Analysis of the storm database vulnerability principle and the law-vulnerability and early warning-the black bar safety net

2008-09-13T00:00:00
ID MYHACK58:62200820365
Type myhack58
Reporter 佚名
Modified 2008-09-13T00:00:00

Description

I see the storm library vulnerability principle and the law SQL injectionpopular for a long time, we're looking for vulnerability injection purpose is nothing but want to get the database stuff, such as username, password, etc., further the MSSQL database you can also take this to get permission. The Access-based Foundation to say, if we don't have the injection you can get the entire database, not better? So storm the library became a than the injection more simple invasion means. For storm library methods, master often in the invasion mentioned in the article, but more is in passing, some for just a method to talk about, but also more is on the method to be explored. Recently there was an article the talk then.%5c storm library the use of the article, was to storm the library for some of the summary, and thus in the net is spread very wide. But still no mention of the principles and conclusions also just from experience, plausible, and decided to talk about the storm library principles and laws. Less than, everyone, more advice.

“%5c”storm library law This method is considered the storm the library trick, it was popular for a while, but and other vulnerabilities, as people know more, preparedness has also strengthened, not previously so effective. This method is the simple point that is in the open page, put the URL address in the“/”into“%5c”, and then submit, you can storm out of the database path. In fact, not all URLs are valid, the need to“asp? id=”such a web page address, or that represents a call to a database the behavior of the address. If you confirm this page have calls to the database, the latter is not this also can, such as Chklogin. asp, etc. can also have other conditions, back and then talk about it. The first to include a black anti-the fourth round of the lab example: http://219.237.81.46/yddown%5cview.asp?id=3 Put the second“/”into“%5c”: the http://219.237.81.46/yddown%5cview.asp?id=3 After the submission will get the following returns results: The Microsoft JET Database Engine error '8 0 0 0 4 0 0 5' 'D:\111\admin\rds_dbd32rfd213fg.mdb'not a valid path. Determine the path name is spelled correctly, and whether the connection to the File Storage Server. /yddown/conn. asp, line 1 2

