Talk about the comprehensive articles of the cross-station script attack

xiaoxiao2021-03-06  42

Recently I found that some sites still have the UBB cross-site scripting vulnerability. A cross-site script attack rarely does much damage to the server itself, but for a site the existence of such a hole is serious. At the small end the page gets messed up; in the middle the home page gets changed; at the worst the attacker steals users' cookie information and goes after the visitor's browser and hard drive. Once a site has turned into a malicious website, who would still dare to visit it?

Can such a little piece of code really do that to a site? Let us see what kind of input turns into a so-called cross-site script attack. Go to a site that offers UBB features, such as a message board or forum, or any site with a submission form. First, the simplest case: HTML special characters such as < and > and the tags built from them.

I logged in to a site built with CGI. Compared with the usual ASP sites, I expected a CGI site to filter scripts quite well, so I tested it first. I filled a script into the user-name field and submitted it; no "illegal characters" warning appeared, and after registration completed the page that displayed the name was deformed by the injected tag. Filling in other fields gave the same result, so that page could not be viewed properly any more. I then changed to another site; this time the illegal-character prompt appeared, so the site filters <, > and the other HTML script characters. Fine: we replace < and > with their ASCII codes, &#60; and &#62;, submit again, and the same page deformation appears. Clearly the illegal-character filtering is far from perfect. Worse still, on one site the name field had no length limit and no filtering of illegal characters at all; if I had submitted real malicious code there, nothing would have stopped it.

Simple script attacks, such as the <script> tag and the like, are code that every site must filter. Some of the sites above did not even involve UBB. Now let us focus on the problem of UBB filtering vulnerabilities. UBB is a set of format markers used by forums in place of HTML editing; for example [B][/B] is replaced with its HTML equivalent. It is exactly this replacement that has become the focal point of cross-site script attacks. Testing an ASP message board and a whole-site program:

Primary problem: filtering of [URL]. When submitting the code one can build a malicious onmouseover handler, and once onmouseover takes effect, what can't be done? Some original programs simply turn a submitted [URL] into an anchor of the form <a href="S2" target=_blank>S2</a>, pasting the submitted text S2 straight into the attribute. So by using &#34;, the ASCII code for the double quote, we can close the href attribute and then append an onmouseover handler. The consequences? You should know! :P

[IMG] filtering: this is really an old and hard problem. I carried out script attacks through [IMG] a very long time ago, and in this test many sites still have the vulnerability, with no filtering at all; some of the free message boards are especially bad. Below we mainly look at the problems of the [IMG] tag:

Simple case: [img]javascript:alert();[/img]. The submitted code is converted into <img src="javascript:alert();">, so javascript:alert(); is activated by the img tag, and what you see is a pop-up dialog. Whatever is written inside the parentheses is executed, for example document.cookie; most people know what that does. Worse, with the document.write(); function you can write a whole web page. Write what? Malicious code of course, as in [img]javascript:document.write();[/img]. Put whatever you like between the parentheses; the more you think about it, the more dangerous it is.
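The [URL] and [IMG] problems above come from pasting submitted text straight into an attribute. The following is an added example of a UBB-to-HTML converter that avoids them; it is my own code, not the article's and not taken from any of the message boards it tests. The names render_ubb, safe_url, SAFE_SCHEMES and the sample inputs are constructed for the example. It escapes first, checks the URL scheme against an allow-list on the decoded form, and re-escapes every attribute value.

```python
import html
import re
from urllib.parse import urlsplit

# Allow-list of URL schemes permitted in href/src (constructed for this example).
SAFE_SCHEMES = {"http", "https"}

# One-level UBB tags handled here: [b]..[/b], [img]..[/img], [url=..]..[/url].
TAG_RE = re.compile(
    r"\[b\](?P<b>.*?)\[/b\]"
    r"|\[img\](?P<img>[^\[\]]*)\[/img\]"
    r"|\[url=(?P<href>[^\[\]]*)\](?P<label>.*?)\[/url\]",
    re.IGNORECASE | re.DOTALL,
)


def safe_url(raw):
    """Return the URL if it may go into href/src, otherwise None.

    The scheme is inspected on the *decoded* form: numeric character
    references (&#106; &#x6a; or &#106 without ';') are resolved and the
    whitespace/control characters a browser ignores inside a scheme are
    removed from the whole string, so 'java&#115;cript&#58;' or
    'java\tscript:' is judged exactly like 'javascript:'. Schemes are
    checked against an allow-list, not a blacklist, so vbscript:, about:
    and anything else unknown is rejected as well.
    """
    decoded = re.sub(r"[\x00-\x20\x7f]", "", html.unescape(raw))
    try:
        scheme = urlsplit(decoded).scheme.lower()
    except ValueError:  # malformed (e.g. bad IPv6 literal): refuse it
        return None
    if scheme and scheme not in SAFE_SCHEMES:
        return None
    return decoded  # scheme-less (relative) URLs are allowed


def _render_tag(m):
    """Build HTML for one matched tag; every user-derived piece is escaped."""
    if m.group("b") is not None:
        return "<b>%s</b>" % html.escape(m.group("b"))
    if m.group("img") is not None:
        url = safe_url(m.group("img"))
        if url is None:
            return html.escape(m.group(0))  # unsafe source: show the tag as text
        return '<img src="%s">' % html.escape(url, quote=True)
    url = safe_url(m.group("href"))
    if url is None:
        return html.escape(m.group(0))
    # quote=True turns '"' into &quot;, so a quote inside the URL cannot
    # terminate the attribute and start an onmouseover= of its own.
    return '<a href="%s" target="_blank">%s</a>' % (
        html.escape(url, quote=True), html.escape(m.group("label")))


def render_ubb(text):
    """Convert a UBB message to HTML.

    Text between tags is HTML-escaped, so raw '<', '>' and quotes typed by
    the user become inert; markup is only ever produced by _render_tag from
    validated, re-escaped pieces (nesting of tags is not supported here).
    """
    pieces, pos = [], 0
    for m in TAG_RE.finditer(text):
        pieces.append(html.escape(text[pos:m.start()]))
        pieces.append(_render_tag(m))
        pos = m.end()
    pieces.append(html.escape(text[pos:]))
    return "".join(pieces)
```

The important design choice is the order of operations: the converter never "filters" dangerous words out of the input; it escapes everything and then decides, per attribute, whether a validated value may be emitted. A rejected [img] or [url] is displayed as harmless text rather than silently dropped, which also makes abuse attempts visible to moderators.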

Advanced problem: because [IMG] has harassed so many sites, many of them filter sensitive character sequences. For example the sequences "ja", "do" and "wr" are automatically split into "j a", "d o" and "w r", or the words java, document and so on are filtered out. This only stops a small number of people: we can still replace characters with their ASCII codes. Perhaps someone has tried that and found the replaced code still did not display properly, so let us go through a complete example. A certain site's UBB filter code segment is as follows:

<%
Function code_ss(strers)
    Dim strer: strer = strers
    If strer = "" Or IsNull(strer) Then Exit Function
    strer = Replace(strer, "<", "&lt;")
    strer = Replace(strer, ">", "&gt;")
    strer = Replace(strer, " ", "&nbsp;")
    strer = Replace(strer, Chr(9), "&nbsp;&nbsp;&nbsp;&nbsp;")   ' tab
    strer = Replace(strer, "'", "&#39;")                         ' single quote
    strer = Replace(strer, """", "&quot;")                       ' double quote
    Dim re, re_v
    re_v = "[^/(/)/;'""/[]*"      ' declared here but not used in this excerpt
    're_v = ".[^/[]*"
    Set re = New RegExp
    re.IgnoreCase = True
    re.Global = True
    ' The replacement strings were unreadable in the copy of the article this
    ' listing was restored from. A full-width colon / period (which the browser
    ' does not treat as a scheme or member separator) is assumed below; the
    ' original may have used a different neutralizing character.
    re.Pattern = "(javascript:)"
    strer = re.Replace(strer, "javascript：")
    re.Pattern = "(javascript)"
    strer = re.Replace(strer, "java script")
    re.Pattern = "(jscript:)"
    strer = re.Replace(strer, "jscript：")
    re.Pattern = "(js:)"
    strer = re.Replace(strer, "js：")
    re.Pattern = "(value)"
    strer = re.Replace(strer, "va lue")
    re.Pattern = "(about:)"
    strer = re.Replace(strer, "about：")
    re.Pattern = "(file:)"
    strer = re.Replace(strer, "file：")
    re.Pattern = "(document\.)"      ' the dot is escaped; unescaped it matches any character
    strer = re.Replace(strer, "document．")
    re.Pattern = "(vbscript:)"
    strer = re.Replace(strer, "vbscript：")
    re.Pattern = "(vbs:)"
    strer = re.Replace(strer, "vbs：")
    re.Pattern = "(on)(mouse|exit|error|click|key)"
    strer = re.Replace(strer, "o n$2")
    code_ss = strer
End Function
%>

Friends who understand ASP can see that the code segment above filters and replaces javascript:, jscript:, js:, about:, value, document., onmouse, onexit and so on, and escapes a few special characters such as the quotes. Look at the code carefully and you will find the weakness of its whole filtering mechanism: every pattern is matched against the text exactly as it was typed. Submitting something of the form [MG]&#176&#93&#118&#97&#115&#79rip&#106&#57documen&#115&#76write&#30&#29 Haha and Black &#29&#61&#29[/mg], with a similar construction, achieves a more advanced script attack. Note: since this problem still exists on live sites, the code shown here has been altered and is not a working attack.

Open your FT2000, switch to text editing, and you can look up the ASCII code of any special character. For example a semicolon ; can be replaced by &#59 and a period . by &#46. Rewriting the code in this form and submitting it again, sure enough, the entire filtering mechanism above was almost completely bypassed; it played no defensive role at all.
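The filter fails because it matches its tokens against the submission as typed, while the browser sees the decoded form. As an added example (my own code, not the article's and not from any site mentioned in it), here is a check that normalizes numeric character references and whitespace before matching, run over a few constructed guestbook entries to show what a raw-text blacklist misses. The names normalize, classify, audit and DANGEROUS and the sample entries are all constructed for this example.

```python
import html
import re

# Tokens in the spirit of the ASP filter quoted above (a constructed,
# blacklist-style summary used only to show the raw-vs-normalized difference).
DANGEROUS = re.compile(
    r"javascript:|vbscript:|about:|document\.|on(?:mouse|exit|error|click|key)",
    re.IGNORECASE,
)


def normalize(text):
    """Canonicalize a submission the way the browser effectively will.

    Numeric character references are decoded (decimal, hex, and the
    semicolon-less form the article uses, e.g. '&#59' for ';'), then the
    whitespace and control characters browsers tolerate inside a scheme or
    attribute name are dropped, and the result is lower-cased.
    """
    decoded = html.unescape(text)
    return re.sub(r"[\x00-\x20\x7f]", "", decoded).lower()


def classify(text):
    """'raw' if the blacklist fires on the text as typed, 'obfuscated' if it
    fires only after normalization, 'clean' otherwise."""
    if DANGEROUS.search(text):
        return "raw"
    if DANGEROUS.search(normalize(text)):
        return "obfuscated"
    return "clean"


def audit(entries):
    """Scan stored (name, body) entries and return {name: verdict} for the
    ones that are not clean, so a moderator can see what a raw-text filter
    would have let through."""
    findings = {}
    for name, body in entries:
        verdict = classify(body)
        if verdict != "clean":
            findings[name] = verdict
    return findings


# Constructed sample entries (not taken from any real message board).
SAMPLE_ENTRIES = [
    ("alice", "Nice site, keep it up!"),
    ("bob", "[img]javascript:alert()[/img]"),            # caught as typed
    ("carol", "[img]java&#115;cript&#58;alert()[/img]"), # entities: no raw match
    ("dave", "[img]java\tscript:alert()[/img]"),         # a tab splits the token
    ("erin", '[url=http://x/"onmouseover=x]hi[/url]'),   # handler typed in clear
]

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_ENTRIES).items():
        print(name, verdict)
```

Normalization makes the blacklist useful for auditing existing content, but it does not make a blacklist a sufficient defence: the list of tokens is never complete. The fix at render time is still to escape everything and allow only known-safe URL schemes; the audit is there to find what got stored before that fix went in.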

Having seen the attack methods above, are you feeling depressed? How can you avoid these problems?

1. If your site runs a forum, message board or similar program that has no good filtering mechanism, download an upgraded version immediately or stop using it, to avoid further problems.

2. On all free forums and freely applied-for message boards, please turn off the UBB format, or find a better Ubb.asp parsing page.

3. For friends who write ASP themselves, I suggest writing every character to be filtered into one character class [] such as:

" | ] | : | / | / | & | $ | # | ` | ) | , | ' | | | - | ~ | [ | ]    Note: | is the separator here.

4. For some sites it is advisable to remove the message board or other programs that accept submissions. For example the former www.sangel.net, and some others...

5. I have also revised a foreign message board. The front end has been revised and the back end has been rushed through over the past few days. After the revision I find that submitting and entering text works very well. It originally used an English interface, but considering that many Chinese users would not be comfortable with that, I have localized part of the program. Interested friends can test it at http://www.e3i5.com/guestbook/. Serious testers are welcome.

The following are the addresses of some message boards that were tested and found to have problems (webmasters please take note and patch in time to avoid unnecessary trouble). The testing time was short, so some sites may have more serious problems than found here.

http://www.sangel.net/

http://www.shu163.com/

Http://www.lanho.com/

http://www.mysega.com/

http://www.xinxing.org/

http://www.enkj.net/

http://www.exang.com/

http://www.wx-e.com/

http://www.leleba.net/

http://www.newtide.net/

http://www.newok.net/

http://www.sxamp.com/

http://www.itleague.org/

http://tj.desktopcool.com/

http://www.nubiyang.com/

Http://www.emmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm.net/

http://www.5inet.com/

http://www.cnzz.net/

http://www.ik68.net/

http://www.tx-studio.net/

http://www.dznh.net/

http://czytxx.czonline.net/

http://www.xinyer.com/

http://www.nuowei.net/

http://lulufa.net/

http://www.4808.com/

http://www.21east.net/

http://ly.szxz.net/

http://www.chemcity.net./

Http://333.lm365.com/

http://www.inbuy.com/

http://www.hulalacon.com/

http://fm818.tancd.com/

http://xingying.net/

http://www.loveofstar.net/

http://www.krdak.com/

http://www.netwin.com.cn/

http://www.9seek.com/

http://www.lsxxtd.com/

http://www.ltpc.net/

http://www.ku68.com/

http://www.joekoe.com/ ---> as of the date of publication this site has already been patched

http://www.longker.com/ ---> as of the date of publication this site has already been patched

The above is the full content of this script attack test. Looking across all these sites, it seems that security is really not being thought about; there are a lot of problems.

Although it is only a problem that can be solved, it can cause big trouble. Do not underestimate the power of cross-site script attacks; if someone really injected malicious code, then... (sweat)

This article is published only as a reminder to domestic sites of all kinds. A secure site is a comfortable one. I apologize to the friends whose sites suffered some small offense during this test; you can find me at http://www.e3i5.com/. Everyone is welcome to visit and offer advice. Where this article falls short, experts please correct me. Thank you.

----------------------- Reprinted please keep this information -----------------------

Writer: Feng Qingyang from: http://www.ttian.net/ http://www.e3i5.com/

------------------------------------------------------------------
