Take advantage of Elmah and Google to experience a thrill of intrusion

Introduced

About Elmah, I believe everyone is not unfamiliar, the most popular error logging component, used by people know its powerful power, can record very detailed error information for administrators and developers to analyze. Elmah is very simple to configure, but it also brings a problem: if the configuration is not good, it will be invaded, and the method of intrusion is very very simple, this article I will demonstrate how to use the Elmah error information and Google search to invade a site, At the same time, this paper also provides the correct Elmah configuration method .

Note 1: My goal is to let everyone correctly configure Elmah, not to teach you invasion oh, intrusion is risky, implementation needs to be cautious

Note 2: here, I would like to clarify that the use of Elmah intrusion site, not to say Elmah itself, but because of the configuration of the problem caused, so we do not lose confidence in the Elmah component, it is still very useful, and remains my first choice.

Powerful features of the Elmah

Background: Elmah is an error logging component developed by Atif Aziz, which is currently popular, and its popularity can be seen from NuGet, with a total ranking of 14.

Let's take a look at some of his features:

1. You can add the Elmah component directly without having to compile it again, you just have to refer to the class library and simply configure the settings.
2. Log storage is very convenient, you can use memory storage, you can use files, Email, and even various databases (Access, SQL Server, Oracle, Sqlite, vistadb) to store, once configured, the log will be automatically recorded.
3. The above mentioned email function can also be very powerful, such as when the page error, you can directly to the user automatically email to tell him "Hello, I see you have problems, we will solve immediately", so that users look very excited, because it seems that you care about him.
4. Error log viewing is very convenient and can be accessed directly via/almah.axd, without the need to create an additional ASPX file.
5. The information that Elmah records is really very, very detailed so that developers can quickly trace the source of the problem, but there is also the problem that once the hacker sees the error message, the hacker can search for the information that is very beneficial to the invasion from these detailed information, which is also the purpose of writing an article.

Sniffing information

Let's see what kind of useful information we can get from Elmah. To see an example,

Through the picture can see, we deliberately visited a/blah.aspx file, and then Elmah recorded the file did not find the 404 error, click to enter we can see the details of the error log information, such as:

The Change information page includes the most detailed stack trace information, including the. NET internal implementation details), although you can use the custom error information page to direct users to the page, but Elmah will still record 404 such error messages. Let's look for something from this information page, Oh yeah! found, see:

The contents of the red box mark in the picture are my most interested, let me explain:

1. The auth_user variable shows the admin, which is the authenticated user name of the system when the error occurred, in other words, the admin landed on the system when that error occurred.
2. . Aspxauth Cookie, which is a special cookie value generated by the system to verify user information when using ASP. Membership provider , to store a user's authentication status, That is, it contains your security verification information, which we will verify later.

Find target

This time you see the key point of this article, it is not to Elmah log error protection, so that everyone can see, that if you want to invade a site like this, is very simple thing, just want to search google on this keyword: inurl:elmah.axd Aspxauth on the line, look at:

Oh, man, what a horrible thing, there are tens of thousands of records that include verification (authentication) information, and the use of additional Aspxauth keywords can be used to rank these eligible information on top. Although some of the information is on the same site, but so much information is worth our attention.

In the Google engine this situation, the implementation of my wife is called Google Dork, the meaning of the word is that although this information is not prohibited by Google, but often is safe or deadly information, such as phpMyAdmin initialization, if not set the password , or the administrator did not delete a similar initialization page, the default page is typically an initialization operation, such as Welcome to PhpMyAdmin, and then let you create a database (Create new), if you search for "Welcome to PhpMyAdmin "and" Create New database ", Google will give you a large number of records, but I think as Google such a search engine, should be more famous for these systems (such as WordPress, ELMAH, PhpMyAdmin) The default security information to give shielding, do not block, called Google Dork, or you can be called the idiot Google, Baidu's information seems not much oh? Hey.

Hunting targets

So far, we've actually got. Aspxauth information is basically OK, if you do not have this information, you can use some tricks to get it, such as to the administrator of the site to send a message, or to leave a word on his Weibo, let him click on his own site to enter an address, then there is a way.

