Research on an alternative way of writing a one-sentence Trojan into a guestbook

Source: Internet
Author: User

Magic Spring [B.S.N] Follow Script Security, sites.google.com/site/bsnguanzhujiaobenanquan

In my earlier article "Mining vulnerabilities in guestbooks", I wrote a paragraph about writing a one-sentence Trojan into the database: where a value taken from Request.ServerVariables is stored without filtering, it can be used to bypass the form filtering and insert a one-sentence Trojan into the database.

At the time, however, that was only a guess, based on some PHP injection vulnerabilities caused by unfiltered IP addresses. Learning, though, demands technical rigor: whatever the vulnerability, it has to be tested in person, otherwise the theory is just preaching and not convincing.

There happens to be such a guestbook, so let's test it.

Test program: Hua Mulan guestbook

Official Website: www.77f77.com

First, let's see how the submitted data is filtered.

There are only a few files, so I will just list the structure of the guestbook.

Hua Mulan guestbook
|____ Index.asp          main file; contains the code for submitting and displaying messages
|____ Gustbook_Conn.asp  database connection file
|____ Gustbook_sub.asp   functions
|____ Dqe_gustbook.asp   database file

Here we mainly look at Index.asp, because it has already been confirmed that the database file is not protected against downloading and can be accessed directly.

Important code in Index.asp


Code:

Filter code

Function htmlencode(fString)
    If Not IsNull(fString) Then
        ' HTML-encode the characters that could break out of the page
        fString = Replace(fString, ">", "&gt;")
        fString = Replace(fString, "<", "&lt;")
        fString = Replace(fString, CHR(32), "&nbsp;")
        fString = Replace(fString, CHR(9), "&nbsp;")
        fString = Replace(fString, CHR(34), "&quot;")   ' "
        fString = Replace(fString, CHR(39), "&#39;")    ' '
        fString = Replace(fString, CHR(13), "")
        fString = Replace(fString, CHR(10) & CHR(10), "</p><p>")
        fString = Replace(fString, CHR(10), "<br>")
        htmlencode = fString
    End If
End Function

Function uhtmlencode(fString)
    If Not IsNull(fString) Then
        ' Reverse of htmlencode: turn the stored entities back into characters
        fString = Replace(fString, "&nbsp;", CHR(32))
        fString = Replace(fString, "&nbsp;", CHR(9))
        fString = Replace(fString, "&quot;", CHR(34))
        fString = Replace(fString, "&#39;", CHR(39))
        fString = Replace(fString, "", CHR(13))
        fString = Replace(fString, "</p><p>", CHR(10) & CHR(10))
        fString = Replace(fString, "<br>", CHR(10))
        uhtmlencode = fString
    End If
End Function

.......

Submit data

' Every form field goes through htmlencode before it is stored
Books_mingzi = htmlencode(Request.Form("mingzi"))
If Books_mingzi = "" Then Books_mingzi = "anonymous"
Books_biaoti = htmlencode(Request.Form("biaoti"))
Books_neirong = htmlencode(Request.Form("neirong"))
......

Set mRs = Server.CreateObject("ADODB.RecordSet")
mRs.Open "Select * from dqe_gustbook", conn, 1, 3
mRs.AddNew
mRs("who") = Books_mingzi
mRs("biaoti") = Books_biaoti
mRs("neirong") = Books_neirong
mRs("lanmu") = lanmu
mRs("zhiding") = 0
mRs("shijian") = Now()
' The client IP is read from a request header and stored without htmlencode
UserIP = Request.ServerVariables("HTTP_X_FORWARDED_FOR")
If UserIP = "" Then UserIP = Request.ServerVariables("REMOTE_ADDR")
mRs("ip") = UserIP
mRs.Update
mRs.Close
Set mRs = Nothing
Response.Write "<script>alert('Message added successfully. Hua Mulan official site: http://www.77f77.com');this.location.href='" & Url & "';</script>"
Response.End

 

From this code we can see that the author passes every form field submitted by the user through htmlencode, so the author does seem to have had some defense against this kind of vulnerability in mind.

However, the HTTP_X_FORWARDED_FOR value obtained when the record is added is not filtered at all, so that is what we can use.
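The root cause above is that a request header is treated as if it were as trustworthy as REMOTE_ADDR and written straight into a database file that the web server will also execute. The following is an added example, written for this page and not taken from the Hua Mulan guestbook or the article's author; it is in Python so it can be run offline, but the logic is what the ASP UserIP assignment should do instead. It shows two defender-side routines: client_ip_for_storage() only consults X-Forwarded-For when the connecting peer is a known proxy and only keeps the value if it parses as an IP literal, so no header text ever reaches the database; find_tainted_ip_rows() scans stored guestbook rows and flags any "ip" column value that is not an address, which is how you find records that were already written through the unfiltered path. The TRUSTED_PROXIES set, the header values and the rows are all constructed sample data.

```python
"""Added example: hardened client-IP handling and a check for poisoned "ip" rows.

Not part of the original article or the guestbook code.  TRUSTED_PROXIES, the
server-variable dictionaries and the sample rows are constructed for this example.
"""
import ipaddress
from typing import Any, Iterable, List, Mapping, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Assumption: the reverse proxies in front of the web server are known in advance.
# Only a request arriving from one of these peers may carry a meaningful
# X-Forwarded-For; from any other peer the header is attacker-controlled text.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


def parse_ip(value: str) -> Optional[IPAddress]:
    """Return the address if `value` is exactly one IPv4/IPv6 literal, else None."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def client_ip_for_storage(server_vars: Mapping[str, str]) -> str:
    """Hardened counterpart of the guestbook's UserIP assignment.

    `server_vars` mirrors the ASP ServerVariables collection: it carries
    REMOTE_ADDR and, optionally, HTTP_X_FORWARDED_FOR.
    """
    remote = parse_ip(server_vars.get("REMOTE_ADDR", ""))
    if remote is None:
        # REMOTE_ADDR comes from the TCP connection itself; if it does not parse,
        # store a fixed placeholder rather than anything request-influenced.
        return "0.0.0.0"

    xff = server_vars.get("HTTP_X_FORWARDED_FOR", "")
    if xff and remote in TRUSTED_PROXIES:
        # X-Forwarded-For is a comma-separated chain.  Each proxy appends the peer
        # it saw, so the last element is the only hop our own proxy vouches for.
        last_hop = parse_ip(xff.split(",")[-1])
        if last_hop is not None:
            return str(last_hop)
    # Untrusted peer, absent header, or a value that is not an IP literal: the
    # header is ignored outright instead of being sanitized, so no text from it
    # is ever written to the database.
    return str(remote)


def find_tainted_ip_rows(rows: Iterable[Mapping[str, Any]]) -> List[Any]:
    """Return the ids of stored guestbook rows whose "ip" field is not an address.

    A record written through the unfiltered path keeps whatever the header held;
    a legitimate record only ever holds an IP literal, so any non-address value
    in this column is a finding worth inspecting.
    """
    return [row["id"] for row in rows if parse_ip(str(row.get("ip", ""))) is None]


if __name__ == "__main__":
    # Constructed request: header present, but the peer is a direct client, not a proxy.
    print(client_ip_for_storage({"REMOTE_ADDR": "203.0.113.9",
                                 "HTTP_X_FORWARDED_FOR": "198.51.100.7"}))
    # Constructed rows: id 2 holds non-address text in the ip column.
    sample_rows = [
        {"id": 1, "ip": "203.0.113.9"},
        {"id": 2, "ip": "<% constructed non-address placeholder %>"},
        {"id": 3, "ip": "2001:db8::1"},
    ]
    print(find_tainted_ip_rows(sample_rows))
```

The design choice worth noting is that the header is dropped rather than HTML-encoded: an IP column has a fixed grammar, so the correct filter is a parser that accepts only that grammar, not an encoder that tries to neutralise every other grammar the stored bytes might later be read as (HTML in the browser, ASP in the database file).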

Practical application:

You can submit the request directly with the POST submission tool written by Hedgehog, or capture the packet and resubmit it with nc.

If 200 OK is returned, the request was submitted successfully, and when you access the database file you will find that the content has been inserted.

