细说暴库的原理与方法（Elaborate on the principle and method of Mancang）

细说暴库的原理与方法（Elaborate on the principle and method of Mancang） 细说暴库的原理与方法(Elaborate on the principle and method of Mancang) Elaborate on the principle and method of Mancang SQL injection into the epidemic for a long time, we find loopholes in the injection, the purpose is nothing more than to get things inside the database, such as user names, passwords and so on. (of course, the MSSQL database can also be used for permissions.). Wouldn't it be better if we could get the entire database without injection? So a Mancang more simple than injection attacks. Methods the master often Mancang, improve the invasion in the article, but is a passing, some one on the methods, also are discussed. A recent article by "%5c" to talk about the article is to Mancang, Mancang made a summary, which is a widely circulated in the network. But still did not mention the principle, and the conclusion is only from experience, specious, and decided to talk about the principle and rule of mancang. A, a "%5c" Mancang law: This method is considered to be very popular Mancang trick, is a (as many people know, but also to strengthen the guard, less effective). This method, in brief, means that when you open a web page, change the URL to "%5c", and then submit it to the database path. In fact, not all URLs are valid, "ASP? Id=" this page address (expressed call database behavior) if you confirm this page, call the database, this is not behind the can, such as chklogin.asp etc. can also be. (of course, there are other conditions. Talk about it later.) Let's give an example, _blank>_blank> Change second "/" to "%5c"" _blank>_blank> The following results will be obtained after submission: Microsoft JET Database Engine error'80004005' 'D:111adminrds_dbd32rfd213fg.mdb'is not a valid path. Determines whether the pathname is spelled correctly and whether it is connected to the server in which the file is stored. /yddown/conn.asp, (Note: This is a web site, anti black lab is Mancang they deliberately open, because it is not how to obtain shell mark injection, but after entering the background). Now many people know about this method, and I don't give much examples. But clearly the principle of Mancang estimation is not much. Some people succeed, some people do not succeed, "using" talk about a%5c Mancang concluded, "it must transform second /" to "%5c". It's very practical, but this conclusion is just an experience, but it's not true. Let's see how it works first "%5c" is not "Mancang method, it itself loopholes, but the use of a characteristic IIS decoding way, if IIS security is not comprehensive, and web designers did not consider the IIS error, will be used. Why use "%5c"? It is actually the "Sixteen" code of "", another expression of "". In the computer, they are a dongdong. But the submission of "" "" and "%5c" will produce different results. In ie, we put "/" in the first address below "submit": _blank> _blank> The results of the two visits are the same. IE will automatically change "" to "/" so that it can access the same address. However, when we change "/" to "ie" in sixteen, "%5c" does not convert this. The address "%5c" was submitted as it was. This is the result of capture: GET /yddown%5cview.asp? Id=3 HTTP/1.1? When IIS is received, the%5c is reduced to"". Thus, the relative path of the URL in IIS becomes /yddownview.asp. This is very important. That's where the problem started. In the ASP web page, when you call a database, you will use a web page CONN.ASP that connects to the database. It creates a database connection object and defines the database path to call A typical CONN.ASP follows: < Dim conn Dim dbpath Set conn=server.createobject ("adodb.connection") DBPath = Server.MapPath ("admin/rds_dbd32rfd213fg.mdb") Conn.Open "driver={Microsoft, Access, Driver (*.mdb)}, dbq=" & DBPath % > Note that the fourth sentence: DBPath = Server.MapPath ("admin/rds_dbd32rfd213fg.mdb"), the Server.MapPath method is to change the relative path in the web into a physical absolute path. Why so? Because when you connect to the database, Must indicate its absolute path. There may be people who don't understand what is the relative path, the absolute path IIS in order not to let visitors know the actual actual path, and to ensure that the site is not affected by the change of address, it uses a relative path to represent the relationship between the directory and the file. That is, the URL directory represents only the relative position from the root directory. For example: website website, _blank>: the root directory is: "D:111" is the download directory in the root directory (D:111) in the "yddown" website, we visit the station, is to access the D:111yddown directory, and , it only shows the relative relationship between admin and yddown in this directory the site, on the e: drive, the same does not change the admin in the yddown directory. When the Server.MapPath method will be converted to the true path of the relative path, it is actually the three part of the path together get the true path: "the current implementation where the relative path, it is from the root directory of the web site physical relative path, such as CONN.ASP in the example above is from the root directory of the" /yddown/ "; relative the path then call the database is admin/rds_dbd32rfd213fg.mdb, so that you get from the root directory of the complete relative path:" /yddown/admin/rds_dbd32rfd213fg.mdb". These are only relative paths, how do they become real paths? Set the IIS people will know, every site must specify its physical directory on the hard disk, such as in the example above, the physical directory where the root directory of the web site: "D:111", the Server.MapPath method is through the "relative