Principles and Rules of brute-force database Vulnerabilities

Principles and Rules of brute-force database Vulnerabilities
SQL Injection has been popular for a long time. The purpose of vulnerability injection is to get something in the database, such as the user name and password. Further MSSQL databases can also obtain permissions. Based on access, isn't it better if we don't need to inject the entire database? As a result, the brute-force database becomes a simpler intrusion method than injection.
Experts often mention the methods of brute-force databases in intrusion articles, but most of them are mentioned in the document. Some of them talk about a method and mostly discuss it. A recent article "talking about the use of the % 5c storm Database" summarizes the storm database, so it is widely spread on the Internet. However, I still didn't talk about the principles, and the conclusion was just experience. It seemed like nothing, so I decided to talk about the principles and rules of the storm database. No, I 'd like to advise you more.

"% 5c" brute-force library approach
This method has been widely used for a while, But like other vulnerabilities, it is not as effective as it was before as many people know it. This method is simply to replace "/" in the website address with "% 5c" when opening the webpage, and then submit it to expose the database path.
In fact, not all URLs are valid. You need "asp? Id = ", or the address that indicates the behavior of calling the database. If you confirm that this web page has called the database, this is not the case later. For example, chklogin. asp can also be used (there are other conditions, and we will discuss it later ). Here is an example of the fourth round of anti-DDoS pro labs:
Http: // 219.237.81.46/yddown % 5cview. asp? Id = 3
Replace the second "/" with "% 5c ":
Http: // 219.237.81.46/yddown % 5cview. asp? Id = 3
After submission, the following results are returned:
Microsoft Jet Database Engine error '20140901'
'D:/111/admin/rds_dbd32rfd213fg.mdb 'is not a valid path. Check whether the path name is correctly spelled and whether it is connected to the server where the file is stored.
/Yddown/Conn. asp, row 12

This is a system of the anti-DDoS lab. The violent library is intentionally opened by small editors, because its mark is not injection, but how to obtain webshell after entering the background. We can see that we have directly obtained the database address and can download it.
Now many people know this method, so I will not give any examples. However, it is estimated that there are not many people who know the principles of brute-force database. Some people are successful and others are unsuccessful. In summary, "Let's talk about the use of brute-force database, the second "/" must be changed to "% 5c. It is very practical, but this conclusion is just an experience. In fact, it is not correct. Let's first look at its principles.
The "% 5c" method is not a Web page vulnerability, but uses a feature in the IIS decoding method. If the IIS security settings are incomplete, and the web page designer does not consider the IIS error, it will be exploited. Why use "% 5c "? It is actually a hexadecimal code of "/", that is, another representation. On the computer, they are the same stuff, but submitting "/" and "% 5c" produces different results. In IE, we replace "/" in the first address below with "/" for submission:
Http: // 219.237.81.46/yddown/view. asp? Id = 3
Http: // 219.237.81.46/yddown/view. asp? Id = 3
The access results are the same. IE will automatically convert "/" into "/" to access the same address. However, when we replace "/" with the hexadecimal format "% 5c", ie will not convert it. "% 5c" in the address is submitted as is. The packet capture result is as follows:
GET/yddown % 5cview. asp? Id = 2 HTTP/1.1
When IIS receives and parses the code, it restores % 5c to "/". In this way, the relative path of the web site in IIS becomes/yddown/view. asp, which is very important and the problem starts from here.
