Using %5c to bypass authentication

Tags: iis, relative path, trim, administrator password

---------------------------------------
Lake2 (http://mrhupo.126.com)
2004-11-27
---------------------------------------

Speaking of %5c, you probably think of the currently popular %5c database-path disclosure ("Bauku") trick. This article explores another use of %5c (and of course it is something new I came up with; hopefully it is of some help to you ^_^).

OK, let's trace it back to the root and find the original vulnerability. Look at the NSFocus (Green League) advisory from 2001: http://www.nsfocus.net/index.php?ac...iew&bug_id=1429

N years ago this vulnerability could be used for directory traversal. Microsoft patched it, but the patch appears only to restrict IIS to accessing files within the virtual directory, so the vulnerability itself remains; only the way it is used has changed. With IIS, a URL containing %5c still finds the requested file, but files that this file references by relative path are no longer found (%5c is the URL encoding of \, so IIS goes up one directory level to look for them, where of course they do not exist; confusing, haha, I am dizzy too).

Later some expert dug this vulnerability out again, giving us the legendary %5c Bauku: because the database file is referenced by a relative path, submitting %5c means the file cannot be found, an error results, and IIS obligingly prints out the path to the database (if you do not follow, look it up on Google).

By chance I found that %5c can also be used to bypass ASP authentication; when a Bauku attempt fails, we might as well try this.

Enough talk, look at the following code:

<!--#include file="conn.asp"-->
<%
' Read the submitted credentials and strip surrounding spaces
Guest_user = Trim(Request("Guest_user"))
Guest_password = Trim(Request("Guest_password"))
Set rs = Server.CreateObject("ADODB.Recordset")
sql = "SELECT * FROM admin WHERE id=1"
rs.Open sql, conn, 3, 2
Readuser = rs("Guest_user")
Readpassword = rs("Guest_password")
If Readuser <> Guest_user Or Readpassword <> Guest_password Then
    Response.Write "Please enter the correct administrator password."
    Response.End
Else
    Session("admin") = 1 ' after a successful login, record the state in the session
    Response.Write("Login successful, please return to the information page")
End If
%>


See that? To pass authentication, the username and password in the database must match what is submitted; that gives us an idea. Let's look at the database connection file's code again:

<%
On Error Resume Next
Set Conn = Server.CreateObject("ADODB.Connection")
DBPath = Server.MapPath("guestbook.asp")
Conn.Open "Driver={Microsoft Access Driver (*.mdb)};DBQ=" & DBPath
%>

Ah, an error-suppressing statement, so no Bauku here. But wait: if we submit %5c and the database cannot be found, the error suppression means the program keeps executing, and the username and password read from the database are then empty (think of the times a Bauku attempt fails and you only see an empty page frame: that is because the data are empty). Haha, so we bypass the check.

Knowing how it works: save the login page locally, modify the URL the form submits to, changing the last / to %5c, enter a space as both the username and the password (some programs check whether the username and password are empty, and the space is then trimmed away by the program), submit, and done.
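To make the failure mode concrete, here is an added Python model of the two ASP files above (example code, not from the original article or the guestbook program). A `db_opened` flag stands in for whether `Conn.Open` in conn.asp succeeded; when it did not and `On Error Resume Next` swallowed the error, every field read from the recordset comes back empty, which is exactly what the article observes. The function names, the sample admin row and the hardened variant are assumptions added for illustration; the hardened version fails closed on a database error, checks for emptiness after trimming, and refuses to match an empty stored credential.

```python
"""Model of the vulnerable ASP login check and a fail-closed version.

Added example, not code from the original article. Names are assumptions.
"""
import hmac
from typing import Dict


def read_admin_row(db_opened: bool) -> Dict[str, str]:
    """Model of rs("Guest_user") / rs("Guest_password").

    With 'On Error Resume Next' in conn.asp a failed open is swallowed and
    each field read yields an empty string instead of raising.
    """
    if not db_opened:
        return {"Guest_user": "", "Guest_password": ""}
    # Constructed sample record standing in for the real admin row.
    return {"Guest_user": "admin", "Guest_password": "s3cret"}


def vulnerable_login(db_opened: bool, user: str, password: str) -> bool:
    """Same shape as the original page: trim the input, compare to the row."""
    user = user.strip()
    password = password.strip()
    row = read_admin_row(db_opened)
    # When the database could not be opened both sides are "" and this
    # comparison succeeds for a blank (or all-spaces) username and password.
    return row["Guest_user"] == user and row["Guest_password"] == password


def hardened_login(db_opened: bool, user: str, password: str) -> bool:
    """Fail closed: a database error or blank input is never a valid login."""
    if not db_opened:
        return False  # an unreadable database is an error, not "no password"
    user = user.strip()
    password = password.strip()
    if not user or not password:
        return False  # emptiness is checked *after* trimming, so " " is rejected
    row = read_admin_row(db_opened)
    if not row["Guest_user"] or not row["Guest_password"]:
        return False  # an empty stored credential can never match
    return (hmac.compare_digest(row["Guest_user"], user)
            and hmac.compare_digest(row["Guest_password"], password))


if __name__ == "__main__":
    # Blank credentials against an unopened database: the original logic lets
    # them through, the hardened logic does not.
    print("vulnerable:", vulnerable_login(False, " ", " "))
    print("hardened:  ", hardened_login(False, " ", " "))
```

The order of the checks in `hardened_login` is the point: the article's condition that "the program does not check for empty input, or checks before trimming" disappears once the emptiness test runs on the trimmed value, and the database-error case is closed by refusing to authenticate at all rather than comparing against whatever the failed read returned.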

Eh, do not think I just wrote a bit of code to make this up; this is actually a guestbook program written by a master at our school, hanging on the school's home page, hehe.

Having understood the principle, of course I went looking for real vulnerabilities, and naturally the first target was the famous "Hole Net" forum. But it failed, because the database connection file contains this section:

If Err Then
    Err.Clear
    Set Conn = Nothing
    Response.Write "Database connection error, please check the connection string."
    Response.End
End If

If the database cannot be found, the program simply ends. Oh well, a false joy.

Then I went on to the BBSXP forum and opened its database connection file. Whoa, no error-suppressing statement at all; hehe, but that means it can be Bauku'd.

I am not the perverse sort, so I will not go to the trouble; writing this article is just to provide information for you masters.

To summarise the conditions under which this attack succeeds: (1) the database connection uses a relative path and has only a simple error-suppressing statement; (2) the server runs IIS version 4 or 5; (3) the program does not check for empty input, or its emptiness check runs before the spaces are trimmed while the comparison runs after; (4) the program must not be in the top-level directory.

As for prevention, hehe, now that the attack conditions are known, the countermeasures follow naturally ^_^
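On the detection side, the one thing every variant of this trick shares is a backslash, encoded as %5c or literal, inside the requested path. The following added Python scanner (example code, not from the original article) reads IIS W3C-format log text, honours the `#Fields:` header, and flags requests whose `cs-uri-stem` contains either form; it matches both so it does not depend on whether a given IIS version logs the raw or the decoded stem. The log lines, field order and addresses are constructed for the example.

```python
"""Flag IIS W3C log entries whose URI stem contains an encoded or literal
backslash (the %5c trick). Added example; sample log lines are constructed."""
import re
from typing import Dict, List

# Field order used when a log has no '#Fields:' header (an assumption for the
# example; real IIS logs declare their fields and the parser prefers those).
DEFAULT_FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-stem",
                  "cs-uri-query", "sc-status"]

# %5c in any case, or a literal backslash, anywhere in the stem.
BACKSLASH = re.compile(r"%5c|\\", re.IGNORECASE)

# Constructed sample log: a normal login, then the same page requested with the
# last '/' replaced by %5c, then a direct hit on conn.asp with a literal '\'.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-11-27 10:01:02 192.0.2.10 GET /guestbook/login.asp - 200
2004-11-27 10:01:09 192.0.2.10 POST /guestbook%5clogin.asp - 200
2004-11-27 10:02:30 198.51.100.7 GET /guestbook/conn.asp - 200
2004-11-27 10:03:11 198.51.100.7 GET /guestbook\\conn.asp - 500
"""


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log text into dicts keyed by field name."""
    fields = list(DEFAULT_FIELDS)
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # take the declared field order
            continue
        if not line or line.startswith("#"):
            continue                       # other directives and blank lines
        parts = line.split()
        if len(parts) != len(fields):
            continue                       # malformed line: skip, do not guess
        rows.append(dict(zip(fields, parts)))
    return rows


def find_backslash_requests(text: str) -> List[Dict[str, str]]:
    """Return the parsed entries whose cs-uri-stem contains %5c or '\\'."""
    return [row for row in parse_w3c(text)
            if BACKSLASH.search(row.get("cs-uri-stem", ""))]


if __name__ == "__main__":
    for hit in find_backslash_requests(SAMPLE_LOG):
        print(hit["date"], hit["time"], hit["c-ip"],
              hit["cs-method"], hit["cs-uri-stem"], hit["sc-status"])
```

A 200 response on a `%5c` request to a login page is the interesting case here: it is the combination the article describes, where the page itself was served while its relative includes silently failed. A 500 on the same pattern is the noisier Bauku variant, where the error reached the client.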
