Vulnerability Analysis of Wuhu podcast Home Program

Wen/tU Shucheng Li Yin & [dream★Swordsman]
I believe Tudou and Youku are familiar with it? In my spare time, I liked this website to read "hundred forums". I saw many Members uploading various types of videos. I wonder if there is a free ASP podcast program like this? To the source code house, I found a set of programs to be tested in this article. Several vulnerabilities were found during the code reading process, so I got this article.
 
Injection Vulnerability
During code reading, many program vulnerabilities were found, mainly SQL injection vulnerabilities. The injection vulnerability has a serious impact on ASP programs. A slight neglect of variable filtering causes the vulnerability. Therefore, when there are many codes, the best way to prevent injection is to write anti-injection programs in the database connection file. This set of programs also has anti-injection programs, but they are not called in the database connection file conn. asp file, which gives us the opportunity to take advantage. The video playback file video_play.asp contains the following code, and does not contain the anti-injection program (www_ SQL .Asp ).
 
<%
Photoid = request ("photoid ")
If photoid = "" then
FoundErr = True
ErrMsg = ErrMsg & "<br> <li> specify the video ID </li> <br>"
Call WriteErrMsg ()
Else
End if
Set rs = server. createobject ("adodb. recordset ")
Rs. open "select * from flv where photoid =" & photoid & "order by photoid desc", conn, 1, 3
Rs ("hits") = rs ("hits") + 1
Rs ("DayHits") = rs ("DayHits") + 1
Rs ("WeekHits") = rs ("WeekHits") + 1
Rs ("MonthHits") = rs ("MonthHits") + 1
Rs. update
%>

The photoid variable in the above Code is imported into the database for SQL query without being filtered by any function, resulting in an injection vulnerability. The shielding of this vulnerability is simple. Use the built-in VBS function isnumeric to check the vulnerability. Enter "and 1 = 2" in the address bar to return an error, proving that the vulnerability exists.
This vulnerability may be exploited by readers and may be used to crack accounts and passwords. In addition to this vulnerability, I found an injected file "blog_show.asp" during code reading. This file is the latest log display file, and the code is as follows.
 
<%
Articleid = request ("articleid ")
Set rs = server. createobject ("adodb. recordset ")
Rs. open "select * from article where articleid =" & articleid & "order by articleid desc", conn, 1, 3
Rs ("hits") = rs ("hits") + 1
Rs. update
%>

The articleid in the Code still performs SQL queries without any judgment, resulting in the injection vulnerability again. The main reason is that the "bolg_show.asp" file did not call the anti-injection file. Later, when I was reading the code, I found that this system only contained a very small number of files containing the "www_ SQL .Asp" anti-injection file. However, I think that a podcast program like this on the Internet should not easily have Injection Vulnerabilities. Now, when a slightly security-conscious administrator sets up a site, it is very likely that the "www_ SQL .Asp" file is included in the database connection file. We will not discuss this issue first. We can use the obtained account and password to enter the background and find that the background function is quite powerful. It is estimated that it can compete with the dynamic ease, as shown in 1.

Figure 1
The database backup function exists in the background of this program. I uploaded an image Trojan and restored the database to obtain WebShell. As I have said above, this podcast system also has anti-injection files. If the Administrator calls this file in the database connection file conn. asp, it will be difficult to inject this path. However, when looking at the program code, we found that even if the database connection file contains the anti-injection file (www_ SQL .Asp), it cannot ensure its security. Next we will continue to explore the vulnerability.
 
Hypothetical Vulnerability
Why is it a hypothetical vulnerability? This vulnerability may or may not occur, but I personally think it is more likely to generate than the preceding SQL injection vulnerability. Readers may ask why, so let me take a closer look.
As mentioned above, this program has "www_ SQL .Asp" anti-injection file, but its code is a little problematic, that is, it does not filter the Cookie for submission. The Code is as follows.
 
<%
If Request. QueryString <> "Then
For Each Fy_Get In Request. QueryString
For Fy_Xh = 0 To Ubound (Fy_Inf)
If Instr (LCase (Request. QueryString (Fy_Get), Fy_Inf (Fy_Xh) <> 0 Then
Fy_dbstr = "DBQ =" + server. mappath ("SqlIn. asp") + "; DefaultDir =; DRIVER = {Microsoft Access Driver (*. mdb )};"
Set Fy_db = Server. CreateObject ("ADODB. CONNECTION ")
Fy_db.open Fy_dbstr
Fy_db.Execute ("insertinto SqlIn (Sqlin_IP, SqlIn_Web, SqlIn_FS, SqlIn_CS, SqlIn_SJ) values (" & Request. serverVariables ("REMOTE_ADDR") & "," & Request. serverVariables ("URL") & ", GET," & Fy_Get & "," & replace (Request. queryString (Fy_Get ),"","")&")")
Fy_db.close
Set Fy_db = Nothing
%>

