A couple of days ago I was preparing to join Blue Shield (landun), so I posted on their BBS, and unexpectedly "the day wave" agreed. Since he agreed, I now counted as one of Blue Shield's own people, and for the security of our own website I decided to carry out a security review of it.
First, I knew this was certainly a rented virtual host. As far as host-level vulnerabilities go, I believed the hosting company's own people would have done a good job, so I did not try to get at the host itself and started with the web CGI programs instead. I looked at the BBS first; it is Dvbbs (动网). The version was already quite recent, so one could say the program itself has no vulnerability. I checked the database: it had not been renamed, and requesting http://www.landun.org/bbs/data/ returned response code 403, so the database folder had not been moved either (here a 403 response means access is forbidden; a request for a directory is generally refused like this, whereas a 404 would mean the folder or file does not exist). However, I saw on the WAWA forum someone saying that you could change any user's password directly. I am not very familiar with ASP myself, and my earlier analysis produced no result; I only know that /bbs/reg_upload.asp performs no verification at all and lets you upload image files, which probably has no use now. Then I turned to the main site to see whether it had any CGI programs. I found that they use the Xiaoran news and article publishing system, so I downloaded a copy and analyzed it for a long time. I discovered that if you request /xiaoran/cgi-bin/xiaoran/data/user.cgi, it may expose some ordinary users' usernames and passwords. The result is as follows:
Number found where operator expected at d:\inetpub\wwwroot\xiaoran\cgi-bin\xiaoran\data\user.cgi line 1, near "aaa 111"
(Do you need to predeclare aaa?)
See? The username is aaa, the password is 111. But here is the catch: this is only possible when the CGI script mapping uses `perl.exe %s %s`. If it uses perlis.dll there is no such problem; the error that comes out is instead: .........(omitted) script produced no output. And this site's CGI mapping happens to use perlis.dll, so it does not have this vulnerability; all I learned was the physical path of the scripts. So there was nothing more for me to study there.
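As an added example (not from the original article), the following Python audit script models the problem just described from the defender's side: it walks a web root and flags files with an interpreter-mapped extension (.cgi, .pl) whose content is stored records rather than Perl code, since a `perl.exe` mapping will try to execute such a file and echo its contents in the parse error. The web root, the classification heuristics and the sample files are constructed assumptions; the same check covers per-user data directories like the guestbook's gb/data discussed later on this page.

```python
import re
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# Extensions the server hands to the Perl interpreter (assumed .cgi/.pl mapping).
SCRIPT_EXTS = {".cgi", ".pl"}
# First non-blank line that looks like Perl code (shebang, comment, variable, use/my/sub...).
PERL_CODE_RE = re.compile(r"^\s*(#|[$@%]\w|use\s|my\s|our\s|package\s|sub\s|require\s|1;)")
# "user password" record shape, like the "aaa 111" echoed in the parse error (heuristic).
CRED_RECORD_RE = re.compile(r"^\s*\S+\s+\S+\s*$")

def classify_file(path: Path) -> Optional[str]:
    """Return a finding label for one file, or None when it looks safe."""
    if path.suffix.lower() not in SCRIPT_EXTS:
        return None  # not handed to the interpreter, so no parse-error leak
    first = next((ln for ln in path.read_text(errors="replace").splitlines() if ln.strip()), "")
    if PERL_CODE_RE.match(first):
        return None  # real code or a genuine Perl data file: parses without echoing records
    if CRED_RECORD_RE.match(first):
        return "credential-like record stored under an executable extension"
    return "non-code content stored under an executable extension"

def audit_webroot(root: Path) -> List[Tuple[str, str]]:
    """Walk the web root and collect (relative path, finding) pairs."""
    findings = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            label = classify_file(p)
            if label:
                findings.append((p.relative_to(root).as_posix(), label))
    return findings

def run_demo() -> List[Tuple[str, str]]:
    """Build a constructed web root (sample files, not a real site) and audit it."""
    root = Path(tempfile.mkdtemp())
    samples = {
        "cgi-bin/xiaoran/index.cgi": "#!/usr/bin/perl\nprint \"ok\\n\";\n",
        "cgi-bin/xiaoran/data/user.cgi": "aaa 111\n",         # record, not code
        "gb/data/moderator/97.pl": "$name = 'guest';\n1;\n",  # genuine Perl data file
        "bbs/data/notes.txt": "aaa 111\n",                     # not interpreter-mapped
    }
    for rel, body in samples.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    return audit_webroot(root)

if __name__ == "__main__":
    print(run_demo())
```

Only the data file in the constructed tree is reported; the real fix is to keep such records outside the web root or deny the data directory at the server, not merely to rely on a perlis.dll mapping swallowing the error.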
Looking further, there is also a guestbook written in CGI. Going in, I found it is AGB II V1.3 (version 1.2 has this problem too). I searched on google.com and found many websites online using this guestbook; it is very popular. So I found a copy of the same version and started analyzing the source code. After a long analysis: its verification of admin operations is very good, using a COOKIE or verifying directly against the password, and I can say that part has no vulnerability (at least I did not find one; my level is limited, and if anyone has found something I hope we can compare notes). After that setback, I read the gbook/user/ directory. This directory is exactly where the usernames and passwords of the various moderators who applied for guestbooks are stored. I tested it on my own machine and found it can be used; the method is similar to the earlier system-function vulnerability in BBS3000 and LB5000. So I went to apply for a guestbook on landun, but "the day wave" had simply deleted register.cgi. Then there was nothing to be done.
After all these setbacks, I looked at the guestbook's database. It is stored under gb/data/$username (note: here I write $username in Perl variable notation for convenience of reference; in actual operation you must substitute the real value, for instance if the guestbook's moderator is "the day wave", then $username = the day wave). I left a random message on my own machine and found that each message is stored with the filename $num.pl ($num is used in the same sense as $username, but here it is not the moderator's name but the number of the current message; for instance if the current message is the 97th, its number might be 97, but it might not be, for instance if the moderator has deleted some, in any case it is roughly in the range around 97. So here $num.pl might be 97.pl). The format is: