Brief Analysis and Summary of leichi news System Vulnerabilities


Author: Leng Feng

Note: This article summarizes several vulnerabilities across the three versions of the leichi news system and briefly walks through getting a shell. Haha, it is dedicated to ASP beginners like me! If there are mistakes, please point them out. Thank you!
I. 'or'='or' Vulnerability
1. Vulnerability Analysis
The vulnerable file is the backend login check, /admin/chklogin.asp. See lines 4-7 of its code:
Dim rs
admin1 = Request("admin")        ' not filtered
password1 = Request("password")  ' not filtered
Set rs = Server.CreateObject("ADODB.RecordSet")
' The single quotes around both values were lost in extraction and are restored here;
' the query is still assembled by string concatenation, which is the flaw.
rs.Open "select * from admin where admin='" & admin1 & "' and password='" & encrypt(password1) & "'", conn, 1

' The encrypt() function "encrypts" the password (see the Password Encryption section below).

Obviously, the username and password are taken straight from the request without any filtering. As long as the input is not empty, we can construct an injected SQL statement. I believe everyone understands this, so I will not go on about it.
2. Simple Use
This vulnerability exists in all of V1.0, V2.0 and V3.0 of the leichi news system. In V3.0, however, the bundled anti-injection system intercepts the attempt, so the injection does not succeed.
So for versions earlier than 3.0 you can enter the backend this way.
II. Database Exposure Vulnerability
Cause: no access permission check.
Directly accessing admin/adminconn.inc exposes the database path. This also shows whether the database file is .asp or .asa (useful later).

III. Cookie Injection Vulnerability
The enhanced version 2.0 of the leichi news system (not the plain 2.0) added an anti-injection system. Analysis shows, however, that the General SQL anti-injection system 3.0 it uses has a cookie injection vulnerability. Look at the vulnerable code in /SQL/Neeao_SqlIn.Asp:
'-------- POST part ------------------
If Request.Form <> "" Then
    For Each Fy_Post In Request.Form
        For Fy_Xh = 0 To UBound(Fy_Inf)
            If InStr(LCase(Request.Form(Fy_Post)), Fy_Inf(Fy_Xh)) <> 0 Then
                If WriteSql = True Then
                    KillSqlconn.Execute("insert into SqlIn(Sqlin_IP,SqlIn_Web,SqlIn_FS,SqlIn_CS,SqlIn_SJ) values('" & Request.ServerVariables("REMOTE_ADDR") & "','" & Request.ServerVariables("URL") & "','POST','" & Fy_Post & "','" & Replace(Request.Form(Fy_Post), "'", "''") & "')")
                    KillSqlconn.Close
                    Set KillSqlconn = Nothing
                End If
                Response.Write "<script type=""text/javascript"">//<![CDATA[" & vbCrLf & "alert('System prompt: please do not include illegal characters in the parameter to try to inject!');" & vbCrLf & "//]]></script>"
                Response.Write "Illegal operation! The system has recorded the following:<br>"
                Response.Write "Operation IP: " & Request.ServerVariables("REMOTE_ADDR") & "<br>"
                Response.Write "Operation time: " & Now & "<br>"
                Response.Write "Operation page: " & Request.ServerVariables("URL") & "<br>"
                Response.Write "Submission method: POST<br>"
                Response.Write "Submitted parameter: " & Fy_Post & "<br>"
                Response.Write "Submitted data: " & Request.Form(Fy_Post)
                Response.End
            End If
        Next
    Next
End If
'----------------------------------------
'-------- GET section -------------------
If Request.QueryString <> "" Then
    For Each Fy_Get In Request.QueryString
        For Fy_Xh = 0 To UBound(Fy_Inf)
            If InStr(LCase(Request.QueryString(Fy_Get)), Fy_Inf(Fy_Xh)) <> 0 Then
                If WriteSql = True Then
                    KillSqlconn.Execute("insert into SqlIn(Sqlin_IP,SqlIn_Web,SqlIn_FS,SqlIn_CS,SqlIn_SJ) values('" & Request.ServerVariables("REMOTE_ADDR") & "','" & Request.ServerVariables("URL") & "','GET','" & Fy_Get & "','" & Replace(Request.QueryString(Fy_Get), "'", "''") & "')")
                    KillSqlconn.Close
                    Set KillSqlconn = Nothing
                End If
                Response.Write "<script type=""text/javascript"">//<![CDATA[" & vbCrLf & "alert('System prompt: please do not include illegal characters in the parameter to try to inject!');" & vbCrLf & "//]]></script>"
                Response.Write "Illegal operation! The system has recorded the following:<br>"
                Response.Write "Operation IP: " & Request.ServerVariables("REMOTE_ADDR") & "<br>"
                Response.Write "Operation time: " & Now & "<br>"
                Response.Write "Operation page: " & Request.ServerVariables("URL") & "<br>"
                Response.Write "Submission method: GET<br>"
                Response.Write "Submitted parameter: " & Fy_Get & "<br>"
                Response.Write "Submitted data: " & Request.QueryString(Fy_Get)
                Response.End
            End If
        Next
    Next
End If
Obviously, the file only checks values submitted by GET and POST. Web pages normally read their parameters through Request.Form or Request.QueryString, and anti-injection 3.0 restricts both of those. The Request.Cookies collection is not restricted at all, and a bare Request("name") call, as used in onews.asp, also reads from Request.Cookies. That is to say, as long as we deliver the injection statement through a cookie, the injection can succeed.

I also analyzed the /onews.asp file. The code is as follows:

<!--#include file="conn.asp"-->
<%
owen = Request("owen")
owen1 = Request("owen1")
owen2 = Request("owen2")
n = Request("n")
If n = "" Then
    n = 100
End If
%>

<%
If owen1 <> "" And owen2 <> "" Then
    ' The values go straight into the SQL string (single quotes restored from the garbled extraction).
    sql = "select * from NEWS where BigClassName='" & owen1 & "' and SmallClassName='" & owen2 & "' order by id desc"
    Set rs = conn.Execute(sql)
    Do While Not rs.EOF
    ' ... (rest of the loop not shown)
%>

As soon as they see this, many friends would say there is injection here, and indeed there is. But look again at the included conn.asp (the database connection file). Its code is as follows:

<%
Dim conn, connstr
On Error Resume Next
connstr = "DBQ=" + Server.MapPath("data/nxnews.mdb") + ";DefaultDir=;DRIVER={Microsoft Access Driver (*.mdb)};"
Set conn = Server.CreateObject("ADODB.CONNECTION")
conn.Open connstr
%>

<!--#include file="SQL/Neeao_SqlIn.Asp"-->
The last line includes the general anti-injection system written by neeao. That is, every page that queries the database is first filtered by the anti-injection system, so we cannot inject straight through GET or POST.
So we can only inject through cookies. We could set the cookie with JavaScript and construct the statement by hand, but it is easier to use GreenBrowser's jscookie plug-in to inject directly.

First, construct the injection statement. Opening the database shows the table has 11 fields, so a statement like the following can be used for injection:

-1 union select 1, admin, password, from admin

Here -1 makes the first query's condition false, so the joined query is what gets executed and displayed. That completes the principle analysis.
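To make the gap concrete, here is an added Python model (not leichi's or Neeao's code) of the behaviour described above: a blacklist that inspects only GET and POST values, an emulation of bare Request("name") falling through to cookies, the concatenated query from onews.asp, and the hardened form that validates the type and binds the value as a parameter. The blacklist subset, table and cookie value are constructed for the example.

```python
import sqlite3

# Constructed subset of Neeao's Fy_Inf blacklist (the real list is not on the page).
BLACKLIST = ("union", "select", "'", ";")

def neeao_check(query_string, form):
    """True if any GET or POST value contains a blacklisted token.
    Cookies are never inspected: that is the gap the article describes."""
    for source in (query_string, form):
        for value in source.values():
            if any(token in value.lower() for token in BLACKLIST):
                return True
    return False

def asp_request(name, query_string, form, cookies):
    """Emulates bare Request(name): QueryString, then Form, then Cookies."""
    for source in (query_string, form, cookies):
        if name in source:
            return source[name]
    return ""

def vulnerable_sql(id_value):
    # Concatenation as in onews.asp: the value is parsed as SQL text.
    return "select * from NEWS where id=" + id_value

def safe_lookup(conn, id_value):
    """Hardened form: validate the type and bind the value as a parameter,
    so it cannot alter the query whichever collection it came from."""
    try:
        key = int(id_value)
    except ValueError:
        return None
    return conn.execute("select title from NEWS where id=?", (key,)).fetchone()

def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table NEWS (id integer, title text)")
    conn.execute("insert into NEWS values (42, 'sample story')")
    qs, form = {}, {}
    cookies = {"id": "42 union select 1"}   # constructed cookie-borne input
    blocked = neeao_check(qs, form)          # False: the filter never sees it
    value = asp_request("id", qs, form, cookies)
    return blocked, vulnerable_sql(value), safe_lookup(conn, value), safe_lookup(conn, "42")
```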
2. Usage:
Open a news page, such as http://59.77.72.12/leichi3.0/onews.asp?id=42, and submit http://59.77.72.12/leichi3.0/onews.asp?id=42' (note that the single quotation mark here must be the Chinese full-width one, since the English one is filtered). A database error message shows that injection exists.

Then we use GreenBrowser to inject, removing the id parameter from the URL: http://59.77.72.12/leichi3.0/onews.asp (Figures 2 and 3).

The injection succeeds and onews.asp displays the administrator username and password (Figure 4).

The username is admin and the password is bfpms. The encryption algorithm is very simple; see the analysis below.
IV. Password Encryption
The leichi news system's encryption is so simple that you can compute it by hand, as long as you remember the ASCII codes. I wrote a small helper tool (http://bbs.awolf07.cn/attachment.php?aid=46) that cracks it directly. Let's see how it is encrypted. The encrypt() function mentioned above is defined in /admin/adminconn.inc:
Function decrypt(dcode)
    Dim texts
    Dim i
    For i = 1 To Len(dcode)
        ' subtract the 1-based position from each character's code
        texts = texts & Chr(Asc(Mid(dcode, i, 1)) - i)
    Next
    decrypt = texts
End Function

Function encrypt(ecode)
    Dim texts
    Dim i
    For i = 1 To Len(ecode)
        ' add the 1-based position to each character's code
        texts = texts & Chr(Asc(Mid(ecode, i, 1)) + i)
    Next
    encrypt = texts
End Function
%>


encrypt is the encryption routine and decrypt the decryption routine. Briefly, the principle is: for each character of the password, add its position in the password (1 for the first character, 2 for the second, and so on) to its ASCII code; the result is the stored "encrypted" password, and subtracting the position again recovers the original. For example, admin encrypts to bfpms. It is a very simple transformation. If you are interested, you can do the conversion against an ASCII table by hand; I have prepared the tool so you are spared that. In short, leichi does not use MD5.
This is a weakness: with MD5, even if you obtain the hash, a strong password may never be cracked, whereas here every password is directly recoverable. (Of course, some may say you can also use cookie spoofing to log in. That works too, but I don't know how to construct it, so please advise.)
That is all for the encryption algorithm.
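As an added example (not the project's code), the encrypt()/decrypt() pair above re-implemented in Python, which shows that the stored value is an exactly reversible position shift, placed beside a salted PBKDF2 hash as the kind of replacement a maintainer would use; the function names and the iteration count are this example's own choices.

```python
import hashlib
import hmac
import os

def leichi_encrypt(plain):
    # Raise each character's code by its 1-based position, as encrypt() does.
    return "".join(chr(ord(c) + i) for i, c in enumerate(plain, start=1))

def leichi_decrypt(stored):
    # Exact inverse: whoever reads the admin table recovers every password.
    return "".join(chr(ord(c) - i) for i, c in enumerate(stored, start=1))

def pbkdf2_hash(password, salt=None, iterations=200_000):
    """Replacement: random salt plus a slow one-way KDF; returns 'salt$digest'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt.hex() + "$" + digest.hex()

def pbkdf2_verify(password, record, iterations=200_000):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = record.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), iterations)
    return hmac.compare_digest(digest.hex(), digest_hex)
```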
