This character identifies the end of the string, also known as null-terminated, which brings some trouble to scripting, especially ASP programming, and many people may ask why this special character should be retained, and we can trace it back to one of the languages of the operating system, C + + Children's shoes may know that identifying a string in a string is the end of the (null or 0), otherwise it cannot be called a string, only a string array, any function for string manipulation if the passed-in string loses this ending null character, an exception can occur.
Copy Code code as follows:
Char strbuf[] = "Hello"
Equivalent to
Char strbuf[] = {' H ', ' e ', ' l ', ' l ', ' o ', ' d '}
One of the simple implementations of the string length judgment function:
Copy Code code as follows:
size_t strlen_a (const char * str) {
size_t length = 0;
while (*str++)
++length;
return length;
}
You can see that while loops are marked with a 0 ending, the end sign here is the character at the end of the string. This kind of string identification method can be said to have its reason, because C language, such as the lower level of the language, the need is the efficiency of execution, and better storage space control, that is, we for the string variable is required to master and allocate the space to store strings, the general string allocation space is much larger than the length of the string , and the C-language auto distribution of variables before the initialization is filled with the garbage value, then to this space to load our string, simply set the string to the last one of the characters can be, effectively avoiding the entire space operation, Another reason is that the output of this string must indicate where the end of the string, the total can not output the entire string storage space value bar, hehe, may explain a bit far-fetched.
Well, let's see why Asp/vbscript retains this feature, we know that VBScript is a subset of VB (Visual Basic), what VB is, VB is doing Windows application development, When it comes to Windows application development, it is possible to call the Windows System API, and these API functions are mostly written in C language, obviously for VB to be compatible with these APIs, the inevitable string to introduce Chr (0) character is vbNullChar, At the same time also have the character of C-language string processing, is encountered Chr (0) on the identification of the end of the string, no matter what the next content, the most classic use of Chr (0) characters WINAPI function call is GetLogicalDriveStrings, This API acquires a drive string similar to C:\<null>d:\<null><null>, and each two paths are separated by a null-terminated, which is Chr (0), so special handling is required. If VB does not support Chr (0) characters, then this API will not be used, VB application writing will be greatly compromised. However, in particular, the subset of VB is reserved for this feature, and I am not quite sure if the null character is necessary in the VBScript script, but it is an ASP that has caused a certain amount of trouble to our scripting, even a security risk.
For example, a function that takes a file extension:
Copy Code code as follows:
' This function is for demonstration only, do not use in production environment
Function getfileextensionname (filename)
Dim Lastdotpos
Lastdotpos = InStrRev (filename, ".")
Getfileextensionname = right (filename, Len (filename)-Lastdotpos)
End Function
This function is only used to demonstrate that by using this function we can get an extension of the uploaded file, such as Sample.jpg, by using the above function to obtain JPG if a malicious attacker constructs such an upload filename sample.asp<null>.jpg, i.e. " Sample.asp "& CHR (0) &". jpg ", the above function still gets the extension jpg, and the ASP is truncated by CHR (0) because of the VBScript feature. Then the file name becomes sample.asp after uploading, which is quite dangerous. The usual approach is to filter out Chr (0), such as the following function:
Copy Code code as follows:
Function Filterfilename (FileName)
Filterfilename = Replace (FileName, vbNullChar, "")
End Function
However, if this happens, the user may be trying to use the upload vulnerability attack system, so I think it is more appropriate to find that contains Chr (0), then prohibit file upload, avoid filtering malicious files are still uploaded, although malicious files do not work. Query the regular library regexlib.com, I found a better way to judge the checksum file name, and then provide this more common regular matching filename is legitimate function for everyone to refer to:
Copy Code code as follows:
Function Isacceptablefilename (FileName)
Set objRegExp = New RegExp
Objregexp.ignorecase = True
Objregexp.global = False
Objregexp.pattern = _
"^(?! ^ (prn| Aux| clock\$| Config\$| "& _
"Nul| con|com\d| Lpt\d|\.. *) "& _
"(\.. +)? $) [^\x00-\x1f\\?*:\ "; |/]+$"
Isacceptablefilename = Objregexp.test (fileName)
Set objRegExp = Nothing
End Function
The Isacceptablefilename function can detect whether the file name contains some illegal characters such as 0x00~0x1f and *\/these prohibited path characters, but also detect the special device name under Windows, such as PRN, CON, nul, etc. Avoid malicious device name file uploads.
Updated December 20, 2011
About the null character upload vulnerability attack implementation code please refer to ASP upload vulnerability using CHR (0) Bypass extension detection script "