Discuz plug-in "Virtual Stock Market" blind Injection Vul (blind Injection) Exploitation

The vulnerability was discovered by the penetration of a website. Since discuz version is 7.0, I have to focus on the third-party plug-ins it has installed.

After a simple test, we found the injection vulnerability in virtual stock market:
Http://www.target.com/plugin.php... _ One & stockid = 91 #91 is Variable Parameter
Http://www.target.com/plugin.php... ser_Show & uid = 13 #13 is Variable Parameter

After the injection is confirmed, try to use order by to guess the number of fields and then union select. However, when both injection points reach a certain number of fields, the executed SQL statement changes. The reason is that there is a control statement in the plug-in code, so that it jumps to another line for execution. In this case, we cannot obtain the number of fields.

There are two ideas:
1. Try blind Injection
2. Check the table structure and field count by reading the source code of the plug-in "virtual stock market ".

However, after searching, we found that the author of this plug-in encrypted its source code with zend when it was released. However, none of the existing decryption tools are ideal (this is why the vulnerability principles and details cannot be clarified ). Therefore, we can only adopt blind injection (for me ).

Blind injection takes no time, but we will think about what information can be obtained by blind injection? My method is as follows:
# Determine the MYSQL version. If the returned result is normal, the value is 5. If the returned result is abnormal, continue to test whether the returned result is 4.
/Plugin. php? Identifier = stock & module = stock & action = User_Show & uid = 13 and substring (@ version, 1, 1) = 5
# Whether subquery is supported (version 4)
/Plugin. php? Identifier = stock & module = stock & action = User_Show & uid = 13 and (select 1) = 1
# Whether the current user is root
/Plugin. php? Identifier = stock & module = stock & action = User_Show & uid = 13 and (select 1 from mysql. user limit 0, 1) = 1

The following is different based on the situation:
1. If the database user is root, the root password HASH can be taken out and then cracked. If the other server is open in 3306 or phpmyadmin is installed, you will not have to go to the next step. If 3306 is not enabled or phpmyadmin is not installed, you can use the cracked password to guess the ftp password, 3389 password, or SSH password, or the background administrator password.
2. If the database user is not the root user, the administrator password HASH of the discuz User table cdb_members is taken out and then cracked.

####### Retrieve data
# Whether the ASCII value of the first character in the first row of the mysql. user table is greater than 80
And ascii (substring (SELECT concat (username, 0x3a, password) from mysql. user limit 0, 1, 1)> 80
# Whether the ASCII value of the second character is greater than 90
And ascii (substring (SELECT concat (username, 0x3a, password) from mysql. user limit),)> 90
............

In this case, the password HASH of MYSQL4 is 16-bit MD5 encryption, and the password HASH of MYSQL5 is 41-bit (plus ).

Password cracking:
1. If MYSQL version 4 is used, www.sqlhack.com is available. This tool uses a legendary BUG and is fast.
2. if MYSQL version is 5, I recommend using ighashgpu for cracking (it seems that only GPU is used, no CPU is needed). My AMD4 Core + HD 4650 graphics card, the cracking speed is 60 M/s, put it on the Inter Core i7 8-Core + NVIDIA GeForce 9800GTX + platform, and the speed is 70 M/s. With passwordpro, the speed is only 170 w/s, which is the gap. I only spent more than seven minutes on 7 pure letters.

For the environment at that time, the method I could think of was like this. If there are other vulnerabilities, they may be better used together to achieve a one-blow attack. Finally, you are welcome to enlighten me if you are interested in penetration :)

Refer:
1. Full SQL Injection Tutorial (MySQL) From milw0rm.com
2. Great google