如何防止查询字符串中的空字节注入
how to prevent null byte injection from querystring
Nessus 漏洞扫描器 运行 针对遗留代码网站。有很多关于如何使用 PHP 防止 空字节注入 攻击的建议,但我找不到任何关于使用 VBScript 在经典 ASP 中修复此问题的方法。
这是扫描器对我们 public 站点的攻击:
http://www.mortgagedataweb.com/mds/marketshare/ParmsV2.asp?Menu=%00<"kzwezl%20>
我尝试为 QueryString
输入添加有效性检查,但我的努力没有奏效。 %00
导致我试图检查正确值的结果被掩盖了。以下是一些相关的代码片段:
Function getUserInput(input)
Dim newString
If Len(input) = 0 Then
getUserInput = ""
Exit Function
End If
newString = input 'this was omitted in original post but was in fact in the code
newString = Replace(newString, Chr(0), "") 'I thought this would fix it !
newString = Replace(newString, "--", "")
newString = Replace(newString, ";", "")
newString = Replace(newString, Chr(34),"'")
newString = Replace(newString, "'", "")
newString = Replace(newString, "=", "=")
newString = Replace(newString, "(", "[")
newString = Replace(newString, ")", "]")
newString = Replace(newString, "'", "''")
newString = Replace(newString, "<", "[")
newString = Replace(newString, ">", "]")
newString = Replace(newString, "/*", "/")
newString = Replace(newString, "*/", "/")
getUserInput = newString
End Function
implied_Menu = UCase(getUserInput(Request.QueryString("Menu"))) 'store Menu value for Fast-Path link
Select Case implied_Menu
Case "FHA_ZP", "C_ZP", "J_ZP", "F_ZP"
implied_SQLName = MARKETSHAREZip
Case "P_ALL", "P_MA", "P_ST", "P_ZP", "P_CT", "P_NATION"
implied_SQLName = PMIMARKETSHARE
Case "FHA_ALL_D", "FHA_MA_D", "FHA_ST_D", "FHA_CT_D", "FHA_ZP_D", "FHA_NATION_D"
implied_SQLName = FHAMARKETSHAREDETAILS
Case ""
implied_SQLName = MARKETSHARE
Case Else
Response.Write("<h2>Invalid Menu parameter</h2>")
Response.End
End Select
正确的菜单值是:
- 完全缺失(即
Menu=
不在QueryString
)
- 上述
Select Case
逻辑中描述的一系列有效值的一部分
在我的开发机器上,我可以将 %00
更改为 %0
,然后使用 Response.Write
消息标记错误,然后 Response.End
,但是关于 %00
越过了我检查它的尝试。
我建议用正则表达式来处理:
function getUserInput(sInput)
Dim obj_regex
Set obj_regex = New RegExp
obj_regex.IgnoreCase = true
obj_regex.Global = true
obj_regex.Pattern = "\W"
getUserInput = obj_regex.Replace(sInput, "")
set obj_regex = Nothing
end function
由于您的所有菜单项都只有字母数字字符和下划线,因此您可以替换所有其他字符。
Nessus 漏洞扫描器 运行 针对遗留代码网站。有很多关于如何使用 PHP 防止 空字节注入 攻击的建议,但我找不到任何关于使用 VBScript 在经典 ASP 中修复此问题的方法。
这是扫描器对我们 public 站点的攻击:
http://www.mortgagedataweb.com/mds/marketshare/ParmsV2.asp?Menu=%00<"kzwezl%20>
我尝试为 QueryString
输入添加有效性检查,但我的努力没有奏效。 %00
导致我试图检查正确值的结果被掩盖了。以下是一些相关的代码片段:
Function getUserInput(input)
Dim newString
If Len(input) = 0 Then
getUserInput = ""
Exit Function
End If
newString = input 'this was omitted in original post but was in fact in the code
newString = Replace(newString, Chr(0), "") 'I thought this would fix it !
newString = Replace(newString, "--", "")
newString = Replace(newString, ";", "")
newString = Replace(newString, Chr(34),"'")
newString = Replace(newString, "'", "")
newString = Replace(newString, "=", "=")
newString = Replace(newString, "(", "[")
newString = Replace(newString, ")", "]")
newString = Replace(newString, "'", "''")
newString = Replace(newString, "<", "[")
newString = Replace(newString, ">", "]")
newString = Replace(newString, "/*", "/")
newString = Replace(newString, "*/", "/")
getUserInput = newString
End Function
implied_Menu = UCase(getUserInput(Request.QueryString("Menu"))) 'store Menu value for Fast-Path link
Select Case implied_Menu
Case "FHA_ZP", "C_ZP", "J_ZP", "F_ZP"
implied_SQLName = MARKETSHAREZip
Case "P_ALL", "P_MA", "P_ST", "P_ZP", "P_CT", "P_NATION"
implied_SQLName = PMIMARKETSHARE
Case "FHA_ALL_D", "FHA_MA_D", "FHA_ST_D", "FHA_CT_D", "FHA_ZP_D", "FHA_NATION_D"
implied_SQLName = FHAMARKETSHAREDETAILS
Case ""
implied_SQLName = MARKETSHARE
Case Else
Response.Write("<h2>Invalid Menu parameter</h2>")
Response.End
End Select
正确的菜单值是:
- 完全缺失(即
Menu=
不在QueryString
) - 上述
Select Case
逻辑中描述的一系列有效值的一部分
在我的开发机器上,我可以将 %00
更改为 %0
,然后使用 Response.Write
消息标记错误,然后 Response.End
,但是关于 %00
越过了我检查它的尝试。
我建议用正则表达式来处理:
function getUserInput(sInput)
Dim obj_regex
Set obj_regex = New RegExp
obj_regex.IgnoreCase = true
obj_regex.Global = true
obj_regex.Pattern = "\W"
getUserInput = obj_regex.Replace(sInput, "")
set obj_regex = Nothing
end function
由于您的所有菜单项都只有字母数字字符和下划线,因此您可以替换所有其他字符。