About the ASP.NET malformed HTTP request information leak vulnerability

xiaoxiao2021-03-06  40

Q & A

Q: Why write this article?

A: While chatting in the group that day, a guy called Lis0 asked me to ...

This vulnerability is from half a year ago, so it is very old, but I have only studied it now. No way around it; who told me to be so cut off? The school network is like garbage ... (sweat ~~~)

OK, first find a website with the vulnerability information. Personally I think the Global Union is good; the information is updated quickly, heh, after all they have commercial interests. See here: http://www.nsfocus.net/index.php?ACT=sec_bug&do=view&bug_id=6410&keyword=asp.net

The gist is that when an attacker submits a request whose Cookie header field contains "=", the server will leak sensitive information. There are also tools on the Internet. I saw some articles saying it could expose the database, and I found a few websites to try, but nothing came of it. "Knowing that it is so, but not knowing why" is really painful. So I had to research it myself.

It turns out that this vulnerability exists because ASP.NET cannot correctly handle the malformed Cookie header field. When we submit a cookie beginning with "=", IIS fails when it reads the cookie and returns "Unspecified Error". The trigger conditions are: IIS reads the cookie; IIS supports ASP.NET; IIS's error prompts are turned on.

Oh, isn't reading a cookie just Request.Cookies()? OK, then let's write an ASP file to try it.

----------------------- Ys.asp

<%                                  'line 1
lis0 = Request.Cookies("lake2")     'line 2: reads the cookie named "lake2"
%>                                  'line 3

-----------------------

Access from IE is normal; submitting "Cookie: =" returns an internal server error: "Error type: (0x80004005) Unidentified error /ys/ys.asp, line 2". In other words, the statement that reads the cookie fails, and the server returns the specific file and location. But I really don't know why some people say the database path will be exposed, because a database cannot contain an ASP statement that reads the cookie. Also, if this file adds an error-tolerant statement (On Error Resume Next), you cannot get any information.

Below is another ASP file, which includes the previous Ys.asp.

------------------------------ TEST.ASP

'line 1

-------------------------------

Access from IE is still normal; submitting "Cookie: =" gives the same error message as before. Here we have exposed the file that Test.asp includes: Ys.asp. I have not tried ASPX, but I guess it is much the same.

So at most this vulnerability exposes included files. The database connection file may also be an included file, but nobody should put a statement that reads the cookie in the database connection file; even if someone did, you would only learn the file path and could not expose the database.

Whenever I have an idea I like to try it on the "Cave" Network Forum. My local test system is XP, IIS 5.1 and ASP.NET. Submitting "Cookie: =" to the mobile network forum exposes the included file /bbs/inc/dv_clsmain.asp; opening that file at the line where the error occurred shows a statement that reads the cookie. But it seems that there is a meaning ... That is all I have to say about this legendary ASP.NET malformed HTTP request information leak. I finally figured it out, and I feel that this vulnerability is just a disclosure of some information and does no real harm. If you want to prevent it, turn off IIS's error prompts or add an error-tolerant statement before the statement that reads the cookie.
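To check from captured traffic whether a server still returns the detailed error described above, here is an added example (not part of the original article) that flags requests carrying an empty-name cookie such as "Cookie: =" and reports whether the 500 response disclosed a script path and line number. The function names, the test.example host and the capture format (raw request text, status code, response body) are assumptions made for this illustration.

```python
import re

# Shape of the detailed error quoted above: "(0x........) ... /path/file.asp, line N"
LEAK_RE = re.compile(
    r"\((0x[0-9a-f]{8})\).*?(/[\w./-]+\.(?:aspx|asp|inc)),\s*line\s+(\d+)",
    re.IGNORECASE | re.DOTALL,
)

def malformed_cookie(raw_request):
    """True if a Cookie header has a pair with an empty name, e.g. 'Cookie: ='."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:            # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "cookie":
            if any(p.strip().startswith("=") for p in value.split(";")):
                return True
    return False

def leaked_location(body):
    """Return (hresult, script path, line) if the body discloses them, else None."""
    m = LEAK_RE.search(body)
    return (m.group(1), m.group(2), int(m.group(3))) if m else None

def triage(raw_request, status, body):
    """Classify one request/response pair taken from a proxy or WAF capture."""
    bad = malformed_cookie(raw_request)
    leak = leaked_location(body) if status >= 500 else None
    if leak:
        kind = "LEAK" if bad else "VERBOSE-ERROR"
        return f"{kind} {leak[1]}:{leak[2]}"
    return "PROBE" if bad else "OK"   # PROBE: malformed cookie, nothing disclosed

# Constructed samples (hostname and cookie values are made up for this example).
PROBE = "GET /ys/ys.asp HTTP/1.1\r\nHost: test.example\r\nCookie: =\r\n\r\n"
NORMAL = "GET /ys/ys.asp HTTP/1.1\r\nHost: test.example\r\nCookie: lake2=abc; theme=dark\r\n\r\n"
ERR_BODY = "Error type: (0x80004005) Unidentified error /ys/ys.asp, line 2"
GENERIC = "The page cannot be displayed"

if __name__ == "__main__":
    for req, status, body in [(PROBE, 500, ERR_BODY), (PROBE, 500, GENERIC),
                              (NORMAL, 200, "hello")]:
        print(triage(req, status, body))
```

A "PROBE" result with no "LEAK" means the malformed cookie arrived but the response gave nothing away, which is the outcome expected once error prompts are off or the cookie read is wrapped in error handling.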

Full text. Oh, it's really finished.

Lake2, 2004-12-29

Please credit the original address when reposting: https://www.9cbs.com/read-74556.html