In ASP Web pages, whenever a database is called, a database connection web page Conn is used. ASP, which creates a database connection object and defines the database path to be called, a typical Conn. ASP:
<%
Dim Conn
Dim dbpath
Set conn = server. Createobject ("ADODB. Connection ")
Dbpath = server. mappath ("admin/rds_dbd32rfd213fg.mdb ")
Conn. Open "driver = {Microsoft Access Driver (*. mdb)}; DBQ =" & dbpath
%>
Note the following sentence: "dbpath = server. mappath ("admin/rds_dbd32rfd213fg.mdb") ", server. the mappath method is used to convert the relative path of a website into an absolute physical path. Why? When connecting to the database, you must specify its absolute path to read and write data. What are relative paths and absolute paths? To prevent visitors from knowing the actual path and ensure that the website is not affected by address change, IIS uses a relative path to represent the relationship between directories and files. That is, the URL directory only indicates the relative position from the root directory. For example, the root directory of the website: http: // 219.237.81.46 is "D:/111/", and the download directory of the rain point is in the root directory (D:/111) in "yddown", when our website accesses the site, it is accessing the D:/111/yddown/directory, while http: // 219.237.81.46/yddown/admin/only indicates the relative relationship between the Admin directory and the yddown directory. The relationship between the Admin directory and the yddown directory is also not changed when you place the website on the edisk.
When server. when the mappath method converts a relative path to a real path, it is actually combined with three paths to obtain the actual path: the relative path of the webpage currently executed, that is, the relative path from the physical root directory of the website, for example, Conn. ASP is in the "/yddown/" directory starting from the root directory; then the relative path of the called database is admin/rds_dbd32rfd213fg.mdb, so that the complete relative path from the root directory is obtained: "/yddown/admin/rds_dbd32rfd213fg.mdb ". These are all relative paths. How can they become real paths?
People who have set IIS will know that each website must specify its physical directory on the hard disk. For example, in the above example, the physical directory of the website root directory is: "D: /111 ", server. the mappath method uses the "physical address of the website root directory + complete relative path" to obtain the actual physical path. The physical path of the database on the hard disk is: D: /111/yddown/admin/rds_dbd32rfd213fg.mdb. IIS uses "/" to indicate the directory relationship of the actual path, while "/" to indicate the virtual path, this may be the reason why IE will automatically convert "/" from our address.
To understand this, it is not difficult to understand the storm database. When we submit: http: // 219.237.81.46/yddown % 5cview. asp? Id = 3, view. ASP calls Conn. after ASP, the relative path of the webpage is as follows: "/yddown/", and add "admin/rds_dbd32rfd213fg.mdb" to get "/yddown/+ admin/rds_dbd32rfd213fg.mdb ". In IIS, "/" and "/" represent different meanings. When "/" is encountered, it is deemed that it has reached the physical path of the root directory, I will not go up for resolution (why not go up again? Will be analyzed later), so the complete relative path of the website is changed to "admin/rds_dbd32rfd213fg.mdb", and the physical path of the root directory is added to the "D: /111/admin/rds_dbd32rfd213fg.mdb ", but this path does not exist. Of course, the database connection fails. Therefore, IIS reports an error and provides the cause of the error:
Microsoft Jet Database Engine error '20140901'
'D:/111/admin/rds_dbd32rfd213fg.mdb 'is not a valid path. Make sure the path name is spelled
Whether it is correct and whether it is connected to the server where the file is stored.
/Yddown/Conn. asp, row 12
This is the history of the brute-force database method.
In the article "exploitation of the % 5c brute-force database", the website must be the second-level directory. Let's analyze it theoretically to see if there are any patterns. For example, if you change the first "/" to "% 5c", the relative path of the obtained website is "/yddows/admin/rds_dbd32rfd213fg.mdb ", when "/" is parsed, it is considered to have been resolved to the physical directory and will not be parsed forward. In fact, it is also the root directory, so the physical path obtained is: "D:/111/dydow/admin/rds_dbd32rfd213fg.mdb". This path is correct, so no error occurs, of course, the database path will not be exposed.
When the second "/" is changed to "% 5c", we have analyzed it above. Is it true that a second-level page can be exposed? In fact, it is only because second-level pages are common and not truth. If the Download System is a third-level directory on a website, the success of the third "/" is more likely. That is to say, the first success on the rightmost is likely!
