Bypassing validation with%5c
---------------------------------------
Lake2 (http://mrhupo.126.com)
2004-11-27
---------------------------------------
When %5c is mentioned, you probably think of the %5c "Bauku" (database-exposure) trick that is popular right now. This article explores a different use of %5c (of course it is something new I am putting forward, heh, and it may be useful to you ^_^).
OK, let's get to the root of the bug. Look at NSFocus's 2001 vulnerability bulletin: http://www.nsfocus.net/index.php?act=sec_bug&do=view&bug_id=1429
Years ago this vulnerability could be used for directory traversal. Microsoft released a patch, but the patch appears only to restrict IIS to the virtual directory, so the bug still exists; only the way it is used has changed. With IIS, a URL containing %5c still reaches the requested file, but any file that this file references by a relative path is not found (%5c is the URL encoding of \; IIS goes up one directory to look for it and naturally finds nothing; dizzying, haha, it makes my head spin too).
Later some expert dug this out and it became the legendary %5c database exposure: because the database connection file references the database by a relative path, submitting %5c means the database file cannot be found, an error is raised, and IIS honestly prints the path of the database in the error message (don't follow? Ask Google).
By chance I found that %5C can also be used to bypass ASP authentication; when a database-exposure attempt fails, we might as well try this.
Less talk; look at the following code:
<!--#INCLUDE file="conn.asp"-->
<%
' Request() reads both the query string and the form body; Trim strips the spaces
guest_user = Trim(Request("guest_user"))
guest_password = Trim(Request("guest_password"))
Set rs = Server.CreateObject("ADODB.Recordset")
sql = "SELECT * FROM admin WHERE id=1"
rs.Open sql, conn, 3, 2
' if conn.asp swallowed a connection error, rs.Open fails too and both values stay Empty
readuser = rs("guest_user")
readpassword = rs("guest_password")
If readuser <> guest_user Or readpassword <> guest_password Then
    Response.Write "Please enter the correct administrator password!"
    Response.End
Else
    Session("admin") = 1    ' write the session after a successful login
    Response.Write "Login successful, please return to the information page"
End If
%>
See: to get through, the username and password in the database must match what was submitted. What's the catch? Let's look at the database connection file:
<%
On Error Resume Next    ' any error below is silently ignored and execution continues
Set conn = Server.CreateObject("ADODB.Connection")
DBPath = Server.MapPath("guestbook.asp")    ' relative path, resolved against the current directory
conn.Open "Driver={Microsoft Access Driver (*.mdb)};DBQ=" & DBPath
%>
Ah, there is an error-suppression statement, so no database exposure! But wait: if we submit %5C the database is not found, yet because of that error suppression the program keeps running, so the username and password it "reads" from the database are empty (recall that a failed database-exposure attempt sometimes shows blank fields, because all the data is empty). Haha, so we bypass the check!
Knowing that, the procedure is: save the login page locally, edit the URL it submits to so that the last / becomes %5c, enter a single space as the username and as the password (some programs check whether the username and password are empty, but the space is trimmed off by the program before the comparison), submit, and done.
Hey, don't think I wrote this code just to have something to write about; it is actually the guestbook program written by an expert at our school, hanging on the school homepage, heh.
Having understood the principle, the next step is of course to find a real bug, and naturally the famous Dvbbs forum went under the knife. It failed, however, because the database connection file contains this:
If Err Then
    Err.Clear
    Set Conn = Nothing
    Response.Write "Database connection error, please check the connection string."
    Response.End
End If
If the database cannot be found the program just ends; heh, I got happy for nothing.
Then I went over to the BBSXP forum and opened its database connection file: wow, no error handling at all. Heh, but that means it can be database-exposed.
I'm not twisted, so I won't go making trouble; I wrote this article to give you experts some information.
To summarize, this attack succeeds when:
1. The database connection file uses a relative path and has only a simple error-suppression statement (On Error Resume Next with no check of Err afterwards).
2. The server runs IIS 4 or 5.
3. The program does not check for an empty username or password, or it checks before trimming, so a single space passes the check and is then trimmed away before the comparison.
4. The program is not in the top-level directory of the site (the URL needs at least one directory component before the file name for the / to %5c substitution to exist).
As for prevention: since the attack conditions are known, the countermeasures follow naturally ^_^
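Since the article leaves the countermeasures to the reader, here is a hardened version of the two files quoted above. This is an added illustration written for this edit; it is not the school guestbook's code and not the author's. It breaks conditions 1 and 3 in code: the connection file maps an absolute virtual path and ends the page when the connection fails (without echoing the ODBC error, which carries the full path to the .mdb), and the login page rejects empty credentials after Trim and compares in a way that fails closed on Null or Empty. Conditions 2 and 4 describe the server and the URL depth, which the application does not control; once the connection file no longer runs on without a database they stop mattering. The virtual directory name /guestbook/ and the database file name guestbook.asp are assumptions chosen to match the quoted code.

```asp
<%
' conn.asp, hardened. Added example, not the original program's code.
' Assumption: the application is deployed under the virtual directory /guestbook/
' and the Access database is stored there as guestbook.asp.
Dim Conn, DBPath
On Error Resume Next
Set Conn = Server.CreateObject("ADODB.Connection")
' Condition 1: a virtual path starting with "/" is resolved from the site root,
' so it does not move when IIS treats a %5c request as coming from the parent directory.
DBPath = Server.MapPath("/guestbook/guestbook.asp")
Conn.Open "Driver={Microsoft Access Driver (*.mdb)};DBQ=" & DBPath
If Err.Number <> 0 Then
    ' Stop here instead of running on with no database, and never write
    ' Err.Description to the client: it contains the full path of the .mdb.
    Err.Clear
    Set Conn = Nothing
    Response.Write "Database connection error."
    Response.End
End If
On Error GoTo 0    ' later errors must not be silently skipped
%>

<!--#INCLUDE file="conn.asp"-->
<%
' login.asp, hardened. Added example, not the original program's code.
Dim guest_user, guest_password, rs, sql, readuser, readpassword
' Request.Form only: credentials are accepted from the POST body, not the query string.
guest_user = Trim(Request.Form("guest_user"))
guest_password = Trim(Request.Form("guest_password"))

' Condition 3: test for emptiness AFTER Trim, so a lone space is rejected.
If Len(guest_user) = 0 Or Len(guest_password) = 0 Then
    Response.Write "Please enter a username and password."
    Response.End
End If

Set rs = Server.CreateObject("ADODB.Recordset")
sql = "SELECT guest_user, guest_password FROM admin WHERE id=1"
rs.Open sql, Conn, 0, 1    ' adOpenForwardOnly, adLockReadOnly: all a login check needs
If rs.EOF Then
    Response.Write "Please enter the correct administrator password!"
    Response.End
End If
readuser = rs("guest_user")
readpassword = rs("guest_password")
rs.Close
Set rs = Nothing

' In VBScript, Empty compares equal to "" and a Null result in an If condition
' is treated as False, so the original "If readuser<>guest_user Or ..." lets an
' empty or missing row through. Test Null explicitly and compare as strings.
If IsNull(readuser) Or IsNull(readpassword) Or _
   StrComp(CStr(readuser), guest_user, vbBinaryCompare) <> 0 Or _
   StrComp(CStr(readpassword), guest_password, vbBinaryCompare) <> 0 Then
    Response.Write "Please enter the correct administrator password!"
    Response.End
End If

Session("admin") = 1
Response.Write "Login successful, please return to the information page"
%>
```

With these two files, a request to /guestbook%5clogin.asp either connects normally (if IIS maps the absolute path as usual) or stops at "Database connection error." before any comparison takes place, so the empty-versus-empty match the article relies on can no longer happen.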