ASP database trojan insertion by lake2 (http://lake2.0x54.org)


By lake2 (http://lake2.0x54.org)


With the development of technology, inserting a trojan into an ASP site's database is nothing new; I believe you have played with it too. But have you ever run into the case where the inserted ASP code ends up split by spaces (that is, a space appears between every character you inserted)? Let's solve that problem now.

After analyzing several real cases, I found that whenever the code came out separated by spaces, the Unicode Compression property of the corresponding field was always "No". Conversely, if the Unicode Compression property is "Yes", that field can be used for the insertion.

After searching, I found Microsoft's official description of Unicode Compression: "Microsoft Access 2000 or later uses the Unicode character encoding scheme to represent data in Text, Memo, and Hyperlink fields. Unicode represents each character as two bytes ...... so more storage space is needed than in Access 97 or earlier ...... You can compensate for the effect of the Unicode character representation by setting the Unicode Compression property of a Text, Memo, or Hyperlink field to Yes."

If Unicode compression is enabled, the database stores Latin characters (English, Spanish, German, and so on) in a single byte each. If it is disabled, the database stores each Latin character in two bytes, one of which is 0x00; when that field is read back as ordinary text, the 0x00 bytes show up as spaces, which is why the inserted ASP code appears separated by spaces.

So in this situation, how do we insert the trojan?

The breakthrough lies in Unicode compression itself. Since the database will not compress for us, we compress it ourselves: simply convert the ASP code to Unicode before inserting it into the database. I wrote a small VB program to do this conversion. Note that the conversion easily produces non-printable characters (they show up as ?), so the code has to be constructed carefully. Of course, you can also use the one I constructed in the figure ^_^.
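The two paragraphs above (the 0x00 byte that reads as a space, and the pre-conversion that makes the stored bytes line up as code) are easy to verify from the detection side. The following is an added example of mine, not lake2's a2u4hack tool or any code from the article: it reproduces the byte layout of an uncompressed Access text field so the "space between each character" effect is visible, and then scans a constructed block of database bytes for ASP tag pairs in both layouts. A check that only looks for the plain ASCII spelling of `<% ... %>` misses uncompressed fields, and a check that only reads field values through the database driver never sees code whose UTF-16 bytes happen to spell ASCII; scanning the raw file for both spellings covers both. The sample blob, the guestbook text and the `hi` tag pair are constructed; the header fragment imitates a Jet database header but the blob is not a real .mdb file.

```python
"""Find ASP tag pairs in a raw Access file image regardless of how the text
field stored them (added example; not the article's tool).

Single-byte ("compressed") storage:   b'<% ... %>'
UTF-16LE ("uncompressed") storage:    b'<\\x00%\\x00 ... %\\x00>\\x00'
"""
import re
import sys

# Plain single-byte spelling of an ASP block. The length cap keeps a stray
# '<%' in random bytes from dragging the match across the whole file.
ASP_ASCII = re.compile(rb"<%.{0,4096}?%>", re.DOTALL)
# The same block as UTF-16LE: every ASCII byte is followed by a 0x00 byte.
ASP_UTF16LE = re.compile(rb"<\x00%\x00(?:.\x00){0,4096}?%\x00>\x00", re.DOTALL)


def utf16le_layout(text: str) -> bytes:
    """Bytes an uncompressed Access field holds for Latin text: UTF-16LE,
    one NUL after each ASCII byte."""
    return text.encode("utf-16-le")


def as_seen_by_byte_reader(data: bytes) -> str:
    """How a byte-oriented reader renders those bytes: each NUL becomes a
    gap, giving the 'space between each character' symptom."""
    return data.replace(b"\x00", b" ").decode("latin-1")


def find_asp_blocks(blob: bytes):
    """Return (offset, layout, decoded_text) for every ASP block in blob,
    whichever of the two layouts it was written in, ordered by offset."""
    hits = []
    for m in ASP_ASCII.finditer(blob):
        hits.append((m.start(), "single-byte", m.group(0).decode("latin-1")))
    for m in ASP_UTF16LE.finditer(blob):
        hits.append((m.start(), "utf-16le", m.group(0).decode("utf-16-le")))
    hits.sort()
    return hits


def scan_file(path: str):
    """Scan a file on disk with find_asp_blocks."""
    with open(path, "rb") as fh:
        return find_asp_blocks(fh.read())


# Constructed sample: a harmless tag pair written once in each layout,
# surrounded by ordinary guestbook text. Not a real database file.
ASP_SAMPLE = '<% Response.Write("hi") %>'
SAMPLE_BLOB = (
    b"\x00\x01Standard Jet DB\x00" + b"\x00" * 16          # imitates a Jet header
    + b"guestbook entry one\x00"
    + utf16le_layout("plain visitor comment, nothing to see")
    + ASP_SAMPLE.encode("ascii")                           # compressed field
    + b"\x00" * 8
    + utf16le_layout(ASP_SAMPLE)                           # uncompressed field
    + b"trailing bytes"
)


if __name__ == "__main__":
    print("uncompressed '<%' looks like:", repr(as_seen_by_byte_reader(utf16le_layout("<%"))))
    target = scan_file(sys.argv[1]) if len(sys.argv) > 1 else find_asp_blocks(SAMPLE_BLOB)
    for offset, layout, text in target:
        print(f"offset {offset:6d}  {layout:11s}  {text}")
```

Run without arguments it scans the constructed sample and reports both copies of the tag pair; with a path it scans that file. The field-level property that decides which layout a site ends up with is the Unicode Compression setting in the table's design view, so a scan like this is the complement of reviewing that setting, not a replacement for restricting what visitors may write into the database in the first place.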


Because of this conversion, the code is half its original length. Hey hey, isn't that also a breakthrough for the smallest ASP backdoor?

The program can be downloaded here: http://www.0x54.org/lake2/program/a2u4hack.exe. Enjoy!
