Using %5c to bypass authentication
Lake2 (http://mrhupo.126.com) 2004-11-27

Speaking of %5c, you probably think of the currently popular %5c database-exposure trick (暴库). Yes, this article is also about %5c (with something new that I am proposing, which may help you ^_^). First, let us chase this back to its roots and dig up the old history of the vulnerability. Look at the NSFocus advisory from 2001: http://www.nsfocus.net/index.php?Ac...IEW&BUG_ID=1429. Back then this vulnerability was used for directory traversal. Microsoft released a patch, but the patch apparently only restricts IIS to the virtual directory, so the flaw is still there; it has only changed form. With IIS, a URL containing %5c still finds the requested file, but other files referenced from that file cannot be found (%5c is the URL encoding of \, so IIS goes to the parent directory to look for them and naturally cannot find them; dizzy? haha, so am I). Later the gurus dug this vulnerability up again as the legendary %5c database-exposure trick: because the script references the database by a relative path, after submitting %5c the database file cannot be found, and IIS faithfully reports the physical path of the database in its error message (don't understand? ask Google). By chance I discovered that %5c can also be used to bypass ASP authentication; try it when the database-exposure trick fails.
Enough talk, look at the following code:

<%
guest_user = Trim(Request("Guest_User"))
guest_password = Trim(Request("Guest_Password"))
Set rs = Server.CreateObject("ADODB.Recordset")
sql = "select * from admin where id=1"
rs.Open sql, conn, 3, 2
readuser = rs("Guest_user")
readpassword = rs("Guest_password")
If readuser <> guest_user Or readpassword <> guest_password Then
    Response.Write "Please enter the correct administrator password!"
    Response.End
Else
    Session("admin") = 1    ' save the login state
    Response.Write("Login successful, please return to the information page")
End If
%>

See? To pass the check, the username and password you submit must match the ones stored in the database. Now look at the code of the database connection file:

<%
On Error Resume Next
Set conn = Server.CreateObject("ADODB.Connection")
dbpath = Server.MapPath("guestbook.asp")
conn.Open "Driver={Microsoft Access Driver (*.mdb)};dbq=" & dbpath
%>

Wait: if we submit %5c, the database cannot be found, but because of On Error Resume Next the program carries on, and the username and password it then reads from the database are empty (think about why the database-exposure trick sometimes just shows a blank frame: the data is empty). Haha, so we bypass the check! Once you know how, save the login page locally, change the last / in the form's submission URL to %5c, put a single space in the username and password fields (some programs check whether the username or password is empty; the space is removed by the program's Trim), submit, and OK. Hey, don't think I made this code up: it is actually a guestbook program written by our school, hanging right on the school's home page, heh heh. Having understood the principle, I naturally went looking for real vulnerable targets, starting with the famous Dongwang (DvBBS) forum. However, its database connection file contains this paragraph:

If Err Then
    Err.Clear
    Set conn = Nothing
    Response.Write "Database connection error, please check the connection string."
    Response.End
End If

When the database cannot be found the program simply exits; oh well, nothing there. Then I downloaded the BBSXP forum and opened its database connection file; dizzy, it has no error-tolerance statement at all (so the bypass does not apply); hmm, but it can still be used for database exposure. I am not that obsessive, so I did not look any further; I will write this article and leave the rest to you masters.
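Added here as an example, not code from the original article or from the guestbook program it describes: a hardened version of the login above, written so that the %5c failure mode (a silently failed database connection yielding empty fields) can no longer pass the check. It keeps the article's names (guestbook.asp, the admin table, Guest_User and Guest_Password); the error messages and the explicit field list are assumptions.

```vbscript
<%
' Added example, not code from the original article: a hardened version of
' the guestbook login. The names guestbook.asp, admin, Guest_User and
' Guest_Password come from the article; everything else is assumed.
Option Explicit
Dim conn, rs, dbpath, sql, guest_user, guest_password, readuser, readpassword
guest_user = Trim(Request.Form("Guest_User"))
guest_password = Trim(Request.Form("Guest_Password"))

' 1. Reject empty credentials up front: an empty field read from a failed
'    query would otherwise compare equal to an empty (or space-only) submission.
If guest_user = "" Or guest_password = "" Then
    Response.Write "Username and password are required."
    Response.End
End If

' 2. Limit On Error Resume Next to the connection step and inspect Err
'    immediately, so a failed Server.MapPath or Open (e.g. after a %5c in
'    the request path) stops the script instead of being silently skipped.
On Error Resume Next
Set conn = Server.CreateObject("ADODB.Connection")
dbpath = Server.MapPath("guestbook.asp")
conn.Open "Driver={Microsoft Access Driver (*.mdb)};DBQ=" & dbpath
If Err.Number <> 0 Then
    Err.Clear
    Set conn = Nothing
    Response.Write "Database connection error."
    Response.End
End If
On Error GoTo 0

' 3. Make sure the admin row exists before reading its fields.
Set rs = Server.CreateObject("ADODB.Recordset")
sql = "SELECT Guest_User, Guest_Password FROM admin WHERE id = 1"
rs.Open sql, conn, 3, 2
If rs.EOF Then
    Response.Write "Administrator account not found."
    Response.End
End If
readuser = rs("Guest_User") & ""        ' & "" turns a Null field into ""
readpassword = rs("Guest_Password") & ""
' 4. A stored empty value can never match; otherwise require an exact match.
If readuser = "" Or readuser <> guest_user Or readpassword <> guest_password Then
    Response.Write "Please enter the correct administrator password!"
Else
    Session("admin") = 1
    Response.Write "Login successful, please return to the information page."
End If
%>
```

Note that the structure is what matters, not the messages: the check after conn.Open is the one the school's guestbook lacked, and the rs.EOF and empty-value checks close the case where the query succeeds but returns nothing.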