AspProductCatalog vulnerability analysis and exploitation (details)


Author: Spring Brother (riusksk), home page: http://riusksk.blogbus.com
This article was first published in Hacker Defense (黑客防线) magazine; please credit the source when reprinting it.
Foreword

AspProductCatalog is a database-driven product catalog built on ASP and MS Access, aimed mainly at business owners who want to publish their products online. It is a very easy Web application to install and use. Two vulnerabilities have recently been found in it, however: a cross-site scripting (XSS) flaw and a database download (leak) flaw. Let's take a look at both.

Vulnerability Analysis

1. XSS vulnerability

A cross-site scripting vulnerability exists in the search.asp page of AspProductCatalog: entering a cross-site payload in the search box causes the script to run in the browser of whoever views the result page.

Vulnerable code:

================================ search.asp ====================================
...code omitted...
<!-- the search form -->
<form name="form1" method="post" action="">
  <!-- keyword text box; the submitted value is never filtered -->
  <input name="keywords" type="text" id="keywords">
  <input type="submit" name="Submit" value="Search">
</form>
...code omitted...
<td width="84%" valign="top"><p>ASP Product Catalog Search Results</p>
<p><font color="#FF0000">
<%
' build the SQL that searches for records similar to the keyword; the raw form
' value is concatenated straight into the statement
sqlstring = "Select * From Products Where Details like '%" & request.form("keywords") & _
            "%' Or productname like '%" & request.form("keywords") & "%'"
rs.close
rs.open sqlstring, cn, 3, 3    ' run the search
If not rs.eof then
    ' the keyword taken from the form is written back into the page unencoded,
    ' which is what creates the cross-site scripting vulnerability
    Response.write("Search for <B>" & request.form("keywords") & "</B>, Total " & rs.recordcount & " records found")
    While not rs.eof
%>
</font></p>

Test result:

After you click Search, the script is executed.

Alternatively, enter the following in the address bar and the same result appears:

http://site.com/aspProductCatalog/search.asp?keywords="><script>alert(1)</script>


2. Database download vulnerability

The AspProductCatalog database file lives at database/aspProductCatalog.mdb. Entering its URL directly in the address bar downloads the whole database file:

http://site.com/database/aspProductCatalog.mdb


Vulnerable code:

=================================== cn.asp =====================================
<%
' Connection Strings
Dim Conn
' Add full path of database with filename here
cnProvider = "Provider=Microsoft.JET.OLEDB.4.0;"
cnDataSource = "Data Source=C:\Inetpub\wwwroot\aspProductCatalog\database\aspProductCatalog.mdb"
Conn = cnProvider & cnDataSource
%>

These few lines only build the connection string and do nothing else: the .mdb file sits under the web root, under its default name, so anyone who knows the path can download it directly.

Summary

Because of the programmer's negligence, data submitted by the user is not filtered, and when it is returned to the user the browser executes any malicious script it contains, which is what produces the cross-site scripting vulnerability. To prevent such vulnerabilities, all user-submitted data should be filtered effectively, and data passed to SQL should also be processed to prevent SQL injection. Filtering with a whitelist works best against both XSS and SQL injection. The following methods can be used to prevent the database download vulnerability:

1. Change the database name: rename the database to something complex and obscure, for example #%data00base().mdb, so that it cannot be guessed.
2. Change the database suffix: change .mdb to another extension such as .asp or .html.
3. Change the database path: place the database file several directories deep. It is best to create the folders yourself and give each one a complicated name so that the path cannot be guessed.
4. Add a # to the database name: for example, rename database.mdb to #database.mdb. A request for www.site.com/file/#database.mdb actually reaches the server as www.site.com/file/, because the browser treats everything after # as a fragment and does not send it.
5. Put the database connection file in another virtual directory: the database can still be used normally but cannot be downloaded.
6. Encrypt the database file: this is the last resort. Even if an intruder obtains the file, the password must be cracked before the data can be viewed; otherwise the file is useless to them. At least this provides a certain amount of defence.
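A hardened version of the search handler, added here as an example (it is not AspProductCatalog's own code). It applies the points made in the summary: whitelist validation of the keyword, a parameterised query so the keyword can never change the SQL statement, and Server.HTMLEncode on everything echoed back to the page. It assumes that cn.asp builds the connection string in the variable Conn as shown above, that the Products table has the Details and ProductName columns used by search.asp, and that cn.asp does not already declare a variable named dbConn; the ADO constants are declared inline so no adovbs.inc include is needed.

```asp
<!--#include file="cn.asp"-->
<%
' Hardened search handler (added example, not part of AspProductCatalog).
' Assumes cn.asp has set the connection string variable Conn.
Const adVarChar = 200       ' ADO data type / direction / cursor constants
Const adParamInput = 1
Const adOpenStatic = 3
Const adLockReadOnly = 1

Dim keywords, re, dbConn, cmd, rs
keywords = Trim(Request.Form("keywords"))

' 1. Whitelist validation: only letters, digits, spaces and a few safe
'    punctuation marks, 1 to 50 characters. Input that does not match is
'    rejected outright rather than "cleaned", so there is nothing to bypass.
'    (Widen the class if product names contain non-ASCII characters.)
Set re = New RegExp
re.Pattern = "^[A-Za-z0-9 ._\-]{1,50}$"
If Not re.Test(keywords) Then
    Response.Write "Invalid search term."
    Response.End
End If

' 2. Parameterised query: the keyword is bound as a parameter and never
'    becomes part of the SQL text, so quotes in the input cannot alter it.
Set dbConn = Server.CreateObject("ADODB.Connection")
dbConn.Open Conn
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = dbConn
cmd.CommandText = "SELECT * FROM Products WHERE Details LIKE ? OR ProductName LIKE ?"
cmd.Parameters.Append cmd.CreateParameter("p1", adVarChar, adParamInput, 255, "%" & keywords & "%")
cmd.Parameters.Append cmd.CreateParameter("p2", adVarChar, adParamInput, 255, "%" & keywords & "%")
Set rs = Server.CreateObject("ADODB.Recordset")
rs.Open cmd, , adOpenStatic, adLockReadOnly    ' static cursor so RecordCount is valid

' 3. Output encoding: the reflected keyword goes through Server.HTMLEncode,
'    so "<script>" reaches the browser as "&lt;script&gt;" and is displayed,
'    not executed.
If Not rs.EOF Then
    Response.Write "Search for <b>" & Server.HTMLEncode(keywords) & "</b>, Total " & rs.RecordCount & " records found"
Else
    Response.Write "No records found for <b>" & Server.HTMLEncode(keywords) & "</b>"
End If

rs.Close
dbConn.Close
%>
```

The three layers are independent: even if the whitelist were later loosened to admit quotes or angle brackets, the bound parameters still keep the SQL statement intact and the encoding still keeps the reflected value inert in the browser. The database-download flaw is not addressed by this page; that needs the file moved or renamed as described in the summary (or the .mdb extension blocked at the web server), because no ASP code runs when IIS serves a static file.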
