"Change MDB is the disaster brought by ASP"

xiaoxiao2021-03-06  20

Renaming an MDB-format database to ASP / ASA to keep it from being downloaded seems to be popular, but in most cases it does not work. Accessing the database with a browser only shows garbled text, fine, but we can still easily download the database with the Internet Express download manager. Downloading the database is only the surface of the problem, though: an intruder can also use such an ASP database to get a WebShell. If you don't know how, I suggest you first read "The Disaster Caused by Changing MDB to ASP".

Scared? So should you stop renaming MDB to ASP? The answer is that we shouldn't give up eating for fear of choking. That article ends by saying: "... Adding invalid ASP code such as <%='a'-1%> to the database completely prevents the database from being downloaded; because of the invalid ASP code, after our WebShell code is inserted and run, it will only display the error from the earlier invalid code and will not execute our shell code ...". Another method circulating online is to create a new table in the database and fill it with invalid ASP code (such as "<%asd%>"); accessing the ASP database then produces an error, and it can't be downloaded with Internet Express.

Really? In fact, ASP is interpreted. If the shell we insert comes before his error code, it will be executed before that error is reached ... Let me run a test first.

In the web directory, create a new Access database, add several tables, fields, and some content, and change the file suffix to ASP. Access it with a browser and you see garbled text. Now add the content "<%lake2%>" to a field of one table and visit it again: an error! See Figure 1.

Next, add the content "<%execute("lake2")%>" to the same table (simulating the insertion of a WebShell) and access the ASP database. It still reports an error, see Figure 2, but note how the error message differs from Figure 1.

See it? The second error, "Type mismatch: 'execute'", is caused by the empty parameter passed to the Execute function, while the first error is caused by code that violates ASP syntax. This shows that the WebShell code we inserted later is executed before the earlier error code. Open the database in UltraEdit and you will see that "<%execute("lake2")%>" sits before "<%lake2%>".

So now we have a conclusion: in an Access database, newly added data is always physically located before older data.

We can use this to break through some restrictions. For example, if the server limits each input to 20 bytes, how would the shell code be injected? It can be written as two statements: "<%y=request("x")%>" and "<%execute(y)%>". Think about it yourself.

Usually the error code is inserted by creating a new table, so what happens with a new table?

Try it yourself. My conclusion is that the content of a new table is physically located after the content of the old tables. So error code inserted by simply creating a new table actually sits behind the rest of the database content, and we can still submit shell code to the database and get a WebShell!

The defense against this problem is also simple: your error code must come before the content of all other fields in the database. But this seems unrealistic, because it requires you to create the anti-download table ... Well, we can learn from how others do it.

The Dvbbs (动网) forum database has a table named DV_NOTDOWNLOAD whose field type is "OLE object" and whose data is long binary data. From the name you can tell it is there to prevent downloading. In my tests, I found that even when I inserted code into a table created earlier than DV_NOTDOWNLOAD, it still did not run. Was the previous conclusion wrong? Only later did I learn that the content of that table is "<%". Because the closing "%>" is missing, the ASP file reports an error first and does not execute any statement (the error codes discussed earlier were all complete statements). Now you know what to do :P
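A defender-side check for the findings above, as an added example that is not part of the original article: it lists the ASP blocks in a database file in physical order, flags complete blocks that contain the article's `execute` / `request` keywords, and reports whether an unterminated "<%" guard exists. The function names and the sample bytes are constructed for illustration, and the scan assumes script text appears as plain ASCII bytes in the file, as the UltraEdit observation suggests.

```python
import re

# Keywords taken from the snippets quoted in the article (execute, request);
# "eval" is an added assumption about what else is worth flagging.
SUSPICIOUS = re.compile(rb"\b(execute|eval|request)\b", re.IGNORECASE)

def asp_blocks(data: bytes):
    """Return ASP script blocks in physical (byte-offset) order.

    Each '<%' is paired with the next '%>'; a '<%' with no closing '%>'
    is reported as unterminated and ends the scan.
    """
    blocks, pos = [], 0
    while (start := data.find(b"<%", pos)) != -1:
        end = data.find(b"%>", start + 2)
        closed = end != -1
        body = data[start + 2:end] if closed else data[start + 2:start + 42]
        blocks.append({
            "offset": start,
            "closed": closed,
            "suspicious": bool(closed and SUSPICIOUS.search(body)),
            "preview": body[:40],
        })
        if not closed:
            break
        pos = end + 2
    return blocks

def audit(data: bytes):
    """Summarise complete blocks and the unterminated '<%' guard, if any."""
    blocks = asp_blocks(data)
    guard = next((b["offset"] for b in blocks if not b["closed"]), None)
    complete = [b for b in blocks if b["closed"]]
    return {
        "guard_offset": guard,
        "complete_blocks": len(complete),
        "suspicious_offsets": [b["offset"] for b in complete if b["suspicious"]],
    }

# Constructed sample: filler bytes standing in for Jet page data, a newer
# record placed physically before an older one, then a DV_NOTDOWNLOAD-style guard.
SAMPLE = (b"\x00\x01Standard Jet DB\x00" + b"\xff" * 32
          + b'<%execute("lake2")%>' + b"\x00" * 8
          + b"<%lake2%>" + b"\x00" * 8
          + b"<%\x15\x1c\x2f\xb0")

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Any complete block reported in a database file that should contain only data deserves a manual look, and a `guard_offset` of `None` means the file has no unterminated "<%" at all.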

2005-4-1

Please credit the original address when reposting: https://www.9cbs.com/read-40478.html
