%5C Database Exposure (Bauku)

Source: Internet
Author: User
Tags: administrator password

When Bauku (using %5C to force an error that exposes the database path) fails, we might as well try using %5C to bypass ASP validation instead.

Enough talk; look at the following code:

<!--#include file="conn.asp"-->
<%
' Credentials submitted by the client, with surrounding spaces removed
guest_user = Trim(Request("Guest_user"))
guest_password = Trim(Request("Guest_password"))
Set rs = Server.CreateObject("ADODB.Recordset")
sql = "SELECT * FROM admin WHERE id=1"
rs.Open sql, conn, 3, 2
' Credentials stored in the database
Readuser = rs("Guest_user")
Readpassword = rs("Guest_password")
If Readuser <> guest_user Or Readpassword <> guest_password Then
    Response.Write "Please enter the correct administrator password."
    Response.End
Else
    Session("admin") = 1 ' Save the login state in the session
    Response.Write("Login successful, please return to Information page")
End If
%>

As you can see, to pass authentication the user name and password in the database must match the ones submitted. Let's think of something. Look at the code of the database connection file again:

<%
On Error Resume Next ' Fault tolerance: errors are ignored and execution continues
Set conn = Server.CreateObject("ADODB.Connection")
DBPath = Server.MapPath("guestbook.asp")
conn.Open "Driver={Microsoft Access Driver (*.mdb)};dbq=" & DBPath
%>

If we submit with %5C, the database is not found. Because of the fault-tolerance statement (On Error Resume Next), the program continues to execute, so the user name and password read from the database are empty (recall that when Bauku fails you sometimes see just an empty page frame; that is because all the data is empty). Haha, so we bypass the verification.

Now that we know what to do: save the login page locally, modify the submission URL so that the last / is changed to %5c, enter a space for the user name and password (some programs check whether the user name and password are empty; the space is then filtered out by the program), and submit. OK.

Eh, don't think I just wrote a piece of code to tinker with for no reason. This is actually a message board program written by an expert at our school, and it is hosted on the school's home page, hehe.

Having understood the principle, the next step is of course to look for a real vulnerability, and naturally I started with the famous "hole" network forum. But it failed, because the database connection file contains this section:

If Err Then
    Err.Clear
    Set conn = Nothing
    Response.Write "Database connection error, please check the connection string."
    Response.End
End If

If the database cannot be found, the program simply ends. Oh well, I got excited for nothing.

Then I downloaded the Bbsxp forum and opened its database connection file. Wow, there is no fault-tolerance statement at all; hehe, but Bauku does work on it.

I'm not that obsessive, so I won't go to any more trouble. I wrote this article just to provide some information for the experts out there.

To summarize, the conditions for this attack method to succeed are:

1, the database connection uses a relative path and only a simple fault-tolerance statement;

2, the server IIS version is 4 or 5;

3, the program does not check for empty values, or it checks without filtering spaces but filters spaces when comparing;

4, the program cannot be in the first-level directory.

As for prevention, hehe, since the attack conditions are known, the preventive measures follow naturally ^_^
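One way to negate conditions 1 and 3 above, shown as an added example that is not part of the original article or the message board program: conn.asp and the login check combined into one page that fails closed. The absolute database path is a placeholder assumption; the table, column and form field names are the ones used in the code above.

```vbscript
<%
' Added example (not from the original article): conn.asp and the login check
' combined, rewritten to fail closed.
Dim conn, rs, DBPath, guest_user, guest_password, storedUser, storedPassword, loginOk

On Error Resume Next
Set conn = Server.CreateObject("ADODB.Connection")
' Assumption: placeholder absolute path outside the web root, instead of
' Server.MapPath on a path relative to the request URL (condition 1).
DBPath = "D:\data\guestbook.mdb"
conn.Open "Driver={Microsoft Access Driver (*.mdb)};dbq=" & DBPath
If Err.Number <> 0 Then
    ' Connection failed: stop here so no later code runs against empty data.
    Err.Clear
    Set conn = Nothing
    Response.Write "Database connection error, please check the connection string."
    Response.End
End If
On Error GoTo 0 ' From here on, any runtime error aborts the page.

guest_user = Trim(Request("Guest_user"))
guest_password = Trim(Request("Guest_password"))
loginOk = False

' Reject empty input after the same Trim that is used for the comparison
' (condition 3), so a lone space can never equal an empty stored value.
If Len(guest_user) > 0 And Len(guest_password) > 0 Then
    Set rs = Server.CreateObject("ADODB.Recordset")
    rs.Open "SELECT * FROM admin WHERE id=1", conn, 3, 1 ' static cursor, read-only
    If Not rs.EOF Then
        ' & "" turns a Null column into an empty string.
        storedUser = rs("Guest_user") & ""
        storedPassword = rs("Guest_password") & ""
        If Len(storedUser) > 0 And Len(storedPassword) > 0 Then
            loginOk = (storedUser = guest_user And storedPassword = guest_password)
        End If
    End If
    rs.Close
    Set rs = Nothing
End If
conn.Close
Set conn = Nothing

If loginOk Then
    Session("admin") = 1
    Response.Write "Login successful, please return to Information page"
Else
    Response.Write "Please enter the correct administrator password."
End If
%>
```

The session flag is set only on the one path where a row was read and both stored values are non-empty and equal to the submitted ones; every error or empty-data path ends without it.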
