Html tag to bring security risks - vulnerability warning - the black bar safety net

2006-06-03 00:00:00
佚名 (Anonymous)
www.myhack58.com

BY Kenshin From http://www.loveshell.net

The WWW service is one of the most important services on the Internet. It provides users with a wide variety of information resources, and the thing that organizes those resources is the Html hypertext markup language. Application development later added other markup, such as UBB tags, but in the end they are all implemented on top of Html code. On closer study it turns out that even carefully written code, beyond the commonly discussed XSS vulnerability, cannot avoid another annoying attack, and against less rigorous programs it can become a serious threat. We will take the script now widely present in forums, article systems and blog systems that converts the [img] tag into an <img> tag as the example to illustrate this easily ignored security issue.

Now to the point! First let me explain this tag and how the browser handles it. Look at the following UBB code: [img]http://www.cnbct.org/loveshell.jpg[/img], which the script converts into <img src=http://www.cnbct.org/loveshell.jpg>. The <img> tag embeds a picture in the current page, and forum programs now offer this feature both when posting and in the profile avatar. When the browser encounters this Html tag it goes to the address given in src, here http://www.cnbct.org/loveshell.jpg, to look for the network resource; when it finds the picture it fetches and downloads the resource, parses it locally and shows the picture in the browser. If the resource does not exist it shows a red X to indicate an error. Here http://www.cnbct.org/loveshell.jpg is a perfectly ordinary picture, so everything goes smoothly. But have you thought about what happens if the resource is of another type, such as a web page, an exe file or an asp page, anything but a picture file?

The obvious answer is that the picture shows a red X; our exe file is not downloaded and the Html page is not executed. That is as it should be, since IE and other browsers parse the obtained resource as an image, which produces an error and the red X. At this point we may still think nothing of it. But what if we change the picture address into a form like http://127.0.0.1:88/imgtest/test.asp?user=shell ? Here test.asp contains the following:

<%
Dim fso, file, path ' define the FSO object, the file handle and the path
Const ForReading = 1, ForWriting = 2, ForAppending = 8
Set fso = Server.CreateObject("Scripting.FileSystemObject")
path = Server.MapPath("imgtest.txt") ' open imgtest.txt in the same directory
Set file = fso.OpenTextFile(path, ForAppending, True)
file.Write("we got: ") ' write the content
file.Write(Request.ServerVariables("QUERY_STRING")) ' record whatever the browser sent after the ?
file.Write vbCrLf
file.Close
Set file = Nothing
Set fso = Nothing
%>

If you test it you will see that our visit was recorded, and the submitted parameter even arrived, yet as far as the browser is concerned nothing happened, because all we see is a red X. I don't know who else has realised that we can use this thing to do something: we can quietly access a page under the identity of the viewer, and the request even carries GET parameters. It is important to understand this, because later we can let our imagination play and use it for whatever we like!
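From the defender's side the same quiet visit is visible in ordinary access logs: the viewer's browser issues a plain GET, carrying the viewer's cookies, to whatever address the tag names, and the Referer is the content page holding the tag rather than the admin area. The following is an added example (not from the article, and not any forum's code), in Python, that scans a few constructed combined-format log lines with a Referer field for GET requests to state-changing endpoints (the admin area and logout.asp, an assumed list) that were not made from the admin area itself.

```python
import re
from urllib.parse import urlsplit

# Constructed combined-format lines with a Referer field; not taken from any real server.
SAMPLE_LOG = """\
10.0.0.5 - admin [03/Jun/2006:09:12:01 +0800] "GET /admin/messages.asp?action=del&username=alice HTTP/1.1" 200 512 "http://bbs.example.test/admin/messages.asp"
10.0.0.7 - bob [03/Jun/2006:09:13:40 +0800] "GET /admin/messages.asp?action=del&username=alice HTTP/1.1" 200 512 "http://bbs.example.test/dispbbs.asp?boardid=2&id=1017"
10.0.0.9 - carol [03/Jun/2006:09:14:02 +0800] "GET /logout.asp HTTP/1.1" 302 0 "http://bbs.example.test/dispbbs.asp?boardid=2&id=1017"
10.0.0.9 - carol [03/Jun/2006:09:14:05 +0800] "GET /images/loveshell.jpg HTTP/1.1" 200 4096 "http://bbs.example.test/dispbbs.asp?boardid=2&id=1017"
10.0.0.3 - dave [03/Jun/2006:09:15:10 +0800] "POST /admin/messages.asp HTTP/1.1" 200 512 "http://bbs.example.test/admin/messages.asp"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+) \S+ "(?P<referer>[^"]*)"$'
)

# Assumed list of paths that change state on this site.
STATE_CHANGING = ("/admin/", "/logout.asp")
# Requests to those paths are expected to originate from the admin area's own pages.
TRUSTED_REFERER_PREFIX = "/admin/"


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_suspicious(rec):
    """A state-changing GET whose Referer is an ordinary content page (where a [img] tag could sit)."""
    if rec["method"] != "GET":
        return False
    path = urlsplit(rec["target"]).path
    if not path.startswith(STATE_CHANGING):
        return False
    ref_path = urlsplit(rec["referer"]).path
    # A missing Referer ("-") parses to the path "-" and is flagged as well.
    return not ref_path.startswith(TRUSTED_REFERER_PREFIX)


def find_suspicious(log_text):
    """Return (user, target, referer) for every line that looks like an image-driven request."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_suspicious(rec):
            hits.append((rec["user"], rec["target"], rec["referer"]))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print("suspicious:", hit)
```

On the sample, bob's delete and carol's logout are flagged while the admin's own request, the real picture and the POST are not. A genuine logout link on a content page also fires this rule, so the trusted-referer list has to be tuned per site; the point is that a state change reached by GET from a page that merely displays user content is the signature of this technique.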

1. Brushing traffic. On a high-traffic forum we can set our own picture to the page whose hits we want to inflate; every viewer then visits our page, whether or not he actually sees it, but he has visited, hasn't he?

2. Sabotage. This really annoys people: on the Dvbbs (moving network) forum, if you set your picture to logout.asp, then, oh, every one of your posts will kick the reader out, so cool! As for the forum's Phantom, everyone can try it, but it is very immoral!

3. Hacking. This is what we are most interested in: you can cross permission boundaries and do things, because the front end of many programs is now defended fairly well, while the back end is not so tight. If the program obtains its data in the form request("id"), then we can use the tag to submit data to the Cgi script; note that it must not be request.form("username2"), which strictly specifies the source of the variable, because our variables can only be submitted by URL, that is, through the QUERY_STRING mentioned above. This loose way of writing is very deadly for a program. As an example, the Dvbbs SQL version's back-end messages.asp obtains its data with request; the code is as follows:


Sub Del()
    Dim Dnum
    ' Request("username") merges QUERY_STRING, form and cookies, so a GET from an <img> fetch reaches it
    If Request("username") = "" Then
        Body = Body + "<br>" + "please input the user name you want to batch delete."
        Exit Sub
    End If
    ' the value is concatenated straight into the SQL text
    Sql = "select COUNT(*) FROM Dv_Message where Sender = '" & Request("username") & "'"
    Set Rs = Dvbbs.Execute(Sql)
End Sub

This page lives in the back end and needs admin permissions to access, but suppose we construct a Url like this:

http://bbs.dvbbs.net/admin/messages.asp?action=del&user=';update/**/Dv_User/**/set/**/UserEmail=(select/**/top/**/1/**/[Username]/**/from/**/Dv_admin)/**/where[UserName]='loveshell';--

or a similar statement, and put it inside the [img] tag. You may think the chance of an administrator seeing your post is small, but keep in mind that the forum's private messages support the [img] tag just as posts do, so if you can send the administrator a private message and construct our img tag in it, he will be tricked as soon as he opens the message! Combine it with a bit of social engineering and you kill without spilling blood, heh! One small regret is that Dvbbs seems to convert & and other symbols; you can try to get around that, and in any case there are countless programs on the network whose wording is not rigorous.
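The defensive counterpart of the routine above, written here as an added example in Python rather than the ASP the article quotes, and not code from Dvbbs or any forum: a delete handler that refuses everything an <img> fetch can produce. An img tag can only cause a GET, with no form body and no token, so the handler requires POST, reads only the form body (the equivalent of Request.Form instead of the merged Request collection), checks a token bound to the session, and passes the username to SQL as a parameter instead of concatenating it. The table, the request class, the secret and the session id are constructed stand-ins.

```python
import hmac
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the Dv_Message table (not the real Dvbbs schema)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Dv_Message (id INTEGER PRIMARY KEY, Sender TEXT, Body TEXT)")
    con.executemany("INSERT INTO Dv_Message (Sender, Body) VALUES (?, ?)",
                    [("alice", "hi"), ("bob", "hello"), ("alice", "again")])
    con.commit()
    return con


class Request:
    """Minimal stand-in for an HTTP request: method, query string, form body and cookies kept apart."""
    def __init__(self, method, query=None, form=None, cookies=None):
        self.method = method
        self.query = dict(query or {})
        self.form = dict(form or {})
        self.cookies = dict(cookies or {})


def issue_csrf_token(session_id, secret):
    """Token bound to the session; a cross-site <img> fetch carries the cookie but cannot read this."""
    return hmac.new(secret, session_id.encode(), "sha256").hexdigest()


def delete_messages(req, con, secret):
    """Hardened version of the Del() routine. Returns (status, number of rows deleted)."""
    # 1. An <img> tag can only produce a GET; a state change must require POST.
    if req.method != "POST":
        return ("405 Method Not Allowed", 0)
    # 2. Read only the form body (Request.Form), never the merged collection that
    #    also accepts QUERY_STRING, so a value carried in the URL is ignored.
    username = req.form.get("username", "")
    token = req.form.get("csrf_token", "")
    if not username:
        return ("400 please input the user name to delete", 0)
    # 3. The token must be the one issued to this session.
    expected = issue_csrf_token(req.cookies.get("session", ""), secret)
    if not hmac.compare_digest(token, expected):
        return ("403 Forbidden", 0)
    # 4. Parameterised query: the username is data, never SQL text.
    cur = con.execute("DELETE FROM Dv_Message WHERE Sender = ?", (username,))
    con.commit()
    return ("200 OK", cur.rowcount)


def demo():
    """Run the three requests a defender cares about and report what each did."""
    secret = b"constructed-server-secret"
    sid = "constructed-session-id"
    con = make_db()
    # What an <img src="...messages.asp?action=del&username=alice"> fetch produces:
    # a GET carrying the viewer's cookie and the attacker's query string, with no form body.
    img_fetch = Request("GET", query={"action": "del", "username": "alice"},
                        cookies={"session": sid})
    # A POST with the right field but without the session-bound token.
    no_token = Request("POST", form={"username": "alice"}, cookies={"session": sid})
    # The genuine admin form: POST, token taken from the admin's own page, session cookie.
    good_token = issue_csrf_token(sid, secret)
    legit = Request("POST", form={"username": "alice", "csrf_token": good_token},
                    cookies={"session": sid})
    results = [delete_messages(r, con, secret) for r in (img_fetch, no_token, legit)]
    remaining = con.execute("SELECT COUNT(*) FROM Dv_Message").fetchone()[0]
    return results, remaining


if __name__ == "__main__":
    print(demo())
```

The image-driven GET is rejected at step 1 before any field is read, the token-less POST at step 3, and only the genuine form deletes alice's two messages, leaving one row. Either of the first two checks alone already defeats the [img] trick; the parameterised query at step 4 is what removes the separate SQL injection the article's Url relies on.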

4. Imagination. Everyone works so hard to make money; what if you change the address in the IMG tag to the address of a downloadable attachment? Oh, I'm just saying, I haven't tested it.

5…

Let me say something about defense. If you want to keep the [IMG] tag but don't want it to go wrong, then the conversion must apply restrictions, for example requiring the suffix to be jpg. Oh, but that can be got around by URL-encoding a #JPG onto the end; in fact I think restrictions of that kind can generally be got around. And even if you restrict IMG, fine, but is there a Flash tag? Is there an Rm tag?.. Defense and exploitation are both tough.
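The suffix check described above, and the #JPG trick that defeats it, can both be shown directly. The following is an added example in Python (not the article's code and not any forum's): a [img] to <img> converter that decides on the parsed URL (scheme, host and path, with no query or fragment) instead of on the raw string and renders anything else as inert text, plus a magic-number check meant for a server-side re-hosting step, where the forum fetches the picture itself and serves it from its own domain so the viewer's browser never contacts the third-party address at all. The extension list, the tag syntax and the sample inputs are assumptions.

```python
import re
from html import escape
from urllib.parse import urlsplit

# Assumed policy for this example: only http(s), only these suffixes, decided on the parsed path.
ALLOWED_EXT = (".jpg", ".jpeg", ".gif", ".png")
IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)
# Leading bytes of the allowed formats, used by looks_like_image() when re-hosting.
MAGIC = {b"\xff\xd8\xff": "jpeg", b"GIF87a": "gif", b"GIF89a": "gif", b"\x89PNG\r\n\x1a\n": "png"}


def naive_is_image_url(url):
    """The bare suffix test the article warns about: anything that ends in '.jpg' passes."""
    return url.lower().endswith(ALLOWED_EXT)


def strict_is_image_url(url):
    """Decide on the parsed URL, not on the raw string."""
    url = url.strip()
    if any(ch in url for ch in "\"'<>\\ \t\r\n"):
        return False                      # could not be placed safely inside src="..."
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False                      # no other schemes, no relative paths such as /logout.asp
    if parts.query or parts.fragment or "%" in parts.path:
        return False                      # a static picture needs no parameters; '#.jpg' and
                                          # '%23.jpg' are exactly the tricks the article mentions
    return parts.path.lower().endswith(ALLOWED_EXT)


def convert_ubb(text, check=strict_is_image_url):
    """Turn [img]...[/img] into <img>; rejected URLs are shown as text, so nothing is fetched."""
    def repl(m):
        url = m.group(1)
        if check(url):
            return '<img src="%s">' % escape(url.strip(), quote=True)
        return escape(m.group(0))
    return IMG_TAG.sub(repl, text)


def looks_like_image(data):
    """For a re-hosting proxy: return the detected format, or None if the bytes are not an image
    (a '.jpg' address that answers with ASP output or an HTML page is refused here)."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


if __name__ == "__main__":
    sample = "see [img]http://www.cnbct.org/loveshell.jpg[/img] and [img]http://127.0.0.1:88/imgtest/test.asp?user=shell#.jpg[/img]"
    print(convert_ubb(sample, check=naive_is_image_url))   # the suffix check lets the second one through
    print(convert_ubb(sample))                             # the parsed-URL check turns it into plain text
```

With the naive check the address ending in #.jpg becomes a live <img> and every viewer's browser requests test.asp with their own cookies; with the parsed-URL check it is displayed as text. The converter still cannot know what the remote host will answer, which is why re-hosting, with looks_like_image() applied to the fetched bytes, is the stronger measure: the address stays on the forum's own domain and the viewer never makes the request the article describes.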