Odd behaviour if query string begins with an ampersand - IIS

I've isolated an odd behavior in ASP Classic, Windows Server 2016, IIS 10.0.
Run this code:
For Each Item in Request.QueryString
Response.Write Item & ": " & Request.QueryString(Item) & "<br/>"
Next
with this querystring:
?&var1=value1&var2=value2
I'm getting this output:
&var1: value1
var2: value2
So basically ASP Classic is screwing up the first variable, which should be var1. Because of the first ampersand in the URL, the first variable is not recognized correctly.
Is there a way to configure IIS to enable correct parsing of the URL? If I take away the first ampersand, var1 is recognized correctly.
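An added example (not from the question above) of the tolerant parsing a practitioner would put in front of the ASP code: it drops the leading `?` and every empty pair produced by a leading, trailing or doubled `&`, keeps repeated names in order, and rebuilds a canonical query string so that a front-end filter and the back end never disagree about which parameter comes first. Everything is stdlib Python; the sample query strings are constructed.

```python
from typing import Dict, List, Optional
from urllib.parse import quote, unquote_plus


def parse_query(raw: str) -> Dict[str, List[str]]:
    """Parse a raw query string into {name: [value, ...]}.

    The leading '?' is dropped and empty segments are skipped, so
    '?&var1=value1&var2=value2' yields var1 and var2 rather than a
    first parameter named '&var1'. Repeated names keep every value,
    in order, instead of silently taking the first or last one.
    """
    if raw.startswith("?"):
        raw = raw[1:]
    params: Dict[str, List[str]] = {}
    for segment in raw.split("&"):
        if segment == "":  # produced by a leading, trailing or doubled '&'
            continue
        name, has_value, value = segment.partition("=")
        decoded = unquote_plus(value) if has_value else ""
        params.setdefault(unquote_plus(name), []).append(decoded)
    return params


def canonical_query(raw: str) -> str:
    """Re-serialise the parsed parameters without empty pairs or a leading '?'.

    Useful as a normalisation step in a rewrite rule or reverse proxy so the
    back end (here ASP Classic) and any front-end filter see the same parameters.
    """
    parts = []
    for name, values in parse_query(raw).items():
        for value in values:
            parts.append(f"{quote(name, safe='')}={quote(value, safe='')}")
    return "&".join(parts)


def first_parameter(raw: str) -> Optional[str]:
    """Name of the first parameter as the tolerant parser sees it (None if none)."""
    names = list(parse_query(raw))
    return names[0] if names else None
```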


Bypassing SQL Character Blacklist Filtering

I am working on a cyber security course containing a challenge on a SQL Server 2000 host.
I have leaked an asp file containing the source for the login page that contains a hardcoded query that takes the username and password from the user and proceeds to query the db...
sSql = "SELECT * FROM Users where user_name='" & username & "' and user_password='"&password&"'"
Before this is executed the user input is filtered with a loop over the method below, removing...
' " - & % / \ | >
replace(myString, "&", "")
What I am trying to do is to escape the string containing the user or password, break the developing query and interrupt it with my own, then comment out the remainder to keep it 'valid'. In order to evade the blacklist I am trying to pass a SUBSTRING that will decode a series of hex characters into a valid nested query.
I have tested both parts in a sandbox VB script to check handling of the encoded string and run the string in an online MSSQL emulator here, and it decodes the query fine.
NOTE: Emulator is Sql Server 2014 Express Edition not 2K. Couldn't find one for 2K
I hope that makes sense!
Here is what I am trying to pass and what each character is trying to achieve...
Encoded Query:
SELECT CONVERT(VARCHAR(60), SUBSTRING(0x22273B2053454C454354202A2066726F6D207573657273205748455245206E616D65203D2061646D696E3B202D2D20, 1, 96))
Translates to (with trailing space):
"'; SELECT * from users WHERE name = admin; --
What I am envisioning is that the below overall query is formed AFTER the SUBSTRING is processed:
sSql = "SELECT * FROM Users where user_name='""'; SELECT * from users WHERE name = admin; -- & username & "' and user_password='"&password&"'"
My hope is that leading double and single quote formation on my malicious request will break the string and the subsequent semicolon will end the request without causing an exception, then leading to the server processing my query and dropping the unnecessary remainder.
My question then is: is this approach valid from the perspective of SQL Server 2000? Or are my assumptions on how the server is receiving and processing the query incorrect?
No - the way it is processed won't allow you to attack in this way. With your payload the string will end up being:
SELECT * FROM Users where user_name='SELECT CONVERT(VARCHAR(60), SUBSTRING(0x2...0, 1, 96))' and user_password='"&password&"'
So the SELECT that you are trying to get executed will be in single quotes and never interpreted as code.
The key to this may be that you have two injections - try passing in a "\" into the first injection to escape the last quote and then use both injections to exploit it.
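An added example, not part of the question or the answer, that reproduces the answer's point in runnable form: with the page's blacklist applied and the value concatenated into sSql, the filtered input sits inside the single-quoted literal and is treated as data, while a legitimate name such as o'brien is silently mangled by the same filter. The in-memory sqlite3 table and the shortened hex argument are constructed stand-ins for the SQL Server 2000 host; the parameterized variant is the fix a reviewer would ask for.

```python
import sqlite3
from typing import List

# Characters the login page's filter removes, as listed in the question.
BLACKLIST = "'\"-&%/\\|>"

# Constructed stand-in for the question's input; the hex argument is abbreviated.
SAMPLE_INPUT = "SELECT CONVERT(VARCHAR(60), SUBSTRING(0x2227, 1, 96))"


def blacklist_filter(value: str) -> str:
    """Mimic the page's replace() loop: strip every blacklisted character."""
    for ch in BLACKLIST:
        value = value.replace(ch, "")
    return value


def build_concatenated_query(username: str, password: str) -> str:
    """Rebuild sSql the way the leaked ASP does: filter, then concatenate."""
    u, p = blacklist_filter(username), blacklist_filter(password)
    return f"SELECT * FROM Users where user_name='{u}' and user_password='{p}'"


def input_stays_inside_literal(value: str) -> bool:
    """True when the filtered value cannot close the single-quoted literal around it."""
    return "'" not in blacklist_filter(value)


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the Users table (sqlite, not SQL Server)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users(user_name TEXT, user_password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [("admin", "s3cret"), ("o'brien", "pw")])
    return conn


def login_concatenated(conn: sqlite3.Connection, username: str, password: str) -> List[str]:
    """The vulnerable pattern: filtered input spliced into the statement text."""
    cur = conn.execute(build_concatenated_query(username, password))
    return [row[0] for row in cur.fetchall()]


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> List[str]:
    """The fix: values travel as bound parameters, never as statement text."""
    cur = conn.execute(
        "SELECT user_name FROM Users WHERE user_name=? AND user_password=?",
        (username, password))
    return [row[0] for row in cur.fetchall()]
```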

notes url (notes://) sometimes does not create icon on workspace

I'm maintaining an application which sends out E-Mails with a notes url link like this:
noteshref = "notes://" & serverName.Common & "/" & docToLink.Parentdatabase.Replicaid & "/" & viewUNID & "/" & docToLink.Universalid
the viewUNID is calculated thusly:
Dim viewUNID As String
Dim viewID As String
Dim nc As NotesNoteCollection
Dim note As NotesDocument
' Collect the view design notes whose $Title (aliases included) contains "Vtousdocuments"
Set nc = db.Createnotecollection(False)
nc.Selectviews = True
nc.Selectionformula = {@IsMember("Vtousdocuments"; @Explode($Title; "|"))}
nc.Buildcollection
If nc.Count > 0 Then
    viewID = nc.Getfirstnoteid
    Set note = db.Getdocumentbyid(viewID)
    viewUNID = note.Universalid
    Delete note
Else
    viewUNID = "0"
End If
Delete nc
I've looked at the documentation for the NotesURL:
https://www-10.lotus.com/ldd/dominowiki.nsf/dx/notes-urls
I've seen demonstrations via a remote session where the database icon on the workspace is not created when opening the link. The document gets opened, but no bananas on the 'create a workspace icon for the database' behaviour.
I haven't been able to reproduce this on my machine, and I've also noted that, contrary to the documentation, the server 'hint' is not considered - one of the possible replicas is pulled out of thin air and recreated on the workspace.
Am I missing anything? Are there perhaps some combinations of the Notes URL that do not create icons on the workspace (i.e. a naming convention for the server)? Or could it be something more obscure, like corrupted desktop.ndk files?
I have used this URL format in a few places and it has always worked and it opens the right server. One thing I do differently is use /0/ instead of the view UNID "/" & viewUNID & "/". This directly opens the document if it's present in the db, and it's also faster.
But your solution should also work; if the issue is specific to a few users, you should delete the cache/desktop and try again.

How to assign multiple lines string in Powershell Console

When I enter this in the PowerShell console
$test=@'
Test
Test'@
and press Enter several times, it keeps printing
>>
so I can never finish the command.
What to do?
'@ should be the first thing on the line, or it is considered to be just part of the string.
$test=@'
Test
Test
'@
This approach also works with @"/"@
As per the section on maximum line length in The PowerShell Best Practices and Style Guide, I would suggest “splatting” the string, like this:
$myStr = ("The family of Dashwood had long been settled in Sussex. Their estate was " +
"large, and their residence was at Norland Park, in the centre of their " +
"property, where, for many generations, they had lived in so respectable " +
"a manner as to engage the general good opinion of their surrounding " +
"acquaintance.")
$test=@'
Test
Test
'@
The important thing to note is that the delimiters include (invisible) carriage returns. There must be one at the end of the starting tag, and one before the closing tag.

Compile error can't find project or library

I'm not familiar with VB6. I would like to compile an existing project in a new environment (which means a new desktop), so did I miss some development tools or references needed to run the code below? Because when I run the project it points to (Date).
ExcelSheet.Cells(2, 1).Value = "Printed As At " & ls_now
If optCurrent.Value = True Then
ExcelSheet.Cells(4, 1).Value = "Year : " & Year(Date)
Else
ExcelSheet.Cells(4, 1).Value = "Year : " & cboYear.Text
End If
Please help, a thousand thanks.
This is usually a side effect of a missing project reference. Hit the Project->References menu:
Look for anything that is marked as 'MISSING'. Those are the things that need to be installed/registered on your development machine. Once you do so, you'll have to restart VB to reload your project.
If Date is VB6's Date function it needs () after it. In all Basics except VB.NET, functions must have brackets, and subs mustn't. There is also a Date statement that sets the date. That is what yours is being interpreted as, but it makes no sense inside another function's parameters.
You could have pressed F1 and learnt this.

IIS6 serving unregistered MIME Types

I have an IIS6 web server (on Win2003) that is having a strange behavior, which I guess is some undocumented "feature"...
It serves SVG files (extension .svg) without having it registered on the IIS metabase. It does not have the * mime type either.
For this request:
GET /basic/file1.svg HTTP/1.1
the response contains
HTTP/1.1 200 OK
Content-Length: 32817
Content-Type: image/svg+xml
So... where does IIS get this image/svg+xml mime type?
The only place I found it is in Registry, at HKEY_CLASSES_ROOT\MIME\Database.
But according to all the MS information I found, the source for IIS allowed mime types is its own metabase.
Does anyone know this behavior? This could lead an IIS admin to a false sense of security...
Best regards everyone!!
IIS merges MIME maps from the Metabase and the registry (HKCR\<extension>) to get the list of allowable Mime Types.
To list the metabase mime types, you can use:
adsutil.vbs get /MimeMap/mimemap
Which, unfortunately, prints out the mime map poorly:
D:\Apps\Scripts>adsutil.vbs get /MimeMap/mimemap
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
MimeMap : (MimeMapList) ".asx,video/x-ms-asf" ".xml,text/xml" ".tsv,text/tab
-separated-values" ".ra,audio/x-pn-realaudio" ".sv4crc,application/x-sv4crc" ".spc,application/x-pkc
s7-certificates" ".pmc,application/x-perfmon" ".lit,application/x-ms-reader" ".crd,application/x-msc
Changing one line in ADSUtil.VBS fixes this (note the added " vbCRLF & "):
Line 1655:
MimeOutPutStr = MimeOutPutStr & """" & MimeEntry.Extension & "," & MimeEntry.MimeType & """ "
to
MimeOutPutStr = MimeOutPutStr & vbCRLF & """" & MimeEntry.Extension & "," & MimeEntry.MimeType & """ "
Produces output like this:
D:\Apps\Scripts>adsutil.vbs enum /MimeMap
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
KeyType : (STRING) "IIsMimeMap"
MimeMap : (MimeMapList)
".asx,video/x-ms-asf"
".xml,text/xml"
".tsv,text/tab-separated-values"
".ra,audio/x-pn-realaudio"
".sv4crc,application/x-sv4crc"
".spc,application/x-pkcs7-certificates"
".pmc,application/x-perfmon"
".lit,application/x-ms-reader"
".crd,application/x-mscardfile"
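An added example (Python, not from the answer) that turns the answer's merge rule into an audit: parse the quoted ".ext,type" entries that adsutil.vbs prints, combine them with the registry Content Type values, and list every extension the server would serve without an admin ever adding it to the metabase. The metabase text and registry map are constructed samples, and metabase-over-registry precedence is an assumption; on the server itself the registry side would be read with winreg.

```python
import os
import re
from typing import Dict, List, Optional

# Constructed sample in the one-line "MimeMap : (MimeMapList)" form printed by adsutil.vbs.
METABASE_OUTPUT = (
    'MimeMap : (MimeMapList) ".asx,video/x-ms-asf" ".xml,text/xml" '
    '".tsv,text/tab-separated-values" ".spc,application/x-pkcs7-certificates"'
)

# Constructed stand-in for the registry side: the "Content Type" value under
# HKEY_CLASSES_ROOT\<extension> (read with winreg on the server itself).
REGISTRY_CONTENT_TYPES = {
    ".svg": "image/svg+xml",
    ".xml": "text/xml",
    ".htm": "text/html",
}

# One adsutil entry: a quoted extension and mime type separated by a comma.
MIME_ENTRY_RE = re.compile(r'"(\.[^,"]*),([^"]*)"')


def parse_metabase_mimemap(text: str) -> Dict[str, str]:
    """Extract {extension: mime type} from adsutil's quoted ".ext,type" entries."""
    return {ext.lower(): mime for ext, mime in MIME_ENTRY_RE.findall(text)}


def effective_mime_map(metabase: Dict[str, str], registry: Dict[str, str]) -> Dict[str, str]:
    """Merge both sources as the answer describes. Assumed precedence: an explicit
    metabase entry wins; registry entries only fill extensions the metabase omits."""
    merged = dict(registry)
    merged.update(metabase)
    return merged


def content_type_for(path: str, metabase: Dict[str, str], registry: Dict[str, str]) -> Optional[str]:
    """Content-Type the server would send for a static file, or None if neither source maps it."""
    ext = os.path.splitext(path)[1].lower()
    return effective_mime_map(metabase, registry).get(ext)


def served_only_via_registry(metabase: Dict[str, str], registry: Dict[str, str]) -> List[str]:
    """Audit: extensions nobody registered in the metabase that IIS will still serve."""
    return sorted(ext for ext in registry if ext not in metabase)
```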
