Originally, I came from the article, but because of the manuscript, I couldn't enter the magazine. In addition, some people recently left messages on the website and said that they were speculating on the problem of Lan Yu, so I made public the vulnerability warning. The official has patched all the versions. Of course, some websites still have SQL injection vulnerabilities, so all the consequences have nothing to do with me and the BCT team.
I'm bored recently, so I'm walking around the Internet. I found that there are more and more complete station systems nowadays, and there are many modified versions and so on! There are more and more users of Lanyu Design’s entire station. Lanyu’s entire station system is modified from NOWA 0.94! The NOWA-based system not only refers to Blue Rain, but also many more! I won't list them one by one here. The cores are the same, but the additional functions of the program are different! In terms of security, because of NOWA-based system, the only vulnerability known so far is upload. The following article will see the SQL injection vulnerability that has never been seen in the NOWA modification system vulnerability! It’s just that Lan Yu didn’t do the injection problem when modifying the program! I can't blame this! Who told programmers not to pay attention to safety blind spots?
1. Determine the injection point
We will use the official website for testing, because we are worried that the version provided outside is not the latest version, which leads to differences in the correctness of the article. First, we submit http://***.net/?action=art&art_id=70 and 1=1 to return the following information.
Enter again
http://***.net/?action=art&art_id=70%20and%201=2 Return the following information
From the standard SQL injection point detection and1=1 and and 1=2d information return, it can be seen that there is SQL injection in the comments of this program for the two pictures, because the modified versions based on NOWA are now based on the ACCESS database architecture, so we can further determine the database type of this program.
2. Guess the database table
Because I am lazy, I have to borrow NBSI to perform SQL injection. How do you know if it is because NBSI is too powerful and cannot kill a chicken. It actually couldn't detect that there was SQL injection in the SQL injection point I found! It was really amazing (HaK_BaN: Is it really... I really have to inject T_T manually) NBSI is too shameful! So I had to bite the bullet and do manual injection. First guess whether the admin table exists in the database table. Construct statement submission
http://***.net/?action=art&art_id=70%20and%200????(select%20count(*)%20from%20admin) The database administrator table in the current program is not names such as admin, adminuser user, etc., so we can know as long as we grasp the psychology of the program author. After submitting the statement, the page returns normally, and we can confirm that the admin table exists in the database. We just need the admin password and account number, so other tables in the database can be ignored.
3. Guess the database field
Before guessing, in order to reduce more trouble and unnecessary guessing, we should collect some information about the intruded website, such as the administrator's QQ and the web name used by the administrator, because we usually use easy-to-memorize passwords and accounts so that we can not forget them. After finding the article page and other function pages, I couldn’t find the QQ number of the article editor and administrator. I had to search in BBS. Fortunately, we found the user name "Blue Rain" in BBS. In this way, when we wait and guess the admin account, we can try the Chinese name or pinyin letters. (HaK_BaN: I once saw through PLMM’s personality and birthday with a name on MSN. Everyone should pay attention to the importance of social engineering)
Let's take a look at what the administrator field of this program is! ? First, guess the submission statement that is name is as follows http://***.net/?action=art&art_id=70%20and%201=(select%20count(*)%20from%20admin%20where%20len(name)??0) (HaK_BaN:*_* is not! It is not a NAME field) After submitting the statement, the information return page is displayed abnormally, and it is confirmed that there is no field name name in the admin table. It seems that I have to think about how to guess. Since the name field is not good, try the admin_name field is OK! Construct the guess field statement again: http://***.net/?action=art&art_id=70%20and%201=(select%20count(*)%20from%20admin%20where%20len(admin_name)??0) (HaK_BaN: I'm OK now, right? I've taken a step further!) After submitting the statement, the page returns normally, and now it's OK.
