A little research on php universal password Injection

Source: Internet
Author: User
Tags mssql server

Dark visitor

I have been working on the website yesterday. It is a pleasure to turn off the lights at the dormitory from two o'clock P.M. to. One of the technologies used is worth review and research. Below is a simple example:

The resin3.0.21 server can read arbitrary files of any drive letter by exploiting the vulnerability of brute-force source code. I read the boot. ini file and found it was a windows server. 1. Shows but does not support relative paths similar. Adding "c:" To the url cannot browse the file on drive c. Next, add N more special characters to the url. But the problem is that resin directs all the errors to an error page, and the error cannot be reported, I tried to use the jsp brute-force method to expose the path, but there was no progress.

I haven't thought of a better solution for a long time. During this period, the resin vulnerability was used to read my. ini to the mysql database root password, but the port is not connected. I scanned it with nmap. 3389 and 1723 (vpn) were found, and 80 (resin) 8080 (php + apache + mssql was later known that the mssql Server was used because it did not have a unique c: windowssystem32inetsrvmetabase. xml file, so it is determined that iis is not installed) the login interface found that the operating system is 2003. Five ift s later I found that there were no backdoors. It was normal and I didn't think much about it.

I scanned it with wwwscan, and there was nothing valuable. I tried to pull things together, and the results were not optimistic. Only pay and so on.

Xiaolong gave me the address of the background login Portal:Http: // w, and ww.xxxx.com: 8080/admin_manage/. 2. It is the same server as the target website, but the port is changed to 8080, php script. Enter a page that does not exist to view the error message. Based on experience, it is certainly set up by apache. He found the absolute path of the php site by entering the 'php verification interface in the background to report an error.

Then we can look at the source code to find the relative path. We are lucky to find the main file in the background. I found that many background files do not have permission verification.

The reality hit me again, and every connection in the background was inaccessible. Finally, confirm that the file is deleted. My day. It was another painful blow. There is no way to continue.

Using resin to view the verification file (main. php) in the background, we found that the universal injection code can be used. The source code is as follows:

Include_once ("./include/connect_db.php ");
$ Mydb = new mydb ();
$ Conn = $ mydb-> open ("unicom ");

$ Sql0 = "select pass_wd, user_name, powers from t_admin_user where user_id =". $ _ POST [account]. "";
$ Result0 = mssql_query ($ sql0, $ conn );
$ Row0 = mssql_fetch_array ($ result0 );

If ($ row0 ["pass_wd"]! = Md5 ($ _ POST ["passwd"]) {
?>
<Script language = "javascript">
Alert ¡");
Top. location. href = "http: // xxxxx/admin_manage/index. php ";
</Script>
<?
Exit ();

After analysis, it is found that exit () is used if the password is incorrect. No way to bypass.

Select pass_wd, user_name, powers from t_admin_user where user_id = ". $ _ POST [account]." ";

$ Result0 = mssql_query ($ sql0, $ conn );

If ($ row0 ["pass_wd"]! = Md5 ($ _ POST ["passwd"]) {

The possibility of a universal password is perfectly explained. Another point is that the gpc of this website is escaped from all single quotes. It seems that it cannot be done, but later it came into being a spark of a collision with the birds, indicating the use of the dual-byte encoding vulnerability. Although it is not omnipotent, this website does catch a cold.

Construction statement: mite union select top 1 0x3231323332663239376135376135613734333839346130653461383031666333, user_name, powers from t_admin_user --

Enter admin in the password field.

0x6361344252616336646242536542533130643664376635663833344153323631 is the result of admin's 32-bit md5 encrypted hash value and then converted to hexadecimal. Why is it not 16-bit? Because the md5 () function of php is encrypted with 32 bits. Try it if you don't believe it. The reason why hexadecimal conversion is required is that single quotation marks are not allowed. In addition, 0x6361344252616336646242536542533130643664376635663833344153323631 should also be placed in the first place. The reason is very simple. You can see the code of its query.

Result 4 is displayed.

Although an error is reported, the injection is successful. It is really interesting. However, we finally found a very interesting thing, that is, when the first character is single quotation marks and the back is not single quotation marks. The gpc can also be bypassed. I don't know why, but it may be a problem with the mssql database.

By the way, the post of the injection point that looks like the injection point in the background will be forwarded to get and then run the result pangolin to find it is an injection point. However, the permission is public and it has been tested manually, it seems that you can create a table, but you do not know whether the table is successfully created. The results of Manual table explosion are not displayed.

Birdie said it was done in linux.

We will continue to follow this website. Update it to your blog.

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.