Using %5c to bypass authentication
Lake2 (http://mrhupo.126.com) 2004-11-27
Speaking of %5c, you probably think of the currently popular %5c database-exposure trick. This article is another exploration of %5c (with, of course, a new twist of my own; maybe it will be useful to you ^_^).
OK, let's trace it back to its roots and dig up the old history of this vulnerability. Look at NSFocus's 2001 advisory: http://www.nsfocus.net/index.php?act=sec_bug&do=view&bug_id=1429
N years ago this vulnerability could be used for directory traversal. Microsoft released a patch, but the patch seems only to restrict IIS to accessing the virtual directory, so the vulnerability still exists, just in a limited form: submitting a URL containing %5c to IIS still finds the requested file, but the other files that file references are not found (%5c is the URL encoding of \, so IIS goes up to the parent directory to look for them and of course can't find them; dizzy, haha, I'm dizzy).
Later the gurus dug further into this vulnerability and came up with the legendary %5c database-exposure trick: because the page references the database by a relative path, the database file can't be found when %5c is submitted, and IIS obligingly reports the physical path of the database in the error message (don't understand? Google it).
By chance I discovered that %5c can also be used to bypass ASP authentication; try it when the database-exposure trick fails.
Without further ado, look at the following code:
<%
guest_user = trim(Request("guest_user"))
guest_password = trim(Request("guest_password"))
set rs = Server.CreateObject("ADODB.Recordset")
sql = "select * from admin where id=1"
rs.open sql, conn, 3, 2
readuser = rs("guest_user")
readpassword = rs("guest_password")
if readuser <> guest_user or readpassword <> guest_password then
    response.write "Please enter the correct administrator password!"
    response.end
else
    session("admin") = 1   ' after logging in, record it in the Session
    response.write("Login successful, please return to the message board page")
end if
%>
See that? To pass the check you have to submit exactly the username and password stored in the database; so what now? Let's look at the database connection file:
<%
On Error Resume Next
set conn = server.createObject("adodb.connection")
dbpath = server.mappath("guestbook.asp")
conn.open "driver={Microsoft Access Driver (*.mdb)};DBQ=" & dbpath
%>
There it is: an error-tolerance statement (On Error Resume Next), and what a treasure it is! Think about it: if we submit %5c and the database can't be found, the error is swallowed and the program simply continues, so the username and password it reads from the database are empty (this is also why the database-exposure trick sometimes just shows a blank page: the data is empty). Haha, so we can bypass the check!
Now that we know how it works: save the login page locally, modify the URL it submits to so that the last / becomes %5c, enter a space as both username and password (some programs check whether the username and password are empty, but the space is removed by the program's own trim), submit, OK.
Hey, don't think I made up this code for the article. It is actually a message board program written by our school, hanging right on the school's home page, heh.
Having understood the principle, of course I had to look for the vulnerability in a real program, and naturally the first candidate was the famous Dongwang forum. But that failed, because it has this paragraph:
If Err Then
    Err.Clear
    set conn = Nothing
    response.write "Database connection error, please check the connection string."
    Response.End
End If
When the database isn't found it stops right there, heh, so nothing doing.
Then I downloaded the BBSXP forum and opened its database connection file; dizzy, it has no error-tolerance statement at all; heh, never mind.
I'm not that obsessive, so I didn't look any further; I'll write the article and leave the rest to you experts.
To summarise, the conditions for this attack method are:
1. The database is opened by a relative path, and the connection code has only a simple error-tolerance statement (On Error Resume Next) with no check of the result;
2. The server runs IIS 4 or 5;
3. The program either doesn't check for an empty username and password, or it does check but trims spaces before the comparison, so a lone space gets through;
4. The program is not in the site's top-level directory (otherwise there is no parent directory for %5c to jump to).
As for prevention, heh, since the attack conditions are known, the countermeasures follow naturally ^_^
PS: After bypassing the check you may not find the admin page; change the URL yourself :)
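As an added example (my own code, not the school's program or any of the forums mentioned), here is what the connection file and the login check look like once each of the four conditions above is addressed: the result of conn.open is checked instead of swallowed, an empty recordset fails the login, and blank or whitespace-only credentials are rejected after trimming. It keeps the names from the snippets above; the guestbook.asp database file name is taken from the post, and reading credentials from Request.Form instead of Request is my change.

```vbscript
<%
' --- database connection: check the result instead of silently continuing ---
On Error Resume Next
Dim conn, dbpath
Set conn = Server.CreateObject("ADODB.Connection")
dbpath = Server.MapPath("guestbook.asp")   ' database file name assumed from the post
conn.Open "driver={Microsoft Access Driver (*.mdb)};DBQ=" & dbpath
If Err.Number <> 0 Then
    ' With %5c in the URL, MapPath resolves to the wrong directory and Open fails;
    ' stop here so the login code below never runs against an unopened connection.
    Err.Clear
    Set conn = Nothing
    Response.Write "Database connection error."
    Response.End
End If
On Error GoTo 0   ' restore normal error handling for the rest of the page

' --- login check ---
Dim guest_user, guest_password, rs, sql, readuser, readpassword
guest_user = Trim(Request.Form("guest_user"))          ' form fields only, not the query string
guest_password = Trim(Request.Form("guest_password"))
' Reject empty or whitespace-only credentials after Trim, so a lone space fails here.
If Len(guest_user) = 0 Or Len(guest_password) = 0 Then
    Response.Write "Please enter the administrator username and password!"
    Response.End
End If

Set rs = Server.CreateObject("ADODB.Recordset")
sql = "select guest_user, guest_password from admin where id=1"
rs.Open sql, conn, 1, 1   ' a read-only cursor is enough for a login check
' An empty recordset must fail the login; never compare Null against the input,
' because Null <> x yields Null rather than True and the comparison can't be trusted.
If rs.EOF Then
    rs.Close
    Response.Write "Administrator account not found."
    Response.End
End If
readuser = rs("guest_user") & ""         ' & "" turns a Null field into ""
readpassword = rs("guest_password") & ""
rs.Close

If StrComp(readuser, guest_user, vbBinaryCompare) <> 0 Or _
   StrComp(readpassword, guest_password, vbBinaryCompare) <> 0 Then
    Response.Write "Please enter the correct administrator password!"
    Response.End
End If
Session("admin") = 1
%>
```

The page still compares a plaintext password from the database, exactly as the original does; only the failure handling that made the bypass possible is changed.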