Blue rain design whole site SQL Injection Vulnerability

I used to contribute an article. Because of the issue of the article, I couldn't get into the magazine. In addition, some people recently posted a message on the website to explain the Blue rain, therefore, I have published the vulnerabilities mentioned in the vulnerability warning. The official version has been patched. Of course, some websites still have SQL injection vulnerabilities, so all consequences have nothing to do with me and the BCT team.

I'm bored recently. I walked around the Internet to see it. I found that there are more and more whole-site systems, and version modifications and so on! There are more and more users of the Blue rain design whole site. The blue rain whole site system was modified from NOWA 0.94! NOWA-based systems are not just blue rain, but there are many more! I will not list them here. The core is the same, but the additional functions of the program are different! In terms of security, because of the NOWA-based system, the vulnerabilities currently known are only uploaded. In the following article, the SQL injection vulnerability that has never been found in NOWA system modification vulnerabilities! It's only strange that the Blue rain didn't solve the injection problem when modifying the program! This cannot blame me! Who told programmers not to pay attention to security issues?

1. Determine the injection point

We will take the official website for testing, because we are worried that the version provided outside is not the latest version, which leads to a discrepancy in the correctness of the article. First, submit http: // ***. net/view. asp? Action = art & art_id = 70 and 1 = 1 the following information is returned.

Enter again

Http: // ***. net/view. asp? Action = art & art_id = 70% 20and % 201 = 2 return the following information:

From the standard SQL injection point detection and1 = 1 and 1 = 2d information, we can see that there are SQL injection in the comments of this program for the two pictures respectively, because the modified versions based on NOWA are all based on the ACCESS database architecture, we can further determine the database type of this program.

2. querying database tables

I am so lazy that I have to borrow NBSI for SQL injection. How can I know if it is because NBSI is so powerful that it cannot be used to kill chickens. It cannot detect all the SQL injection points I found! It's amazing (HaK_BaN: Is it true... I really want to manually inject T_T) NBSI is too easy to face! So I had to stick my head to the manual injection. First, check whether the database table has an admin table. Construct statement submission

Http: // ***. net/view. asp? Action = art & art_id = 70% 20and % 200 ???? (Select % 20 count (*) % 20 from % 20 admin) the database administrator table in the current program is not the name of admin or adminuser user, therefore, we only need to grasp the psychology of the program author. After the statement is submitted, the page returns normal, and we can determine that the admin table exists in the database. We only need the admin password and account, so other tables in the database can be ignored.

3. Guess database fields

In order to reduce the trouble and unnecessary guesses, we should collect some information about the websites that have been infiltrated, for example, the Administrator's QQ and the Administrator's network names must be known, because we usually use a password and account that is easy to remember, so that we can not forget. The Edit document and administrator's QQ number cannot be found on functional pages such as the document page. I had to find it in BBS. Fortunately, we found the "Blue rain" User Name in BBS, in this way, you can try Chinese names or pinyin letters when you guess the admin account. (HaK_BaN: I used to show me the PLMM character and birthday in MSN. Pay attention to the importance of social engineering)

Let's take a look at the Administrator field of the program !? First, I guess the name statement is as follows: http: // ***. net/view. asp? Action = art & art_id = 70% 20and % 201 = (select % 20 count (*) % 20 from % 20 admin % 20 where % 20len (name )?? 0) (HaK_BaN: * _ * not! If the information returned to the page is abnormal after the statement is submitted, it is confirmed that the field NAME is not in the admin table. It seems that I have to think about how to guess it. Since the name field is not enough, try the admin_name field! Re-construct the guess field statement: http: // ***. net/view. asp? Action = art & art_id = 70% 20and % 201 = (select % 20 count (*) % 20 from % 20 admin % 20 where % 20len (admin_name )?? 0) (HaK_BaN: can this problem be solved? I have taken another step !) After the statement is submitted, the page returns normal. Now the sub-statement is okay.

Then, we start to guess the password field. In fact, when we look at the echo above, we can say with certainty that the password field is admin_password, so the submitted statement is http: //***. net/view. asp? Action = art & art_id = 70% 20and % 201 = (select % 20 count (*) % 20 from % 20 admin % 20 where % 20len (admin_password )?? 0) The information is displayed normally, right !? Hahaha

Speaking of this, the entire guess is almost done! (Cainiao: What? Is there an account and password? Are you stupid ?) It is even more troublesome and time-consuming to guess the password and account! Let's take a look at the account and password guesses? First, let's guess the length of the account! Assume that we have obtained the name "Blue rain" commonly used by the Administrator as the administrator account. There are two possibilities. One is lanyu, the Pinyin of lanyu, and the other is converting the Chinese character of lanyu into an ASCII code for guessing. First, let's try the possibility of Pinyin. If so, we need to construct the length of admin_name to 5, so the submit Statement is http: // ***. net/view. asp? Action = art & art_id = 70% 20and % 201 = (select % 20 count (*) % 20 from % 20 admin % 20 where % 20len (admin_name )?? 5) The page information cannot be displayed normally. Then submit http://fj126.net/view.asp? Action = art & art_id = 70% 20and % 201 = (select % 20 count (*) % 20 from % 20 admin % 20 where % 20len (admin_name )?? 4) This subpage is normal! Then, submit the statement http: // ***. net/view. asp? Action = art & art_id = 70% 20and % 201 = (select % 20 count (*) % 20 from % 20 admin % 20 where % 20len (admin_name) = 5) we can determine that the length of admin_name is 5. The length of the account is reached, but we do not know the length of the password. According to information collection, we know that the password is encrypted using MD5 16 bits. So we can guess that the password length is 16 bits! Submit the statement http: // ***. net/view. asp? Action = art & art_id = 70% 20and % 201 = (select % 20 count (*) % 20 from % 20 admin % 20 where % 20len (admin_password) = 16) No! We can basically understand it! The account length is 5 Characters and the password length is 16 characters. (HaK_BaN: I haven't done it manually for a long time. It's almost a backache !) As for the number of accounts and passwords, I will not list them any more! The Administrator account obtained after the test of social engineering is: lanyu is correct! The password is indeed MD516-bit encryption. Throughout the process, you can use the CSC for injection testing!

Iv. Summary

There are several SQL Injection pages of the entire program, which are caused by the absence of related SQL Injection on the functional pages added by the Blue rain whole site. If you are using this program, you can use a general script to prevent injection. Although MD5 requires brute-force cracking, if you really offend people, do not crack it. Maybe your website will be done by others, and network security is a very important part. I hope you will not underestimate the security aspect! If you have any errors in the above articles, please point out that you can contact me in a non-secure forum or BCT group!