Author: Xuanmao
Website: /&/
Original:/
Please respect the copyright when reprinting. Published in HeiX2005, Issue 7.
1. Preface
I first came across Feicheng in 2002. At that time it had just launched something called, as far as I recall, Feicheng Post Office, which offered 280M of space (a lot back then). When I was studying SQL injection I used it for practice. The site has grown a great deal since, so I took another look and found vulnerabilities everywhere, which made it quite interesting. Each system on the site has its own character: there is .net, php and asp. I really don't know how many people pieced it together bit by bit, or what kind of server they run; it is strange. In fact, one can see how unprofessional the technical work is: judging from the results of the scan, the vulnerabilities are very naive. Alright, let me go through some of the typical vulnerabilities I found one by one (I won't cover the SQL injection vulnerabilities, because the cat is too lazy to hunt for injection points; you can look for them yourself. There are many, but error messages are turned off), and try to cover most of the common web application vulnerabilities along the way.
2. Introduction to website program vulnerabilities.
Xuanmao's habit is to look at the account-management functions first. The vulnerabilities found there are generally the most dangerous.
1. The password retrieval is not strictly validated, resulting in a vulnerability to modify any user's password.
Everyone forgets a password sooner or later. A password recovery function is of course "standard equipment" for any web application with member management nowadays, but it is also prone to a big mistake: verification that is not strict. Let's take a look:
Register a user with the user name BlackCat, then click the "Forgot Password" button on the homepage and follow the program's flow: first enter the user name, then answer the security question, then set a new password (reader: another author padding the manuscript for fees). We saved this third-step page and opened it in UltraEdit to read the source. At line 118 we saw the code <input name="g_username" type="hidden" value="blackcats"/>. For readers who do not know HTML, here is what it means: this is a hidden text field whose value is blackcats, that is, the user name whose password is being reset. Because a hidden field is not displayed on the page, many programmers use it to pass parameters, but using it here leads to an extremely serious vulnerability. To illustrate, we register another user called "BlackWoods" with the password 123456. After registration succeeds, we edit the page file we saved locally: change value="blackcats" to value="BlackWoods", and change the action="getpassword_2.aspx" on line 93 of the file to action=" ****.com/reg/ getpassword_2.aspx". Open this local page, enter 654321 as the new password and submit. The modification succeeds. Logging in as BlackWoods with the password 123456 now fails; logging in with 654321 succeeds. This is a serious vulnerability that allows any user's password to be changed at will, all because of poor verification.
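To make the defect concrete, here is an added Python sketch of the reset flow (not code from the article or from the site): the vulnerable step 3 trusts the hidden g_username field, while the hardened version binds the reset to a server-side token issued only after the security answer is verified. The user store, secret answers and token handling are constructed for this example.

```python
import secrets

# Constructed in-memory user store; names follow the article, values are made up.
# Passwords are kept in plaintext only to keep the example short.
USERS = {
    "blackcats": {"password": "abcdef", "answer": "cat"},
    "BlackWoods": {"password": "123456", "answer": "tree"},
}

# Server-side reset sessions (token -> username), created only after step 2.
RESET_SESSIONS = {}

def check_login(username, password):
    user = USERS.get(username)
    return user is not None and user["password"] == password

def reset_password_hidden_field(form):
    """Vulnerable step 3 as the article describes it: the account to reset is
    read from the hidden g_username field, which the client fully controls."""
    user = USERS.get(form["g_username"])
    if user is None:
        return False
    user["password"] = form["new_password"]
    return True

def start_reset(username, answer):
    """Hardened step 2: verify the secret answer, then bind the reset to the
    username on the server by issuing an opaque single-use token."""
    user = USERS.get(username)
    if user is None or user["answer"] != answer:
        return None
    token = secrets.token_urlsafe(32)
    RESET_SESSIONS[token] = username
    return token

def reset_password_with_token(form):
    """Hardened step 3: the username comes from the server-side session, so a
    tampered or missing g_username field has no effect. Tokens are consumed."""
    username = RESET_SESSIONS.pop(form.get("token", ""), None)
    if username is None:
        return False
    USERS[username]["password"] = form["new_password"]
    return True
```

The same principle applies whether the token lives in a server session, a signed cookie or a database row: the identity being reset must never come from a field the client can edit.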
Let’s take a look at the loopholes in the services it provides.
2. Cross-site scripting vulnerabilities in web content.
First, let's look at the Yuji service. Generally speaking, for something like Yuji, where one person writes and many people read, we have to consider XSS (cross-site scripting) vulnerabilities. (Don't underestimate cross-site scripting. I believe Radiation Fish has done a lot of research here; besides stealing cookies, he often proposes stronger uses, such as submitting operations directly through the administrator's forms. See the previous issues of the magazine.) In what follows we use the code <script>alert("Xuanmao, Xuanmao, Xuanmao is going to take the college entrance examination")</script> to test whether our JavaScript can be made to run on the page.
We open the page for writing a Yuji entry and first test whether the content field allows cross-site script: fill in a title, put <script>alert("Xuanmao, Xuanmao, Xuanmao is going to take the college entrance examination")</script> in the content, and then go and look at the result. It is not hard to see that the script we wrote has been replaced with s cript. (Figure 1)
A space has been inserted in the middle, so we try changing the case and write the content as <Script>alert("Xuanmao, Xuanmao, Xuanmao is going to take the college entrance examination")</script>, but that still does not work. It seems we need a workaround, so we look for other fields that are echoed back to the page. What about the title? Some readers will object that the title only allows 10 characters, which is not enough. Let's save the file locally and study the form validation. There is the code <FORM id=frmAnnounce name=frmAnnounce onsubmit="return checkform();">, and it is not hard to see that the function triggered by this onsubmit is the one that checks the length of the title. We delete onsubmit="return checkform();", fill in the full action URL, put <script>alert("Xuanmao, Xuanmao, Xuanmao is going to take the college entrance examination")</script> in the title, write something arbitrary in the content and submit. On the refreshed page our dialog box pops up elegantly, and the cross-site test succeeds. (Figure 2)
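The two mistakes here, a blacklist filter applied to only one field and a length check enforced only in client-side JavaScript, are shown side by side in this added Python example (not code from the article or from the site); the filter behaviour and the title limit of 10 characters are reconstructed from what the article observed, and the render functions are constructed for illustration.

```python
import html
import re

TITLE_MAX = 10  # client-side title limit the article mentions (assumed value)

def naive_content_filter(text):
    """The filter the article observed: break the word 'script' by inserting a
    space. Case-insensitive, since the article found changing case did not help."""
    return re.sub(r"(?i)(s)(cript)", r"\1 \2", text)

def render_post_naive(title, content):
    """Vulnerable pattern: only the content field is filtered; the title is
    trusted because a client-side onsubmit handler limited its length."""
    return f"<h1>{title}</h1><div>{naive_content_filter(content)}</div>"

def render_post_safe(title, content):
    """Hardened: enforce the length limit on the server, then HTML-encode every
    user-supplied field at output, no matter which field it came from."""
    if len(title) > TITLE_MAX:
        raise ValueError("title too long")
    return f"<h1>{html.escape(title)}</h1><div>{html.escape(content)}</div>"

def contains_script_tag(rendered):
    """Detection helper: does a live <script> tag survive in the rendered page?"""
    return re.search(r"<\s*script\b", rendered, re.I) is not None
```

Encoding at output closes the hole for every field at once, whereas a blacklist has to be re-applied to each new input the page ever echoes.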