path" the physical address of the root directory of the web site and complete, in order to get the real physical path. Thus, the physical path of the database on the hard disk is: d:111yddownadminrds_dbd32rfd213fg.mdb. Here, "IIS" represents the directory relation of the real path, and the virtual path is represented by "/", which may be the reason why IE automatically changes the "I" to "/" in our address. Understand this, we come to understand Mancang is not difficult, when we submit _blank>, view.asp after the call to CONN.ASP, the "relative path is such that /yddown (see above), plus the" admin/ rds_dbd32rfd213fg.mdb "," /yddown "will be Admin/rds_dbd32rfd213fg.mdb. In IIS, "/" and "" represent different meanings. When you encounter "", you think that it has reached the physical path where the root directory is, and no longer parsing it. " Later, the entire relative path of the site becomes The physical path: "admin/rds_dbd32rfd213fg.mdb", plus the root directory, into the true path of the "D:111adminrds_dbd32rfd213fg.mdb", and this path does not exist, of course, the database connection will fail, so IIS will be in error, and gives the wrong reasons: Microsoft JET Database Engine error'80004005' 'D:111adminrds_dbd32rfd213fg.mdb'is not a valid path. Determines whether the pathname is spelled correctly and whether it is connected to the server in which the file is stored. /yddown/conn.asp, line 12 This is the origin of Mancang statement. Talk about using "%5c Mancang a paper that must be second web sites can be successful, the first. Let's analyze theoretically and see whether there is any law or not: Also take the above URL as an example, if you change the first "/" to "%5c", the relative path of the website becomes yddows/admin/rds_dbd32rfd213fg.mdb. When you parse to "", you think that you have reached the physical directory and no longer parse it forward. ". In fact, it is also a root directory, so the physical path is: "D:111dydowadminrds_dbd32rfd213fg.mdb."" This path is correct, so there is no error, and of course it doesn't break out of the database path. Second "/" into "%5c" situation, we have analyzed above, that really is second can pop out, in fact, it just because the two level site is more common, is not the truth. If the download system is a three - level directory in a particular site, third can be changed. Sometimes third possibilities are more likely to succeed. That is to say, the first one on the right is a great possibility of success. Don't believe it? Let me give you an example and say the reason: _id=31&log_id=246 "target=_blank>; ASP? Cat_id=31&log_id=246? When this site changes second "/" to "%5c", the site opens slowly, but there is no error. When we turn third "/" into "%5c", submit: _id=31&log_id=246 "target=_blank>, cat_id=31&log_id=246?" As you can see, the database bursts out! : Microsoft JET Database Engine error'80004005' 'H:channelylog_mdb%29dlog_mdb%29.asp'is not a valid path. Determines whether the pathname is spelled correctly and whether it is connected to the server in which the file is stored. /channely/blog/conn.asp, Why so? This is because the website with the virtual directory, that is to say the subdirectory channely this site is not the root directory on the web site, set the IIS people will know that you can set a real physical directory outside of the directory for the virtual directory website. That is, the relative alignment of the web does not always count from the root directory, and is likely to point to the physical directory in a subdirectory. The above result is obvious: channely is already in the root directory of the H: disk, and there is no directory on it. In fact, probably website in the d: disk or e: disk, and by setting in the IIS channely virtual directory to the root directory of sites other than "H:channely", here, we can see more clearly, why didn't Microsoft IIS to the root directory, as long as the case is considered to have been "physical absolute path, no longer to resolve, in order to deal with this virtual directory and website root directory not the case. It gives priority to whether each directory points to the physical path. If it points to it, it is replaced with an absolute path, and the relative address on it is no longer parsed. From the above analysis, we can achieve the goal only if we use the "%5c" ("" "" "" ") between the relative address of the database and the absolute address of its directory. In this example, if used in the second place, it will only affect IIS find the channely directory virtual address, and parse out the CONN.ASP database in H:channelyblog, log_mdb%29dlog_mdb%29.asp is still on, of course not mancang. "Use" on the%5c Mancang also said that a solution to only one category: In fact, a directory we also can be successful, we can construct a multi-level directory to achieve the purpose of mancang. As follows: _blank> So everyone will have a new surprise, ha ha. " Really? Theoretically, this method will not succeed. Because the "%5c" is no longer resolved, so the directory of the middle structure, whether it is true or false, are not working, was abandoned, and the relative path or to the root directory, the path will not go wrong. To prove it, I looked for an example: _Show.asp? ArticleID=481, "target=_blank>, ArticleID=481?" This website we first use CONN.ASP method a database (back talk), the server and site settings can be the mancang. _blank> The following results are obtained _Show.asp? ArticleID=481, "target=_blank>, ArticleID=481?" But not a library, still get a normal page (replaced by the existing path, the results are the same), but the picture can not be displayed. This is because the relative path changed, so you can not find the correct picture path, but the absolute path is resolved