Home > Others

Bypassing validation with%5c

Source: Internet
Author: User
Tags empty iis sql reference relative trim administrator password access
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >
Bypassing validation with%5c

---------------------------------------
Lake2 (http://mrhupo.126.com)
2004-11-27
---------------------------------------

Speaking of%5c, you are not thinking of the current popular%5c Bauku loophole, oh, this article is on the use of%5c exploration (hehe, of course, I put forward the new Dongdong, may be helpful to you oh ^_^).

OK, let's get to the root of the leak. Look at the Green League's 2001-year loophole Bulletin: http://www.nsfocus.net/index.php?act=sec_bug&do=view&bug_id=1429

N years ago This vulnerability can be used to achieve directory traversal, although Microsoft has a patch, but as if the patch is used to restrict IIS access to the virtual directory, so the vulnerability exists, but the use of the way is changed. For IIS, submitting a URL that contains%5c can find the file, but the file in the relative path to reference other files are not found (%5c is \ URL encoding, IIS jump to the previous directory to find, of course, can not find; dizzy, haha, I also dizzy AH).

Later this loophole was dug out by cattle, that is, the legendary%5c Bauku: Due to the relative path of the file reference of the connection database, submitting%5c can not find the file, so the error, IIS will honestly say the path of the database (do not understand?) Looking for Google).

A chance. I find that you can also use%5C to bypass ASP verification; When we Bauku fail, we might as well try.

Less nonsense, look at the following code:

<!--#INCLUDE file= "conn.asp"-->
<%
Guest_user=trim (Request ("Guest_user"))
Guest_password=trim (Request ("Guest_password"))
Set rs= Server.CreateObject ("ADODB.") Recordset ")
Sql= "SELECT * from admin where id=1"
Rs.Open sql,conn,3,2
Readuser=rs ("Guest_user")
Readpassword=rs ("Guest_password")
If Readuser<>guest_user or Readpassword<>guest_password then
Response.Write "Please enter the correct administrator password!" "
Response.End
Else
Session ("admin") =1 ' save in write seesion after login
Response.Write ("Login successful, please return to the Information page")
End If
%>


See, to verify that the user name password in the database must be consistent with the submission; What do you think? Let's look at the database connection file code again:

<%
On Error Resume Next
Set Conn=server.createobject ("Adodb.connection")
DBPath = Server.MapPath ("guestbook.asp")
Conn. Open "Driver={microsoft Access driver (*.mdb)};d bq=" & DBPath
%>

Ah, there are fault-tolerant statements can not Bauku! And so on, if the submission of the%5C database is not found, due to fault tolerance, so the program will continue to execute, so that from the database to get the username password is empty (think sometimes Bauku failure is to see the empty frame, because the data are empty), haha, so we will bypass the verification!

Know how to do it, to save the landing page to the local, modify the submitted URL, the last/change to%5c, the user name password with a space (some programs will check the user name password is empty, the space will be filtered by the program), submitted, OK.

Eh, you do not think I have nothing to write a piece of code to do, in fact, this is a master of our school to do the message board program, hanging on the school's homepage, hehe.

Since understand the principle, of course, to find the actual loophole, naturally is the famous "Hole" Network forum surgery. However, it failed because there was a paragraph in the database connection file:

If ERR Then
Err. Clear
Set Conn = Nothing
Response.Write "Database connection error, please check the connection string. "
Response.End
End If

The database can not find the program is over, hehe, empty happy one.

Then went down to the Bbsxp forum, open the database connection file, Halo, there is no fault-tolerant statement; hehe, but can Bauku oh.

I am not BT, so do not go to trouble, write an article, is to give you a master to provide information.

Summarize the conditions of success of this attack method: 1, the database connection with the relative path and only simple fault-tolerant statements, 2, IIS version of the server 4 or 5; 3, the program does not check the null character or check when the filter space is not filtered when compared to filter spaces; 4, the program cannot be located in the first level directory

As for precaution, hehe, since the attack condition knows, the precaution measure naturally also comes out ^_^




This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Related Keywords:
php form validation with database bootstrap form wizard with validation bootstrap form builder with validation html form with captcha validation ajax contact form with validation unlock iphone 5c with fingerprint bootstrap registration form with validation example

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

What's Trending
Top 10 Tags
datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling
Top 10 Keywords
microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More