Aquaboutic | Focus Security Research | Vulnerability Exploit | POC


white hat technology / ideas

Posted by fleschner at 2020-03-31

Author: haha, the most delicious member of the 226 safe team!

Anyway, I asked him to write something miscellaneous, and this is what he wrote. Since the team has no column on Zhihu, I can only post it in my notes and share it with you. It summarizes the common vulnerabilities, and it's very good. (*)


SQL injection vulnerability

Cause: the program does not filter user input, which is substituted directly into the database query, resulting in a SQL injection vulnerability.

Idea: in the URL, test for SQL injection manually with a single quotation mark and with and 1 = 1 / and 1 = 2 statements.

POST injection: for example, enter a single quotation mark in the background login box to test for injection. If an error appears, injection exists; capture the request and finish the injection with tools. (In HTML, submission-type code, especially background logins and comments, is submitted as POST, and POST data is not shown in the URL the way GET data is.)

Other kinds of SQL injection: cookie injection, blind injection, error-based injection, etc.


Enter a single quotation mark for a preliminary judgment. If an error is reported, injection may exist.

Then I guess the real SQL statement being executed is: select * from info where FID = 623

Continue by entering and 1 = 1, then and 1 = 2, to see whether manual injection is possible, that is, whether the page output changes (an error page), rather than just the single-quote error.

Because I posted this from my notes I don't have that screenshot, but I'll type it out. With and 1 = 1 and and 1 = 2 appended, the SQL statement becomes:

select * from info where FID = 623 and 1 = 1

select * from info where FID = 623 and 1 = 2

Such a statement queries the database successfully. In 623 and 1 = 1, and is a logical operator: 623 is true and 1 = 1 is also true, so true and true queries 623 and the page returns normally. 1 = 2 is definitely not equal, so true and false makes the query fail and the page reports an error.

Now that injection has been confirmed, lazy hands just throw it at sqlmap.
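An added example, not from the original post: the page's manual test (single quote, and 1 = 1, and 1 = 2) run in Python against a constructed stand-in for the info table, once with the parameter concatenated into the SQL text and once bound as a parameter. It shows why the two probes return different rows in the vulnerable form and why the bound form never lets the input reach the SQL parser.

```python
import sqlite3

def make_db():
    """Constructed stand-in for the page's info table (FID 623 exists)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE info (FID INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO info VALUES (?, ?)",
                   [(623, "article 623"), (624, "article 624")])
    return db

def query_concat(db, fid):
    """Vulnerable: the URL parameter is pasted into the SQL text, so
    "623 and 1=1" becomes part of the WHERE clause and a lone quote
    breaks the syntax (the page's two manual tests)."""
    sql = "SELECT title FROM info WHERE FID = " + fid
    return [row[0] for row in db.execute(sql)]

def query_param(db, fid):
    """Hardened: the value is bound as a parameter and never parsed as SQL,
    so "and 1=2" cannot change the query's logic. A plain "623" still
    matches because SQLite converts numeric text for an INTEGER column."""
    rows = db.execute("SELECT title FROM info WHERE FID = ?", (fid,))
    return [row[0] for row in rows]

PROBES = ["623", "623'", "623 and 1=1", "623 and 1=2"]

def probe(query_fn):
    """Run the manual-test payloads against one query style and return
    what the application would see: a result list or the error class.
    A difference between the 1=1 and 1=2 rows (or a syntax error on the
    quote) is the tell that user input reached the SQL parser."""
    db = make_db()
    out = {}
    for p in PROBES:
        try:
            out[p] = query_fn(db, p)
        except sqlite3.Error as e:
            out[p] = type(e).__name__
    return out
```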

XSS vulnerability

Principle: the web program parses the user's input as HTML. In other words, when the programmer designs the input and output of the site, user input is not filtered, so malicious code ends up being executed by the web program.

XSS classification: reflected, stored, DOM, Flash (DOM and Flash are less commonly used)

Reflected XSS: wherever there is input and output, without a database in between, just simple input and output. Generally this kind is less harmful, because spreading it requires the attacker to send a constructed malicious URL to you, and it only triggers if you click it. People with security awareness are rarely caught.

Stored XSS: the user's input is stored in the database without filtering. This kind is generally the most harmful and can be used in many ways; with solid knowledge and broad thinking it can be made to do a lot of tricks. At present, though, the most common use is to enter malicious code in the site's message board, wait for the webmaster to view it and take the bait, and steal cookies.

Reflected example:

Reflected (see the URL) in plain words: whatever you eat, you vomit back.

Find php?s=24 (the output below is 1, under test)

It is found that the page content changes when the content of s is changed, so a reflected XSS vulnerability should exist here.

Next, let's construct the commonly used JavaScript pop-up code and see the effect.

It popped up.

Through testing, we found that this is a typical reflected XSS vulnerability.

Stored XSS example:

This is a phishing site with a stored XSS vulnerability.

Then we right-click to take a simple look at the page source.

Looking at the source, we find that the check returns when the claim code is not equal to 98, so the claim code is 98.

After entering the code, a prize page pops up. On this page we can actually type in blindly.

Before starting, find an XSS platform and copy a piece of malicious cookie-stealing code.

The places to insert XSS are mostly the title and content (anything that can output text can be a target), so let's try to insert it.

Insert it into the contact address to test whether it can be inserted (with ">" in front, in case the preceding tag needs to be closed).

#(Here I actually don't recommend this way of inserting, because the format and length limits are all HTML-level restrictions. It's better to capture the packet and insert the XSS code there, so the chance of it landing is greater.)

The submission succeeded here, so wait for the administrator to take the bait.

It seems the administrator of this phishing site is someone who keeps an eye on messages and manages responsibly! Unlike the operations staff of some companies, who don't enter the backend for most of the year. I remember a friend of mine sent a message a few days ago saying mlgbz: a message board he had inserted into two years ago, and he actually received the cookie today...
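An added example (not code from the original post) covering both the reflected and the stored cases above: a minimal message-board renderer in Python, showing a stored payload of the kind described (leading "> to close the attribute it lands in) breaking out when output is not encoded, and the same data rendered inert by escaping on output. The template, field names and messages are constructed for the demonstration.

```python
import html
import re

# Constructed message-board rows. The second carries the kind of payload the
# post describes: a leading "> to close the attribute it lands in, followed
# by the usual pop-up test; the post's cookie-stealing code would sit there.
MESSAGES = [
    {"title": "hello", "contact": "user@example.com", "body": "nice site"},
    {"title": "x", "contact": '"><script>alert(1)</script>', "body": "<b>hi</b>"},
]

def render_unsafe(msg):
    """Vulnerable: stored text is dropped into the HTML verbatim. The contact
    value closes value="" early, and whatever follows runs in the browser
    of whoever views the board, e.g. the administrator (stored XSS)."""
    return ('<input value="%s"><h3>%s</h3><p>%s</p>'
            % (msg["contact"], msg["title"], msg["body"]))

def render_safe(msg):
    """Hardened: every user-controlled value is HTML-escaped on output.
    quote=True also encodes the double quote, which is what stops the
    attribute from being closed; text content is covered by < > &."""
    esc = lambda s: html.escape(s, quote=True)
    return ('<input value="%s"><h3>%s</h3><p>%s</p>'
            % (esc(msg["contact"]), esc(msg["title"]), esc(msg["body"])))

# Detection helper: the template only ever emits input, h3 and p tags,
# so any other tag in the rendered page was introduced by user data.
TAG = re.compile(r"<(?!/?(input|h3|p)\b)[^>]*>", re.I)

def injected_tags(page_html):
    return [m.group(0) for m in TAG.finditer(page_html)]
```

Marking the session cookie HttpOnly additionally keeps document.cookie out of reach of any script that does get injected.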

Parsing vulnerabilities in web middleware: malformed file names get parsed as scripts.

This is not a problem in the development of the program itself.


IIS 6.0

Common combination: Server 2003 + IIS6 (IE6.0)

1. Formats parsed normally: asp, asa, cer

2. Also parsed as script: 1.asp;.jpg | 1.asa;.jpg | 1.cer;.jpg | 1.asp;xxxx.pdf

3. Any file under a 1.asp folder is parsed: for example, if there is a folder named 1.asp in the site directory, any file under it, such as 1.jpg, 1.pdf, 1.doc, 1.abc, will be parsed as an ASP script. Another example is a link:

If the site's middleware is IIS 6.0, the link will be parsed as an ASP script.

Note: when exploiting an upload vulnerability, if you cannot upload an asp file, first try asa and cer, then try a file in 1.asp;.jpg format. If you can control the upload directory, upload test.jpg into a 1.asp directory.

IIS 7.5

Common combination: Server 2008 + IIS7 / IIS7.5

Apache

Commonly vulnerable versions: 2.0.* to 2.2.*

Apache file name parsing: the file name is parsed from right to left. That is, for 1.jpg.pdf Apache recognizes the pdf format first and then jpg; because Apache recognizes pdf, it does not parse the file as jpg. For 1.jpg.abc, Apache checks abc first and then jpg; Apache does not recognize abc, so it parses the file as jpg.

Use: upload 1.php.abc, 1.jpg.abc.php.123.rar (?)

Nginx 0.5.* | 0.6.* | 0.7-0.7.65 | 0.8-0.8.37

Other common middleware:

asp, aspx: IIS 5.0, IIS 6.0, IIS 7.0, IIS 8.0

php: Apache, Nginx, FastCGI

jsp: Tomcat, WebLogic, JBoss, Jetty, GlassFish, Resin, IBM WebSphere

Sibling format of aspx: ashx

Sibling format of jsp: jspx

After manual testing, SQL injection was found, so it was thrown into an injection tool.

However, no tables came out. Later several other injection tools were tried; still no table data.

Then a directory scanner was used and a webdata second-level directory was found. Could it hold a database file?

Continuing to scan that directory turned up the database file webdata/webdata.mdb; after downloading it, the account and password were found inside.

Since the account and password are both available, head for the backend.

The directory scanner found no backend == ! Well, let's do it by hand...

Finally, in the robots.txt of a neighboring site on the same server, the backend path turned out to be in domain-name format. Is the main site the same? Try it!

I didn't expect it to be xx.xx/xx.xx...

Then into the backend.

The site has a strong southern flavor, like eating Lao Gan Ma, so first look for a database function.

Well, no database backup function, so getting a shell through database backup won't work...

However, this site runs IIS 6.0, which has the parsing vulnerability. Luckily an upload point can be found.

Find an upload point; first upload a normal picture to see whether the upload works and whether it returns the path.

Since it works, upload an ASP dama (big webshell).

Direct upload fails. OK, capture the packet and upload that way.

Because the upload path /bookpic/ is known in advance, IIS 6.0's parsing vulnerability is exploited directly, namely

(1.asp;.xx) {xx is the extension of the uploaded file}: append 1.asp; after the folder name and try whether the upload succeeds and gets parsed.

Capture the packet, modify it, and take a look first.

Let's see whether we can connect to this webshell.

The result is good: it is parsed, so this site is taken.

Client-side detection:

Programmers usually use JavaScript to reject illegal file uploads.

Bypass methods:

Firebug plugin: delete the onsubmit event that validates the file extension.

Man-in-the-middle: use Burp Suite. First rename the Trojan to a normal picture extension such as jpg. During upload, intercept the request with Burp Suite and change the jpg extension back to php to get past the client-side check. (Content-Length may also need adjusting.)

No client-side validation is secure. Client-side validation exists to catch user input mistakes and reduce server load; only server-side validation can really defend against attackers.

Server-side detection

Whitelist and blacklist verification

Blacklist filtering: define the file extensions that are not allowed to be uploaded.

Bypass methods for a blacklist:

1. The attacker finds an extension the web developer left out of the blacklist, such as cer.

2. Change the case of the file suffix. For example, if php is in the blacklist, change the suffix to PHP (Windows only).

3. On Windows, if a file name ends with "." or a space, the system silently removes them. This can also bypass blacklist verification (e.g. asp. or "asp " with a trailing space).

Whitelist filtering: define the file extensions that are allowed to be uploaded.

Bypass method for a whitelist: combine with a parsing vulnerability of the web container.

MIME verification

In PHP this is checked through $_FILES['file']['type'].

Bypass method: change the Content-Type to image/jpeg in Burp Suite.

Directory verification

When uploading a file, the program usually lets the user put the file in a specified directory. If that directory exists, the file is written there; if not, the directory is created first and then the file is written.

For example, the front-end HTML contains a hidden tag <input type="hidden" name="extension" value="up" />

and the server side has code like:

if (!is_dir($extension)) { mkdir($extension); }  // create the folder if it does not exist

The attacker uses a tool to change the form value from "up" to "pentest.asp" and uploads a one-line webshell disguised as an image file.

After receiving the file, the program checks the directory. If the server has no pentest.asp directory it creates one, then writes the one-line webshell image into the pentest.asp directory. If the web container is IIS 6.0, the webshell is parsed.

00 truncation upload

In ASP programs the most common case is %00 truncating the characters after it. For example, the upload file name 1.asp%00xxser.jpg.

In practice this is done through the Hex tab in Burp Suite's Repeater.

Truncation upload vulnerabilities appear not only in ASP programs but also in PHP and JSP programs.

0x00 cannot bypass every whitelist-based suffix check; the code's own handling of the file name must be vulnerable to truncation.
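An added example (not the page's or any project's code) serving both the middleware parsing section above and the bypass list here: a Python upload filter that applies the countermeasure for each trick listed (whitelist, canonicalised name, no ';', '/', control bytes or stacked extensions, type decided from magic bytes rather than Content-Type, server-chosen name in a fixed directory). ALLOWED, MAGIC and UPLOAD_DIR are assumed settings.

```python
import os
import secrets

ALLOWED = {"jpg", "png", "gif"}            # whitelist, never a blacklist
MAGIC = {b"\xff\xd8\xff": "jpg", b"\x89PNG\r\n\x1a\n": "png", b"GIF8": "gif"}
UPLOAD_DIR = "/var/www/uploads"  # fixed server-side, never read from a form field

def check_upload(filename, data):
    """Return the server-chosen path for an accepted upload, or raise
    ValueError naming the rule that rejected it. Each rule answers one
    trick from the page: %00 truncation, the IIS 6 ';' and the 1.asp/
    folder, Windows' silent removal of a trailing '.' or space, changing
    php to PHP, Apache's right-to-left stacked extensions, and a spoofed
    Content-Type header."""
    if any(ord(c) < 32 for c in filename):      # covers \x00 truncation
        raise ValueError("control character in name")
    if any(c in filename for c in ";/\\"):
        raise ValueError("separator in name")
    name = filename.rstrip(". ")                # normalise what Windows would strip
    parts = name.lower().split(".")             # case-insensitive comparison
    if len(parts) != 2 or not parts[0]:
        raise ValueError("exactly one extension required")
    ext = parts[1]
    if ext not in ALLOWED:
        raise ValueError("extension not allowed: " + ext)
    sniffed = next((t for m, t in MAGIC.items() if data.startswith(m)), None)
    if sniffed != ext:                          # trust the bytes, not the header
        raise ValueError("content does not match extension")
    return os.path.join(UPLOAD_DIR, secrets.token_hex(8) + "." + ext)

def reject_reason(filename, data):
    """Convenience wrapper: the rejection message, or None if accepted."""
    try:
        check_upload(filename, data)
        return None
    except ValueError as e:
        return str(e)
```

The stored file should also live in a directory where the web server has script execution disabled, which takes the parsing vulnerability out of play even if a check is wrong.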

Bypassing the password recovery function (arbitrary password reset, etc.)

The program decides that the requester is the genuine user based on a verification code, and the attacker can bypass it by capturing packets, modifying packets, brute force, etc. (causes: front-end verification, the code included in the data packet, etc.)

Thinking: use fuzz testing to find such vulnerabilities.

Example: arbitrary password reset at a college

Step 1 (retrieve password) > view the source code

Follow nextdo2

The key is the jump to step 2.

If data.status equals 0 it jumps to step 2; otherwise you are told that the verification code is incorrect!

As long as status equals 0 it jumps to step 2, so modify the response through Burp.

After the packet is forwarded, the verification is bypassed and the password is changed directly, forming an arbitrary password reset vulnerability.

Prevention idea: the response data must not contain the verification code, and verification should mainly be done on the back end.
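An added example, not the college's code or anything from the original post: a Python sketch of the prevention idea above, where the step-1 response carries only a status, the code is checked server-side with a lockout, and step 2 accepts only a server-issued one-time token. The stores, field names and limits are assumed.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stores standing in for the application's database.
RESETS = {}            # username -> {"code_hash", "expires", "tries"}
TOKENS = {}            # one-time reset token -> username
MAX_TRIES, TTL = 5, 600

def _h(code):
    return hashlib.sha256(code.encode()).hexdigest()

def start_reset(user, now=None):
    """Step 1: create a code and store only its hash. The browser response
    is just a status; the code itself leaves only over the out-of-band
    channel (SMS/e-mail), which this simulation returns as the second value."""
    now = time.time() if now is None else now
    code = "%06d" % secrets.randbelow(10**6)
    RESETS[user] = {"code_hash": _h(code), "expires": now + TTL, "tries": 0}
    return {"status": 0}, code

def verify_code(user, code, now=None):
    """Server-side check of step 1. Wrong codes count toward a lockout, and
    success returns a fresh one-time token that step 2 must present."""
    now = time.time() if now is None else now
    rec = RESETS.get(user)
    if rec is None or now > rec["expires"]:
        return {"status": 1, "msg": "no active reset"}
    if rec["tries"] >= MAX_TRIES:
        return {"status": 1, "msg": "too many attempts"}
    rec["tries"] += 1
    if not hmac.compare_digest(rec["code_hash"], _h(code)):
        return {"status": 1, "msg": "verification code incorrect"}
    del RESETS[user]
    token = secrets.token_urlsafe(32)
    TOKENS[token] = user
    return {"status": 0, "reset_token": token}

def set_new_password(token, new_password):
    """Step 2 trusts only the server-issued token. Editing the step-1
    response so that data.status == 0 (the page's Burp trick) produces
    no token, so the change is refused."""
    user = TOKENS.pop(token, None)
    if user is None:
        return {"status": 1, "msg": "invalid or used token"}
    return {"status": 0, "user": user}   # a real app would hash and store new_password here
```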

Arbitrary amount modification

By tampering with the packet, the price of purchased goods can be made negative (the amount is transmitted in clear text without back-end verification, which produces a whole series of arbitrary amount modification vulnerabilities).


Register, place an order, go to pay and choose Lakala as the payment method.

Intercept the HTTP request and change the POST amount data.

Arriving at the payment page,

the amount has been modified, and there is no prompt that the modification is invalid.

Prevention: back-end verification, encrypted transmission of the data packet.
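An added example (not the shop's or Lakala's code): in Python, the vulnerable form that charges the client-supplied amount beside a hardened form that recomputes the total from a constructed server-side catalogue and signs the figure before it is passed to the payment gateway. CATALOG, the request layout and the secret are assumptions.

```python
import hashlib
import hmac
from decimal import Decimal

# Constructed catalogue; in the shop this is the product table.
CATALOG = {"book-101": Decimal("39.00"), "pen-7": Decimal("5.50")}

def charge_unsafe(req):
    """Vulnerable: the amount in the POST body is charged as received, so
    a packet edited to a negative or reduced figure is accepted."""
    return Decimal(req["amount"])

def charge(req):
    """Hardened: the total is recomputed from server-side prices. A client
    amount, if present at all, is only cross-checked and a mismatch is
    rejected (and worth logging as a tampering attempt)."""
    total = Decimal("0")
    for item in req["items"]:
        if item["sku"] not in CATALOG:
            raise ValueError("unknown sku")
        qty = int(item["qty"])
        if qty <= 0:
            raise ValueError("bad quantity")
        total += CATALOG[item["sku"]] * qty
    if "amount" in req and Decimal(req["amount"]) != total:
        raise ValueError("client amount %s != server total %s" % (req["amount"], total))
    return total

def charge_or_reason(req):
    """Total on success, otherwise the rejection message."""
    try:
        return charge(req)
    except ValueError as e:
        return str(e)

def sign_payment(order_id, amount, secret):
    """Bind order id and amount with an HMAC before handing off to the
    payment gateway, so the figure cannot be edited in transit."""
    msg = ("%s|%s" % (order_id, amount)).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def verify_callback(order_id, amount, sig, secret):
    """Check that the gateway callback carries the amount that was signed."""
    return hmac.compare_digest(sign_payment(order_id, amount, secret), sig)
```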

Unauthorized access (ultra vires) vulnerability

Main cause: when adding, deleting, modifying and querying data, the developer trusts the data requested by the client too much and omits the permission check (limited to the data behind the vulnerable function).

Train of thought:

Where such vulnerabilities may exist: anywhere that operates on the database.

Check the code: if the id is among the numbers in the array, the account password is displayed; otherwise an error message is output.

Once you know the administrator's ID, change the URL to query the account password.

Of course, there are many other variants, such as bypassing through cookies.
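An added example, not code from the original post: the page's id-in-array check in Python beside a version that decides from the server-side session whether the requester may read the requested row. The USERS table and role names are constructed.

```python
# Constructed user table; "id" is what the vulnerable URL parameter selects.
USERS = {
    1: {"name": "admin", "password_hash": "h-admin", "role": "admin"},
    7: {"name": "alice", "password_hash": "h-alice", "role": "user"},
    9: {"name": "bob",   "password_hash": "h-bob",   "role": "user"},
}

def get_account_unsafe(requested_id):
    """Vulnerable: mirrors the page's check. The only test is whether the id
    exists in the array, so any visitor can read the admin's row, password
    material included, by changing the id in the URL."""
    if requested_id in USERS:
        return USERS[requested_id]
    return {"error": "no such id"}

def get_account(session_user_id, requested_id):
    """Hardened: authorization is decided from the server-side session, not
    from anything in the request. A user may read only their own row and
    admins may read any; a refusal is worth logging, since a logged-in user
    asking for someone else's id is exactly the probe the page describes."""
    actor = USERS.get(session_user_id)
    if actor is None:
        return {"error": "not logged in"}
    if requested_id not in USERS:
        return {"error": "no such id"}
    if session_user_id != requested_id and actor["role"] != "admin":
        return {"error": "forbidden"}
    row = USERS[requested_id]
    return {"id": requested_id, "name": row["name"]}   # never the password hash
```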

All right, that's it!

It was hard to post an article of over 1 MB; the page kept freezing. Finally, as a consolation:

226safe team official group: 2399210.