rs.addnew
rs("fksubject")=checkFFSQLStr(trim(request("fksubject")))
rs("fkleixing")=checkFFSQLStr(request("fkleixing"))
rs("fkcontent")=checkFFSQLStr(trim(request("fkcontent")))  ' look, no dangerous character filtering
rs("fkusername")=checkFFSQLStr(trim(request("fkusername")))
rs("fkemail")=checkFFSQLStr(trim(request("fkemail")))
rs("fktel")=checkFFSQLStr(trim(request("fktel")))
rs("fklaizi")=checkFFSQLStr(trim(request("fklaizi")))
rs("fkdate")=now
rs("fkip")=Request.ServerVariables("remote_addr")
rs.update
rs.close

It is not hard to see that, before storing the data in the database, the program only filters characters that could form an SQL injection (SI). That filtering is not even necessary here, because the parameters are not used in query conditions; meanwhile dangerous characters such as script tags are not filtered at all, and the display page lyb.asp shows the message without filtering it first either. If we submit <script>alert(document.cookie)</script> in the comment, it pops up the user's cookie information (Figure 1).

Example 1-2: a poorly filtering UBB script insertion

The UBB conversion page ubbcode.asp of a well-known blog program converts dangerous characters as follows:
Str = Replace(Str, "script", "script")
Str = Replace(Str, "SCRIPT", "SCRIPT")
Str = Replace(Str, "Script", "Script")
Str = Replace(Str, "script", "Script")

Only these exact spellings are matched, so we can submit the word as sCRipt to get around this limitation, for example in a submitted message.
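The two weaknesses above in one place, as an added illustration in Python rather than the guestbook's or the blog's own ASP: a storage filter that only strips SQL-injection characters (the behaviour of checkFFSQLStr is assumed), a Replace() chain that matches three spellings of "script", and the output encoding that defuses the tag regardless of letter case.

```python
import html
import re

# Added illustration, not the guestbook's or the blog's own code: the storage
# filter strips only SQL-injection characters and the UBB filter matches only
# three spellings of "script", so a mixed-case tag survives both.  Encoding
# for HTML at the point of output defuses the tag whatever its case.

def check_ff_sql_str(value: str) -> str:
    """Stand-in for checkFFSQLStr (assumed behaviour): drop characters that
    matter for SQL injection, leave HTML untouched."""
    for token in ("'", ";", "--"):
        value = value.replace(token, "")
    return value

def ubb_script_filter(text: str) -> str:
    """Mirror of the Replace() chain: only three exact spellings are matched.
    The replacement text is not on the page; a space is inserted here so a
    matched tag is visibly broken."""
    for spelling in ("script", "SCRIPT", "Script"):
        text = text.replace(spelling, spelling[0] + " " + spelling[1:])
    return text

def is_defused(markup: str) -> bool:
    """True when no <script ...> tag survives, in any letter case."""
    return re.search(r"<\s*script\b", markup, re.IGNORECASE) is None

def render_vulnerable(comment: str) -> str:
    """lyb.asp style: store after the SQL filter, display without encoding."""
    return check_ff_sql_str(ubb_script_filter(comment))

def render_hardened(comment: str) -> str:
    """Same storage, but HTML-encode on output; letter case is irrelevant."""
    return html.escape(check_ff_sql_str(comment), quote=True)

if __name__ == "__main__":
    probe = "<sCRipt>alert(document.cookie)</sCRipt>"   # constructed input
    for render in (render_vulnerable, render_hardened):
        out = render(probe)
        print(render.__name__, is_defused(out), out)
```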
Second, unauthorized access attacks

An unauthorized access (override) vulnerability arises when the programmer's check of the right to access a page is incomplete, so that an intruder can reach pages that only particular users or administrators should reach, without needing that user's or the administrator's password. This kind of override makes me think of the "chat room kicking method" that was popular a long, long time ago, around 2000: it used incomplete permission checks in the chat program's page responsible for kicking users, so that anyone could kick anyone. Administrator-privilege vulnerabilities are usually fairly subtle, though, especially in closed-source programs, where most people can only guess from experience.

Now a more general example involving ordinary user permissions. A page for modifying user information takes its parameter from the GET query string, processes it and displays the related data, for example:

http://targetzone.com/edituser.asp?userid=Daniel

This is meant to modify user Daniel's information, but if the program adds no further verification, we can change the parameter value to modify any user's information, for example by submitting

http://targetzone.com/edituser.asp?userid=Kitty

to modify user Kitty's information. When writing such a program the programmer should check the session to determine whether the user is logged in, and should take the current login username from the session; other data such as GET parameters and cookies is not to be trusted.

Another kind of override, which we can call "step override", targets processes that need N steps to complete: step X does not check whether step X-1 was completed, so the attacker can skip the first X-1 steps.
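The two cases just described, identity taken from a request parameter and a later step that does not check the earlier one, as an added Python illustration that is not code from any program on this page: the user to edit and the progress through a multi-step password reset are recorded only in the server-side session, never taken from the query string or a hidden field. The user table and the step functions are constructed for the example.

```python
# Added illustration, not the program's own code: the edituser.asp case and
# the step override just described.  Identity and progress are kept only in
# the server-side session; request parameters and hidden fields are ignored.

USERS = {"Daniel": {"answer": "blue", "password": "old1", "email": "d@x"},
         "Kitty":  {"answer": "cats", "password": "old2", "email": "k@x"}}

def edituser_weak(query: dict, form: dict) -> str:
    """edituser.asp?userid=...: whoever is named in the query gets edited."""
    user = query.get("userid", "")
    if user not in USERS:
        return "no such user"
    USERS[user]["email"] = form["email"]
    return "updated " + user

def edituser_fixed(session: dict, form: dict) -> str:
    """The user to edit is the logged-in user recorded in the session."""
    user = session.get("login_user")
    if user not in USERS:
        return "please log in"
    USERS[user]["email"] = form["email"]
    return "updated " + user

def reset_step1(session: dict, form: dict) -> str:
    """Step 1: name the account; progress is recorded in the session only."""
    session.pop("reset_user", None)
    session.pop("reset_step", None)
    if form.get("username") not in USERS:
        return "no such user"
    session["reset_user"], session["reset_step"] = form["username"], 1
    return "answer your hint question"

def reset_step2(session: dict, form: dict) -> str:
    """Step 2 refuses to run unless step 1 completed in this session."""
    if session.get("reset_step") != 1:
        return "complete step 1 first"
    if USERS[session["reset_user"]]["answer"] != form.get("answer"):
        session["reset_step"] = None
        return "wrong answer"
    session["reset_step"] = 2
    return "choose a new password"

def reset_step3(session: dict, form: dict) -> str:
    """Final step: the username comes from the session, never from a hidden
    field, and only after step 2 succeeded."""
    if session.get("reset_step") != 2:
        return "complete the previous steps first"
    user = session.pop("reset_user")
    session.pop("reset_step")
    USERS[user]["password"] = form["newpwd"]
    return "password changed for " + user
```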
This vulnerability often appears in password programs: the final page that completes the password change simply puts the username to be modified in a hidden field of the page, with no check that it matches the earlier steps, so any user's password can be modified.

Tips 1, Use of hidden fields. Many programmers like to use form hidden fields instead of the session to pass parameters between the steps of a process. For non-sensitive data this saves some server resources, but for sensitive data it is very dangerous: although the user does not see the hidden field on the page, they can view the source to find it, save the page locally and modify the hidden field's value to achieve an override.

Now let's look at a few examples:

Example 2-1: step vulnerability in the password retrieval of one version of Dynamic Mall

This version of Dynamic Mall has many vulnerabilities. Its password-retrieval section is divided into four pages, getpwd.asp to getpwd4.asp, corresponding respectively to entering the username, answering the password hint question, setting a new password, and updating the new password in the database. Part of the code of getpwd4.asp is written like this.
<%If Cookies("down_Isadder")="" then%>
<script language="Vbscript">
msgbox("sorry, you do not have permission to manage users! If you are an administrator, please login!")
window.close()
</script>
<%Else%>
............

It really makes you dizzy: the only check is whether the cookie is empty. So we use IECookiesView to set the down_Isadder value to anything at all (anything except an empty value, of course) and can then enter the management pages.

Example 3-2: L-Blog cookie override upload spoofing vulnerability

This loophole recently brought down many blogs, including those of many hackers. L-Blog's cookie handling has a logic vulnerability that lets any user cross over to administrator privileges and upload files. Part of the code of attachment.asp:

IF memStatus="SupAdmin" OR memStatus="Admin" Then
IF Request.QueryString("action")="upload" Then

You can see that the program only checks whether memStatus holds an administrator value and, if so, allows the upload; it does not check who the logged-in user is. Now look at the cookie validation in command.asp: if memName (the username held in the cookie) is empty, it performs no operation; if it is not empty, it verifies that the saved username and password are correct and, if they are incorrect, empties the cookie. This leaves a loophole: if the username value in the cookie (memName) is empty while the permission value (memStatus) is not, command.asp does not validate the username and password, but the upload page sees memStatus as administrator and allows the upload. We can first register an ordinary user, log in and save the cookie, then modify the cookie so that memName is empty and memStatus is SupAdmin or Admin, and then upload. But only certain file types can be uploaded; we cannot upload an ASP Trojan. What to do...... Let's look next at how to upload an ASP Trojan.
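The command.asp and attachment.asp logic just described, as an added Python illustration rather than L-Blog's code: the weak version skips credential checking when memName is empty and then grants upload rights from the cookie's memStatus alone; the corrected version always verifies and takes the role from the verified account record. The cookie name memPassword and the account table are assumptions for the example.

```python
# Added illustration, not L-Blog's code: the command.asp / attachment.asp
# logic.  The cookie check is skipped when memName is empty, yet the upload
# page grants rights from memStatus alone.  The fix derives the role from the
# verified account record and never from the cookie.

ACCOUNTS = {"daniel": ("pw-daniel", "Member"),     # constructed sample data
            "boss":   ("pw-boss", "SupAdmin")}

def command_asp_weak(cookies: dict) -> dict:
    """Return the cookie as command.asp would leave it."""
    name = cookies.get("memName", "")
    if name == "":
        return cookies              # no check at all: the page's loophole
    rec = ACCOUNTS.get(name)
    if rec is None or rec[0] != cookies.get("memPassword"):   # assumed name
        return {}                   # wrong credentials: cookie emptied
    return cookies

def attachment_asp_weak(cookies: dict, action: str) -> bool:
    """Upload allowed on the strength of memStatus from the cookie."""
    c = command_asp_weak(cookies)
    return c.get("memStatus") in ("SupAdmin", "Admin") and action == "upload"

def attachment_asp_fixed(cookies: dict, action: str) -> bool:
    """Always verify; the role comes from the account record, not the cookie."""
    name = cookies.get("memName", "")
    rec = ACCOUNTS.get(name)
    if name == "" or rec is None or rec[0] != cookies.get("memPassword"):
        return False
    return rec[1] in ("SupAdmin", "Admin") and action == "upload"
```

A cookie that carries the password at all is itself a weakness; the fixed function keeps the page's scheme only to show where the role must come from.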
Fourth, illegal upload vulnerabilities

Turning the legal into the illegal: let's first mention two simple cases that are not program vulnerabilities at all. Some programs refuse uploads with extensions such as asp and asa, but if we look at the IIS settings we find other extensions that are also interpreted by asp.dll, such as cer. So if a program does not allow uploading asp files, we can change the Trojan's extension to cer and upload it; if the server has not removed the cer mapping, the Trojan runs. There are also extensions that can execute SSI (Server Side Include) directives, such as stm: upload a seeit.stm file with the content

<!--#include file="conn.asp"-->

and then access this file to see the contents of conn.asp. So when programmers write upload checks, they should specify which kinds of file members are allowed to upload, not which kinds cannot be uploaded.

On upload program vulnerabilities. The Dynamic Network Forum upload vulnerability that appeared a while ago caused quite a stir, and Daniel also used it to attack many stubborn broilers. Let's first analyze the Dynamic Network upload: it did not allow uploading asp and other dangerous files, but its upload handling has a vulnerability in how it obtains its parameters that lets an intruder upload any file. First look at the submission page reg_upload.asp:
<form name="form" method="post" action="upfile.asp" enctype="multipart/form-data">
<input type="hidden" name="filepath" value="uploadFace">
<input type="hidden" name="act" value="upload">
<input type="file" name="file1">
<input type="hidden" name="fname">
<input type="submit" name="Submit" value="upload" onclick="fname.value=file1.value,parent.document.forms.Submit.disabled=true,parent.document.forms.Submit2.disabled=true;">
</form>

The program extracts the values of the file1 and fname fields of the form to make its judgment, so an asp file submitted directly from the page is detected. We can, however, construct our own data packet and submit it with NC to get past the check. But our main problem is that the uploaded file must end up saved in asp format: even if the value of file1 is legitimate, how do we make the saved extension asp? The non-component upload class of Dynamic Network has this one line:
filename=formPath&year(now)&month(now)&day(now)&hour(now)&minute(now)&second(now)&ranNum&"."&fileExt

This generates the name under which the saved file is stored. When the computer examines a string, the key is whether it encounters a terminating character; if it does, it takes the string to end there. In other words, when constructing the save path of the uploaded file we trick the computer into thinking that a path like "uploadfaceDaniel.asp" has already ended, so that the path parameter stops there, and we achieve our purpose. That is the principle of this exploit; many upload programs today have this vulnerability. Capturing packets and then submitting by hand is too tiring, so Daniel recommends using one of the online upload vulnerability tools to reduce the burden.

Now let's look at a My Power 3.51 vulnerability. Part of the code of its upload page Upfile_Soft.asp is this:
For i=0 to ubound(arrUpFileType)
  If fileEXT=trim(arrUpFileType(i)) then Enableupload=true
Next

Because the upload class used by My Power can upload multiple files, we can see from the code above that if several files are uploaded and the first N-1 have illegal extensions while the N-th has a legal one, the check passes. So we only need to construct our own page that uploads two files, with the second having an extension the program permits. But My Power forbids form submissions from outside the site; how to bypass that limit is covered in "Five, forms of attack and defense" below.

Small tricks: 1, Using the database backup and restore function to turn legal into illegal. After all, many systems have no upload logic vulnerability; how do we upload a script Trojan then? This trick requires that you can log in to the backend and that the site system has database backup and restore functions. Upload the Trojan renamed with a legitimate extension through legitimate channels, then on the backup and restore page enter the uploaded file's name as the path to back up and restore, and restore it. Since the application stores the database with an asp extension, the Trojan is parsed normally.

Five, forms of attack and defense

Earlier in this article several places have already touched on the insecurity of forms; now let us summarize. The main idea of attacking a form is to save the page containing the form locally, modify it and remove the related restrictions, complete its action attribute with the website's address, and then submit. It is easy to see that everything in a form is dangerous and untrustworthy if the server does not verify it.
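The three upload checks discussed in this section (allow-list instead of deny-list, a file name that must be read to its real end, and every file in a batch passing rather than any one) as one added Python checker, not code from Dynamic Network or My Power; the allowed extensions and the sample file names are constructed for the example.

```python
import os
import re
from datetime import datetime
from typing import List, Optional

# Added illustration, not code from Dynamic Network or My Power: one upload
# checker for the three weaknesses described above.  Extensions are accepted
# from an allow-list (so cer, stm and asa are refused without being listed),
# the client file name is rejected if it carries a string terminator or other
# control byte before its extension is read, and in a multi-file upload every
# file must pass rather than any one of them.

ALLOWED = {"jpg", "gif", "png", "zip"}   # what members may upload (assumed)
BLACKLIST = {"asp", "asa"}                # the deny-list approach the page faults

def blacklist_allows(client_name: str) -> bool:
    """The weak check: anything not explicitly banned goes through."""
    return client_name.rsplit(".", 1)[-1].lower() not in BLACKLIST

def validate_one(client_name: str) -> Optional[str]:
    """Return the extension to store under, or None if the file is refused."""
    if re.search(r"[\x00-\x1f\x7f]", client_name):   # terminator / control bytes
        return None
    base = os.path.basename(client_name.replace("\\", "/"))
    if "." not in base:
        return None
    ext = base.rsplit(".", 1)[1].lower()
    return ext if ext in ALLOWED else None

def server_filename(ext: str, seq: int, when: datetime) -> str:
    """Server-generated name, as in the filename=... line quoted above, built
    only from a validated extension."""
    return f"{when:%Y%m%d%H%M%S}{seq}.{ext}"

def validate_batch(client_names: List[str]) -> Optional[List[str]]:
    """The My Power loop corrected: one failing file refuses the whole batch."""
    exts = [validate_one(name) for name in client_names]
    if any(ext is None for ext in exts):
        return None
    stamp = datetime(2004, 1, 1)                   # fixed stamp for the demo
    return [server_filename(ext, i, stamp) for i, ext in enumerate(exts)]
```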
Programmers are advised to check the legality of form data on the client side and at the same time verify it again on the server side, and to add code on the server side that forbids submissions from outside the site:
<%
server_v1=Cstr(Request.ServerVariables("HTTP_REFERER"))
server_v2=Cstr(Request.ServerVariables("SERVER_NAME"))
if mid(server_v1,8,len(server_v2))<>server_v2 then
response.write "<br><br><center><table border=1 cellpadding=20 bordercolor=black bgcolor=#EEEEEE width=450>"
response.write "<tr><td style='font:9pt Verdana'>"
response.write "your path is wrong, data submitted from outside the site is banned, please do not mess with this parameter!"
response.write "</td></tr></table></center>"
response.end
end if
%>
We have to think about which restrictions forms rely on: JS validity checks, hidden fields, and fields that cannot be modified (ReadOnly). I don't know whether you remember the forum groups of the ofstar forum: it used a readonly field to display a group's members; we can download the page, remove the readonly attribute, add the members you want to join the forum, and submit......

Small tricks: 1, Bypassing the prohibition on external submission. You can write your own socket program to modify the http_referer value, but that is rather troublesome; I'll introduce a simpler way. This trick requires that you have permission to upload images. When IE opens a picture whose content is actually HTML code, it runs the code just as it would a web page. So we can change the extension of our constructed page to a picture extension, upload it, and visit this page; submitting from there is a submission from within the server's own site. (Note: the basic tags such as <html> must be written out in full in the constructed page.)
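The mid(server_v1,8,len(server_v2)) comparison from the code above, rewritten in Python as an added illustration (not the page's ASP), beside a per-session form token: the Referer header is chosen by the client, so it can only ever be a hint, whereas a keyed token bound to the server-side session is something a page hosted elsewhere cannot supply. The session_id is assumed to come from the server's own session store, never from a request parameter.

```python
import hashlib
import hmac
import secrets

# Added illustration, not the page's ASP: the mid(server_v1,8,len(server_v2))
# comparison rewritten in Python, beside a per-session form token.  The
# Referer header is supplied by the client, so it can only ever be a hint;
# the token is something a page hosted elsewhere cannot know.

def referer_check(http_referer: str, server_name: str) -> bool:
    """mid(s, 8, n) is 1-based, so it takes the n characters after the seven
    of 'http://'.  Only len(server_name) characters are compared, and a
    referer beginning with 'https://' is shifted by one and fails."""
    return http_referer[7:7 + len(server_name)] == server_name

SECRET = secrets.token_bytes(32)   # server-side key, generated at start-up

def issue_form_token(session_id: str, form_name: str) -> str:
    """Embed in the form as a hidden field; bound to this session and form."""
    message = f"{session_id}:{form_name}".encode()
    return hmac.new(SECRET, message, hashlib.sha256).hexdigest()

def verify_form_token(session_id: str, form_name: str, token: str) -> bool:
    """Server-side check on submission; constant-time comparison."""
    expected = issue_form_token(session_id, form_name)
    return hmac.compare_digest(expected, token or "")
```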
Example 5-1: arbitrary directory upload vulnerability in Nine Cool Network personal homepage space management system 3.0

After logging in, click the "Upload File" button and a web page pops up in which the number of files to upload can be set; there is also an Upload Directory text box, but it cannot be modified. Save this page in IE, then find line 44 of the file, whose code is:

<LI>upload: <INPUT class=INPUT style="WIDTH: 200px" ReadOnly...

Delete the ReadOnly, then locate line 37 and complete the form tag's action attribute value (that is, prefix it with the website address). Open the page locally: the "upload" text box can now be modified. Change it to ../, select a file to upload, and you will find the file has been uploaded to the parent directory.
Six, database path ("storm library") and file content disclosure vulnerabilities

We have all heard of the %5c database path disclosure vulnerability: in the address bar of a page that operates on the database, replace the "/" nearest the file name with "%5c", and if the following conditions are met the path to the database is shown. The error page normally returned is IE's own local one, so turn off the local error page (under Tools -> Internet Options -> Advanced, "Show friendly HTTP error messages"); the database must be of the Access type; the %5c trick needs the page to be in a secondary directory and does not succeed in the primary directory; and the page must contain no fault-tolerant (error handling) statements. The principle is rather complex; please Google it.

Some programmers like to give included pages the inc extension, and many tutorials recommend it too, but this leaves a large loophole in the program: inc is not handled by asp.dll by default, so it is displayed directly as text. If others can directly access your database definition page (such as conn.inc), they learn the database's address or the SQL account password.

Some sites, to prevent hotlinking of software downloads, read each download through a page and then send the output stream to the client; the file name parameter is usually appended to the address as a GET parameter, such as http://targetzone.com/down.asp?path=Daniel.zip. We can probably guess the location of its data link file relative to the software library, change the value of the path parameter and, with luck, download the data link file without asp.dll parsing it.
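Resolving the path parameter of a download page like down.asp?path=Daniel.zip so that it cannot leave the software library or reach a file such as conn.inc, as an added Python illustration rather than down.asp itself; the same containment check is what the upload directory of Example 5-1 lacked. The allowed extensions and the throw-away library built by demo() are constructed for the example.

```python
import tempfile
from pathlib import Path
from typing import Optional

# Added illustration, not down.asp itself: resolve a client-supplied path
# inside the software library and refuse anything that escapes it, so that
# neither ../conn.inc nor the library's own conn.inc can be streamed.

ALLOWED_EXT = {".zip", ".rar", ".exe"}    # assumed library content types

def resolve_download(library: str, user_path: str) -> Optional[Path]:
    """Return the file to stream, or None if the request is refused."""
    if not user_path or "\x00" in user_path:
        return None
    root = Path(library).resolve()
    candidate = (root / user_path.replace("\\", "/")).resolve()
    # containment: the resolved file must lie inside the library directory
    if root not in candidate.parents:
        return None
    if candidate.suffix.lower() not in ALLOWED_EXT or not candidate.is_file():
        return None
    return candidate

def demo() -> dict:
    """Build a throw-away library with a decoy conn.inc one level above it."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp, "soft")
        lib.mkdir()
        (lib / "Daniel.zip").write_bytes(b"PK")            # constructed sample
        (Path(tmp) / "conn.inc").write_text("dbpath=...")  # constructed decoy
        (lib / "conn.inc").write_text("dbpath=...")        # constructed decoy
        return {
            "legit": resolve_download(str(lib), "Daniel.zip") is not None,
            "traversal": resolve_download(str(lib), "../conn.inc"),
            "backslash": resolve_download(str(lib), "..\\conn.inc"),
            "inc_inside": resolve_download(str(lib), "conn.inc"),
            "missing": resolve_download(str(lib), "nothere.zip"),
        }
```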
Part III, summary and postscript

It is early morning; the sun rises and bathes the earth. It took about three days of spare time to write this article, and it is basically finished here. But I would like to emphasize that non-SQL-injection (non-SI) vulnerabilities in web applications go far beyond this, and many unknown logic vulnerabilities are still waiting to be found. Because of space and time limitations, this topic only gives a simple introduction to some of the more common methods; I hope Daniel can serve to start things off. If everyone really studies the code of the programs online seriously, you can find many vulnerabilities nobody else has found. Vulnerabilities are not terrible; what is terrible is a programmer who is not rigorous and lacks a complete, comprehensive way of thinking. Chief Potato once asked me how I thought of this topic. In fact I was just a rookie who only used NBSI to inject sites at random, and I feel deep regret and concern about my own behaviour. Hackers who can only use tools are not hackers; we must learn to use our own minds to discover and patch vulnerabilities, in order to really improve our art!