The following code is provided:
<% Dim name, password, myDSN, cn, SQL
name = Trim(Request.Form("name"))
password = Trim(Request.Form("password"))
If name = "" Or password = "" Then Response.Redirect "error.asp?error=name&name=null"
myDSN = "DSN=test;uid=test;pwd=test"
Set cn = Server.CreateObject("ADODB.Connection")
cn.Open myDSN
' the submitted values are concatenated straight into the SQL text, as in the original post
SQL = "insert into test (name, title) values ('" & name & "','" & password & "')"
cn.Execute SQL
cn.Close %>
The trim function removes spaces at the beginning and end of a string. Normally the program works fine, but it turned out that some people could still register with a name made only of spaces: the stored user name was completely blank, even though a name typed with the space bar is caught by the check above. Trim removes leading and trailing spaces, and spaces in the middle could be removed with another function, yet the record in the SQL database was still blank. I suspected the user had used something else to make the name invisible, so I inspected the SQL table that records user data (the same method I use to spot user names containing line breaks), but the user's record was blank there as well. So the user had found a way to get past the check on the user name and password. I could not find the flaw in the program, and then it suddenly came to me: "Alt+255". Holding the Alt key and pressing "2", "5", "5" in sequence on the keypad produces a special "space" character (the author is not entirely clear on this; it is a control character, and in some editors such as Word 2000 one can see that there are other control characters as well). This character is different from the one produced by the space bar: its ASCII code is 255, whereas the ordinary space has ASCII code 32, and Trim only recognises and removes code 32. That is how a user with a blank name gets through. To deal with it I designed the following two functions to remove this "space" character:
Function xuankong(str)
    Dim result, i, j
    j = Len(str)
    result = ""
    For i = 1 To j
        Select Case Mid(str, i, 1)
            Case "<"
                result = result & "&lt;"
            Case ">"
                result = result & "&gt;"
            Case Chr(34)
                result = result & "&quot;"
            Case "&"
                result = result & "&amp;"      ' the cases above convert HTML special characters
            Case Chr(255)                      ' drops the special "space"
                result = result
            Case Chr(13)                       ' drops carriage returns
                result = result & ""
            Case Chr(10)                       ' drops line feeds
                result = result & ""
            Case Else
                result = result & Mid(str, i, 1)
        End Select
    Next
    xuankong = result
End Function
Then use this function in your ASP program, for example:
name = xuankong(Trim(Request.Form("name")))
Because the ASCII codes of the characters "0" through "z" run from 48 to 122, you can also monitor the input character by character as follows:
Dim i, j
name = Trim(Request.Form("name"))
j = Len(name)
For i = 1 To j
    If Asc(Mid(name, i, 1)) > 122 Or Asc(Mid(name, i, 1)) < 48 Then Response.Redirect "error.asp?error=special"
Next
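As an added example (not code from the original post), here is a Python port of the xuankong sanitiser and of the 48-122 range check, beside a whitelist validator; the sample inputs and the [A-Za-z0-9_] user-name rule are assumptions. It also shows what the range check alone still admits, such as an empty name and punctuation like "<" and ":".

```python
import re

# Constructed sample inputs (not from the original post). chr(255) is the code the
# post reports for the Alt+255 "space"; the others exercise the HTML and CR/LF cases.
SAMPLES = {
    "normal": "  alice  ",
    "alt255": chr(255) + chr(255),
    "html": "bob<script>",
    "crlf": "carol\r\nadmin",
    "punct": "d:a\\n",            # ':' (58) and '\' (92) fall inside 48..122
}

def xuankong(s: str) -> str:
    """Port of the post's xuankong(): HTML-escape < > " & and drop chr(255), CR and LF."""
    out = []
    for ch in s:
        if ch == "<":
            out.append("&lt;")
        elif ch == ">":
            out.append("&gt;")
        elif ch == '"':
            out.append("&quot;")
        elif ch == "&":
            out.append("&amp;")
        elif ch in (chr(255), "\r", "\n"):
            continue  # silently dropped, as in the original function
        else:
            out.append(ch)
    return "".join(out)

def passes_range_check(name: str) -> bool:
    """The post's monitoring loop: reject if any character code is outside 48..122."""
    return all(48 <= ord(ch) <= 122 for ch in name)

# Whitelist alternative (assumption: user names are 1-32 characters of [A-Za-z0-9_]).
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")

def is_valid_username(raw: str) -> bool:
    """Trim, run the sanitiser, then require the result to match the whitelist exactly."""
    # str.strip() behaves like ASP's Trim here: chr(255) is not whitespace, so it stays.
    name = xuankong(raw.strip())
    return USERNAME_RE.fullmatch(name) is not None
```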
Although this "space" has not been found to damage the program so far, it can confuse people, so it is better to guard against it. The space does have one benefit, though: if you have to use it in your internet password, hey... I'm afraid few people would be able to see it! They would think it is a space, but it isn't... I am not familiar with PHP and JSP, so I don't know whether this problem exists in those two. However, it must be a serious vulnerability, because many programmers trust trim. Haha!
(Original) Just a few words... (Analysis of the devil's article)
Actually, I didn't want to write about this. It is just the absurd story of a vulnerability discovered by the devil of the mixed worlds: (mobile 4.03 Upload Vulnerability)
Let's see how they wrote it.
The key code where the vulnerability is generated is this section:
FileExt = LCase(ofile.FileExt)          ' determine the extension
arrUpFileType = Split(UpFileType, "|")
For i = 0 To UBound(arrUpFileType)
    If FileExt = Trim(arrUpFileType(i)) Then
        EnableUpload = True
        Exit For
    End If
Next
If FileExt = "asp" Or FileExt = "asa" Or FileExt = "aspx" Or FileExt = "cer" Or FileExt = "cdx" Then
    EnableUpload = False
End If
The upload vulnerability is attributed to an error in a variable. The principle is to append a space, because "asp " (asp followed by a space) is not equal to "asp".
Is that true? It's a joke.
Let's look at the explanation of the trim() function:
In ASP programming we often use the trim (rtrim, ltrim) functions to remove spaces at the beginning and end of some data.
Suppose we submit this.asp (with a space after it).
Trim() removes the space, and the extension is then compared against asp, asa, aspx, cdx and cer in the array!
Can it still succeed? I'd bet my computer that they must have been hot-headed when they announced this vulnerability. I talked to the devil for a long time and he still didn't understand it!
Ah... Now we are doing technology.