Then, we start guessing the fields of password. In fact, when we look at the above echo, we can say that the password field is admin_password with great certainty, so the submitted statement is http://***.net/?action=art&art_id=70%20and%201=(select%20count(*)%20from%20admin%20where%20len(admin_password)??0) The information echo is normal, right! ? Hahaha
Speaking of this, the whole guess is almost over! (Rookie: What? Is there an account and password? Are you stupid?) Guessing the password and account is even more troublesome and time-consuming! OK, let’s take a look at the guesswork of the account and password? First, let’s guess the length of the account! Suppose we have already obtained the account name commonly used by administrators, "Blue Rain", which is the administrator account. We have two possibilities: one is the pinyin of Lanyu "lanyu", and the other is the Chinese of Lanyu converted to ASCII code to guess. Let's first try the possibility of pinyin. If this is the case, we need to construct the length of admin_name to be 5, so the submission statement is http://***.net/?action=art&art_id=70%20and%201=(select%20count(*)%20from%20admin%20where%20len(admin_name)??5) The page information returned cannot be displayed normally. Then submit /?action=art&art_id=70%20and%201=(select%20count(*)%20from%20admin%20where%20len(admin_name)??4) This sub-page is normal! Then submit the statement again as http://***.net/?action=art&art_id=70%20and%201=(select%20count(*)%20from%20admin%20where%20len(admin_name)=5) We can determine that the length of admin_name is 5. The length of the account has come out, but we don’t know the length of the password. According to the information collection, we learned that the password is encrypted using MD5 16-bit, so we can guess that the password length is 16-bit! Submit statement http://***.net/?action=art&art_id=70%20and%201=(select%20count(*)%20from%20admin%20where%20len(admin_password)=16) I won't take a screenshot here! We can basically know! The account length is 5 digits and the password length is 16 digits. (HaK_BaN: To be honest, I haven’t had a manual operation for a long time, and I almost have a back pain!) As for the account number and password, I won’t list it anymore! After testing the social engineering, the administrator account obtained just now is: lanyu is correct! The password is indeed MD516-bit encryption. The whole process can be injected using CSC that is stinky beggar!
4. Summary
There are several SQL injection pages for the entire program, all of which are based on the function pages added by Lanyu site itself, which are caused by the failure to do related SQL injection. If you are using this program, you can use a general injection prevention script to prevent it. Although MD5 requires brute force cracking, if you really offend people, don’t say cracking. Maybe your website will be completely clean by others. Network security is a very important part. I hope everyone will not underestimate the security link! If there are any errors in the above article, please point out if you have any problems. If you have any questions, you can go to a non-safe forum or BCT group to find me!
I'm bored recently, so I'm walking around the Internet. I found that there are more and more complete station systems nowadays, and there are many modified versions and so on! There are more and more users of Lanyu Design’s entire station. Lanyu’s entire station system is modified from NOWA 0.94! The NOWA-based system not only refers to Blue Rain, but also many more! I won't list them one by one here. The cores are the same, but the additional functions of the program are different! In terms of security, because of NOWA-based system, the only vulnerability known so far is upload. The following article will see the SQL injection vulnerability that has never been seen in the NOWA modification system vulnerability! It’s just that Lan Yu didn’t do the injection problem when modifying the program! I can't blame this! Who told programmers not to pay attention to safety blind spots?
1. Determine the injection point
We will use the official website for testing, because we are worried that the version provided outside is not the latest version, which leads to differences in the correctness of the article. First, we submit http://***.net/?action=art&art_id=70 and 1=1 to return the following information.
Enter again
http://***.net/?action=art&art_id=70%20and%201=2 Return the following information
From the standard SQL injection point detection and1=1 and and 1=2d information return, it can be seen that there is SQL injection in the comments of this program for the two pictures, because the modified versions based on NOWA are now based on the ACCESS database architecture, so we can further determine the database type of this program.
2. Guess the database table
Because I am lazy, I have to borrow NBSI to perform SQL injection. How do you know if it is because NBSI is too powerful and cannot kill a chicken. It actually couldn't detect that there was SQL injection in the SQL injection point I found! It was really amazing (HaK_BaN: Is it really... I really have to inject T_T manually) NBSI is too shameful! So I had to bite the bullet and do manual injection. First guess whether the admin table exists in the database table. Construct statement submission
http://***.net/?action=art&art_id=70%20and%200????(select%20count(*)%20from%20admin) The database administrator table in the current program is not names such as admin, adminuser user, etc., so we can know as long as we grasp the psychology of the program author. After submitting the statement, the page returns normally, and we can confirm that the admin table exists in the database. We just need the admin password and account number, so other tables in the database can be ignored.
