Forum vulnerability analysis-Upload Vulnerability and brute-force database Vulnerability

Source: Internet
Author: User
Tags: forum software

Software Security

A forum is an electronic information service system on the Internet. It provides a public electronic whiteboard on which every registered user can "write" to publish information or make comments.

Currently, few forums run software written by their own operators; most use source programs downloaded from the Internet. Common forum source programs include the Dvbbs forum (dv bbs), the Leiao forum, and the popular bbs xp forum.

This section describes two common forum vulnerabilities and focuses on the exploitation ideas behind them, in order to raise the security awareness of forum administrators.

4.3.1 Upload Vulnerability

The forum upload vulnerability is a common vulnerability in forum software, and it is usually caused by design mistakes in the forum source code. A vulnerability that allows remote users to upload arbitrary files to the forum host is called an upload vulnerability. Through it, an intruder can even gain full control over the host that runs the forum service. Most forums support file upload to make the interface attractive and user-friendly, and the uploaded files are subject to type restrictions. The design mistake is lax filtering of file types: for example, if only JPEG files are supposed to be allowed, a user can still upload ASP files. The following describes the specific content and exploitation of the upload vulnerability in the Dvbbs forum (dv bbs).
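As an added illustration (not code from this page or from Dvbbs, which is classic ASP), the following Python sketch contrasts the kind of lax file-type filter described above with a hardened one that decides by the final extension and the file's own bytes rather than by anything the browser declares. The Upload class, the function names and the sample uploads are constructed for the example.

```python
import re
from dataclasses import dataclass

# A JPEG file begins with the SOI marker FF D8 FF.
JPEG_MAGIC = b"\xff\xd8\xff"
ALLOWED_EXT = {"jpg", "jpeg"}

@dataclass
class Upload:
    filename: str       # name supplied by the browser (client-controlled)
    content_type: str   # MIME type supplied by the browser (client-controlled)
    data: bytes         # file body

def weak_check(up: Upload) -> bool:
    """Lax filter of the kind the text describes: it trusts client-declared values.
    Accepts if the declared MIME type looks like an image or the name mentions .jpg."""
    return up.content_type.startswith("image/") or ".jpg" in up.filename.lower()

def strict_check(up: Upload) -> bool:
    """Hardened filter: allowlist the last (and only) extension and verify the
    JPEG magic bytes, ignoring the client-declared MIME type entirely."""
    name = up.filename.replace("\\", "/").rsplit("/", 1)[-1]   # strip any path
    if not re.fullmatch(r"[A-Za-z0-9_\-]+\.[A-Za-z0-9]+", name):  # exactly one dot
        return False
    ext = name.rsplit(".", 1)[1].lower()
    return ext in ALLOWED_EXT and up.data.startswith(JPEG_MAGIC)

def stored_name(counter: int) -> str:
    """Never reuse the client filename on disk; generate one with a fixed extension."""
    return f"avatar_{counter:08d}.jpg"

# Constructed sample uploads (not captured traffic): one real photo and three
# files that a lax filter lets through but a strict one must reject.
SAMPLES = {
    "real_photo": Upload("me.jpg", "image/jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
    "script_with_image_type": Upload("page.asp", "image/jpeg", b"<% Response.Write(1) %>"),
    "double_extension": Upload("page.jpg.asp", "application/octet-stream", b"<% %>"),
    "script_named_jpg": Upload("page.jpg", "image/jpeg", b"<% %>"),
}

def evaluate() -> dict:
    """Return {sample: (weak_accepts, strict_accepts)} for every constructed upload."""
    return {k: (weak_check(u), strict_check(u)) for k, u in SAMPLES.items()}
```

Only the genuine JPEG passes the strict check; the other three are accepted by the lax filter, which is exactly the class of mistake that lets script files reach the web root.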

1. Instance

Attackers can exploit the Dvbbs upload vulnerability to intrude into a website.

Description of the Dvbbs upload vulnerability: the vulnerability exists in DV BBS 7.0 SP2 and all earlier versions. Versions before DV BBS 7.0 SP2 can be used to upload ASP files directly.

The vulnerability lies where the profile picture is uploaded when basic user information is modified. As shown in Figure 4-73, clicking the upload button calls the file upfile.asp, whose file-type filtering is lax.

Figure 4-73

How the vulnerability is exploited: after detecting the vulnerability, the attacker registers a user account on the vulnerable forum and uses this account to obtain a Cookie. A webpage Trojan file is created locally, and a dedicated tool uploads it to the remote host using the obtained Cookie value.

Step 1: Search for vulnerabilities

Vulnerable forums can be located with Baidu (http://www.baidu.com), Yahoo (http://cn.search.yahoo.com/) and other search engines. For example, searching "Powered By: Dvbbs Version 7.0.0 SP1" in Baidu gives the results shown in Figure 4-74.

Figure 4-74

In this example, a Dvbbs forum host with an upload vulnerability is attacked. Its address is http://192.168.232.132 and its version is 6.1.0, as shown in Figure 4-75.

Figure 4-75

Step 2: register a user

In this example, exploiting the upload vulnerability requires access to the user's basic information settings page, so a user must first be registered. Here the user name squirrel is registered with the password 111111; the logon screen is shown in Figure 4-76.

Figure 4-76

After logging on, select the basic information modification option in the user control panel, as shown in Figure 4-77.

Figure 4-77

The page shown in Figure 4-78 is displayed.

Figure 4-78

Step 3: Obtain the Cookie

What is a Cookie?

A Cookie is a file created by an Internet site to store information on your computer, for example your preferences when visiting that site. Cookies can store personally identifiable information such as your name, e-mail address, home or work address, or phone number. Once a Cookie is saved on a computer, it can only be read by the website that created it.

Cookies are either permanent or temporary. Permanent cookies are stored as files on the computer and remain there after Internet Explorer is closed; when you visit the site again, the website that created the Cookie can read it. Temporary cookies, or session cookies, exist only for the current browsing session and are deleted from the computer when Internet Explorer is closed.

Tool Introduction

Tool used: Winsock Expert.

Tool description: the commonly used version is Winsock Expert v0.6 beta1. Winsock Expert is a specialized tool for monitoring the network traffic of a running program. It can be used to monitor IE and obtain the related Cookie information.

Cookie acquisition

Open Winsock Expert, as shown in Figure 4-79.

Figure 4-79

Log on to the forum with the registered user name and go to the basic information modification page, as shown in Figure 4-80.

Figure 4-80

To obtain the Cookie, you need to monitor IE and capture its packets. Return to Winsock Expert, click the icon, and choose the page you just opened in Select Process To Monitor. Here it is "mobile network pioneer Forum - Modify basic information", as shown in Figure 4-81.

Figure 4-81

Select it and click the "Open" button; the running interface of Winsock Expert is shown in Figure 4-82.

Figure 4-82

Temporarily set Winsock Expert aside and do not perform any other operations in it. On the forum's personal basic information modification page, click Browse to select a file, as shown in Figure 4-83.

Figure 4-83

After you click the upload button, the page shown in Figure 4-84 is displayed: a directly uploaded ASP file is filtered out. The following steps show how tools are used to upload an ASP webpage Trojan anyway; for now, the only preparation needed is to obtain the Cookie.

Figure 4-84

At this point the data packets have been captured. In the Winsock Expert window, locate the row of the "POST path" item in the Packets Text column and click it; the details in the lower part of the window contain the required Cookie information, together with the path and file name of the script that processes the upload, as shown in Figure 4-85. The Cookie obtained in this example is ASPSESSIONIDQGQQGUDK=NMPJMAFDNGMAJHOCNLOELOHL. The upload-processing path is the forum root directory, and the file name is upfile.asp.

Figure 4-85

Step 4: generate a webpage Trojan

Tool Introduction

Tool used: Haiyang top network ASP Trojan 2006.

Tool description: Haiyang top network ASP Trojan 2006 contains 6 files. The purpose of each file is as follows.

2006.asp: the Haiyang top network ASP Trojan 2006 file.
Pack.vbs: unpacks the package file "HYTop.mdb".
2006X.exe: C/S mode converter for Haiyang top network ASP Trojan 2006.
2006X2.exe: dedicated short-server C/S mode converter for Haiyang top network ASP Trojan 2006.
2006Z.exe: generator for the Haiyang top network ASP Trojan 2006 Lite version; it generates a Lite version Trojan with a custom set of functions.
Hididi.ini: configuration file for 2006Z.exe.

The webpage Trojan file generated by 2006Z.exe is used. The advantage of 2006Z.exe is that the functions of the generated webpage Trojan can be chosen, and it is easy to operate after uploading.

2006Z.exe instructions for use: after opening the program, select the function modules of the Lite version Haiyang top network ASP Trojan in the "Page selection" frame. In the "Page generation" frame, the source file refers to the full version of Haiyang top network ASP Trojan 2006 (2006a.asp in this folder); select the corresponding source file and generated file, and click the "generate" button to generate the Haiyang top of the corresponding function combination