by the "%5c" abandoned, there is no error, of course, the storm does not go out of the library. Two, CONN.ASP library violent law Here, CONN.ASP simply represents the database call file, because most of them are in that name (some websites are renamed and we are considered CONN.ASP). In fact, this method is Mancang first appeared, before many expert are discussed. Just before the "%5c" Law Library violent people mentioned, but less. In fact, individuals believe that "%5c" Dafa Dafa, with the security of server settings to strengthen, the use of less and less. Play CONN.ASP more room Mancang Dafa, artificially constructed, Qitao was the famous dynamic large diversion to achieve Mancang, actually also belong to this category. Top _blank> In one example, "%5c" does not break the database path, because there is no two directory, but second can pop out. It's the power system. We take a to another example of the ASP system: _blank> Submit _blank> The following results are obtained: "Microsoft, JET, Database, Engine, error'80004005'." 'd:Hostingwwwrootuilady_comhtdocsdbdbdownloadwoaini12345.asp'is not a valid path. Determines whether the pathname is spelled correctly and whether it is connected to the server in which the file is stored. /db/user.asp, line 6" One might say that simple Mancang, good! Is it possible for all websites to be like this? Of course not, already made the door certainly not, not for protection, to Mancang is conditional. If the first Mancang method is the use of absolute path error, so this method is the use of the library violent relative path error. In general, this problem occurs as long as CONN.ASP is not in the root directory system and calls the file in the root directory. Of course, this statement is empirical, accurate, that is, CONN.ASP and call it files, if the relative location changed, it will be reported wrong, burst out of the database path. It may not be understood. It doesn't matter. Then you'll see. We start with the power article system: The power system of CONN.ASP system in the Inc directory, and a lot of calling it a file in the system root directory, such as User_ChkLogin.asp, so that when CONN.ASP is executed, it is executed in the system root directory D:wwwrootzyx688wwwroot, therefore, CONN.ASP file, call the database, it takes into account the directory path execution. The relative address database is written as follows: Dim DB Db= "database/fp360609.asp"" Thus, when it is executed under the system root directory, the relative path of the database is within the database directory of the root directory. But when we ask for it directly, the current directory in which it works is in the INC directory in the root directory. At this point, the relative path of the database becomes "inc/database/fp360609.asp", which of course goes wrong. The resulting absolute path is "Inc". In order to let everyone see more clearly, we can give a two methods over storage at site, see the difference compare: Submission: _blank> Get: "Microsoft, JET, Database, Engine, error'80004005'." 'D:Webdatapofen.comscdbdownload.mdb'is not a valid path. Determines whether the pathname is spelled correctly and whether it is connected to the server in which the file is stored. /sc/down/db/user.asp, line 6" Re submit: _blank> Get: "Microsoft, JET, Database, Engine, error'80004005'." 'D:Webdatapofen.comscdowndbdbdownload.mdb'is not a valid path. Determines whether the pathname is spelled correctly and whether it is connected to the server in which the file is stored. /sc/down/db/user.asp, line 6" Two ways to get the absolute path, one less than the actual path, one is more, so the wrong path and wrong, storm out of the database. The two systems are caused by CONN.ASP not in the root directory of the system. (in fact, there are more than two such systems.). Is that what happens when CONN.ASP is placed in the root directory, and the calling file is in a directory? If together, of course. But its own expert can cause cattle to change the relative path by constructing method, can achieve the purpose of mancang. For example, the "network technique, CONN.ASP will shift to mancang. Of course, in practice, the site failed to work because the CONN.ASP was removed, so it was not successful. But this idea has inspired many people. If there is a way to copy rather than move, or move not CONN.ASP, instead of invoking CONN.ASP's other files, such as chklogin, you can theoretically succeed. (of course, if the server and the page for the safe handling of Mancang is another matter). This method, that is, some of the cattle to save the web site to change the local way out. Today, a new approach to the database of riots has just been seen, the principle of which is the construction of errors to achieve the true path. Three, the prevention of violence Library It is because the IIS server will Mancang, details of each execution error are given, and stop the execution, and the default IIS settings and return error information to the user. Therefore, To avoid Mancang, should change the IIS default settings, select error only to an error page, do not give detailed information. Figure "Server error while processing URL. Contact your system administrator. " In fact, as a web site manager, when you can't set up a virtual host, you can only strengthen it in your web pages. Add the word to the page that might go wrong: "On, Error, Resume, Next", especially in the CONN.ASP file. What it means is that after the error has been restored, the following is executed, that is, ignoring the error and of course not giving the wrong information. Yi Yi system version 3.62 plus, it is now out of the way. The God of business network, CONN.ASP is not in the root directory, but because this sentence is added, it can not burst out of the database.