Let me give an example. The reason is:
Http://nice.xmu.edu.cn/channely/blog/showlog.asp? Cat_id = 31 & amp; log_id = 246
When the second "/" is changed to "% 5c", the website is opened slowly, but there is no error. When we change the third "/" to "% 5c", submit:
Http://nice.xmu.edu.cn/channely/blog%5cshowlog.asp? Cat_id = 31 & amp; log_id = 246
Database exposure:
Microsoft Jet Database Engine error '20140901'
'H:/channely/log_mdb/% 29dlog_mdb % 29. asp 'is not a valid path. Check whether the path name is correctly spelled and whether it is connected to the server where the file is stored.
/Channely/blog/Conn. asp, Row 18
Why? This is because the website uses a virtual directory, that is, the sub-directory channely of the website is not in the root directory of the website. People who have set IIS will know that they can set a real physical directory outside the website directory as the virtual directory of the website. That is to say, the relative diameter of the website is not always counted from the root directory, and it is likely that a subdirectory points to a physical directory.

Obviously, channely is already in the root directory of the H: disk, and there is no directory on it. In fact, it is likely that the website is on D: disk or E: disk, and the channely virtual subdirectory is set in IIS to "H:/channely/" outside the root directory of the website /".
Here, we can see more clearly why Microsoft IIS does not go to the root directory, as long as there is a "/", it is considered that it has reached the physical absolute path and will not go up for resolution reasons, this is to handle the situation where the virtual directory of the website is not the same as the root directory. It first queries whether each directory points to a physical path. If it points to a physical path, it is replaced with an absolute path, and the relative address above it is not parsed and converted.
From the above analysis, we can only use "/" ("% 5c") between the relative database address and its absolute directory address to achieve the goal. In the above example, if you use it in the second place, it will only affect the IIS to find the virtual channely directory address, while the conn. the database location parsed in ASP is "H:/channely/blog/log_mdb/% 29dlog_mdb % 29. ASP is still correct.
The exploitation of the % 5c brute-force database also mentioned a solution that only has a level-1 Directory: "In fact, level-1 directories can also be successful, we can construct a multi-level directory to achieve the goal of violent library. For example:
Http://www.target.com/noexists/..%5clist.asp? Id = 1
In this way, everyone will be pleasantly surprised ." Really? Theoretically, this method will not succeed. When "% 5c" is encountered, the page will not be parsed. Therefore, the directories constructed in the middle are discarded because they do not work. The relative paths are still in the root directory, so the paths will not go wrong. To prove this, I specifically found an example:
Http://www.om88.com/Article_Show.asp? ArticleID = 481
For this website, we first use the conn. asp method to expose the database (this method will be explained later), indicating that the server and website settings can be used as a brute-force database. Submit:
Http://www.om88.com/inc/conn.asp
We can see that the database is vulnerable, and we will submit it again:
Http://www.om88.com/abc/..%5cArticle_Show.asp? ArticleID = 481
The normal page is still displayed without warehouse. This is because the relative path has changed, so the image path cannot be found correctly, but the path is discarded by "% 5c" during absolute path parsing. No error occurs. Of course, the file cannot be exported.

Conn. asp Method
Here, conn. asp only indicates the database call file, because most of them use this name (some websites change their names, we also think of it as Conn. asp ). In fact, this type of violent library method was the first to appear. Many cool people have discussed this method before. I remember that anti-DDoS also discussed this method very early. This is only a small number of people mentioned after the "% 5c" Brute Force Library method appeared. In fact, I personally think that the "% 5c" brute force method will be less and less useful as the server security is enhanced. However, the conn. asp brute-force library method has more room to use. It can be constructed manually. This is also true for the famous large-volume migration of the mobile network to achieve brute-force library.
Upload. Let's look at another example of stealing: http://www.51see.org/
Submit:
Http://www.51see.org/db/user.asp
The following result is displayed :.
