MYHACK58:62200924531

How to hack SSS scanning tools - vulnerability warning - the black bar safety net (myhack58)

2009-09-04 00:00:00
佚名 (Anonymous)
www.myhack58.com

I have really been too busy lately: on one hand finishing up the network security research topics for the school exchange, on the other hand cleaning up malicious websites online. My beloved machine has been running non-stop alongside me with hardly any rest; luckily it is a dual-Xeon server, ha. One day I suddenly wanted to use SSS, so I immediately downloaded a copy from the black-and-white network. The result after registering left me dumbfounded: this SSS turned out to use network authentication, and the registration file generated by the KeyGen could not pass the check. Then I remembered that issue 05 of Hacker Online had an article introducing SSS, so I went and had a look. I should not have: after reading it I almost jumped from the sixth floor. The magazine said: "Faced with the problem that SSS cannot be cracked, we use the virtual-machine restore method..." I was truly desperate. It seemed that many experts were already helpless against this SSS, so what could I do? Was this really all there was?
However, I just refuse to believe in evil, and I had to get this SSS broken. Brute force? Unlikely. Some other method? I am not a reverse engineer; I never learned that in my hacking days. Or just give up and forget about SSS altogether?

A flexible crack

First, we still use the old method: generate a registration file with the KeyGen. This registration file is not a panacea, but without it nothing works at all. Fill in the registration information and click Generate.
Well, let us set it aside for the moment and let it cool off. What did we generate it for? Hold on, we will use it in a minute.
Next, I must mention one thing: the hosts file. Everyone knows this file, right? Its function is to replace DNS domain name resolution so that sites can be reached faster, and in lookups it takes priority over any DNS server on the network. So as long as you modify the hosts file, you can "hijack" a domain name. Many friends find that even when they type the correct URL they land on some malicious website, and most of the time the reason is that this file has been modified. Note that this file has no extension and lives under %windir%\system32\drivers\etc on Windows 2000/XP/2003. Open it with Notepad and add this line:
127.0.0.1 www.safety-lab.com
www.safety-lab.com is the official SSS site. We do this to deceive SSS into connecting to our own machine. My Sniffer capture showed that during registration verification, SSS submits the user data to http://www.safety-lab.com/update/db/keys.php, and when validation fails the server returns 1. Experienced friends can see at a glance that SSS presumably relies on this return value to decide whether the user is legitimate. That is, as long as this value becomes 0, we can register successfully.
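As an added example (not from the article), here is a small Python check a defender can run over a hosts file to find names that the file pre-empts from DNS; the sample hosts text is constructed. It also shows the two behaviours the article relies on: a leading '#' disables a line, and www.safety-lab.com and safety-lab.com are distinct names.

```python
import ipaddress

# Constructed sample hosts file (not captured from a real machine).
SAMPLE_HOSTS = """\
# constructed sample of %windir%\\system32\\drivers\\etc\\hosts
127.0.0.1       localhost
127.0.0.1       www.safety-lab.com     # entry the article adds
#127.0.0.1      update.vendor.test     # disabled by a leading '#'
10.0.0.5        www.vendor.test  cdn.vendor.test
"""

def parse_hosts(text):
    """Return (ip, hostname) pairs for every active entry.

    Anything after '#' is a comment, blank lines are skipped, one line may
    name several hosts, and malformed addresses are ignored as Windows does.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for host in fields[1:]:
            entries.append((str(ip), host.lower()))
    return entries

def preempted_names(text, watch):
    """Map each watched hostname to the address the hosts file forces on it.

    A hostname listed here never reaches DNS, so an entry for a vendor's
    licence or update server means the client talks to whatever sits at that
    address (here loopback) instead of the vendor. Matching is exact:
    www.safety-lab.com and safety-lab.com are different names.
    """
    watched = {h.lower() for h in watch}
    return {host: ip for ip, host in parse_hosts(text) if host in watched}
```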
Someone will ask: how do you know that returning 0 means registration succeeded? Could it not be some other number? Honestly, half of this was guesswork and half was derived through social engineering. Sometimes playing hacker does not only take technology; it also takes a little luck.
Now we set up a Web server. Since everyone is a Windows user, IIS will do. The IIS configuration below is done on 2003; 2000/XP/Vista may differ, so please consult the relevant documentation. Go to the site's Properties -> Home Directory -> Configuration -> Mappings, and add mappings for the three suffixes .dat, .pl and .php. In the Executable box, enter whatever your .asp mapping uses, and leave everything else unchanged.
The purpose of this is to make IIS execute files with these three extensions as ASP files. Other languages would work too, but the author only knows ASP, so there is no other way. With the mappings set, we now write a few files to "fool" SSS.
The most important thing is to get registration working first; otherwise nothing else can be used. Let us analyze this keys.php. The code is actually ASP, and in IIS this keys.php is executed as ASP:
[The following code is keys.php]
<%
Dim crc, name, founderr  ' define a few variables
founderr = True          ' to prevent program errors, the error-control variable starts as True
If Request("crc") <> "" And Request("name") <> "" Then
    founderr = False
End If

If founderr = False Then
    Response.Write "<html><body>0"  ' if there is input, return the "success" value
    Response.End
End If

If founderr = True Then
    Response.Write "<html><body>1"  ' handle the unexpected case, so SSS still receives a return value and does not hang
    Response.End
End If
%>
This code is very simple: it just accepts the CRC and NAME variables that SSS sends up and returns a value. Note that the <html> and <body> tags in the returned value are not closed; in fact they do not need to be, because the complete packet I captured with the Sniffer looked exactly like this. Perhaps Safety-Lab deliberately left it this way as a trap; whatever, as long as it registers.
Has our hosts file been changed already? Then save the above code as keys.php in the /update/db/ directory under your IIS root. If your IIS root is E:\inetpub\wwwroot, put it in E:\inetpub\wwwroot\update\db\. Then open SSS, import the registration file, click Done, and look: is it not done?

However, merely cracking it does not meet our requirements. If you run the online update now, it will still fail, and it will also revoke the authorization you just registered. What to do? Hey, read on and you will find out.

Cracked software that cannot be updated feels like using a pirated ("D version") XP: a very bad feeling. So I spent some more effort and lifted the update restriction as well. It is not quite perfect, but it can detect updates.
Using the old method again, I captured the packets of the update process with the Sniffer and analyzed them. We see the SSS update program visit the following pages (the prefix http://www.safety-lab.com/ is omitted):
\update\db\keys.php - used once more to verify identity, insidious...
\update\sss\update.dat - a data file of unknown function;
\update\db\getdbaudits.pl - a bootstrap data file used to generate the update list.
Let us analyze them one by one and break each in turn. keys.php was just discussed, so I will not repeat it. The update.dat file is something like a primer or index file; from my observation it still changes, and it is not processed by the server, so it could be downloaded directly, but to keep the data up to date we still handle it dynamically. First look at its code:
[The following code is update.dat]
<%
On Error Resume Next  ' no other meaning, just to prevent errors
Dim sURL

Dim Retrieval

Function GetURL(url)
    Set Retrieval = Server.CreateObject("Microsoft.XMLHTTP")
    With Retrieval
        .Open "GET", url, False, "", ""
        .Send
        GetURL = .responseBody  ' return the raw bytes so binary data is not corrupted
    End With
    Set Retrieval = Nothing
End Function

sURL = "http://safety-lab.com/update/sss/update.dat"  ' this is the address to fetch
Response.BinaryWrite GetURL(sURL)  ' output the binary to the browser
%>
This is a very classic function in ASP programming. The effect of this page is to let IIS fetch a page from another site and send it back to the client. Suppose this page lives on host A and points to a page on host B: a client accessing this page on host A sees host B's content through host A. This differs from the usual JavaScript page redirection found on the web: JavaScript makes the client redirect itself, whereas here IIS acts as an intermediary server and performs the redirection.
This is especially useful for pages requested by a program, because a program does not recognise redirect statements written in JavaScript, and this method needs no support from the client. Oh, almost forgot one thing: if your machine has a firewall with IDS functionality such as VisNetic Firewall, turn it off, otherwise it will error. While debugging this update.dat I kept having access problems, and later found that VisNetic was filtering the request.
Now look at the code of another file:
[The following code is getdbaudits.pl]
<%
On Error Resume Next
Dim outformat, sURL
outformat = Request("outformat")

Dim Retrieval

Function GetURL(url)
    Set Retrieval = Server.CreateObject("Microsoft.XMLHTTP")
    With Retrieval
        .Open "GET", url, False, "", ""
        .Send
        GetURL = .responseBody  ' return the raw bytes so binary data is not corrupted
    End With
    Set Retrieval = Nothing
End Function

' pass the client's outformat parameter through to the real server
sURL = "http://safety-lab.com/update/db/getdbaudits.pl?outformat=" & outformat
Response.BinaryWrite GetURL(sURL)  ' output the binary to the browser
%>

This file is similar to the previous one, except for the handling of one variable. Friends who understand ASP can see it at a glance; if it is not clear, ask an expert. This page should request the update list, which is not too large: all the returned data is 8-10KB. Soon we can see the result.
See? It has got the update list. I guess many people may quickly go and click that Next button? Don't worry, there are still issues to be addressed. First a detour to tell everyone about my original idea; the following process is merely a concept explanation, and nobody needs to follow it.
Still using the Sniffer capture method, I saw the update program access the \update\db\getaudits.pl file, followed by 825 characters of variables! I have not listed them in the article, since that would take up space; they are in 数据.txt (data.txt) on the disc. Although there are many of these variables, they are easy for a program to process. So I wrote a corresponding page:
[The following code is getaudits.pl]
<%
On Error Resume Next
Dim outformat, sURL
outformat = Request.ServerVariables("Query_String")
' Note: Request.ServerVariables("Query_String") obtains whatever follows the ? in the URL
Dim Retrieval
Response.Buffer = True
Function GetURL(url)

    Set Retrieval = Server.CreateObject("Microsoft.XMLHTTP")
    With Retrieval
        .Open "GET", url, False, "", ""
        .Send
        GetURL = .responseBody  ' return the raw bytes so binary data is not corrupted
    End With

    Set Retrieval = Nothing
End Function

' forward the raw query string unchanged to the real server
sURL = "http://safety-lab.com/update/db/getaudits.pl?" & outformat
Response.BinaryWrite GetURL(sURL)  ' output the binary to the browser
%>
This page is used to download the update data. Since this request has no variable name and the data is appended directly after the "?", I was quite stuck. Later I searched online and found that Request.ServerVariables("Query_String") gives direct access to whatever follows the "?". Theoretically, this page can return all the data the update program requires, but there is always a gap between theory and practice.
To avoid hanging forever when the network fails, the SSS update program sets a connection timeout, probably around 10 seconds. Safety-Lab.com is a Russian website, and each update download requires hundreds of KB; at current connection speeds that simply cannot complete in 10 seconds. I was using a 2M Netcom ADSL line, and this page does not support so-called streaming (transmitting while it is still downloading), so by the time IIS has downloaded all the data from Safety-Lab.com, the SSS update program has already timed out. Of course, friends whose connection to Russian sites is super fast can still use this method.
So what do we do? There is a way. I later found that accessing getaudits.pl on Safety-Lab does not require authorization. How? Think about it. When the update program shows the update list (as shown in Figure 4), put a "#" (without the quotes) in front of "127.0.0.1 www.safety-lab.com" in the hosts file, so Windows ignores that line. Then click Next and the update data downloads. Some friends reading the article may notice that all my pages use http://safety-lab.com/ as the forwarding address. You may feel this address is the same as the earlier www address, but for DNS resolution, and in the hosts file, even a one-character difference matters. Setting www.safety-lab.com to resolve locally in the hosts file does not make safety-lab.com resolve locally too. One more point: SSS generally downloads the update data to C:\Program Files\Common Files\Safety-lab\Download, so you will not find it in the SSS installation directory.

Finally, I answer some common questions for everyone's reference.
Q: Why can't my .dat, .pl or .php execute, or why do I just see the source file?
A: You have not set up the mappings for these files in IIS. Map the three extensions above the same way .asp files are mapped and you are done. If your IIS is 6.0, enable ASP support under Web Service Extensions.

Q: All my other settings are exactly right, but the update program prompts "Download Error, HTTP Error Disconnect server". What is going on?
A: Because safety-lab.com is an overseas website, access is not always reliable. Connection failures do happen; please try again, or disconnect and reconnect. Also check whether your firewall restricts network access for the IIS process w3wp.exe.

Q: Why can't I register SSS? Why does updating tell me my registration is invalid?
A: Because you have not modified the hosts file. Follow the steps above, modify the hosts file, and when the update program shows the update list (as in Figure 4), change it back.

At this point, a scanner with a fairly high reputation in the industry has been fully cracked. It is hard to understand how a security audit program that put so much effort into anti-cracking fell to this little trick; I remember MS programmers call this kind of thing a Hack. I think this is what WTF calls "flexible intrusion thinking". In fact, following this idea, many programs with network registration authentication that were once considered "uncrackable" can also easily have their usage restrictions lifted.

Practical protection
Above I described how to exploit a flaw in Web registration authentication to crack software, and we gained insight into this new attack method against Web registration authentication. Below I discuss how to close the gap in Web registration; the code examples in this part are in ASP.
From the above example, the keys.php page that decides whether the registration information is legitimate and returns a value has a very serious logic error in its design. The designer most likely thought like this:
[The following code is keys.asp]
<!--#include file="conn.asp" -->
<%
Dim crc, name, sql, rs, errFlag  ' Err is a built-in VBScript object, so the flag is named errFlag
errFlag = True

If Request("crc") <> "" And Request("name") <> "" Then
    crc = Request("crc")
    name = Request("name")
    errFlag = False
End If

If errFlag = False Then
    If Not IsNumeric(crc) Or Not IsNumeric(name) Then
        errFlag = True  ' reject non-numeric input; this is the only SQL injection filter here
    End If
End If

If errFlag = True Then
    Response.Write "<html><body>1"
    Response.End
End If

Set rs = Server.CreateObject("ADODB.Recordset")
' we assume the name and the crc are stored in the database
sql = "select * from users where ucrc=" & crc & " and uname=" & name
rs.Open sql, conn, 1, 1
If rs.EOF Then
    Response.Write "<html><body>1"  ' no matching user
Else
    Response.Write "<html><body>0"  ' registration accepted
End If
rs.Close
Response.End
%>
Everything seems perfect, right? I realise it may not be to everyone's taste, but you can still see the filtering of SQL injection statements. However, using the two results 0 and 1 as the judgement identifier is very inappropriate. An experienced attacker who sees a "1" returned on failure will naturally work out what a successful check returns, and then the network authentication protection is useless.
The best approach is this: first, you must modify your program so that it does not decide whether the user is legitimate solely on whether the return is "0" or "1". Add a module to the program that processes the information returned by the Web authentication server; if that information stands in a particular relationship with the information the user submitted, the user is judged legitimate, otherwise illegitimate.
Secondly, the page on your Web authentication server must also change. Your Web authentication server can process user-submitted information following these steps:
1. Use the information submitted by the user for a database query;
2. If no relevant data is found, return a failure code such as "1" directly;
3. If the query succeeds, transform the user-submitted data and return the result to the client;
4. To prevent abuse of a genuine registration number, set a limit on the number of registrations per number, e.g. 10.
Finally, give your software strong anti-cracking protection, so that an ordinary Cracker cannot even get started on it. Otherwise, however tight your Web registration authentication is, it is meaningless, because the Cracker will simply modify the program directly and skip your Web registration check.
In addition, the update process also needs protection. You can add the user verification code above to the program that displays the update list, so that it neither uses too many of your resources nor lets unauthorized users reach the update list. Before requesting the update list, the client update program should also submit the user's identity information to the authentication server.
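As an added example (not the article's code, and written in Python rather than the article's ASP), the following sketches the scheme steps 1 to 4 describe: a parameterized lookup, a failure code of "1", a reply that is an HMAC over the submitted name, crc and a client nonce instead of a bare "0", and an activation cap. SERVER_KEY, the table layout and the sample rows are constructed for the demo; because an HMAC key inside a shipped client can be extracted, a real deployment would sign replies with a private key and let the client verify with only the public key.

```python
import hashlib
import hmac
import secrets
import sqlite3

ACTIVATION_LIMIT = 10  # step 4: cap activations per registration number
# Placeholder key for the demo only. An HMAC key shipped inside a client can
# be extracted, so a real deployment signs replies with a private key and
# the client verifies them with the matching public key.
SERVER_KEY = b"placeholder-server-key"

def make_db():
    """Constructed licence table: uname, ucrc and an activation counter."""
    db = sqlite3.connect(":memory:")
    db.execute("create table users(id integer primary key, uname text, ucrc text, activations integer)")
    db.execute("insert into users(uname, ucrc, activations) values (?, ?, ?)", ("alice", "12345", 0))
    db.execute("insert into users(uname, ucrc, activations) values (?, ?, ?)", ("bob", "777", ACTIVATION_LIMIT))
    return db

def bound_reply(name, crc, nonce):
    """Step 3: the reply is a function of what the client sent, not a constant."""
    msg = f"{name}|{crc}|{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def server_check(db, name, crc, nonce):
    """Authentication server side. Returns "1" on any failure (step 2)."""
    if not name or not crc.isdigit():
        return "1"
    # Step 1: parameterized query instead of string concatenation.
    row = db.execute("select id, activations from users where uname = ? and ucrc = ?",
                     (name, crc)).fetchone()
    if row is None or row[1] >= ACTIVATION_LIMIT:
        return "1"
    db.execute("update users set activations = activations + 1 where id = ?", (row[0],))
    return bound_reply(name, crc, nonce)

def client_accepts(reply, name, crc, nonce):
    """Client side: a fixed "0" from a redirected fake server is rejected;
    only a reply bound to this name, crc and fresh nonce is accepted."""
    return hmac.compare_digest(reply, bound_reply(name, crc, nonce))

def register(db, name, crc):
    """One registration round trip; db stands in for the HTTP call to the server."""
    nonce = secrets.token_hex(16)
    return client_accepts(server_check(db, name, crc, nonce), name, crc, nonce)
```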
In fact, judging from the method I described above, the implementation is not very complex, and the technology involved is not esoteric at all. But this little tip can make things difficult for the many people who want a free meal. (I do not mean fellow crack researchers.)