In the above Code, illegal characters are written to sqlin. the asp database records illegal operations. However, this database is an ASP suffix and does not contain table downloading protection. This creates a vulnerability, we can enter some special characters in the address bar of IE and try to write a Trojan horse into the database to get WebShell. The idea is always good, but the actual situation sometimes gets a little different. I found later that the database sqlin. asp is no longer usable, because the database showed a situation in step 2 during browsing under IE.

Figure 2
During the test, I set a trojan "<% execute request (" ") "%>" encrypted to "% 3C % 25 execute + request % 28% 22a % 22% 29% 25% 3E" can be successfully written into the database, but it is a pity that it cannot be used now. Unfortunately, the next vulnerability is even more lethal.
 
Admin_mobanadd.asp file not verified
This vulnerability should be caused by human error because it has not been verified by Session. The database connection file of the admin_moban.asp file is not the conn. asp file, but the conn_user.asp file. In the conn_user.asp file, the database is not the master database of the website. If it is the master database of the website, there is really no way, because the master database contains an anti-download table, so even if you have the opportunity to plug in the horse, you cannot run it. The conn_user.asp file contains the following code:
 
<%
Dim UserTableType, Conn_User, db_bbs
UserTableType = "MyPower" db_bbs = "date/# el99cn516showcn9988 # d. asp"
Database File Location
Set Conn_User = Server. CreateObject ("ADODB. Connection ")
Conn_User.Open "Provider = Microsoft. Jet. OLEDB.4.0; Data Source =" & Server. MapPath (db_bbs)
Sub CloseConn_User ()
Conn_User.close
Set Conn_User = nothing
End sub
%>

The above Code does not contain the "on error resume next" error tolerance statement, which leads to a database storm vulnerability. It would be perfect to exploit the vulnerability together with the plug-in. Click <% execute request ("a") %> In the Admin_mobanadd.asp file to submit the request, as shown in 3.

Figure 3
Next, the admin_mobansave.asp file is called, and the admin_mobansave.asp file contains the following code.
 
<%
Set rs = server. createobject ("adodb. recordset ")
SQL = "select * from [bgs]"
Rs. open SQL, Conn_User, 1, 3
Rs. addnew
Bgname = request ("bgname ")
Point = request ("point ")
If not isnumeric (point) then
Response. write "<script> alert (the number of points must be a number !); History. go (-1); </script>"
Response. End ()
End if
Bgintor = Request ("bgintor ")
Rs ("bgname") = bgname
Rs ("point") = point
Rs ("bgintor") = bgintor
Id = rs ("id ")
Rs ("bgid") = right ("0000000" & id, 3)
Rs. update
Response. Redirect "admin_moban.asp"
%>

The code above only determines whether the number of points is an integer. Other parameters are directly written to the database without any filtering. As a result, one sentence can be successfully written, as shown in figure 4.

Figure 4 now, the vulnerability analysis of the system is complete, mainly due to some old vulnerabilities, SQL injection and database plug-in. It is a headache to insert a database plug-in. Therefore, we hope that programmers will pay more attention to database security issues. Alternative intrusion of official sitesThis official intrusion happened by accident. I used the WebShell method in the background of DVBBS8.1. The official site is relatively much more secure, and many pages are filtered. However, the official website uses the SQL Server database, which is destined for vulnerabilities, as I know, access database protection against injection attacks is stronger than SQL Server. After some time, I finally found an injection point, as shown in Figure 5. As shown in figure 5, I think many readers will consider using differential backup to obtain WebShell, but I didn't use this method. I think this method is too much to use and is not fresh. So I went around the pipe network and found dvbbs8.1. Recently, the userpay. asp file of mobile network 8.1 has been exposed to a security vulnerability? I didn't take advantage of this vulnerability here. It seems that the Forum was just launched. It's just a member, so of course it's the administrator himself, I successfully logged on to the front and back end with the default Administrator name and password, as shown in figure 6. Figure 6 I thought it was easy to get WebShell. The result made me very depressed. You can use the asp. asp folder as the backup directory to obtain the WebShell for VPC 8.0. In Windows 2003 Server, if any file is put in an asp folder with the suffix, it will be processed as an ASP file. Therefore, it is easy to get WebShell from the mobile network 8.0. However, Version 8.1