"Microsoft Jet Database Engine error '123'
'D:/hosting/wwwroot/uilady_com/htdocs/db/downloadwoaini12345.asp 'is not a valid path. Check whether the path name is correctly spelled and whether it is connected to the server where the file is stored.
/DB/user. asp, Row 6"
Some people may say that it is so easy to use brute-force databases! Is this true for all websites? Of course not. websites that have already been protected will certainly not work. Those that have not been protected will also be eligible for brute-force databases. If the first method of brute-force library uses absolute path errors, This method uses relative paths for errors.
In general, this problem occurs as long as Conn. asp is not in the root directory and the calling file is in the root directory. Of course, this statement is also empirical. To be accurate, if the relative position of conn. asp and the file that calls it changes, an error is reported and the database path is exposed. In this case, someone may not understand it. It doesn't matter. Then you will understand it.
Let's start with the dynamic article system.
Conn of the dynamic article system. ASP is located in the INC directory of the system, while many files calling ASP are located in the root directory of the system, such as user_chklogin.asp. when ASP is executed, it is executed in the system root directory "D:/wwwroot/zyx688/wwwroot. Therefore, in the conn. asp file, when calling the database, it takes into account the directory path during execution. Therefore, the relative address of the database is written as follows:
DB = "database/fp360609.asp"
In this way, when it is executed in the root directory of the system, the relative path of the database is the "Database" directory under the root directory, but when we directly request it, the current directory where it works is in the INC directory under the root directory, and the relative path of the database becomes "INC/database/fp360609.asp", so that it certainly has an error, "Inc" is also displayed in the obtained absolute path ". To make it clearer, let's look at a website that can use two methods to crack the database and compare the differences. Submit:
Http://www.pofen.com/ SC /down%5cshow.asp? Id = 437
Get:
"Microsoft Jet Database Engine error '123'
'D:/webdata/pofen.com/ SC /db/download.mdb' is not a valid region. Check whether the path name is correctly spelled and whether it is connected to the server where the file is stored.
/SC/down/DB/user. asp, Row 6"
Submit again:
Http://www.pofen.com/ SC /down/db/user.asp
Get:
Microsoft Jet Database Engine error '20140901'
'D:/webdata/pofen.com/ SC /down/db/db/download.mdb' is not a valid region. Check whether the path name is correctly spelled and whether it is connected to the server where the file is stored.
/SC/down/DB/user. asp, Row 6
The absolute path obtained by the two methods is smaller than the actual path, and the other is more. Both systems are caused by the fact that conn. asp is not in the system root directory. Is conn. asp in the root directory and the called file in the same directory? If they are together, of course it's okay, but the cow has its own cow method, you can use the constructor method to cause relative path changes, which can also achieve the goal of violent library. For example, the big data migration method of the dynamic network shifts conn. asp to a brute-force database.
Of course, in practice, the website failed to work because conn. asp was removed, but this idea was still inspired by many people. If a method can be used to copy, not move, or call other files of conn. asp, such as chklogin, instead of moving conn. asp, it will succeed theoretically. Today, we have just seen the latest method of the violent system path. Its principle is to construct an error to achieve the goal of obtaining a real path.

Prevention of violence Library
To put it bluntly, the violent library is because the IIS server will give a detailed description of each execution error and stop the execution. The default setting of IIS is to return the error message to the user. Therefore, to avoid brute-force database exposure, you should change the default settings of IIS. when selecting an error, only one error notification is sent and No details are provided.
In fact, some virtual hosts generally do not turn off the information returned for convenience of webmaster debugging. As website administrators, when they cannot set virtual hosts, they can only strengthen protection on webpages. Add this sentence to the page where an error may occur: "On Error resume next ". It means that after an error occurs, the following statement will be resumed, that is, the error will be ignored, and of course no error information will be provided. After this sentence is added to the mobile system version 3.62, the path is no longer available, and the conn of Tianyi business network. ASP is not in the root directory, but the database cannot be exposed because of the addition of this sentence.