When a database-exposure attempt ("baoku", the %5c path-disclosure trick) fails, we might as well try using %5c to bypass the ASP authentication check instead.
Less talk; look at the following code:
<!--#INCLUDE file="conn.asp"-->
<%
Guest_user = Trim(Request("Guest_user"))
Guest_password = Trim(Request("Guest_password"))
Set rs = Server.CreateObject("ADODB.Recordset")
sql = "SELECT * FROM admin WHERE id=1"
rs.Open sql, conn, 3, 2
' if conn.asp failed silently, rs never opened and both reads leave the variables Empty
Readuser = rs("Guest_user")
Readpassword = rs("Guest_password")
If Readuser <> Guest_user Or Readpassword <> Guest_password Then
    Response.Write "Please enter the correct administrator password."
    Response.End
Else
    Session("admin") = 1   ' login succeeded: record it in the session
    Response.Write("Login successful, please return to the information page")
End If
%>
See? To pass authentication, the submitted user name and password must match what is stored in the database. That gives me an idea; let's look at the database connection file:
<%
On Error Resume Next   ' any failure below is silently ignored and execution continues
Set Conn = Server.CreateObject("ADODB.Connection")
DBPath = Server.MapPath("guestbook.asp")   ' relative path: resolved against the directory of the current request
Conn.Open "Driver={Microsoft Access Driver (*.mdb)};DBQ=" & DBPath
%>
If %5c is submitted in the URL, the database file is not found; because of the error tolerance (On Error Resume Next), the program keeps executing, and the user name and password read from the database are empty (sometimes a database-exposure attempt "fails" and shows only a blank page precisely because the data came back empty), haha, so we bypass the check.
Knowing how it works: save the login page locally, modify the submission URL by changing the last / to %5c, use a space for both the user name and the password (some programs check whether the user name and password are empty; the space gets past that check and is then filtered out by the program's Trim), submit, and OK.
Hey, don't think I just wrote some code to mess around with; this is actually a message-board program written by an expert at our school, hanging on the school's home page, hehe.
Having understood the principle, of course I went looking for real vulnerabilities, and naturally started with the famous "Dongwang" forum. But it failed, because the database connection file had this section:
If Err Then
    Err.Clear
    Set Conn = Nothing
    Response.Write "Database connection error, please check the connection string."
    Response.End
End If
If the database cannot be found, the program ends; oh well, a moment of false joy.
Then I downloaded the BBSXP forum and opened its database connection file. Whoa, there is no error-tolerance statement at all; hehe, but it can still be database-exposed, oh.
I am not BT, so I won't go to the trouble; I'm writing this article just to provide information for you experts.
To summarize, the success criteria for this attack method:
1, the database connection uses a relative path and only a simple error-tolerance statement;
2, the server's IIS version is 4 or 5;
3, the program does not check for empty input, or it checks before trimming so that a space passes the check and is trimmed away only at comparison time;
4, the program is not in the top-level (root) directory.
As for prevention, hehe, since the attack conditions are known, the precautionary measures follow naturally ^_^
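As an added example (not the page's code, nor that of the message board or the forums it mentions), here are the database-connection file and the login check from above rewritten so that the mechanism explained earlier (a silently failed Open leaving the record fields Empty, and a space trimmed down to "" just before the compare) no longer works, closing conditions 1 and 3 of the summary. The virtual path /guestbook/guestbook.asp, the use of Request.Form, and the field names are assumptions.

```asp
<%  ' ===== conn.asp (hardened; added example, not the original program) =====
' Condition 1: resolve the database from the application root rather than
' relative to the requested directory, so a %5c-mangled URL cannot change
' where MapPath looks, and make a failed Open stop the page instead of
' being swallowed.
Dim Conn, DBPath
DBPath = Server.MapPath("/guestbook/guestbook.asp")   ' assumed location
Set Conn = Server.CreateObject("ADODB.Connection")
On Error Resume Next
Conn.Open "Driver={Microsoft Access Driver (*.mdb)};DBQ=" & DBPath
If Err.Number <> 0 Then
    Err.Clear
    Set Conn = Nothing
    Response.Write "Database connection error."
    Response.End
End If
On Error GoTo 0   ' restore normal error handling for everything that follows
%>

<!--#include file="conn.asp"-->
<%  ' ===== login.asp (hardened; added example, not the original program) =====
Dim Guest_user, Guest_password, rs, sql, dbUser, dbPass
Guest_user = Trim(Request.Form("Guest_user"))
Guest_password = Trim(Request.Form("Guest_password"))

' Condition 3: test for emptiness AFTER Trim, so a lone space is rejected
' here instead of being trimmed to "" right before the comparison.
If Len(Guest_user) = 0 Or Len(Guest_password) = 0 Then
    Response.Write "Please enter the administrator user name and password."
    Response.End
End If

Set rs = Server.CreateObject("ADODB.Recordset")
sql = "SELECT Guest_user, Guest_password FROM admin WHERE id=1"
rs.Open sql, Conn, 1, 1   ' adOpenKeyset, adLockReadOnly

' A missing row fails closed; the original fell straight through to the compare.
If rs.EOF Then
    rs.Close
    Response.Write "Please enter the correct administrator password."
    Response.End
End If

' Appending "" turns Empty or Null into "" so the compare is string-vs-string.
' With the original "<>" test, Empty equals "" and Null makes the whole
' condition Null, which If treats as False: both land in the Else branch.
dbUser = rs("Guest_user") & ""
dbPass = rs("Guest_password") & ""
rs.Close

If StrComp(dbUser, Guest_user, vbBinaryCompare) <> 0 Or _
   StrComp(dbPass, Guest_password, vbBinaryCompare) <> 0 Then
    Response.Write "Please enter the correct administrator password."
    Response.End
End If

Session("admin") = 1
Response.Write "Login successful, please return to the information page"
%>
```

The two changes are independent: the root-relative MapPath plus the Err check stops the connection file from silently continuing, and the post-Trim length check plus the explicit string compare stops the login page from accepting an empty record even if something upstream does fail quietly. Either one alone breaks the bypass; applying both means a future regression in one file does not reopen it.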