[Repost] A Few Notes on ASP Database Trojan Insertion
<p>Original link: <a href="http://blog.csdn.net/lake2/archive/2006/05/02/705362.aspx">http://blog.csdn.net/lake2/archive/2006/05/02/705362.aspx</a><br />Author: lake2</p>
<p><u>A Few Notes on ASP Database Trojan Insertion</u></p>
<div class="postText">
<p>By lake2 (<a href="http://lake2.0x54.org/">http://lake2.0x54.org</a>)</p>
<p>As the technique has matured, inserting an ASP trojan through a database is nothing new any more, and you have probably played with it yourself. Heh, but have you ever run into the case where the inserted ASP code came out split apart by spaces (that is, a space appeared between every character you inserted)? Let's solve that problem now.</p>
<p>After analysing a number of real cases, I found that whenever a database showed the code separated by spaces, the Unicode Compression property of the corresponding field was always "No". Conversely, if the Unicode Compression property is "Yes", the trojan can be inserted through that field.</p>
<p>A search turned up Microsoft's official description of Unicode compression: "Microsoft Access 2000 or later uses the Unicode character encoding scheme to represent the data in Text, Memo and Hyperlink fields. Unicode represents each character as two bytes... which requires more storage space than in Access 97 or earlier... The effect of the Unicode character representation can be offset by setting the default value of the 'Unicode Compression' property of 'Text', 'Memo' or 'Hyperlink' fields to 'Yes'."</p>
<p>So that is it: with Unicode compression turned on, the database automatically stores Latin characters (Western European languages such as English, Spanish or German) in 1 byte; with it turned off, the database stores each Latin character in 2 bytes (one of which is 0x00, which is rendered as a space when treated as text), and that is what splits the inserted ASP code apart with spaces.</p>
<p>So how do you insert the trojan in this situation?</p>
<p>The way in is right there in the Unicode compression: if the database will not compress for us, we compress it ourselves. It is simple: convert the ASP code to Unicode first, then insert it into the database. I wrote a small program in VB to do this. Note that the conversion easily produces non-displayable characters (they show up as ?), so the code has to be constructed carefully; of course you can also take the easy way and use the one I constructed in the figure ^_^</p>
<p><img src="http://blog.csdn.net/images/blog_csdn_net/lake2/a2u.jpg" /></p>
<p>From VB's point of view, the converted code is only half its original length. Heh, could this count as a breakthrough for the smallest ASP backdoor?</p>
<p>The program can be downloaded here: <a href="http://www.0x54.org/lake2/program/a2u4hack.exe">http://www.0x54.org/lake2/program/a2u4hack.exe</a>. Heh, enjoy it!</p>
</div>
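<p>As an added example (not lake2's program or any code from the post), the following Python models the storage behaviour the post describes, Unicode compression on versus off, and scans stored field values for intact ASP delimiters so a defender auditing an Access database can spot script whether it was stored as plain text or as pre-packed two-byte characters. The one-byte-versus-UTF-16LE storage model, the <code>scan_rows</code> row layout and the sample rows are simplifying assumptions constructed for the example.</p>

```python
# Added example (not from lake2's post or tool): models how an Access text field's
# content reaches disk with Unicode Compression "Yes" versus "No", and scans the
# raw bytes for ASP script delimiters so a defender can spot script stored in a
# field even when its text looks like random CJK/box-drawing characters.
# Assumption (simplified from the post): with compression on, text whose characters
# all fit in one byte is stored as 1 byte per character; everything else, and all
# text with compression off, is stored as UTF-16LE (each Latin char followed by 0x00).

ASP_OPEN, ASP_CLOSE = b"<%", b"%>"


def raw_bytes(text: str, unicode_compression: bool) -> bytes:
    """Return the modelled on-disk byte form of a Text/Memo field value."""
    if unicode_compression and all(ord(c) < 256 for c in text):
        return text.encode("latin-1")
    return text.encode("utf-16-le")


def as_seen_by_asp(text: str, unicode_compression: bool) -> str:
    """How a script engine sees the stored bytes when it parses the .mdb as
    source text: each 0x00 byte renders as a space (the 'split by spaces' symptom)."""
    return raw_bytes(text, unicode_compression).replace(b"\x00", b" ").decode("latin-1")


def contains_asp_script(text: str, unicode_compression: bool) -> bool:
    """True if the raw bytes hold an intact <% ... %> block."""
    raw = raw_bytes(text, unicode_compression)
    start = raw.find(ASP_OPEN)
    return start != -1 and raw.find(ASP_CLOSE, start + len(ASP_OPEN)) != -1


def scan_rows(rows, unicode_compression: bool):
    """Flag (row_id, field) pairs whose stored bytes contain executable ASP."""
    return [(rid, name) for rid, fields in rows for name, value in fields.items()
            if isinstance(value, str) and contains_asp_script(value, unicode_compression)]


# Constructed sample rows: a harmless post that merely mentions ASP tags, and a
# value whose three characters (U+253C U+313D U+3E25) are exactly the UTF-16LE
# reading of the bytes b"<%=1%>", i.e. already packed so no 0x00 padding appears.
SAMPLE_ROWS = [
    (1, {"subject": "hello", "body": "how do I write <%=1%> in ASP?"}),
    (2, {"subject": "\u253c\u313d\u3e25", "body": "x"}),
]

if __name__ == "__main__":
    print(repr(as_seen_by_asp("<%=1%>", False)))   # '< % = 1 % > '
    print(scan_rows(SAMPLE_ROWS, True))              # [(1, 'body'), (2, 'subject')]
    print(scan_rows(SAMPLE_ROWS, False))             # [(2, 'subject')]
```

<p>With compression off, the plain-text post in row 1 is harmless because its delimiters are padded apart, while the packed value in row 2 is flagged in both modes; an audit should therefore always decode field values back to bytes rather than trusting what the text looks like.</p>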