Research on Lan Yu design of Whole station SQL injection Vulnerability

Originally the article came, because the issue of the manuscript so can not go to the magazine, coupled with some recent comments on the Web site comment on the question of blue rain, so I open the vulnerability warning said loophole, the official has put the version of the patch, of course, some of the use of the Web site still has a SQL injection loophole, So all the consequences have nothing to do with me or the BCT group.
Recently bored, walking around the internet to see. Found that now the whole station system is more and more, modify the version and so on N-ah! and Lan Yu design of the whole station users are more and more, the blue rain whole station system is from the Nowa 0.94 modified from! Based on the Nowa system not only refers to the blue rain one still has a lot of! I do not enumerate here, the core is the same, but the additional functions of the program are different! The security aspect because of the Nowa system so far known vulnerabilities are only uploaded. The following article shows an Nowa SQL injection vulnerability that has never been modified in a system vulnerability! Only blame Blue rain modify the program when not ready to inject the problem! You can't blame me for this! Who told a programmer not to pay attention to a safe corner?
One, determine the injection point
We are testing the official website because we are concerned that the external version is not the latest version, which results in different correctness of the article. First we submit http://***.net/view.asp?action=art&art_id=70 and 1=1 to return the following information.
Enter again
Http://***.net/view.asp?action=art&art_id=70%20and%201=2 returns the following information
Detection of and1=1 and 1=2d information returns from standard SQL injection points as you can see, there is a SQL injection in the comments for this program for two images, because now the modified version based on Nowa is based on the Access database schema, So we can further determine the database type of this program.
Second, guess the database table
Because I lazy so had to borrow NBSI for SQL injection work, how to know is not because of the NBSI is too powerful, can not overkill. It doesn't even detect the SQL injection point that I found. It's really amazing (Hak_ban: Is it true ...)? Really want me to manually inject t_t) Nbsi too much! So I had to bite the bullet and inject it manually. First guess whether the database table exists in the admin table. Construct statement Submission
http://***.net/view.asp?action=art&art_id=70%20and%200???? (Select%20count (*)%20from%20admin) Now the Database administrator table in the program, is not the name Admin,adminuser user, so we just grasp the program author's psychology can know, After submitting the statement, the page returns to normal, so we can be sure that the admin table exists in the database. We just need admin password and account number, so other tables in the database can be ignored.
Three, guess the database field
Before guessing, in order to reduce more trouble and unnecessary guessing, should be to the invasion of the site to do some data collection, such as the Administrator's QQ and the administrator to use the network name is to know, because we usually use easy to remember the password and account, so that we can not forget. Find the article page and so on function page can not find the article editor and the administrator QQ number. Had to find in the BBS, very fortunate that we found in the BBS "Blue Rain" This user name, such as waiting to guess the admin account when we can try Chinese name or pinyin. (Hak_ban: I was once in MSN with a name to see through plmm character and birthday of Oh, we should pay attention to the importance of social engineering AH)
Less nonsense, let's take a look at this Program admin field is what!? The first guess is that the commit statement for name is the following http://***.net/view.asp?action=art&art_id=70%20and%201= (Select%20count (*)%20from%20admin% 20where%20len (name)?? 0) (hak_ban:*_* not Ah!) Not the Name field-Returns the page after submitting the statement is not normal to confirm that the admin table does not have name in this field name. It seems to think about how to guess the solution, since the name field is not a try admin_name field row No! Re-construct the guessing field statement: http://***.net/view.asp?action=art&art_id=70%20and%201= (Select%20count (*)%20from%20admin% 20where%20len (admin_name)? 0) (Hak_ban: This is all right? I'm a step further! After submitting the statement, the page returns to normal, which is finally OK.
Then, we began to guess the password of the field, in fact, a look at the echo of the above we can be very sure that the password field is Admin_password, so the statement submitted is http://***.net/view.asp?action= Art&art_id=70%20and%201= (Select%20count (*)%20from%20admin%20where%20len (admin_password)?? 0 information back to normal, right!? Ha ha
Speaking of the whole guessing solution is almost finished! (Rookie: What?) You got the account number and the password? Are you stupid or something? Guess the password and account is more of a trouble and waste of time to live! OK, let's go and see how the account and password are guessed. First we guess the length of the account! Suppose we've got the administrator's usual account name, "Blue Rain" is the administrator account. We have two possibilities, one is the blue rain Pinyin "Lanyu", the second is the blue rain of Chinese into the ASCII code to guess the solution. We first try the possibility of pinyin, if this is the case we will construct the length of the admin_name is 5, so the submission statement is http://***.net/view.asp?action=art&art_id=70%20and%201 = (Select%20count (*)%20from%20admin%20where%20len (admin_name)?? 5)   Page information returned does not display correctly. And then Submit http://fj126.net/view.asp?action=art&art_id=70%20and%201= (Select%20count (*)%20from%20admin%20where% 20len (admin_name)?? 4 This page can be considered normal! Then resubmit the statement as http://***.net/view.asp?action=art&art_id=70%20and%201= (Select%20count (*)%20from%20admin%20where% 20len (admin_name) =5) We can determine the length of the Admin_name is 5. Account length out, and the length of the password we do not know, according to information gathered learned that the password is encrypted using md5 16 bit, so we can guess the length of the password is 16 Ah! Commit Statement http://***.net/view.asp?action=art&art_id=70%20and%201= (Select%20count (*)%20from%20admin%20where%20len (Admin_password) =16) Here's no screenshots! We can basically know! Account length is 5 digits, password length is 16 bits. Hak_ban: Seriously, I have not manual for a long time, almost backache back pain! As for the account number is how many password is how much I will not enumerate! After testing just social engineering to get the Administrator account: Lanyu is correct! and the Code doesis MD516 bit encryption. The whole process can use the CSC of the Smelly beggar to inject the test!  
Four, summary
The entire program has a few SQL injection pages, is based on the blue rain Whole station itself added function page did not do the relevant SQL injection caused, if you have to use this program, you can use the generic prevent injection script to prevent, although said MD5 need brute force to crack, but if you really offend people, Don't say crack. Maybe your site will be done by others, network security is a very important part of the hope that we do not despise the safety of this link! The above article if there are errors please point out that there are any problems can go to the unsafe forum or BCT team to find me!