Magic Spring [B.S.N], Script Security Focus: sites.google.com/site/bsnguanzhujiaobenanquan
In the article "Mining vulnerabilities in guestbooks" I wrote a paragraph about a case worth studying: writing a one-sentence Trojan (a one-line webshell) into the database by exploiting the fact that the value read from Request.ServerVariables is not filtered, so that the inserted record ends up in the database file.
At the time, however, that was only a guess, based on some PHP injection vulnerabilities caused by an unfiltered IP address. Learning should rest on technical rigour: whatever the vulnerability, it has to be tested in person, otherwise theory alone is not convincing.
It happens that there is such a guestbook, so let's test it.
Test target: Hua Mulan guestbook
Official website: www.77f77.com
First, let's see what filtering the submitted data goes through.
The program has only a few files, so here is the structure of the guestbook:
Hua Mulan guestbook
|___ Index.asp          main file; contains the code for submitting and displaying messages
|___ Gustbook_Conn.asp  database connection file
|___ Gustbook_sub.asp   functions
|___ Dqe_gustbook.asp   database file
Here we mainly look at Index.asp, since it has already been confirmed that the database file is not protected against download and can be requested directly.
Important code in Index.asp, first the filter functions:
    ' The HTML entities in the Replace targets (&gt; &lt; &nbsp; &quot; &#39;) were lost
    ' when this page was copied; they are restored here in their standard form.
    Function htmlencode(fString)
        If Not IsNull(fString) Then
            fString = Replace(fString, ">", "&gt;")
            fString = Replace(fString, "<", "&lt;")
            fString = Replace(fString, Chr(32), "&nbsp;")
            fString = Replace(fString, Chr(9), "&nbsp;")
            fString = Replace(fString, Chr(34), "&quot;")   ' "
            fString = Replace(fString, Chr(39), "&#39;")    ' '
            fString = Replace(fString, Chr(13), "")
            fString = Replace(fString, Chr(10) & Chr(10), "</p><p>")
            fString = Replace(fString, Chr(10), "<br>")
            htmlencode = fString
        End If
    End Function

    ' Reverse of htmlencode, used when a stored message is edited
    Function uhtmlencode(fString)
        If Not IsNull(fString) Then
            fString = Replace(fString, "&nbsp;", Chr(32))
            fString = Replace(fString, "&nbsp;", Chr(9))
            fString = Replace(fString, "&quot;", Chr(34))
            fString = Replace(fString, "&#39;", Chr(39))
            fString = Replace(fString, "", Chr(13))
            fString = Replace(fString, "</p><p>", Chr(10) & Chr(10))
            fString = Replace(fString, "<br>", Chr(10))
            uhtmlencode = fString
        End If
    End Function
.......
Then the code that submits the data:
    Books_mingzi = htmlencode(Request.Form("mingzi"))
    If Books_mingzi = "" Then Books_mingzi = "anonymous"
    Books_biaoti = htmlencode(Request.Form("biaoti"))
    Books_neirong = htmlencode(Request.Form("neirong"))
    ......
    Set mRs = Server.CreateObject("ADODB.RecordSet")
    mRs.Open "Select * from dqe_gustbook", conn, 1, 3
    mRs.AddNew
    mRs("who") = Books_mingzi
    mRs("biaoti") = Books_biaoti
    mRs("neirong") = Books_neirong
    mRs("lanmu") = lanmu
    mRs("zhiding") = 0
    mRs("shijian") = Now()
    ' The X-Forwarded-For header is read straight from the request and stored as-is
    UserIP = Request.ServerVariables("HTTP_X_FORWARDED_FOR")
    If UserIP = "" Then UserIP = Request.ServerVariables("REMOTE_ADDR")
    mRs("ip") = UserIP
    mRs.Update
    mRs.Close
    Set mRs = Nothing
    Response.Write "<script>alert('Message added successfully. Hua Mulan official site: http://www.77f77.com');this.location.href='" & Url & "';</script>"
    Response.End
From this code you can see that the author runs the form fields submitted by the user through htmlencode, so there is at least some defence against the vulnerability.
However, the HTTP_X_FORWARDED_FOR value fetched while the record is being added is written to the database without any filtering at all, and that is what we can use.
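The defensive counterpart of the code above, as an added example that is not part of the original post or of the Hua Mulan guestbook: written in Python rather than ASP, it treats the client address as a typed value that must parse as an IP instead of a string to be HTML-encoded, consults HTTP_X_FORWARDED_FOR only when the request arrived through a proxy the site itself operates (otherwise the header is whatever the client chose to send), and adds a helper that flags stored ip values that are not addresses, which is what the unfiltered code would have written. The function names, the trusted-proxy list and the sample rows are constructed for this example.

```python
import ipaddress
from typing import Mapping, Optional, Sequence


def parse_ip(value: str) -> Optional[str]:
    """Return the canonical text form of one IP literal, or None if it is not one."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None


def client_ip(server_vars: Mapping[str, str], trusted_proxies: Sequence[str] = ()) -> str:
    """Pick the client address the way the guestbook should have.

    REMOTE_ADDR is set by the web server from the TCP connection and cannot be
    chosen by the client. HTTP_X_FORWARDED_FOR is an ordinary request header, so
    it is only consulted when the immediate peer is a proxy we operate, and even
    then every hop must parse as an IP address; otherwise the header is ignored.
    """
    remote = parse_ip(server_vars.get("REMOTE_ADDR", ""))
    if remote is None:
        raise ValueError("REMOTE_ADDR missing or invalid")
    if remote not in {parse_ip(p) for p in trusted_proxies}:
        # Not behind our proxy: the header cannot be trusted, use the peer address.
        return remote
    forwarded = server_vars.get("HTTP_X_FORWARDED_FOR", "")
    hops = [parse_ip(h) for h in forwarded.split(",") if h.strip()]
    if not hops or any(h is None for h in hops):
        # Empty or malformed header: fall back rather than store arbitrary text.
        return remote
    # Leftmost entry is the original client as reported by our proxy.
    return hops[0]


def suspicious_ip_rows(rows: Sequence[Mapping[str, str]]) -> list:
    """Flag records whose 'ip' column does not hold an IP literal.

    Run over the guestbook table this spots rows written by the unfiltered
    code path, since a genuine REMOTE_ADDR always parses.
    """
    return [r for r in rows if parse_ip(r["ip"]) is None]


# Constructed sample rows standing in for the dqe_gustbook table.
SAMPLE_ROWS = [
    {"id": 1, "ip": "203.0.113.7"},
    {"id": 2, "ip": "<b>not an address</b>"},
    {"id": 3, "ip": "2001:db8::1"},
]


if __name__ == "__main__":
    direct = {"REMOTE_ADDR": "203.0.113.7", "HTTP_X_FORWARDED_FOR": "<b>not an address</b>"}
    print(client_ip(direct))                                     # 203.0.113.7
    via_proxy = {"REMOTE_ADDR": "10.0.0.5", "HTTP_X_FORWARDED_FOR": "198.51.100.9, 10.0.0.5"}
    print(client_ip(via_proxy, trusted_proxies=["10.0.0.5"]))    # 198.51.100.9
    print([r["id"] for r in suspicious_ip_rows(SAMPLE_ROWS)])    # [2]
```

The design point is that validation by type replaces encoding here: an address column never needs HTML in it, so anything that does not parse is rejected outright, and the trusted-proxy check stops a client from supplying its own "forwarded" address when no proxy is in the path.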
Practical application:
You can submit the request directly with the POST submission tool written by Hedgehog, or capture the packet and resubmit it with nc.
If 200 OK is returned, the request was submitted successfully, and when you open the database file you will find that the content has been inserted.