See the above picture of the message, the default and ASPX is not a comma, is <, generally if the administrator does not pay attention to the point in, must write the error log into the Elmah, it is likely to leave his cookie, even if the administrator did not log in, You can also forge an address that needs to be logged in to make him click.

Anyway, get. Aspxauth's cookie value is still relatively simple, if we get the following string:

. Aspxauth= 3c886ba2344099338361c921c846eaf4e02f2a88e5e7ede6838705928f7bb7c6ff469d35feb1532c44b81db38f200dee08b6ed0e6121b945c659e932d 8ce8b69fff09e7b59dbe4820873dbd7891dd6b6bc4a486f35a2f99849017a6c72d9c6a44517d9afdc731b3a3c55596e79732806

The intrusion step, in fact, is very simple, chrome and Firefox have the corresponding cookie extension can be used, modify or add a cookie on the line, name is. Aspxauth, value is a large string above, the domain name is the site to be the tool.

After the modification, then refresh, see:

Oh yeah, it worked! It worked! This is not Uncle Tom's credit, not my own credit, this is just a demo site!

The real intrusion method may have a little bit of variation on different sites, but generally as long as it is used with ASP. Membership provider, and you can get this. Aspxauth words, all should be able to succeed. What can be done after the invasion success, I will not say more, authority AH, super account Ah, financial information Ah, point card ah, points ah what, play your imagination.

More avenues to invade

The information that Elmah exposes is not just the simple session (Cookie) of ASP, through which we can sometimes find a lot of other rich information, such as the use of well-known SQL injection vulnerabilities , so you find the following such information, That means there might be a problem with the site:

Or the error message generated by the SQL batch statement is also fatal:

Or you can search for the keywords related to the password , you may also draw useful information OH:

You can even search for a mainstream open source component name (if he is a loophole), to see if the site uses this component, if so, wouldn't that be cool?

However, the biggest problem is not that these problems are very much, but that hackers may use a variety of attempts, generally elmah produce a variety of logs, and then from these logs to analyze a variety of useful information: Physical address, IP address, other cookie values and so on. Elmah recorded error messages are too specific!

Prevention methods

See so much use of Elmah information attack method, is not very worried, in fact, the method of prevention is very simple, that is the most commonly used to restrict URL access, because you use membership and role provider, Configuring the Web. config phase to disable URLs is straightforward:

< LocationPath= "Admin">  <system.web>    <httphandlers>      <Addverb= "Post,get,head"Path= "Elmah.axd"type= "Elmah.errorlogpagefactory, Elmah" />    </httphandlers>    <Authorization>      < AllowRoles= "Admin" />      <DenyUsers="*" />    </Authorization>  </system.web>  <system.webserver>    <handlers>      <Addname= "Elmah"Path= "Elmah.axd"verb= "Post,get,head"type= "Elmah.errorlogpagefactory, Elmah"Precondition= "Integratedmode" />    </handlers>  </system.webserver></ Location>

Note: You need to put Elmah handler in the admin path, because if you do not do so, even if the limit of admin/elmah.axd, that people can also from the/foo/ Elmah.axd in any directory like this, because you are only configuring Elmah.axd.

Inspection Tools

The author of the original article developed a website http://asafaweb.com/ to help ASP. NET developers to detect the security of the site, you only need to enter the Internet can access the address of the website can help you detect, such as:

If your site has a problem, it will give a red hint, if no problem will give a green hint:

When you click on each red button, this security-related information is displayed and suggested behavior if this security breach is eliminated:

Invasion Blog Park

Let's check out the blog's Vulnerability Information:

From the figure can be seen without this loophole, it seems Dudu is very powerful, OX x! Then we can only give up.

Summarize

An improper configuration of a elmah caused so many problems, after reading, you know how serious it is, so in the use of third-party components must be detailed understanding of configuration and security settings.

About the security of ASP, the original author wrote the owasp Top 10. NET version, or very good, English good Bo friends can see the following, after years I will release the Chinese translation version, please pay attention.

Copyright NOTICE: This article for Bo Master http://www.zuiniusn.com original article, without Bo Master permission not reproduced.

Take advantage of Elmah and Google to experience a thrill of intrusion