This is the Black anti-lab one system, storm library is xiaobian deliberately open, since it's gateway is not injected, but rather into the background after how to get a WebShell in. You can see we directly access the address database, you can download now. Now a lot of people know this method, I do not for example. But clearly the storm library the principles of the people is estimated to be no more, someone successful and someone unsuccessful, the talk then.%5c storm library the use of the article concluded that, subject to the transform of the second“/”is“%5c”. Very practical, but this conclusion is just an experience, in fact, is not correct, let us first see how it works. “%5c”storm the library law, it is not the web page itself vulnerability, but the use of the IIS decoding mode of a feature, if the IIS security settings are inadequate, and web designers did not consider the IIS error, it will be exploited. Why use the“%5c”for? It is actually a“\”in hexadecimal code, i.e.“\ \ ”another kind of notation. In the computer, they are the same stuff, but submitted to the“\”and“%5c”it will produce different results. In IE, we put below the first address in the“/”WITH“\”to submit: http://219.237.81.46/yddown/view.asp?id=3 http://219.237.81.46/yddown\view.asp?id=3 Both access to the results is the same. IE will automatically put“\”into“/”, so that access to the same address. However, when we put“/”into the hex along the lines of“%5c”, IE will not be converted. The address of the“%5c”is submitted, the capture results are as follows: GET /yddown%5cview. asp? id=3 HTTP/1.1 When IIS received and make a resolution, and will%5c restore to“out\”. Thus, in IIS the URL of the relative path becomes/yddown\view. asp, which is very important, the problem is what starts here. In ASP pages, where the calls to the database, use a database connection to the web Conn. asp, it will create a database connection object defined to call the database path, a typical Conn. asp is as follows: <% dim conn dim dbpath set conn=server. createobject("adodb. connection") DBPath = Server. MapPath("admin/rds_dbd32rfd213fg. mdb") conn. Open "driver={Microsoft Access Driver (*. mdb)};dbq=" & amp; DBPath %> We note that the first 4 sentence:“DBPath = Server. MapPath("admin/rds_dbd32rfd213fg. mdb")”, Server. The MapPath method is the role of a website relative path into a physical absolute path, why so? Because of the connection to the database, you must specify its absolute path in order to read and write. What is relative path and absolute path? IIS in order not to let the visitor know the real actual path, and ensure that the site is not due to the conversion address and affect the use, it uses a relative path to indicate the directory and file relationships. That is, the URL of the directory shows only from the root directory since the relative position. Such as website: http://219.237.81.46的根目录为 to:“D:\111\”and rain download directory is in the root directory D:\111 within the“yddown”, our web site access the station is in the access D:\1 1 1\yddown\directory, http://219.237.81.46/yddown/admin/show only Admin and Yddown this directory is relative to the relationship, put this website put in the E disk, the same does not change the Admin in Yddown directory under the relationship. When the Server. The MapPath method will be the relative path to real path, it is actually the third part of the path are added together to get the real path of a Web The current implementation where the relative path, i.e. from the website's physical root directory from a relative path, such as in the example above Conn. asp in from the root directory from“/yddown/”; and then call the database the relative path is admin/rds_dbd32rfd213fg. mdb, so you get from the root directory from the full relative path:“/yddown/admin/rds_dbd32rfd213fg. mdb to.” These are just the relative path, how to become a true path? Set through the IIS will know, every site must specify it on the hard disk of the physical directory, such as in the example above, the root directory of the site where the physical directory is:“D:\111”That Server. The MapPath method is through the“web root directory the physical address of the + the complete relative path”, so to get the real physical path, the database on the hard disk of the physical path is: D:\111\yddown\admin\rds_dbd32rfd213fg.mdb the. IIS with the“\”represents the real path of the directory relationship, and“/”represents a virtual path, which is probably IE will automatically put our address in the“\”To“/”. To understand these, we then to understand the storm library is not difficult, when we submit: http://219.237.81.46/yddown%5cview.asp?id=3时 View. asp call to Conn. asp, get page relative path like:“/yddown\”, plus“admin/rds_dbd32rfd213fg. mdb”, you get“/yddown\ + the admin/rds_dbd32rfd213fg. mdb to.” In IIS, The“/”and“\”represents a different meaning, encountered“\”, that it has got to the root of the directory where the physical path is no longer to be on the parse(why is no longer to resolve it? Later also analysis, so the site of the full relative path becomes:“admin/rds_dbd32rfd213fg. mdb”, plus the root directory of the physical path, to get the real path becomes:“D:\111\admin\rds_dbd32rfd213fg.mdb”and this path does not exist, the database connection will of course fail, so the IIS will report the error and give the wrong reasons: The Microsoft JET Database Engine error '8 0 0 0 4 0 0 5' 'D:\111\admin\rds_dbd32rfd213fg.mdb'not a valid path. Determine the path name is spelled is Correct, and whether the connection to the File Storage Server. /yddown/conn. asp, line 1 2 This is storm library method of origin. The talk then.%5c storm library the use of a paper said, must be the URL of the second level directory can only be successful, first. We theoretically analyzed, see whether the law. Also the above URL as an example, if the first“/”into“%5c”to get the site relative path becomes“\yddows/admin/rds_dbd32rfd213fg. mdb”, resolve to“\”, that has been to the physical directory, not forward resolve. And the fact that it is indeed the root directory, so get the physical path is:“D:\111\dydow\admin\rds_dbd32rfd213fg.mdb”this path is correct, it is not an error, of course, does not storm out of the database path. The second“/”into“%5c”case, our above analysis, it is not really is just two pages before they can storm out? In fact, just because two pages is more common, is not the truth. If this download system is a website in three directories, then the first three“/”the likelihood of success is greater. In other words, the rightmost first the likelihood of success. I'll give you an example, say why: http://nice.xmu.edu.cn/channely/blog/showlog.asp?cat_id=31&log_id=2 4 6 This URL becomes the second“/”is“%5c”, the site opens very slow, but no errors. When we put the third“/”into“%5c”, submitted to: http://nice.xmu.edu.cn/channely/blog%5cshowlog.asp?cat_id=31&log_id=2 4 6 Database storm out again: The Microsoft JET Database Engine error '8 0 0 0 4 0 0 5' 'H:\channely\log_mdb\%29dlog_mdb%2 9. asp'is not a valid path. Determine the path name is spelled correctly, and whether the connection to the File Storage Server. /channely/blog/conn. asp, line 1 8 Why is this so? This is because a website with a virtual directory, that is this site a subdirectory of the Channely is not in the root directory of the site. Set through the IIS will know, can be a website directory of a real physical directory settings for the web site's virtual directory. That is, the website, the relative path is not always from the root directory the date, probably in a sub-directory points to a physical directory.

