Unconsciously "LM gang" see Black defense has been two spring and autumn, biennium not fall. After such a long time, I can start to play one or two strokes. Watch the second phase of the black defense "Dreamweaver triggered the network crisis", "LM Gang" heart there is no emotion, I thought that there are 40% of Web pages have such a loophole, it is not again can harvest n more chickens. But careful research has found that the method of this article has some problems, not as easy to play as imagined. Now let's discuss the session together.
Since it is to talk about session cheating, then first look at the session in the end is what, it is how to work. In ASP, the server can differentiate different browsers through the session object, because the session object is used to record browser-side variables and store some sensitive or useful information, such as user names. This seems like a cookie. But we know that the value of the cookie is stored on the client, while the session value is saved on the server side. When each visitor first accesses an ASP page of the server, the server creates a new and separate session object for him, assigns it to the session identification number, and sends a cookie (session identification number) of the specially encrypted version containing the session identifier to the customer. Because the expires value is not provided in the cookie (session identification number), the session identification number disappears when the browser is closed.
Each time the user accesses the ASP site, the ASP will find the session identification number through the browser. Named Aspsessionidxxxxxxxx, where each x is an alphabetic character. We can see when we grab the bag:
Set-cookie:aspsessionidsqbbqqds=gcinnkpdigdnpeaogldfffem; path=/
However, this cookie (session ID) does not appear in the Request.Cookies or Respsones.cookies collection, although the ASP hides it, but it is still stored on the browser. For each ASP Web page request, the ASP has to view the value. This cookie (session identification number) contains a value that indicates the user's session. As a result, the contents of the corresponding session object that is already in memory and that always contains all the values that were performed during the previous page request can be handed over to the script in the ASP Web page. In other words, the browser side has a server allocation of a session ID number, when we have a request, the server can use this ID number to find the corresponding sessions of the value of the object, but also to achieve the distinction between different browsers.
Use
Writing is not good, I do not know from the previous principle part of the session has a certain understanding. Now let's look at how the Dreamweaver triggers the cyber crisis to take advantage of session sessions.
There is a Web site abc.com, under the login page: Login.asp, after the successful login to see the sensitive information ok.asp (with access restrictions, validation through the display), otherwise turn to fail.asp.
In this article, The author wants to construct a hack.asp Web page first, by browsing the webpage, setting up session conversation, setting up the value needed in the sessions verification, and then entering the Web page after login directly in the Address bar ok.asp, because ok.asp is validated by the session, so the author thinks this can succeed. However, we know from the previous analysis that this attack is not possible if ok.asp and hack.asp are not on the same server. Because the value of the session object is kept on the server side, it is not possible as the author said: Let the ASP to execute and left in IE, the value of the sessions, IE has only a conversation ID number. If we browse the hack.asp on the local or other server, the validation value is set on the server where hack.asp is located, but the corresponding validation value is not set on the server where ok.asp resides, and even session sessions are not established. It can be seen that if ok.asp and hack.asp are not on the same server, it will not cause a network crisis.
But we can through this session of deception in the invasion to leave behind a difficult to killing the back door! The following is Mypower Power 3.5 as an example to show you how to pass the session spoofing to achieve the goal of direct login backstage.
Let's take a look at the source code of the power, the validation of the session in Admin_chkpurview.asp:
Adminname=replace (Session ("AdminName"), "'", "" "
If Adminname= "" Then
Call Closeconn ()
Response.Redirect "Admin_login.asp"
End If
Sqlgetadmin= "SELECT * from Admin where Username= '" & AdminName & "'"
Visible, the power is through the Session object AdminName variable to authenticate, and use it as the user name to query the database, and AdminName's initial assignment is in admin_chklogin.asp, when the user successfully login will give you two session value:
Session. Timeout=sessiontimeout
Session ("AdminName") =rs ("username")
Since login is detected after the session object, we can construct the following statements (such as copyright.asp) in any ASP Web page that can be accessed:
<%session ("adminname") = "admin"%>
This can be validated by the admin_chkpurview.asp session. Where admin refers to the administrative user name that exists. This construction, even if we are in the broiler any Trojan is killed, as long as the administrator's username has not changed, we can first visit the copyright.asp, and then directly enter the admin_index.asp can directly login backstage!
So how do you prevent this? In fact, the momentum also used a certain way, you will find that in this way to enter other background pages can not be successful, because the admin_chkpurview.asp also has the following verification:
Comeurl=lcase (the trim (request). ServerVariables ("Http_referer"))
If Comeurl= "" Then
Response.Write "<br><p align=center><font color= ' red ' > Sorry, for system security, the direct input address is not allowed to access the admin page of this system. </font></p> "
Response.End
Else
Curl=trim ("http://" & Request.ServerVariables ("SERVER_NAME"))
If Mid (Comeurl,len (CURL) +1,1) = ":" Then
Curl=curl & ":" & Request.ServerVariables ("Server_port")
End If
Curl=lcase (CURL & request). ServerVariables ("Script_name"))
If LCase (left (Comeurl,instrrev (Comeurl, "/")) <>lcase (left (Curl,instrrev (CURL, "/")) Then
Response.Write "<br><p align=center><font color= ' red ' > Sorry, for system security, it is not allowed to access the system's admin page from the external link address. </font></p> "
Response.End
End If
End If
But in the Admin_index.asp page does not call admin_chkpurview.asp, so we can pass the verification! Then why not call it? Don't ask me, try it yourself.
Postscript
We know that by closing the browser we can end the session, but all we have to lose is the session identification number assigned to us by the server. Before the end of the session's lifecycle, the server does not clear the session value that corresponds to the conversation identification number from memory.
Little knowledge: The life cycle of the session for general IIS defaults to 20 minutes.
Using this principle, if we have access to the session identification number established by other browsers when they log on to the server. Then we can use this session identification number to get the same permissions as the hijacked browser side. If it is an admin in the login background, then we can use this session ID on another computer to log in to the background, and thus achieve a remote attack. Specific methods Welcome to the Black Defense Forum discussion.
If there is any omission, please let the brothers point out that any brother who has a better way to use it is welcome to share
