A school website security test

xiaoxiao2021-03-06  42

Author: angel. Article type: original. Original release date: 2004-04-02.

Preface: Since I, a student, help maintain the school's site, I have no small privilege there. Simply uploading a "Haiyang Top Net ASP Trojan" would let me freely modify any web page, because all of the school's sites are placed inside

Http://www.nothing.com/

but I dare not do that, and I will not. Recently I have been learning ASP and find it quite addictive, so I decided to look for hidden dangers in the school's own ASP programs.

Problem One: Apart from a small number of front-end ASP files, there are the user registration (only people from the school can register), login, forgotten-password and personal-information-modification ASP files. First look at the forgotten-password flow: lostpass.asp is just a submission form without any ASP statements, so look at

its target file, lostpass1.asp. Viewing its source code, I found no problem (perhaps my skill is limited). Then look at the next one, lostpass2.asp. Huh, here I found a problematic statement:

SQL = "SELECT PWD, Answer from [MEMBER] where userid = '" & userid & "' and answer = '" & answer & "'"

Even this low-level error is made. At this point you only need to construct a special user name and password according to the SQL, such as ' or '1'='1, and the statement the program builds becomes:

Program code:

SQL = "SELECT PWD, Answer from [Member] where userid = '' or '1'='1' and answer = '' or '1'='1'"

OR is a logical operator: when two conditions are evaluated, the whole expression holds as long as either one holds, and in the language 1 = 1 is true. So in this statement the original "AND" check no longer matters, because the "OR '1'='1'" part returns true. In this case we can submit ' or '1'='1 from the start, no matter which text box we are in, and we reach the next page smoothly. So what happens if we log in with ' or '1'='1 as both user name and password? The experiment proves the login succeeds: the link to display personal data changes, but no personal information is shown. I noticed the real name was unchanged, which indicates that some ID identifies the user, so I viewed the page source directly and found this important thing: it turned out that a hidden field is used to distinguish users. So if I modify its Value, can I modify other users? I took my own earlier registration page, replaced the number with 2001010XXX, adjusted the relative links in it, saved it as an HTM file, and then submitted the information I wanted to modify. Looking at my information, it had indeed been revised. If I knew any user's hidden-field value I could modify that user's information; isn't that a mess? Leave that aside for now... This problem can be solved by writing a function that rejects data submitted from outside the site.

However, this vulnerability is somewhat limited: to change a given user you must know the hidden-field value, otherwise you can only change your own. But since this file is written this way, I guessed that the back-end login verification program would be the same. I tried logging in there and succeeded: all members' information was visible, and administrators could be added and modified, among other things. The prevention method for this problem is actually very simple: handle the input characters properly.
At first I thought of using the Replace() function; after consulting Feng, I learned that the Mid() function solves this well. Add a check like this:

Program code:

For I = 1 To Len(Input)
    US = Mid(Input, I, 1)
    If US = " " Or US = "'" Or US = "%" Or US = "<" Or US = ">" Or US = "&" Then
        Response.Redirect "Error_page.asp"
        Response.End
    End If
Next

These few lines check the characters the user entered. Of course, you should check as many special characters as you can. This code means: check each input character, and if there is a space, single quote, percent sign, <, > or &, redirect to the page Error_page.asp. Although the "Haiyang Top Net ASP Trojan" already gives control of the school server, we still have to start from the school's own programs, otherwise it is meaningless; the trojan here serves only as a way to view the source code.

Question Two: The files that display data often have SQL injection vulnerabilities, such as show.asp, ShowAn.asp, shownews.asp, showuser.asp and so on, because checking variables is easily neglected in these files. I saw a shownews.asp file and opened it immediately. Its source code is as follows (because the file is too large, I removed a lot of HTML code for space):

Program code:

<% Option Explicit %>
<%
Dim SQL, RS, RSC, TheDate
Dim Reviewable, AboutNews
Set RS = Server.CreateObject("ADODB.Recordset")
' Find the number of related news items to show and whether comments are open
RS.Open "Select * from news_parameter where parameterid = 1", conn, 1, 1
If Not RS.BOF And Not RS.EOF Then
    AboutNews = RS("Aboutnews")
    If RS("reviewable") = 1 Then
        Reviewable = 1
    Else
        Reviewable = 0
    End If
Else
    AboutNews = 5
    Reviewable = 1
End If
RS.Close
Set RS = Nothing
Set RS = Server.CreateObject("ADODB.Recordset")
' newsid is taken straight from the request and concatenated into the SQL
SQL = "update News set hits = hits + 1 where newsid = " & CStr(Request("newsid"))
Conn.Execute SQL
If Session("purview") = "" Then
    RS.Open "Select * from news where newsid = " & CStr(Request("newsid")) & " and Audit = 1", conn, 1, 1
Else
    RS.Open "Select * from news where newsid = " & CStr(Request("newsid")), conn, 1, 1
End If
If Err.Number <> 0 Then
    Response.Write "Database Error"
Else
    If RS.BOF And RS.EOF Then
        RS.Close
        Response.Write "This news item does not exist or has not been reviewed"
    Else
%>
<html>
<head>
<title><%= RS("Topic") %></title>
<meta http-equiv="content-type" content="text/html; charset=GB2312">
</head>
<body bgcolor="#ffffff" text="#000000" topmargin=0 leftmargin=0 rightmargin=0>
<!-- page table layout trimmed -->
<b><%= RS("Topic") %></b>
<hr size=0 width=100%>
<%= RS("ntime") %>
<% If Trim(RS("nfrom")) <> "" Then Response.Write " Source: " & Trim(RS("nfrom")) End If %>
<% If Trim(RS("writer")) <> "" Then Response.Write " Author: " & Trim(RS("writer")) End If %>
Views: <%= RS("hits") %>
<hr size=0 width=100%>
<%
Dim Content
Content = RS("Content")
Content = Replace(Content, "../../../", "../news/")
Response.Write Content
%>
<br><b>---------- Related News ----------</b><br>
<%
Set RSC = Server.CreateObject("ADODB.Recordset")
If Session("purview") = "" Then
    RSC.Open "Select Top " & AboutNews & " * from news where keys like '%" & Trim(RS("Keys")) & "%' and newsid <> " & CStr(RS("newsid")) & " and Audit = 1 Order By ntime Desc", conn, 1, 1
Else
    RSC.Open "Select Top " & AboutNews & " * from news where keys like '%" & Trim(RS("Keys")) & "%' and newsid <> " & CStr(RS("newsid")) & " Order By ntime Desc", conn, 1, 1
End If
If RSC.BOF And RSC.EOF Then
    Response.Write ""  ' the original message text is lost in this copy
Else
    Response.Write "<ul type=circle>"
    Do While Not RSC.EOF
        Response.Write "<li>"
        TheDate = "(" & CStr(Year(RSC("ntime"))) & "-" & CStr(Month(RSC("ntime"))) & "-" & CStr(Day(RSC("ntime"))) & ")"
        Response.Write "<a href='shownews.asp?newsid=" & CStr(RSC("newsid")) & "'>" & Trim(RSC("Topic")) & "</a> <font color='#6365ce' size='1'>" & TheDate & "</font>"
        ' Mark items from today or yesterday with a "new" icon
        If Month(RSC("ntime")) = Month(Now()) And CLng(Day(RSC("ntime"))) + 1 >= CLng(Day(Now())) Then
            Response.Write "<img src='[new-icon].gif'>"
        End If
        Response.Write "<br>"
        RSC.MoveNext
    Loop
End If
RSC.Close
Set RSC = Nothing
%>
</ul>
<!--#include file="Function/Copyright.inc"-->
</body>
</html>
<%
    End If
End If
%>
<!--#include file="function/dbclose.asp"-->

Have you seen it? The file does not check any variable at all, so how is this file exploited? Look at this sentence:

Program code:

Rs.Open "Select * from news where newsid = " & CStr(Request("newsid")), conn, 1, 1

Since the program makes no check of any variable at all, we can directly construct a newsid to launch a SQL injection attack.
We can submit such a code to perform system commands with the permissions of the user that connects to this SQL database. The fix for this file is to filter with the Replace function; see the following code:

Program code:

<%
Function CheckStr(Str)
    If IsNull(Str) Then
        CheckStr = ""
        Exit Function
    End If
    Str = Replace(Str, "'", "")
    Str = Replace(Str, ";", "")
    Str = Replace(Str, "--", "")
    CheckStr = Str
End Function
%>

This function replaces single quotes, semicolons and double hyphens with nothing. No vulnerabilities have been found in our school's server system, yet because of flaws in the web programs the server can be controlled. What do the technical staff think about that? Although the article is short, the problem has been made clear: problems in web programs must not be ignored. The focus of web program security is character checking: check, check and check again. My skill is really limited and I cannot write any high-tech article, so I present this humbly.
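As an added Python illustration (not the site's ASP code), here are the two flaws discussed above side by side with their fixes: the string-context query from lostpass2.asp bypassed by ' or '1'='1, and the numeric newsid query from shownews.asp, which the Replace-based CheckStr alone does not protect because no quote, semicolon or comment is needed in a numeric context. The in-memory tables, their rows and the function names are constructed assumptions, and the fix shown is parameterised queries rather than the article's character filtering.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the site's Member and news tables."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE member(userid TEXT, pwd TEXT, answer TEXT);
        INSERT INTO member VALUES ('2001010001', 'secret1', 'blue');
        INSERT INTO member VALUES ('admin', 'adminpw', 'red');
        CREATE TABLE news(newsid INTEGER, topic TEXT, audit INTEGER);
        INSERT INTO news VALUES (1, 'public item', 1);
        INSERT INTO news VALUES (2, 'unreviewed draft', 0);
    """)
    return db

def check_str(s):
    """Python port of the article's CheckStr(): strips ' ; and -- and nothing else."""
    if s is None:
        return ""
    for bad in ("'", ";", "--"):
        s = s.replace(bad, "")
    return s

def lostpass_vulnerable(db, userid, answer):
    # Same shape as lostpass2.asp: user input concatenated into the SQL text.
    sql = ("SELECT pwd, answer FROM member WHERE userid = '" + userid
           + "' AND answer = '" + answer + "'")
    return db.execute(sql).fetchall()

def lostpass_fixed(db, userid, answer):
    # Parameterised query: the input is bound as data and can never become SQL.
    sql = "SELECT pwd, answer FROM member WHERE userid = ? AND answer = ?"
    return db.execute(sql, (userid, answer)).fetchall()

def shownews_checkstr(db, newsid):
    # shownews.asp guarded only by CheckStr: newsid sits in a numeric context,
    # so an injection needs no quote, semicolon or comment and passes the filter.
    sql = "SELECT topic FROM news WHERE newsid = " + check_str(newsid) + " AND audit = 1"
    return sorted(r[0] for r in db.execute(sql))

def shownews_fixed(db, newsid):
    # Reject anything that is not a plain integer, then bind the value.
    if not newsid.isdigit():
        return []
    sql = "SELECT topic FROM news WHERE newsid = ? AND audit = 1"
    return sorted(r[0] for r in db.execute(sql, (int(newsid),)))
```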