The above results obviously, Channely has been located on the H: disk on the root directory of the above then there is no directory. In fact, it is likely the website is in D: drive or E: drive, and through the IIS set Channely virtual subdirectory to the site root directory other than“H:\channely\” it. Here, we can more clearly see, Microsoft IIS, why not go to the root directory, as long as the encounter on the“\”is considered to have been to physical absolute path, no longer to resolve the reason, that is, in order to deal with this web site virtual directory and the root directory are not together. It is a priority search each directory is pointing to a physical path, if directed, put it into the absolute path, and above it the relative addresses no longer resolve the conversion. From the above analysis, we are only in the database relative to its directory to the absolute address used between“\”and“ % of 5c”to achieve the purpose. In the example above, if in the second use, it only affects IIS find the virtual Channely directory address, and the Conn. asp to parse out the database“H:\channely\blog\log_mdb\%29dlog_mdb%29.asp”is still right. The talk then.%5c storm library the use of said method for only one level of Directory solutions:“in fact, the primary directory we also can be successful, we can construct a multi-level directory to reach storm library purposes. Such as: http://www.target.com/noexists/..%5clist.asp?id=1 So we'll have new surprises, huh.” Really? From the theoretical analysis, this method is not successful. Because it encountered“%5c”, the page no longer resolves, so the intermediate structure of the directory whether it is true or false, are of no effect and is discarded, a relative path or to the root directory, the path will not go wrong. In order to demonstrate, I deliberately looked for an example: http://www.om88.com/Article_Show.asp?ArticleID=481 In this website we use first Conn. the asp method storm out of the database(later will explain this method, the description of the server and website settings are can storm the library. Submitted to: http://www.om88.com/inc/conn.asp Can see is the storm database, we then submit: http://www.om88.com/abc/..%5cArticle_Show.asp?ArticleID=481 But the storm is not out of the library, still get the normal page into the presence of the path results are the same, but the pictures cannot be displayed. This is because the relative path is changed, it is impossible to find the correct image path, but absolute path when parsing is“%5c”discarded, no error, of course, the storm is not out of the library.

