Attack and Defense practices: Exploitation and prevention of Injection Vulnerabilities

Source: Tianji blog

Before taking the IT Certification Examination, I am used to searching online. After a stroll, I accidentally came to the Chinese site of PROMETRIC. The author found that the entire site is an ASP program. Besides, there is a login interface for the test room just now. It would be nice to find any vulnerabilities.

Vulnerability Detection

I found a page (_ id = 0 "> http://www.promet.ric.com.cn/openpage.asp? Page_id = 0). Add a single quotation mark after parameter 0. The returned page shows: 500 internal server error. In IE's "Internet Options> advanced", there is a "show friendly HTTP Error message" option to cancel the previous hook. Now we can see the detailed error message:

Microsoft ole db Provider for ODBC Drivers error 80040e14
[Microsoft] [odbc SQL Server Driver] [SQL Server] Line 1: Incorrect syntax near./audit. asp, Row 18

In the past, PROMETRIC used MSSQL. It seems that there is a serious Injection Vulnerability (this is not detailed here due to the suspected attack steps ).

Vulnerability Principle

The SQL injection vulnerability is usually caused by a programmer's lack of knowledge about it and the filtering of a specific parameter during program design. Taking the parameter page_id in the Link Used in the test just now, the filter check is certainly not performed. The query statement in the source program is as follows:

Select * From Table Where page_id = 0

When we submit http://www.prometric.com.cn/openpage.asp? When page_id = 0 and 1 = 1, the query statement is changed:

Select * From Table Where page_id = 0 and 1 = 1

When we submit other query statements, the program will also execute the judgment, such:

Http://www.prometric.com.cn/openpage.asp? Page_id = 0 and user> 0

The query statement is changed:

Select * From Table Where page_id = 0 and user> 0

User is a built-in function of MSSQL. It refers to the user name currently connected to the database and is a nvarchar value. When it is compared with the integer value 0, MSSQL will try to convert the user value to the int type, so MSSQL will report an error:

[Microsoft] [odbc SQL Server Driver] [SQL Server] Syntax error converting the nvarchar value web to a column of data type int.

The error message is followed by the database name, table name, and data. What if the recipient shields the error message? At this time, we will use Unicode, Substr, and other functions to predict through conditional judgment.
How to Use

You can use the nbsi2-mssql (hereinafter referred to as "nbsi2.") tool developed by Xiaozhu. However, you must note that a tool is always a tool and can only be used to improve efficiency and accuracy. You must understand the principles.

We have successfully exported the table names and data in the pro metric Chinese site database through nb_2, including the login users and passwords of various test rooms.

Through cross-database query, the author also found that the BALANCE field in the BALANCE Table stores the BALANCE information of the exam prepayment. As long as the Cross-database update is performed, this amount can be changed completely.

At this time, the author suddenly wondered whether we could set up a private test room ......

The test system is immediately installed. The installation process is very complex and requires the config. dts file (not available on the website ).

Just as I did not know what to do, I suddenly discovered the enterprise mail service. PROMETRIC opened _ blank "> Sina enterprise mail for every test room.

Will these test rooms not change the default password for convenience? As a result, many test rooms did not change the default password, and the author easily entered these mailboxes. After some searching, I finally found the config. dts file sent by PROMETRIC in my mailbox ......

This security test has come to an end. Imagine if the test room program is installed without authorization, can we modify the examinee information at will? If you change the prepayment, can you register for the exam for free? Moreover, using the test room ID and password, we can modify the registration information of any test room on the website, and then clone a false test room by means of social engineering.

Postscript

I don't know whether you can remember the article about Oracle injection vulnerability in the last issue of the Computer newspaper. Although the two have different technical implementation methods and harms, they have one thing in common-opening gaps from a small place, causing great harm.

In my website, some websites only filter illegal characters submitted in the address bar, but ignore the characters submitted in the search function, so that the website still has the injection vulnerability.

Network security is a very important and comprehensive task. You must pay attention to it everywhere. Otherwise, it is difficult to estimate the loss caused.