6. ASP program password verification vulnerability
Vulnerability Description:
Many web sites store passwords in a database and use SQL like the following for login verification (ASP, for example):
Sql = "SELECT * FROM user WHERE username='" & username & "' AND pass='" & pass & "'"
Here you only need to construct a special username and password around that SQL, such as: Ben' or '1'='1
and you can reach a page you have no privilege for. Let us look at the statement above:
In this way, the query the program runs becomes: sql = "SELECT * FROM user WHERE username='Ben' or '1'='1' AND pass='" & pass & "'"
OR is a logical operator: when two conditions are joined by OR, the combined condition is true as soon as either of them is true (in the language this represents "true").
In this statement the original AND check on the password is no longer decisive, because '1'='1' is always true and the OR therefore makes the WHERE clause evaluate to true ...
Alternatively, we can construct the following username and password:
username = 'AA' or username<>'AA'
pass = 'AA' or pass<>'AA'
In the browser, the corresponding username box is filled with: AA' or username<>'AA and the password box with: AA' or pass<>'AA. Note that neither end of the string carries a '. In this way you can successfully fool the system and get in.
Although this latter method works in theory, it is very hard to put into practice; both of the following conditions must hold.
1. You need to know exactly which two fields of the table the system uses to store the username and the password, so that you can construct this attack string accurately. In practice that is hard to guess.
2. The system does not check the validity of the string you enter.
Problem solving and suggestions:
Validate the content of the input and process the "'" character.
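The following is an added example, not code from the original article: it uses Python with an in-memory SQLite table (standing in for the ASP/ADO login page) to show the concatenated query from above, the quote-handling remedy the article recommends, and a parameterized query. The table name, the sample account "alice"/"s3cret" and the function names are assumptions; the two attack strings are the ones given in the text, typed into both the username and password boxes.

```python
import sqlite3

# Constructed sample account table; not data from the original page.
USERS = [("alice", "s3cret")]


def make_db():
    """In-memory SQLite database standing in for the site's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (username TEXT, pass TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?)", USERS)
    return conn


def build_query_unsafe(username, password):
    """Same construction as the ASP line on the page: input pasted straight into the SQL text."""
    return ("SELECT * FROM user WHERE username='" + username
            + "' AND pass='" + password + "'")


def login_unsafe(conn, username, password):
    """Vulnerable check: whatever the user typed becomes part of the WHERE clause."""
    return len(conn.execute(build_query_unsafe(username, password)).fetchall()) > 0


def login_escaped(conn, username, password):
    """The page's remedy, 'process the ' character': double every single quote
    (the VBScript Replace(s, "'", "''") idiom) so the quote is read as data, not syntax."""
    quoted = build_query_unsafe(username.replace("'", "''"),
                                password.replace("'", "''"))
    return len(conn.execute(quoted).fetchall()) > 0


def login_parameterized(conn, username, password):
    """Preferred fix: placeholders keep data and SQL text separate, so no quoting is needed."""
    rows = conn.execute("SELECT * FROM user WHERE username=? AND pass=?",
                        (username, password)).fetchall()
    return len(rows) > 0


# The attack strings from the page, exactly as they would be typed into the form.
PAYLOAD_OR_TRUE = "' or '1'='1"
PAYLOAD_USER = "AA' or username<>'AA"
PAYLOAD_PASS = "AA' or pass<>'AA"

if __name__ == "__main__":
    db = make_db()
    print(build_query_unsafe(PAYLOAD_OR_TRUE, PAYLOAD_OR_TRUE))
    print("unsafe        :", login_unsafe(db, PAYLOAD_OR_TRUE, PAYLOAD_OR_TRUE))
    print("escaped       :", login_escaped(db, PAYLOAD_OR_TRUE, PAYLOAD_OR_TRUE))
    print("parameterized :", login_parameterized(db, PAYLOAD_OR_TRUE, PAYLOAD_OR_TRUE))
```

Quote doubling is the minimum the article asks for and does stop these two strings, but it still builds SQL by concatenation and has to be applied to every input without exception; the parameterized form removes the problem rather than filtering it.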
7. IIS4 or IIS5 with the Index Server service installed leaks ASP source code
Problem Description:
On IIS4 or IIS5 running Index Server, entering a URL in a special format lets you view the source of ASP programs or other pages. Even a system that has applied the recent patch for source-code viewing, or a system that has no .htw files at all, has the same problem. Obtaining the source of ASP programs, even of the Global.asa file, is without doubt a very serious security risk for the system. The code often contains user passwords and IDs, as well as the path and name of the database, and so on. For an attacker gathering information about the system, this is very valuable for carrying out the next step of the intrusion.
You can view the program's source code by constructing the following special URL:
Http://202.116.26.38/null.htw?CiWebHitsFile=/default.asp&CiRestriction=none&CiHiliteType=Full
This only returns some of the file's code in HTML format, but when you append %20 to the CiWebHitsFile argument, like this:
Http://someurl/null.htw?CiWebHitsFile=/default.asp%20&CiRestriction=none&CiHiliteType=Full
This will get the source code for the program.
(Note: /default.asp is taken relative to the web root. For example, for a site's http:///welcome/welcome.asp
the corresponding URL is:
Http://someurl/null.htw?CiWebHitsFile=/welcome/welcome.asp%20&CiRestriction=none&CiHiliteType=Full
)
Because 'null.htw' is not a real file mapped on the system, only a virtual file held in system memory, it makes no difference if you have removed all real .htw files from the system: requests for null.htw are still handled by webhits.dll by default, so IIS remains exposed to this vulnerability.
Problem solving or suggestion:
If the system needs the functionality provided by webhits, download the appropriate patch. If it is not needed, simply remove the .htw mapping using the IIS MMC administration tool.
The patches are as follows:
Index Server 2.0:
Intel:
http://www.microsoft.com/downloads/release.asp?ReleaseID=17727
Alpha:
http://www.microsoft.com/downloads/release.asp?ReleaseID=17728
Indexing Services for Windows 2000:
Intel:
http://www.microsoft.com/downloads/release.asp?ReleaseID=17726
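For an administrator who wants to know whether this request pattern has been tried against a server, the following is an added example, not part of the original article: a small Python scanner over IIS W3C-style log lines that flags .htw requests, separates those whose CiWebHitsFile names a script from those carrying the trailing %20 described above. The log lines, field order and IP addresses are constructed for the example.

```python
from urllib.parse import parse_qs

# Constructed IIS W3C-style log lines (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status);
# not taken from the original page.
SAMPLE_LOG = """\
2000-01-10 12:00:01 10.0.0.5 GET /default.asp - 200
2000-01-10 12:00:02 10.0.0.5 GET /null.htw CiWebHitsFile=/default.asp&CiRestriction=none&CiHiliteType=Full 200
2000-01-10 12:00:03 10.0.0.7 GET /null.htw CiWebHitsFile=/default.asp%20&CiRestriction=none&CiHiliteType=Full 200
2000-01-10 12:00:04 10.0.0.9 GET /welcome/welcome.asp - 200
2000-01-10 12:00:05 10.0.0.9 GET /search.htw CiWebHitsFile=/welcome/welcome.asp%20&CiRestriction=none 200
"""


def parse_line(line):
    """Split one W3C-style log line into its fields; IIS writes '-' for an empty query string."""
    date, time, ip, method, stem, query, status = line.split()
    return {"ip": ip, "method": method, "stem": stem,
            "query": "" if query == "-" else query, "status": int(status)}


def classify(entry):
    """Return a label for webhits (.htw) traffic, or None for requests that do not involve webhits."""
    if not entry["stem"].lower().endswith(".htw"):
        return None
    params = parse_qs(entry["query"], keep_blank_values=True)
    target = params.get("CiWebHitsFile", [""])[0]  # parse_qs already decodes %20 to a space
    if target != target.rstrip():
        # Trailing whitespace on the file name is the variant the article says returns raw source.
        return "htw-source-disclosure"
    if target.lower().endswith((".asp", ".asa")):
        # webhits asked to highlight a script file: worth reviewing even without the trailing space.
        return "htw-script-target"
    return "htw-request"


def scan_log(text):
    """Return (ip, stem, query, label) for every line that touches the .htw handler."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        label = classify(entry)
        if label:
            findings.append((entry["ip"], entry["stem"], entry["query"], label))
    return findings


if __name__ == "__main__":
    for ip, stem, query, label in scan_log(SAMPLE_LOG):
        print(f"{label:24} {ip:12} {stem}?{query}")
```

Any hit at all on a server whose administrator has removed the .htw mapping is worth a look, since the whole point of the vulnerability is that the mapping, not the presence of .htw files, decides whether webhits.dll answers.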