Encryption, but this is enough. Finally, enter "http://www.target.com/dvbbs/tongji.asp?orders=2&n=10%20usercookies", press Enter, and write down the Administrator's usercookies shown in the window that appears (Figure 5); generally the value is 0. Now the hacker has the Administrator's cookies and can intrude into the forum by forging the Administrator's cookies on the local machine. If you enter "http://www.target.com/dvbbs/tongji.asp?orders=2&n=10%20question", you can also get the password prompt question used when a forum user has forgotten the password, and entering "http://www.target.com/dvbbs/tongji.asp?orders=2&n=10%20answer" gets you his answer (also MD5 encrypted)!
Next, register a new user in the forum, then use cookie-management software (such as iecv) to modify your cookies for the forum. The purpose of this step is to make the forum believe, through its cookies, that you are the Administrator: the forum decides whether a visitor is an administrator mainly from the forum ID and password, and the cookies record that forum ID and password in encrypted form.
Run the cookie-management software iecv and select "obsolete cookie file" under the "View" menu to view the cookies on your computer. Because you are a newly registered forum ID, you can see the forum's cookie file at the top of iecv's main window with a "√" before it. Right-click aspsky in the centre of the interface, select "Edit cookie content" in the pop-up menu (Figure 6), and you can edit your cookies: replace the content with the content you just found. Close the software, close the browser, and re-enter the address of the forum. The hacker has now become the administrator of the forum! At this point the forum is under the hacker's control and he can do whatever he wants!
For example, a hacker can open Notepad and press the Tab key, or Caps Lock + Tab, to produce a special space. He copies that blank, appends it to the username he wants to impersonate, and registers a new user with it. In this way a new user is successfully registered with the same displayed name as the other user, and he can then post as if he were that person; if other users are not paying attention, they will be taken in. Entering AAAA, aaab, or aaac with the location input method also produces special spaces. In addition, a special space can be created with an HTML tag (that is, one whose displayed content is blank). In ASP programs the success rate of impersonation with the AAAA, aaab and aaac spaces from the location input method is extremely high, while in PHP programs the Tab key and hand-made special spaces succeed more often. What is worse, on the wdb forum and the Ibb forum a special username constructed with the Tab key gets the same permissions as the original user: if the original username is administrator, the hacker's impersonating user also becomes Administrator!
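The impersonation trick above relies on names that look identical once a tab, a full-width space or another invisible character is appended. A registration check that refuses such characters and compares names after Unicode normalisation, as an added Python example (not part of the original article; EXISTING_USERS is constructed sample data):

```python
import unicodedata

# Constructed set of already-registered names (sample data, not from the page).
EXISTING_USERS = {"Administrator", "lxgyp"}

# Control, format and separator characters are invisible or near-invisible
# when a name is rendered next to a post.
INVISIBLE_CATEGORIES = {"Cc", "Cf", "Zs", "Zl", "Zp"}


def _is_invisible(ch: str) -> bool:
    return ch.isspace() or unicodedata.category(ch) in INVISIBLE_CATEGORIES


def invisible_chars(name: str) -> list:
    """Every whitespace/invisible character in the name (tab, NBSP, U+3000, ZWSP, ...)."""
    return [ch for ch in name if _is_invisible(ch)]


def canonical_name(name: str) -> str:
    """Comparison key: NFKC folds full-width letters and spaces to their ASCII
    forms, invisible characters are dropped, and the rest is case-folded."""
    folded = unicodedata.normalize("NFKC", name)
    return "".join(ch for ch in folded if not _is_invisible(ch)).casefold()


def registration_problem(name: str, existing=EXISTING_USERS):
    """Return None if the name may be registered, otherwise the reason to refuse it.
    Internal spaces are refused too; a forum that wants to allow them should
    still compare names with canonical_name() so 'a b' cannot shadow 'ab'."""
    if invisible_chars(name):
        return "contains whitespace or invisible characters"
    key = canonical_name(name)
    if not key:
        return "empty name"
    if key in {canonical_name(u) for u in existing}:
        return "collides with an existing account"
    return None
```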
Third move: the dark warehouse forms a web backdoor
As you know, if "system @argv; #" is written into a CGI or Perl program (note that the quotation marks are not entered), an interesting web backdoor is formed: entering http://ip/*.pl?dir in the IE address bar shows the physical directory of the website. Take the free CGI message book by agbii, which is very popular on the Internet, as an example. The messages in this message book are stored by message number, username, title and content, and the N messages are written in sequence into a fixed directory named data/username. It sounds complicated, so look at Figure 7. Suppose this is a hacker's message in agbii's free CGI message book and it is the 14th message in the book; suppose the registered username is system, the title is @argv; #, and the content is "Haha". The file 14.pl in the data/222 directory then has the content shown in Figure 8. Because the owner of this message book is user 222, as soon as the hacker enters http://ip/book/data/222/14.pl?dir in the browser's address bar he gets a shell (Figure 9). Note that http://ip/book/ is the address of the message book. After obtaining the shell, the hacker can also get the Administrator's password: enter "http://ip/book/data/Administrator name/14.pl?type+<physical directory of the message book>\User\<Administrator name>.cgi" in the browser's address bar. Taking this article as an example, just entering "http://www.xxx.com/book/data/lxgyp/14.pl?type+D:\VM\WEB\book\User\lxgyp.cgi" gets the Administrator's username and password, the email address given at registration, his website address, IP address and logon time!
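The tongji.asp cookie-dump queries in the first section and the guestbook backdoor above both leave characteristic entries in the web server's access log. An added example, not from the original article, that flags them in constructed IIS-style W3C log lines (fields: date, time, client IP, method, URI stem, URI query, status; the log lines and addresses are made up):

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed access log: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2003-05-01 10:00:01 10.0.0.5 GET /dvbbs/index.asp - 200
2003-05-01 10:00:07 10.0.0.9 GET /dvbbs/tongji.asp orders=2&n=10%20usercookies 200
2003-05-01 10:01:13 10.0.0.9 GET /dvbbs/tongji.asp orders=2&n=10%20password 200
2003-05-01 10:01:40 10.0.0.5 GET /dvbbs/tongji.asp orders=2&n=10 200
2003-05-01 10:02:44 10.0.0.9 GET /book/data/222/14.pl dir 200
2003-05-01 10:03:02 10.0.0.12 GET /book/book.cgi - 200
2003-05-01 10:04:19 10.0.0.9 GET /dvbbs/data/database.mdb - 404
"""

# Column names the article shows being pulled out through tongji.asp.
SENSITIVE_COLUMNS = re.compile(r"\b(usercookies|password|question|answer)\b", re.I)
DB_SUFFIXES = (".mdb", ".asa", ".inc")


def classify(line: str):
    """Return (label, client_ip, stem, decoded_query) for a suspicious request, else None."""
    fields = line.split()
    if len(fields) < 7:
        return None
    ip, stem, query = fields[2], fields[4], fields[5]
    decoded = unquote(query) if query != "-" else ""
    stem_l = stem.lower()
    if stem_l.endswith("/tongji.asp"):
        # n is a row count; anything but digits (e.g. "10 usercookies") is injected text.
        n_values = parse_qs(decoded).get("n", [])
        if SENSITIVE_COLUMNS.search(decoded) or any(not v.isdigit() for v in n_values):
            return ("tongji-sql-injection", ip, stem, decoded)
    if "/data/" in stem_l and stem_l.endswith((".pl", ".cgi")):
        # Guestbook data files must never be executed; a hit here is the backdoor in use.
        return ("guestbook-backdoor", ip, stem, decoded)
    if stem_l.endswith(DB_SUFFIXES):
        return ("database-download", ip, stem, decoded)
    return None


def scan(log_text: str) -> list:
    """All suspicious requests in the log, in order of appearance."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```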
Page 3: one-stop teaching of general forum intrusion (figure)
Another interesting and difficult method is called cross-site scripting. Let's start with an interesting phenomenon. There is a bug in the UBB code popular in forums. When someone clicks such a post, a dialog box pops up. If you replace the preceding content with: , a dialog box is displayed and a new webpage window is opened. What if a hacker puts a webpage of his own into that new window? The answer is that you have been hit by a Trojan! This method can also be used to promote a user who has no permissions at all in the forum to administrator. Suppose the URL for promoting the user hacker to forum administrator is http://ip/BBS/upadmin?user=hacker. Because this URL is executed successfully only by an administrator, it is useless to enter it directly in the address bar. With the cross-site scripting attack just mentioned, however, the hacker only has to register a user named hacker, create a new post, and write the code into the post or into a TXT attachment to forge the request; the forum administrator notices nothing after clicking the post or the TXT attachment, so it is hard to prevent.
The key reason attacks on forums and message boards succeed is that vulnerabilities exist; as long as these vulnerabilities are closed there is no problem. However, many vulnerabilities are caused by omissions on the author's part while programming the forum or message board, which is hard for users to prevent, and we can only hope the authors fix these problems as soon as possible. From this perspective, forum administrators should patch their own forums regularly and keep an eye on the vulnerability announcements released by the major hacker organisations so that problems in their forums are discovered promptly. In addition, special characters must be strictly filtered to prevent attacks that use them. We also recommend setting a strong password and changing it regularly so that other users cannot crack it.
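The cross-site scripting problem above comes from turning user-supplied UBB into HTML without escaping it. An added Python example, not code from the article or from any forum package, that renders the [url=...]...[/url] tag while escaping everything else and refusing link targets whose scheme is not http(s) (the UBB syntax and the test strings are assumptions):

```python
import html
import re
from urllib.parse import urlparse

URL_TAG = re.compile(r"\[url=([^\]]+)\](.*?)\[/url\]", re.I | re.S)
SAFE_SCHEMES = {"http", "https"}


def safe_href(raw: str):
    """Return the link target if its scheme is http(s), otherwise None.
    Whitespace and control characters are removed first because browsers
    skip them when parsing a scheme such as 'java<tab>script:'."""
    cleaned = "".join(ch for ch in raw if ch.isprintable() and not ch.isspace())
    return cleaned if urlparse(cleaned).scheme.lower() in SAFE_SCHEMES else None


def render_ubb(text: str) -> str:
    """Render [url=target]label[/url]; every other character is HTML-escaped,
    so markup or script typed into a post is shown as text, not executed."""
    out, pos = [], 0
    for m in URL_TAG.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        href, label = safe_href(m.group(1)), html.escape(m.group(2))
        if href is None:
            out.append(label)  # unsafe scheme: keep the label, drop the link
        else:
            out.append(f'<a href="{html.escape(href, quote=True)}" rel="nofollow">{label}</a>')
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)
```

Output escaping handles the pop-up and Trojan-page cases; the upadmin promotion link is a separate weakness, since a state-changing administrator action should never be reachable through a plain GET link that a clicked post can trigger.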
We recommend that the Administrator change the forum's database file to an irregular, complex name and change the extension from MDB to ASA, for example 3sdal9eklz9c0ad.asa or 3sdal9eklz9c0ad.inc. It is a bit like using MD5 encryption, isn't it? At the same time, put the file in a deep directory, which reduces the risk of it being downloaded to a certain extent. Changing database.mdb to #database.mdb is the simplest and most effective method. Let's explain the advantage of doing this. Suppose someone else gets your database address; the address string will be: . Do not set the directory to be accessible. In this way, no matter what tools others use, they cannot download it. Note: as long as the database file name contains '#' anywhere, no one else can download it normally. Similarly, a space works like '#', but it must be a space in the middle of the file name. In addition, Access should be used to encode and encrypt the database file: select Tools > Security > Encrypt/Decrypt Database, select the database file, and click OK. The "Save database encrypted as" window appears; after confirmation, the file is encrypted. This operation does not set a password on the database; it encodes the database file so that others cannot view its content with other tools. Next, you can set an access password on the database. First open the encoded database file, selecting "Exclusive" mode when opening it, then choose Tools > Security > Set Database Password from the menu and enter the password. In this way, even if others get the file, they cannot see its content without the password, and even if hackers know the name of the Access database they cannot easily download it. This method is usually used when the forum runs on a rented server. Finally, we recommend that you make the directory containing the database unreadable in IIS to prevent the file from being downloaded!
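The database-hardening advice above can be checked mechanically against a web root. An added Python example, not from the article, that audits a constructed directory tree for the weak points the text names (.mdb extension, a guessable or short name without a '#' or inner space, a shallow path); the GUESSABLE_STEMS list and the 12-character length threshold are assumptions:

```python
import tempfile
from pathlib import Path

DB_SUFFIXES = {".mdb", ".asa", ".inc"}  # .asa/.inc are the renames the text suggests
# Constructed list of default-looking names; 12 chars is an assumed minimum for a "random" name.
GUESSABLE_STEMS = {"database", "data", "db", "bbs", "dvbbs"}
MIN_RANDOM_LEN = 12


def audit_db_files(webroot: Path) -> list:
    """Return (relative_path, finding) pairs for every database file under webroot."""
    findings = []
    for path in sorted(webroot.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in DB_SUFFIXES:
            continue
        rel = path.relative_to(webroot).as_posix()
        stem = path.stem.lower()
        if path.suffix.lower() == ".mdb":
            findings.append((rel, "extension .mdb is served as a download; rename it"))
        # A '#' anywhere, or a space inside the name, is the text's cheap protection.
        protected = "#" in path.name or " " in stem.strip()
        if not protected and (stem in GUESSABLE_STEMS or len(stem) < MIN_RANDOM_LEN):
            findings.append((rel, "guessable name and no '#' or inner space"))
        if len(rel.split("/")) < 3:
            findings.append((rel, "shallow directory; move it deeper"))
    return findings


def build_sample_root() -> Path:
    """Constructed web root: one weak database, one with '#', one random deep .asa, one at top level."""
    root = Path(tempfile.mkdtemp())
    for rel in ("dvbbs/data/database.mdb", "dvbbs/data/#database.mdb",
                "dvbbs/d1/d2/3sdal9eklz9c0ad.asa", "bbs.mdb"):
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"")
    return root


if __name__ == "__main__":
    for rel, finding in audit_db_files(build_sample_root()):
        print(f"{rel}: {finding}")
```

Renaming only defeats guessed URLs; the step the section ends with, making the database directory unreadable in IIS, is the control to rely on.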
For ordinary users, we recommend that you do not leave genuine contact information in the forum, such as your e-mail address or QQ number, and that your forum password is never the same as your other passwords, so that one leak does not hand over all your secrets!