The origin of Chr (0) in ASP / VBScript and the analysis of its security problems

Time:2019-10-12

This character marks the end of the string, also known as null-terminated. This brings some trouble to scripting, especially ASP programming. Many people may ask why we want to keep this special character. We can trace it back to C language, one of the languages of operating system. Children who have learned C/C++ may know that it is the knot that marks the end of a string in the string. Tail 0 (NULL or 0), otherwise it can not be called a string, but an array of strings. Any function that operates on a string may have an exception if the incoming string loses the end NULL character.

Copy codeThe code is as follows:
char strbuf[] = “Hello”
/ / equivalent to
char strbuf[] = {‘H’, ‘e’, ‘l’, ‘l’, ‘o’, ‘\0’}

One of the simple implementations of the judgment function of string length is:

Copy codeThe code is as follows:
size_t strlen_a(const char * str) {
size_t length = 0;
while (*str++ )
++length;
return length;
}

You can see that the while loop ends with zero, so the end sign here is the 0 character at the end of the string. This kind of string identification method is reasonable, because C language, which is a lower level language, needs the efficiency of execution and better control of storage space. That is to say, we need to master and allocate the space of storage string for string variables. Generally, the space of string allocation is far greater than the length of string, and C language Auto The variable allocated by the way is the garbage value filled before it is initialized. At this time, loading our string into this space requires only simple setting the last character of the string as0, which effectively avoids the operation of the whole space. Another reason is that when you output this string, you must specify where the string ends and you can never output the whole string to store empty space. The value between, ah, may explain a little far-fetched.

Well, let’s see why this feature is retained in ASP/VBScript. We know that VBScript is a subset of Visual Basic. What is VB? VB is developed for Windows applications. Speaking of Windows application development, we may call the API of Windows system. Most of these API functions are written in C language, obviously for VB to be compatible with this. Some APIs must introduce the CHR (0) character, vbNullChar, as well as the C language string processing feature, that is, when CHR (0) is encountered, it marks the end of the string. Whatever the next content, the most classic WinAPI function call using the CHR (0) character is GetLogical DriveStrings. The drive string obtained by this API is similar to that of c: null > d:\ null > < null > < null > < null > < null > < null >. Ll >, every two paths are separated by a null-terminated, that is, CHR (0), so special processing is needed. If VB does not support CHR (0) characters, then this API will not be used, VB application programming will be greatly discounted. But in particular, VBScript, a subset of VB, retains this feature. At present, I am not sure whether Null characters are necessary in VBScript scripts, but it brings some troubles, even security risks, to our scripting.

For example, such a function is used to extract file extensions:

Copy codeThe code is as follows:
‘this function is for demonstration only, not for production
Function GetFileExtensionName(filename)
Dim lastdotpos
lastdotpos = InstrRev(filename, “.”)
GetFileExtensionName = Right(filename, Len(filename) – lastdotpos)
End Function

This function is only used for demonstration. Through this function, we can get an extension of uploaded file, such as sample. jpg, and get JPG through the above function. If a malicious attacker constructs such an uploaded file name as sample. ASP < null >. jpg, that is, “sample. asp” & CHR (0) & “jpg”, then the above function will still get the extension jpg, while ASP owns to the VBScript feature. If the string is truncated according to CHR (0), then the file name becomes sample. ASP after uploading, which is quite dangerous. The usual practice is to filter out CHR (0), such as the following functions:

Copy codeThe code is as follows:
Function filterFileName(fileName)
filterFileName = Replace(fileName, vbNullChar, “”)
End Function

However, if this happens, it means that users may try to attack the system by using upload vulnerabilities, so I think it is more appropriate to find that it contains CHR (0), then prohibit file upload, to avoid malicious file upload after filtering, although malicious files do not work. After inquiring RegExLib.com, I found a better way to judge the validation of file names. Next, I provide a more general function of whether the regular matching file names are legitimate for your reference.

Copy codeThe code is as follows:
Function IsAcceptableFileName(fileName)
Set objRegExp = New RegExp
objRegExp.IgnoreCase = True
objRegExp.Global = False
objRegExp.Pattern = _
“^(?!^(PRN|AUX|CLOCK\$|CONFIG\$|” & _
“NUL|CON|COM\d|LPT\d|\..*)” & _
“(\..+)?$)[^\x00-\x1f\\?*:\””;|/]+$”
IsAcceptableFileName = objRegExp.Test(fileName)
Set objRegExp = Nothing
End Function

The IsAcceptable FileName function can detect whether the file name contains illegal characters such as 0x00~0x1F and?*/ these forbidden path characters. It can also detect special device names under Windows, such as PRN, CON, NUL, etc., to avoid malicious device name file upload.

Updated 20 December 2011

For NULL character upload vulnerability attack implementation code, please refer to “ASP upload vulnerability exploit CHR (0) bypass extension detection script”

Recommended Today

Install and configure Tomcat

Download, install and configure Tomcatone . download Download address: http://tomcat.apache.org/ Choose 32-bit or 64 bit according to your computer You can download the installation free version (zip), or the installation version (. Exe) two . install If you download the installation free version, you can unzip it directly after downloading Start: find the startup.bat Click […]