp?classid=3 to http://***/blog%5cindex.asp?classid=3. Haha, I almost fainted. The page showed:
Code: Microsoft JET Database Engine error '000000'
'D:\Alibaba\web\guhuo\data\#mwfblog.asa' is not a valid path. Check whether the path name is correctly spelled and whether you are connected to the server where the file is stored.
/Blog/conn.asp, line 14
The database path was exposed. (I couldn't help sneering.) I opened FlashGet and downloaded the database. After carefully analyzing the blog pages and the database, I found that the administrator's and ordinary users' passwords are stored as MD5 hashes, which can only be cracked; troublesome.
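The %5c request above is what turns a harmless "path not found" into a physical-path disclosure: the backslash makes classic ASP resolve the relative database path against the wrong directory, and with detailed errors enabled the JET error page prints the full path. From the defender's side the request pattern is easy to spot in web-server logs. The following detection script is an added example written for this page (not part of the original post or of OBlog); the W3C-style log lines are constructed, the field subset is assumed, and the script treats both the %5c-encoded and the literal backslash form as the same probe.

```python
"""Flag requests whose URL path contains a backslash (literal or %5c-encoded).

Added example for this page; the log lines below are constructed and use a
reduced set of IIS W3C fields (assumption: date time c-ip cs-method
cs-uri-stem cs-uri-query sc-status).
"""
from collections import Counter
from urllib.parse import unquote

# Constructed sample log (not real traffic).  Raw string so the literal
# backslash on the last line survives as typed.
SAMPLE_LOG = r"""
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2006-03-01 20:15:02 10.0.0.5 GET /blog/index.asp classid=3 200
2006-03-01 20:15:09 10.0.0.5 GET /blog/index.asp classid=3' 500
2006-03-01 20:15:21 10.0.0.5 GET /blog%5cindex.asp classid=3 500
2006-03-01 20:16:03 10.0.0.9 GET /blog/images/logo.gif - 200
2006-03-01 20:17:12 10.0.0.5 GET /blog\index.asp classid=3 500
"""


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names from the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # malformed or unexpected layout; skip rather than guess
        yield dict(zip(fields, parts))


def has_backslash_in_path(uri_stem):
    """True if the request path contains a backslash in encoded or literal form.

    unquote() folds %5c / %5C into '\\', so one check covers both spellings.
    """
    return "\\" in unquote(uri_stem)


def find_path_disclosure_probes(text):
    """Return (c-ip, cs-uri-stem, sc-status) for every backslash-in-path request.

    A 500 status on such a request is the strongest signal: it usually means
    the server answered with a VBScript/JET error page instead of a 404.
    """
    hits = []
    for rec in parse_w3c(text):
        if has_backslash_in_path(rec["cs-uri-stem"]):
            hits.append((rec["c-ip"], rec["cs-uri-stem"], rec["sc-status"]))
    return hits


def probes_per_ip(text):
    """Count backslash-in-path requests per client address, for triage."""
    return Counter(ip for ip, _, _ in find_path_disclosure_probes(text))


if __name__ == "__main__":
    for ip, path, status in find_path_disclosure_probes(SAMPLE_LOG):
        print(f"{ip} {path} -> {status}")
    print(probes_per_ip(SAMPLE_LOG))
```

Two requests in the constructed log are flagged, both from the same address and both answered with 500. The status code is the useful part for a defender: a 500 on a backslash path means the application is still returning detailed error pages, which is the setting to turn off (and the database should not live under the web root in the first place, nor be exposed by a physical path that the error text can print).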
On the blog page I found a "forgot password" link for users, so I wondered whether this function could be used to change the administrator's or a user's password (later I found that only ordinary users' passwords can be changed this way). Opening the page, I entered the username "shmily" and the password hint "qiner" taken from the database, and the user's password was changed successfully (Figure 1).

[Figure 1]


I logged on with this account. Once logged on, there is a file upload function under user management. Unfortunately only jpg, gif and png files can be uploaded (still, one could upload junk files to the friend's site ...). This "forgot password" function is itself very harmful: it can change the password of every user in the blog, and so alter or destroy every user's data.
Getting a webshell on my friend's site looked a little difficult. Thinking it over that evening, the only way forward was to crack the administrator's password and then change the allowed upload file types through the admin backend.
Fortunately the administrator's MD5 password was cracked in less than half an hour. It seems my friend won't even get to eat supper tonight. The admin page, admin_login.asp, is easy to guess. After logging on to the admin page, I found where the allowed upload file types are set, added asp, and then tried to upload an ASP trojan directly to obtain a webshell (Figure 2).

[Figure 2]


What happened next almost made me vomit blood: even after modifying the allowed file types, I still could not upload asp files; only jpg, gif, png and the like would go through.
Frustrated, there was no way to be lazy: the only option was to download the source from the official website www.oioj.net and analyze it.
In upload.asp I found the following code:
Code: sAllowExt = Replace(UCase(sAllowExt), "ASP", "")
No wonder changing the allowed upload types in the backend didn't let asp files through: this line strips "ASP" from the allowed-extension list before it is used.
Even the wise slip up sometimes. Although the program blocks asp files, it forgets to block extensions such as cer, which IIS also hands to the ASP engine. I immediately added cer to the allowed upload types in the backend, logged on with the shmily account again, and uploaded a cer trojan (Figure 3).

[Figure 3]
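The root cause is that upload.asp validates by subtraction: it removes one token from an admin-editable list instead of deciding which extensions are acceptable. The following added example (written for this page, not OBlog's code) models that Replace() check in Python next to an allowlist check that rejects anything it does not explicitly recognise. The list separator "|" and the shape of the admin list are assumptions; only the Replace() line itself comes from the post.

```python
"""Upload extension check: blacklist-by-removal (modelled on the upload.asp
line quoted in the post) beside a fixed allowlist.  Added example, not OBlog's
code.  Assumption: the admin list is '|'-separated upper/lower-case extensions.
"""
import re
import secrets


def oblog_style_allowed(filename, admin_allow_list):
    """Model of  sAllowExt = Replace(UCase(sAllowExt), "ASP", "")  followed by
    a membership test.  Only the literal token 'ASP' is removed, so any other
    extension the admin (or an attacker with admin access) adds is accepted.
    """
    allow = admin_allow_list.upper().replace("ASP", "")
    exts = {e.strip() for e in allow.split("|") if e.strip()}
    ext = filename.rsplit(".", 1)[-1].upper() if "." in filename else ""
    return ext in exts


# Allowlist: a short fixed name, exactly one dot, and one of four image
# extensions.  No path separators, no second extension, nothing the server
# would ever execute, regardless of what an admin list says.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(jpg|jpeg|gif|png)$", re.IGNORECASE)


def allowlist_check(filename):
    """Return the lower-case extension if the name is acceptable, else None."""
    m = _SAFE_NAME.match(filename)
    return m.group(1).lower() if m else None


def stored_name(filename):
    """Name to store the upload under: a random server-chosen stem plus the
    validated extension.  The client-supplied name is never reused on disk.
    Raises ValueError for anything the allowlist rejects.
    """
    ext = allowlist_check(filename)
    if ext is None:
        raise ValueError(f"rejected upload name: {filename!r}")
    return secrets.token_hex(8) + "." + ext


if __name__ == "__main__":
    admin_list = "JPG|GIF|PNG|ASP|CER"  # constructed: admin added ASP and CER
    for name in ("photo.jpg", "shell.asp", "shell.cer"):
        print(f"{name:10} blacklist={oblog_style_allowed(name, admin_list)!s:5} "
              f"allowlist={allowlist_check(name)}")
```

With the constructed admin list, the blacklist model rejects shell.asp but accepts shell.cer, which is exactly the gap the post describes; the allowlist rejects both and also refuses names with backslashes or a second extension without having to know about any particular trick. Storing the file under a server-generated name removes the client's control over the final filename as well.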


Success (Figure 4).

[Figure 4]


What to do after getting a webshell is left to the reader.
Note: there is no new technique in this article, and finding this vulnerability was accidental. Do not use it for illegal purposes. Afterwards I searched Google for "powered by OBlog" and found that about 90% of the sites had the same database exposure. Even more surprising to me, the official website is exposed in the same way (Figure 5).

[Figure 5]


Until a patch is released, I suggest hardening the database against downloading, and filtering out cer and similar extensions in upload.asp.