Conn. asp storm library law Here the Conn. asp just indicates that the database call the file, because most of them are this name some sites renamed, we also equate Conn. asp is. In fact, this storm library law is the first to appear, before many of the cattle are carried through to explore, I remember the Black anti-also in the special early was devoted to this method. Just in the“%5c”storm the library law that appears after the pour the less someone mentioned. In fact, personally believe that the“%5c”storm large act as the server set the security to strengthen, the place will be less and less. And Conn. asp storm the library Law of the play room for more, can be artificially constructed, smelly bum of the year of the famous action network great diversion to achieve storm the library, in fact, also belong to this class. In the above, http://www. om88. com/is an example, with“%5c”storm is not out of the database path, because there is no secondary directory, but with the second they can storm out, it is the power system. We'll see another Pirates of the handsome example: http://www.51see.org/ Submitted to: http://www.51see.org/db/user.asp The following results were obtained: the in. “The Microsoft JET Database Engine error '8 0 0 0 4 0 0 5' 'd:\Hosting\wwwroot\uilady_com\htdocs\db\db\downloadwoaini12345.asp'not a valid path. Determine the path name is spelled correctly, and whether the connection to the File Storage Server. /db/user. asp, line 6 ” Someone might say, so simple to just storm the library, okay cool! Not all sites can do this? Not, of course, has made the protection of the site, certainly not, not for protection, to storm the library is also conditional. If the first storms of the library method is the use of an absolute path error, then, this storm library method is the use of a relative path error. In General, as long as the Conn. asp is not in the root directory of the system, and call the file in the root directory, it will appear this problem. Of course, this argument is also empirical, accurate, Conn. asp and call it the file if the relative position is changed, it will report the error, and storms out of the database path. To say so may be someone don't understand, it doesn't matter, and then see you will understand. We are the driven force of the post system to start. The power post system of the Conn. asp is located in the system under the INC directory, and many call it the file in the system root directory, such as User_ChkLogin. asp, etc., so that when the Conn. asp executes, it is in the system root directory“D:\wwwroot\zyx688\wwwroot\”under execution. Therefore, Conn. asp file, the calls to the database when it takes into account the execution time of the directory path, thus the database of the relative address written as follows: db="database/fp360609. asp" Thus, when it is in the system root directory under execution, the database path relative to the root directory under the“database”directory, but when we directly request it, it is the work of the current directory is in the root directory of the INC directory, then the database relative path becomes“inc/database/fp360609. asp”, so it is of course an error, give the absolute path in the“inc”in. In order to let everyone see more clearly, we include a can use two methods to storm the library website, and compare to see how different. Submitted to: http://www.pofen.com/sc/down%5cshow.asp?id=437 Get: “The Microsoft JET Database Engine error '8 0 0 0 4 0 0 5' 'D:\Webdata\pofen.com\sc\db\download.mdb'not a valid path. Determine the path name is spelled correctly, and whether the connection to the File Storage Server. /sc/down/db/user. asp, line 6 ” Then submit: http://www.pofen.com/sc/down/db/user.asp Get: The Microsoft JET Database Engine error '8 0 0 0 4 0 0 5' 'D:\Webdata\pofen.com\sc\down\db\db\download.mdb'not a valid path. Determine the path name is spelled correctly, and whether the connection to the File Storage Server. /sc/down/db/user. asp, line 6 Two ways to get the absolute path, a ratio of the actual path a little, one is more, these two systems are because of the Conn. asp is not in the system root directory under caused. That is not Conn. asp placed in the root directory, and call the file in a directory under it no? If together, of course it's okay, but the cattle owned cattle way, you can by constructing a method to caused by relative path changes, the same can achieve the storm library purposes. For example, the dynamic network of a large diversion tactics, the Conn. asp shift, so the storm library. Of course, the actual operation, because Conn. asp is removed, the site can not work, so there is no success, but this idea still gives many people inspiration. If there is a way to copy instead of move, or that move is not Conn. asp,but to call the Conn. asp of other files, such as Chklogin like, in theory, can succeed. Today just saw a riot-the system path to the latest method, its principle is to construct an error while reaching to get the real path of the object.

Prevent storm library Plainly, the storm library is because the IIS server for each implementation error to a detailed description, and stop the execution, the IIS default settings is the error message returned to the user. Therefore, to avoid the storm library, you should change the IIS default settings, select the errors only give an error notice, do not give detailed information. In fact, some virtual host in order to facilitate webmasters to debug, generally do not turn off the information returned, as the site Manager, and not the virtual host settings, can only be in a web page strengthen the prevention. Is in possible error page with this sentence:“On Error Resume Next”. It's meant to be an Error, Resume execution of the following statement, which is to ignore the error, of course, will not give an error message. Action-system 3. 6 version 2 Add this sentence after, now the storm is not out of the path, and the Providence business network Conn. asp also is not in the root directory, but because of this sentence, also the storm is not out of the database.