trim() vulnerability: cracking and protection, plus the whole story behind the article - vulnerability warning - the black bar safety net

2009-04-01T00:00:00
ID MYHACK58:62200922746
Type myhack58
Reporter 佚名
Modified 2009-04-01T00:00:00

Description

With the following code:

<% dim name, password, myDSN, sql, cn

name = trim(request.form("name"))
password = trim(request.form("password"))

if name = "" or password = "" then response.redirect "error.asp?error=name&name=null"

myDSN = "DSN=test;uid=test;pwd=test"
set cn = server.createobject("adodb.connection")
cn.open myDSN

' user input is concatenated straight into the SQL string
sql = "insert into test(name,title) values('" & name & "','" & password & "')"
cn.execute(sql)
cn.close %>

The trim function is used to remove leading and trailing spaces. Normally this code runs fine, but later I found that someone had registered with a user name consisting entirely of spaces. When I tried it myself with spaces, the check caught it every time: leading and trailing spaces are removed by trim, and interior spaces can be removed with another function if desired. Since user information was stored in the SQL database, I suspected he had used something else to get past the system, so I went to look at the user's record in the database. Once before, using this method, I had found a user name containing a newline, but this time what I saw in the database was still spaces. Did this user have a tool that could bypass my user name and password checks??? I could not find the vulnerability in the program. Later it suddenly came to me: it was "Alt+255". Hold down the Alt key and press "2", "5", "5" on the numeric keypad and you get a rather special "space" character. I am not entirely clear on the concept myself; it is a control character that can be seen in some editors, Word 2000 for instance, and there are presumably other control characters as well. This space character is different from the one produced by pressing the space bar: its ASCII code is 255, while the ordinary space has ASCII code 32, and trim only recognizes and removes code 32. Hence a user made of "spaces"! For this case I designed the following two pieces of code to remove this "space" character:

function xuankong(str)
    dim result, i, j
    j = len(str)
    result = ""
    for i = 1 to j
        select case mid(str, i, 1)
            case "<"
                result = result & "&lt;"
            case ">"
                result = result & "&gt;"
            case chr(34)
                result = result & "&quot;"
            case "&"
                result = result & "&amp;"   ' the cases above encode the HTML-significant characters
            case chr(255)                   ' drop the special "space" (Alt+255)
                result = result
            case chr(13)                    ' drop the carriage return
                result = result & ""
            case chr(10)                    ' drop the line feed
                result = result & ""
            case else
                result = result & mid(str, i, 1)
        end select
    next
    xuankong = result
end function

Then use this function in your ASP program, for example:

name = xuankong(trim(request.form("name")))

Because the characters "0" through "z" have ASCII codes 48 through 122, you can also use the following check:

dim i, j
j = len(trim(request.form("name")))     ' name already holds the trimmed value
for i = 1 to j
    if asc(mid(name, i, 1)) > 122 or asc(mid(name, i, 1)) < 48 then response.redirect "error.asp?error=special"
next
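The behaviour described above, as an added example that is not part of the original article: a Python port of its three pieces of logic, a trim that only strips ASCII 32, the xuankong filter, and the 48..122 range check. Python's own str.strip() also removes non-breaking spaces, so vb_trim() is written to mimic VBScript's narrower Trim(); the chr(255) code point comes from the article, while the function names and the sample inputs are my assumptions.

```python
import html

# Added example, not code from the original article. VBScript's Trim() strips
# only chr(32), so a name made of chr(255) survives it and counts as non-empty.


def vb_trim(s: str) -> str:
    """Emulate VBScript Trim(): strip only the ordinary space, ASCII 32."""
    return s.strip(" ")


def xuankong(s: str) -> str:
    """Port of the article's xuankong(): HTML-encode < > " & and drop
    chr(255), carriage return and line feed."""
    out = []
    for ch in s:
        if ch in '<>"&':
            out.append(html.escape(ch, quote=True))
        elif ch in (chr(255), "\r", "\n"):
            continue  # the special "space" and line breaks are removed
        else:
            out.append(ch)
    return "".join(out)


def is_plain_name(s: str) -> bool:
    """The article's range check: every character must have code 48..122.
    Note that this range still admits < > ; = ? @ [ \\ ] ^ _ ` and the like,
    so the encoding step above is not made redundant by it."""
    return all(48 <= ord(ch) <= 122 for ch in s)


def check_login_fields(name: str, password: str) -> str:
    """Decision sequence from the article: 'null' when a field is empty after
    trim, 'special' when the name has out-of-range characters, else 'ok'."""
    name = vb_trim(name)
    password = vb_trim(password)
    if name == "" or password == "":
        return "null"
    if not is_plain_name(name):
        return "special"
    return "ok"


if __name__ == "__main__":
    # constructed inputs: an all-chr(255) name passes vb_trim but fails the range check
    print(check_login_fields(chr(255) * 3, "pw"))
    print(xuankong('<b>"a"&' + chr(255) + "\r\n"))
```

The range check and the encoding filter cover different things: chr(255) is rejected by is_plain_name() because 255 lies outside 48..122, whereas "<" (code 60) passes it and is only neutralised by xuankong().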

Although this "space" has not so far been found to break the program, it does let people stir up trouble, so it is better to defend against it. This space does have one benefit, though: if you use it as your Internet access password, heh heh... I am afraid few people will be able to see it! All they see is spaces, but it isn't... I am not familiar with PHP and JSP, so I don't know whether these two have the same problem. But this vulnerability is certainly serious, and it exists in many places now, because these programmers trust trim() far too much. Huh!

(Original) Casual talk (a profile of 混世魔王's article)

Actually I did not want to write this; it is about the absurd vulnerability that 混世魔王 and company found: the 4.03 upload vulnerability.

Let us look at how they wrote it up.

Where the vulnerability arises

The code is as follows:

FileExt = lcase(ofile.FileExt)            ' determine the extension (note: not trimmed)
arrUpFileType = split(UpFileType, "|")
for i = 0 to ubound(arrUpFileType)
    if FileExt = trim(arrUpFileType(i)) then
        EnableUpload = true
        exit for
    end if
next
if FileExt = "asp" or FileExt = "asa" or FileExt = "aspx" or FileExt = "cer" or FileExt = "cdx" then
    EnableUpload = false
end if

An error in one variable causes the upload vulnerability. The principle is the use of a space: "asp " (with a space after it) is not equal to "asp".

Really? What a joke.

Let us look at what the trim() function actually does:

In ASP programming, we often use the trim (rtrim, ltrim) functions to remove spaces at the beginning and end of some data.

Suppose we submit something like this: "asp " (with a blank space after it).

trim() strips the space off, and then it is compared against the array asp, asa, aspx, cdx, cer!

Can that still succeed? I would bet my computer that they never tested it before publishing this vulnerability. I tracked down 魔王 and talked with him for half a day, and he still did not understand!
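The two extension checks from the quoted code, as an added example that is not the product's own code: check_upload_original() reproduces the VBScript logic in Python (lowercase the extension, whitelist compare with trim() applied to the list entries only, then the hard-coded blacklist), and check_upload_hardened() is the form a defender would use, normalising the extension before a pure whitelist test. The whitelist value "jpg|gif|png", the function names and the sample inputs are assumptions of mine.

```python
# Added example, not the original product's code. It mirrors the quoted
# VBScript check and places a normalised whitelist check beside it.

BLACKLIST = ("asp", "asa", "aspx", "cer", "cdx")  # from the quoted code


def check_upload_original(file_ext: str, up_file_type: str = "jpg|gif|png") -> bool:
    """Line-for-line port of the quoted logic: FileExt is lowercased but never
    trimmed; trim() is applied to each whitelist entry only."""
    file_ext = file_ext.lower()
    enable_upload = False
    for allowed in up_file_type.split("|"):
        if file_ext == allowed.strip():
            enable_upload = True
            break
    if file_ext in BLACKLIST:
        enable_upload = False
    return enable_upload


def normalise_ext(file_ext: str) -> str:
    """Remove every whitespace and control character, not only chr(32),
    then lowercase. Python's isspace() also covers chr(160)."""
    cleaned = "".join(ch for ch in file_ext if ch.isprintable() and not ch.isspace())
    return cleaned.lower()


def check_upload_hardened(file_ext: str, up_file_type: str = "jpg|gif|png") -> bool:
    """Hardened form: normalise first, then accept only an alphanumeric
    extension that appears in the whitelist. No blacklist is needed."""
    ext = normalise_ext(file_ext)
    allowed = {entry.strip().lower() for entry in up_file_type.split("|")}
    return ext.isalnum() and ext in allowed


if __name__ == "__main__":
    # constructed inputs: the trailing-space case the article argues about
    for ext in ("jpg", "asp", "asp ", "jpg "):
        print(repr(ext), check_upload_original(ext), check_upload_hardened(ext))
```

With the quoted logic, an untrimmed "asp " misses the blacklist compare but also fails every whitelist compare, which is the comparison the article's argument turns on. Normalising before the compare removes the question of which side trim() was applied to: "jpg " and "JPG" followed by a non-breaking space both reduce to "jpg", and anything that does not reduce to a whitelisted alphanumeric token is refused.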

Heh.... now let's get on with technical work.