In an ordinary web application, the data returned to the browser can declare a character set; the ones commonly used in China are UTF-8, GBK, GB2312 and so on. The declared character set tells the browser how to interpret the returned bytes. GB2312 and GBK are both widely used, but testing shows that IE has a problem handling these multi-byte character sets, which lets some of an application's security checks be bypassed and leads to serious cross-site scripting vulnerabilities. When IE meets a byte that is a lead (first) byte in the declared character set, it assumes that this byte and the byte following it together form a legitimate character, and it does so while parsing HTML tags, JavaScript and CSS alike. The tested versions are IE6 and IE7. The behaviour is specific to those browsers: a decoder that checks the second byte against the legal trail-byte range (as current browsers do) emits a replacement character for the stray lead byte and keeps the ASCII byte that follows instead of swallowing it.
1 Bypassing certain JavaScript filtering rules
<HTML>
<HEAD>
<TITLE>80sec test</TITLE>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312"/>
</HEAD>
<BODY>
<script>
/* probe: fires if the second script no longer parses */
window.onerror=function() {
alert('Vul');
return true;
}
</script>
<!-- 0xC1 is a GB2312 lead byte; IE pairs it with the ' that follows it -->
<script>x='<?php echo chr(0xC1);?>'; y='[User_IN_PUT]';</script>
</BODY>
</HTML>
Even if <, >, ', \ and similar characters are filtered here, an illegal character-set sequence achieves exactly what a \ would: the 0xC1 byte is merged with the ' that originally follows it, so the opening ' of x never finds its closing quote, and the content placed in [User_IN_PUT] is then parsed as JavaScript code and executed. The user input needs no quote or angle bracket of its own; something like ;alert(1);// is enough, which is why a filter that only escapes those characters does not help.
2 Bypassing certain attribute filtering rules
To avoid the vulnerabilities that come with letting users write HTML directly, some forums and applications use UBB tags, but under multi-byte encodings such as GBK these are just as easy to abuse. Take the UBB tag that is easiest to abuse as the example:
[color=xyz<?php echo chr(0xC1);?>][/color][color=abc onmouseover=alert(/xss/) s=<?php echo chr(0xC1);?>]exploited[/color]
0xC1 is a GB2312 lead byte, so after the UBB conversion the above is rendered by IE as (? stands for the double-byte character IE forms from 0xC1 and the " that follows it):
<font color="xyz?></font><font color="abc onmouseover=alert(/xss/) s=?>exploited</font>
The first color attribute now runs on until the quote of the second tag, and
alert(/xss/)
becomes the handler of an event, so even the UBB tag, which is supposed to be "safe", becomes insecure. Many forums have not paid attention to this; phpwind, Dvbbs (动网) and others are easily hit by this kind of attack. Discuz appends a blank space after the converted result, which has patched this particular problem, since the lead byte then swallows the blank instead of the closing quote. There is an interesting detail in using the UBB tag here: some databases discard characters that do not match the configured character set, so the attacker has to rely on the following character, such as ], to complete a valid Chinese character that can be stored in the database. Databases like Access do not have this issue. Also, some languages force a string into a character set when processing it, and an illegal character then makes the conversion fail or get dropped, so this type of attack cannot be used against them.