Bypassing validation with%5c
---------------------------------------
Lake2 (http://mrhupo.126.com)
2004-11-27
---------------------------------------
Speaking of%5c, you are not thinking of the current popular%5c Bauku loophole, oh, this article is on the use of%5c exploration (hehe, of course, I put forward the new Dongdong, may be helpful to you oh ^_^).
OK, let's get to the root of the leak. Look at the Green League's 2001-year loophole Bulletin: http://www.nsfocus.net/index.php?act=sec_bug&do=view&bug_id=1429
N years ago This vulnerability can be used to achieve directory traversal, although Microsoft has a patch, but as if the patch is used to restrict IIS access to the virtual directory, so the vulnerability exists, but the use of the way is changed. For IIS, submitting a URL that contains%5c can find the file, but other files referenced by relative paths in the file are not found (%5c is URL encoding, IIS jumps to the previous directory to find, of course, can not find; dizzy, haha, I also dizzy AH).
Later this loophole was dug out by cattle, that is, the legendary%5c Bauku: Due to the relative path of the file reference of the connection database, submitting%5c can not find the file, so the error, IIS will honestly say the path of the database (do not understand?) Looking for Google).
A chance. I find that you can also use%5C to bypass ASP verification; When we Bauku fail, we might as well try.
Less nonsense, look at the following code:
<!--#INCLUDE file= "conn.asp"-->
<%
Guest_user=trim (Request ("Guest_user"))
Guest_password=trim (Request ("Guest_password"))
Set rs= Server.CreateObject ("ADODB.") Recordset ")
Sql= "SELECT * from admin where id=1"
Rs.Open sql,conn,3,2
Readuser=rs ("Guest_user")
Readpassword=rs ("Guest_password")
If Readuser<>guest_user or Readpassword<>guest_password then
Response.Write "Please enter the correct administrator password!" "
Response.End
Else
Session ("admin") =1 ' save in write seesion after login
Response.Write ("Login successful, please return to the Information page")
End If
%>
See, to verify that the user name password in the database must be consistent with the submission; What do you think? Let's look at the database connection file code again:
<%
On Error Resume Next
Set Conn=server.createobject ("Adodb.connection")
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.
