Before posting this article I want to explain: in my view, "hacker" is a term of praise, not what everyone thinks of as a thief or villain.
Building a website is very simple nowadays: buy a domain name and some hosting space, download a CMS from the Internet, and the site is up. There are many webmaster friends like this who in fact do not understand the site's scripts at all, so when a site is hacked, very few go looking for the cause in the source code.
Today's real case uses the "network domain hi-tech industry business-to-business business Platform" (a B2B platform) as the example. An earlier domestic analysis only described how the vulnerability is exploited and did not mention how to fix it.
Original address:
Http://www.176ku.com/wenzhai/ruqin/200907/10877.html
The article is fairly long; as the saying goes, the layman watches the excitement while the expert sees the doorway. I am posing as an expert here to exchange some ideas with everyone.
Some variables in the leaveword_save.asp file are not taken into account (not filtered); here are lines 7 to 43 of the code:
As shown in the figure: three variables are written directly into the database without any filtering.
Because special characters are not filtered, an attacker can construct an arbitrary cross-site scripting (XSS) statement. A particularity of this attack: the user name and contact fields have restricted storage lengths, so the attacker chooses the "feedback content" field, which stores longer strings.
Display in the admin backend after submission (figure):
Because of the XSS vulnerability described above, the XSS attack fires when an administrator logs into the backend and clicks the feedback entry to view it.
Of course, an XSS attack alone does not give direct access to a backdoor on the site, so the attacker turns to the source code of the "database backup" function that such sites commonly have.
This backend has a database backup function. What the attacker needs to do is use the administrator's identity to back up a webshell for them. First, look at how the database backup code is written; in the admin\system\admin_backdb.asp file, lines 108 to 129 are as follows:
An attacker can upload a webshell packaged as a .rar file and then fill in its address as the database path. Here the address is "/oledit/uploadfile/200712/2007121544821758.rar". Note that the path must point to an existing file, or the backup will fail. The modified code is as follows:
Save this as xx.jpg and upload it to the server; because the HTML is still parsed after being renamed to .jpg, the path becomes Oledit/uploadfile/200712/200712155756468.jpg. The following statement is then placed in the feedback message:
When the administrator views it, this automatically backs up the webshell, as shown in the figure.
Knowing the whole process, we can patch the source code. First, look at the patch I have provided for the vulnerability:
Once these special characters are converted and filtered, the stored information no longer has a cross-site effect, which effectively prevents the XSS attack.
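As an added illustration of the fix described above (written here in Python, not the original ASP patch), the three form fields are truncated to their storage length and HTML-encoded before being stored, so a stored script renders as text in the backend; the field limits, the `db_dir` path and the backup-source check are assumptions added for the example, not taken from the page.

```python
import html
import posixpath

# Assumed limits: the page notes the user name and contact fields are
# short while "feedback content" is long; the exact sizes are constructed.
FIELD_LIMITS = {"username": 20, "contact": 50, "content": 1000}


def sanitize_feedback(form):
    """Truncate each field to its storage length, then HTML-encode it.

    html.escape converts & < > " ' to entities, so a stored payload such as
    <script>...</script> is shown as literal text in the admin backend
    instead of executing when the administrator views the entry.
    """
    clean = {}
    for field, limit in FIELD_LIMITS.items():
        value = (form.get(field) or "")[:limit]
        clean[field] = html.escape(value, quote=True)
    return clean


def is_safe_backup_source(path, db_dir="/data"):
    """Assumed hardening for the backup function (not from the page):
    only an .mdb file below db_dir may be copied, so an uploaded .rar or
    .jpg can never be selected as the backup source."""
    if not path or "\x00" in path:
        return False
    # Normalise the site-relative path so ".." cannot escape db_dir.
    full = posixpath.normpath("/" + path.lstrip("/"))
    return full.startswith(db_dir + "/") and full.lower().endswith(".mdb")


# Constructed sample submission with a script in the long "content" field.
SAMPLE_FORM = {
    "username": "guest",
    "contact": "guest@example.invalid",
    "content": '<script>alert("xss")</script>',
}

if __name__ == "__main__":
    print(sanitize_feedback(SAMPLE_FORM)["content"])
    print(is_safe_backup_source("/oledit/uploadfile/200712/2007121544821758.rar"))
```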
If the above is lacking, please advise and point it out. Thank you for reading.