3. Guess the database field
Before guessing, in order to reduce more trouble and unnecessary guessing, we should collect some information about the intruded website, such as the administrator's QQ and the web name used by the administrator, because we usually use easy-to-memorize passwords and accounts so that we can not forget them. After finding the article page and other function pages, I couldn’t find the QQ number of the article editor and administrator. I had to search in BBS. Fortunately, we found the user name "Blue Rain" in BBS. In this way, when we wait and guess the admin account, we can try the Chinese name or pinyin letters. (HaK_BaN: I once saw through PLMM’s personality and birthday with a name on MSN. Everyone should pay attention to the importance of social engineering)
Let's take a look at what the administrator field of this program is! ? First, guess the submission statement that is name is as follows http://***.net/?action=art&art_id=70%20and%201=(select%20count(*)%20from%20admin%20where%20len(name)??0) (HaK_BaN:*_* is not! It is not a NAME field) After submitting the statement, the information return page is displayed abnormally, and it is confirmed that there is no field name name in the admin table. It seems that I have to think about how to guess. Since the name field is not good, try the admin_name field is OK! Construct the guess field statement again: http://***.net/?action=art&art_id=70%20and%201=(select%20count(*)%20from%20admin%20where%20len(admin_name)??0) (HaK_BaN: I'm OK now, right? I've taken a step further!) After submitting the statement, the page returns normally, and now it's OK.
Then, we start guessing the fields of password. In fact, when we look at the above echo, we can say that the password field is admin_password with great certainty, so the submitted statement is http://***.net/?action=art&art_id=70%20and%201=(select%20count(*)%20from%20admin%20where%20len(admin_password)??0) The information echo is normal, right! ? Hahaha
Speaking of this, the whole guess is almost over! (Rookie: What? Is there an account and password? Are you stupid?) Guessing the password and account is even more troublesome and time-consuming! OK, let’s take a look at the guesswork of the account and password? First, let’s guess the length of the account! Suppose we have already obtained the account name commonly used by administrators, "Blue Rain", which is the administrator account. We have two possibilities: one is the pinyin of Lanyu "lanyu", and the other is the Chinese of Lanyu converted to ASCII code to guess. Let's first try the possibility of pinyin. If this is the case, we need to construct the length of admin_name to be 5, so the submission statement is http://***.net/?action=art&art_id=70%20and%201=(select%20count(*)%20from%20admin%20where%20len(admin_name)??5) The page information returned cannot be displayed normally. Then submit /?action=art&art_id=70%20and%201=(select%20count(*)%20from%20admin%20where%20len(admin_name)??4) This sub-page is normal! Then submit the statement again as http://***.net/?action=art&art_id=70%20and%201=(select%20count(*)%20from%20admin%20where%20len(admin_name)=5) We can determine that the length of admin_name is 5. The length of the account has come out, but we don’t know the length of the password. According to the information collection, we learned that the password is encrypted using MD5 16-bit, so we can guess that the password length is 16-bit! Submit statement http://***.net/?action=art&art_id=70%20and%201=(select%20count(*)%20from%20admin%20where%20len(admin_password)=16) I won't take a screenshot here! We can basically know! The account length is 5 digits and the password length is 16 digits. (HaK_BaN: To be honest, I haven’t had a manual operation for a long time, and I almost have a back pain!) As for the account number and password, I won’t list it anymore! After testing the social engineering, the administrator account obtained just now is: lanyu is correct! The password is indeed MD516-bit encryption. The whole process can be injected using CSC that is stinky beggar!
4. Summary
There are several SQL injection pages for the entire program, all of which are based on the function pages added by Lanyu site itself, which are caused by the failure to do related SQL injection. If you are using this program, you can use a general injection prevention script to prevent it. Although MD5 requires brute force cracking, if you really offend people, don’t say cracking. Maybe your website will be completely clean by others. Network security is a very important part. I hope everyone will not underestimate the security link! If there are any errors in the above article, please point out if you have any problems. If you have any questions, you can go to a non-safe forum or BCT group to find me!