如何防止查询字符串中的空字节注入

how to prevent null byte injection from querystring

Nessus 漏洞扫描器 运行 针对遗留代码网站。有很多关于如何使用 PHP 防止 空字节注入 攻击的建议,但我找不到任何关于使用 VBScript 在经典 ASP 中修复此问题的方法。

这是扫描器对我们 public 站点的攻击:

http://www.mortgagedataweb.com/mds/marketshare/ParmsV2.asp?Menu=%00<"kzwezl%20>

我尝试为 QueryString 输入添加有效性检查,但我的努力没有奏效。 %00 导致我试图检查正确值的结果被掩盖了。以下是一些相关的代码片段:

Function getUserInput(input)    
    Dim newString
    If Len(input) = 0 Then
        getUserInput = ""
        Exit Function
    End If
    newString = input        'this was omitted in original post but was in fact in the code
    newString = Replace(newString, Chr(0), "")  'I thought this would fix it !  
    newString = Replace(newString, "--", "")
    newString = Replace(newString, ";", "")          
    newString = Replace(newString, Chr(34),"'") 
    newString = Replace(newString, "'", "") 
    newString = Replace(newString, "=", "=") 
    newString = Replace(newString, "(", "[") 
    newString = Replace(newString, ")", "]")
    newString = Replace(newString, "'", "''")
    newString = Replace(newString, "<", "[")
    newString = Replace(newString, ">", "]")  
    newString = Replace(newString, "/*", "/") 
    newString = Replace(newString, "*/", "/")
    getUserInput = newString
End Function

implied_Menu = UCase(getUserInput(Request.QueryString("Menu")))  'store Menu value for Fast-Path link
Select Case implied_Menu
    Case "FHA_ZP", "C_ZP", "J_ZP", "F_ZP"
        implied_SQLName = MARKETSHAREZip
    Case "P_ALL", "P_MA", "P_ST", "P_ZP", "P_CT", "P_NATION"
        implied_SQLName = PMIMARKETSHARE
    Case "FHA_ALL_D", "FHA_MA_D", "FHA_ST_D", "FHA_CT_D", "FHA_ZP_D", "FHA_NATION_D"
        implied_SQLName = FHAMARKETSHAREDETAILS
    Case ""
        implied_SQLName = MARKETSHARE
    Case Else
        Response.Write("<h2>Invalid Menu parameter</h2>")
        Response.End
End Select

正确的菜单值是:

在我的开发机器上,我可以将 %00 更改为 %0,然后使用 Response.Write 消息标记错误,然后 Response.End,但是关于 %00 越过了我检查它的尝试。

我建议用正则表达式来处理:

function getUserInput(sInput)
    Dim obj_regex
    Set obj_regex = New RegExp

    obj_regex.IgnoreCase = true
    obj_regex.Global = true
    obj_regex.Pattern = "\W"

    getUserInput = obj_regex.Replace(sInput, "")
    set obj_regex = Nothing
end function

由于您的所有菜单项都只有字母数字字符和下划线,因此您可以替换所有其他字符。