Source of the vulnerability: Driving School Website System 1.0
Impact: the webmaster's account and password can be obtained
Among domestic driving school websites, about 80% are built on Driving School Website System 1.0, and this program carries a serious SQL injection vulnerability. It cannot be exploited with ordinary SQL injection methods, but through cookie injection an attacker can easily obtain the webmaster's account and password.
What is the difference between ordinary SQL injection and cookie injection? It comes down to how the data is submitted. In an ordinary SQL injection attack the attacker sends the malicious data in a GET or POST request; cookie injection instead places it in the cookie.
Websites usually filter the data submitted via GET and POST but do not filter the data carried in cookies, so a payload that would be blocked in the query string passes through unchecked when it arrives in a cookie. The vulnerability test method is as follows:
STEP 1: Open a page that has the SQL injection vulnerability, for example a URL of the form http://www.***.com/shownews.asp. Clear the address bar and enter the following code: javascript:alert(document.cookie="id="+escape("the and 1=2 union select 1,username,password,4,5,6,7,8,9,10,11 from admin")). After pressing Enter the browser pops up a dialog box; click OK.
STEP 2: Return to the vulnerable page and press F5 to refresh it. The page now shows the webmaster's account and password: the article title is the administrator account and the article body is the MD5 hash of the password. In this case the account is admin and the hash is 7a57a5a743894a0e.
STEP 3: Open the MD5 lookup site http://www.cmd5.com, enter the hash 7a57a5a743894a0e in the text box and click "Decrypt"; the recovered password is admin. Append admin/login.asp to the site's domain name to reach the Driving School website admin login page, and log in to the backend with account admin and password admin.
The Driving School website is captured this easily. An attacker who wants to go further can use the backend's database backup function to obtain a webshell, or change the allowed upload file types in the backend and upload an ASP Trojan directly to the site, and from there penetrate the server further.
How is the vulnerability closed? As a temporary measure, have the vulnerable page shownews.asp call a universal anti-injection script. To eliminate the vulnerability completely, the best approach is to drop cookie-based authentication and use session validation instead.
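The root cause described above is that the `id` value reaching the SQL query may come from the cookie as well as from the query string or form, and only the first two are filtered. The following added example (my own illustration, not code from Driving School Website System 1.0 or from this article) shows the hardening a defender would apply to the `shownews.asp` lookup in Python against an in-memory SQLite database: every source of the `id` parameter is treated as untrusted, the value is accepted only if it is a plain integer, and it is bound as a query parameter instead of being concatenated into the SQL. It also includes a simple heuristic for reviewing access logs that record the `Cookie` header, so attempts of this kind can be spotted after the fact. The table names, the `get_request_id` fallback order and the log lines are all constructed assumptions.

```python
import re
import sqlite3
import urllib.parse

# Constructed sample database standing in for the site's news and admin tables.
# Schema and rows are assumptions, not taken from the real product.
def build_sample_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, content TEXT);
        CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO news VALUES (1, 'Enrolment opens', 'Spring classes start in March.');
        INSERT INTO admin VALUES (1, 'admin', '7a57a5a743894a0e');
        """
    )
    return conn

def get_request_id(query: dict, form: dict, cookies: dict):
    """Return the raw id parameter from whichever request source carries it.
    This mirrors the collection-less Request("id") pattern in classic ASP
    (assumed here), which silently falls back to the cookie, so the cookie
    must be validated exactly like the query string and form."""
    for source in (query, form, cookies):
        if "id" in source:
            return source["id"]
    return None

# Only a short run of decimal digits is a legitimate article id.
_ID_PATTERN = re.compile(r"^[0-9]{1,9}$")

def fetch_news(conn, query, form, cookies):
    """Hardened lookup: reject anything that is not an integer id, regardless
    of which request source supplied it, and bind the value as a parameter
    rather than concatenating it into the SQL text."""
    raw = get_request_id(query, form, cookies)
    if raw is None or not _ID_PATTERN.match(raw):
        raise ValueError("id must be a decimal integer")
    return conn.execute(
        "SELECT title, content FROM news WHERE id = ?", (int(raw),)
    ).fetchone()

# Detection heuristic for log review: SQL keywords or quote characters in a
# value that should only ever be a number. Tune for your own parameters.
_SUSPECT = re.compile(r"(?i)\b(union|select|insert|update|delete|from|and|or)\b|['\";]")

def looks_like_injection(value: str) -> bool:
    return bool(_SUSPECT.search(value))

def scan_cookie_log(lines):
    """Return (line_number, raw cookie value) for log lines whose id cookie
    looks like an injection attempt. The value is URL-decoded before the
    check, since browsers send escape()-encoded cookies."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = re.search(r"Cookie: .*?\bid=([^;\s]*)", line)
        if m and looks_like_injection(urllib.parse.unquote(m.group(1))):
            hits.append((n, m.group(1)))
    return hits

# Constructed access-log lines: a normal request, a cookie-injection attempt
# and a request with no id cookie at all.
SAMPLE_LOG = [
    "10.0.0.5 GET /shownews.asp?id=1 Cookie: id=1; lang=zh",
    "10.0.0.9 GET /shownews.asp Cookie: id=1%20and%201%3D2%20union%20select%201%2Cusername%2Cpassword%20from%20admin; lang=zh",
    "10.0.0.7 GET /shownews.asp?id=7 Cookie: lang=zh",
]

if __name__ == "__main__":
    db = build_sample_db()
    print(fetch_news(db, {"id": "1"}, {}, {}))
    try:
        fetch_news(db, {}, {}, {"id": "1 and 1=2 union select 1,username,password from admin"})
    except ValueError as exc:
        print("rejected:", exc)
    print(scan_cookie_log(SAMPLE_LOG))
```

Note that the integer check alone would already stop this particular attack, but binding the parameter is what removes the injection class entirely; the two belong together. Replacing cookie-based authentication with a server-side session, as the article recommends, is a separate change: it stops the attacker from forging an authenticated identity, but it does not protect a page that still reads untrusted `id` values from the cookie, so both fixes are needed.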