Shulou(Shulou.com)06/03 Report--

This article shares with you the content of the sample analysis of CHR (0) in ASP/VBScript. The editor thinks it is very practical, so share it with you as a reference and follow the editor to have a look.

This character marks the end of a string, also known as null-terminated, which brings some trouble to script programming, especially ASP programming. Many people may ask why this special character is retained. We can trace it back to C language, one of the languages in which the operating system was written. Children's shoes who have learned about C _ NULL + may know that it is the\ 0 (NULL or 0) that marks the end of a string in a string. Otherwise, it cannot be called a string, it can only be called an array of strings. Any function that operates on a string may have an exception if the passed string drops the ending NULL character.

The copy code is as follows:

Char strbuf [] = "Hello"

/ / equivalent to

Char strbuf [] = {'Haugh,' eBay, 'lump,' lump, 'oval,'\ 0'}

One of the simple implementations of the function for judging the length of a string:

The copy code is as follows:

Size_t strlen_a (const char * str) {

Size_t length = 0

While (* str++)

+ + length

Return length

}

You can see that the while loop ends with a 0, so the ending flag here is the\ 0 character at the end of the string. It can be said that this method of identifying strings makes sense, because lower-level languages such as C language need efficiency of execution and better control of storage space. that is to say, we need to master and allocate the space for storing strings for string variables, and generally the space allocated for strings is much larger than the length of strings. And the variables assigned by the C language auto mode are filled with garbage values before initialization, so when loading our string into this space, we only need to simply set the last character of the string to\ 0 character, which effectively avoids the operation of the whole space. Another reason is that when outputting this string, you must indicate where the string ends, and you can't output the value of the entire string storage space. Maybe the explanation is a little far-fetched.

Okay, let's look at why this feature is retained in ASP/VBScript. We know that VBScript is a subset of VB (Visual Basic), what is VB, and VB is developed for Windows applications. When it comes to Windows application development, it is possible to call the API of the Windows system, while most of these API functions are written in C language. Obviously, in order for VB to be compatible with these API, it is necessary to introduce the CHR (0) character, that is, vbNullChar. At the same time, it should also have the feature of string processing in C language, that is, when you encounter CHR (0), it marks the end of the string. No matter what happens next, the most classic WinAPI function call using the CHR (0) character is GetLogicalDriveStrings. The drive string obtained by this API is similar to c:\ d:\, and every two paths are separated by a null-terminated, that is, CHR (0), so special handling is required. If VB does not support the CHR (0) character, then the API will not be used, and the application writing of VB will be greatly reduced. However, in particular, VBScript, a subset of VB, retains this feature. At present, I am not sure whether Null characters are necessary in VBScript scripts, but this brings us some trouble and even security risks in scripting ASP.

For example, a function like this is used to get the file extension:

The copy code is as follows:

This function is for demonstration only and should not be used in production environment

Function GetFileExtensionName (filename)

Dim lastdotpos

Lastdotpos = InstrRev (filename, ".")

GetFileExtensionName = Right (filename, Len (filename)-lastdotpos)

End Function

This function is only used for demonstration. Through this function, we can get the extension of an uploaded file, such as sample.jpg, and obtain jpg through the above function. If a malicious attacker constructs such an uploaded file name sample.asp.jpg, that is, "sample.asp" & CHR (0) & ".jpg", the above function still gets the extension jpg, while ASP due to the VBScript feature The string is truncated according to CHR (0), so the file name becomes sample.asp after upload, which is quite dangerous. A common practice is to filter out CHR (0), such as the following function:

The copy code is as follows:

Function filterFileName (fileName)

FilterFileName = Replace (fileName, vbNullChar, "")

End Function

However, if this happens, it means that users may be trying to exploit upload vulnerabilities to attack the system, so I think it is more appropriate to find that CHR (0) is included, then file upload is prohibited, and malicious files are still uploaded after filtering, although malicious files do not work. After querying the regular library RegExLib.com, I found a better way to verify the file name. Next, I provide this general regular matching file name function for your reference:

The copy code is as follows:

Function IsAcceptableFileName (fileName)

Set objRegExp = New RegExp

ObjRegExp.IgnoreCase = True

ObjRegExp.Global = False

ObjRegExp.Pattern = _

"^ (?! ^ (PRN | AUX | CLOCK\ $| CONFIG\ $|" & _

"NUL | CON | COM\ d | LPT\ d |\.. *)" & _

"(\.. +)? $) [^\ x00 -\ x1f\? *:\"; | /] + $"

IsAcceptableFileName = objRegExp.Test (fileName)

Set objRegExp = Nothing

End Function

The IsAcceptableFileName function can detect whether the file name contains some illegal characters such as 0x00~0x1F and forbidden path characters such as? *\ /. It can also detect special device names under Windows, such as PRN, CON, NUL, etc., to avoid malicious device name file upload.

Thank you for reading! This is the end of the article on "sample Analysis of CHR (0) in ASP/VBScript". I hope the above content can be of some help to you, so that you can learn more knowledge. if you think the article is good, you can share it for more people to see!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.