Universal Upload Vulnerability in ASP/PHP/JSP Script Systems

xiaoxiao2021-03-06  43

Text: Tu Yong Ge

This article was published in Hacker X Files; please credit the source when reproducing it.

Since Dvbbs (Mobile Network Forum) 7 was released, upload vulnerabilities in one system after another have come to light. The principle behind them is nearly the same; only the method differs slightly. In short, it comes down to a few steps: capture the request, change the file type, append a space after the upload path, change that space to 00 with a hex editor, and finally resubmit the request with NC. It is of course best to find the specific upfile file and read it yourself, which helps in understanding and remembering the vulnerability!

There is no very deep technique in this article. It merely groups the systems found to have upload vulnerabilities by programming language and, using a tool written by the Guilin Veteran, walks through examples of how the vulnerability in each system is exploited. Several popular WebShells are uploaded in the examples for reference. At the same time, I hope it reminds some programmers to think rigorously when coding, so that a thousand-mile dyke does not collapse because of an ant hole! Let's start with the Veteran's tool.

Let me briefly introduce the Veteran's program; its interface is shown in Figure 1 below:

To make the explanation easier, we will use two Dvbbs files, Upfile.asp and Reg_upload.asp (you need not understand everything; a rough idea is enough). Upfile.asp is the file with the upload vulnerability, and Reg_upload.asp supplies the parameters we fill into the tool; that is, the parameters Upfile.asp uses when it runs come from the form submitted by Reg_upload.asp!

Upfile.asp handles uploads through a form generated in Reg_upload.asp. The code is as follows:

Note: the variables used in it are as follows:

filepath: defaults to uploadFace, the default storage directory for uploads; it is a hidden field;

file1: the file we want to upload;
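As an added illustration (not code from the article or from Dvbbs), here is a server-side check of the kind that would have rejected the requests the article describes: it refuses NUL bytes in either form field, accepts only the expected hidden filepath value, keeps just the base name of file1, and checks the final extension against an allow-list. The field names are the article's; UPLOAD_ROOT and the sample inputs are assumed.

```python
# Added example, not code from the article or from Dvbbs: a server-side upload
# check of the kind that would have rejected the requests described above.
# Field names filepath / file1 and the default directory uploadFace are the
# article's; UPLOAD_ROOT and the sample requests are assumed/constructed.
import posixpath

ALLOWED_EXTENSIONS = {".jpg", ".gif"}         # what the site means to accept
EXPECTED_FILEPATH = "uploadFace"              # the hidden field's only valid value
UPLOAD_ROOT = "/var/www/bbs/uploadFace"       # fixed server-side, never from the client


def legacy_truncate(value):
    """Root cause of the bug: handlers with C-string semantics stop at the first
    NUL, so whatever follows the 00 byte never reaches the filesystem."""
    return value.split("\x00", 1)[0]


def validate_upload(filepath_field, file1_name):
    """Return (ok, reason, save_path) for one upload request.

    Rejects NUL bytes in either field, refuses a filepath other than the
    expected hidden default, uses only the base name of file1, and checks the
    final extension against the allow-list."""
    for label, value in (("filepath", filepath_field), ("file1", file1_name)):
        if "\x00" in value:
            return False, f"NUL byte in {label}", None
    if filepath_field != EXPECTED_FILEPATH:
        # The hidden field was tampered with (e.g. a traversal or an .asp path).
        return False, "unexpected filepath value", None
    # Strip any directory part the client sent, whatever the separator.
    base = posixpath.basename(file1_name.replace("\\", "/"))
    ext = posixpath.splitext(base)[1].lower()
    if not base or ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext!r} not allowed", None
    return True, "ok", posixpath.join(UPLOAD_ROOT, base)
```

The legacy_truncate helper only shows why the 00 byte mattered; the fix is that validate_upload never lets the request reach the point where truncation could occur.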

With the above code in mind, let's fill in the upload tool:

In Action, enter the URL of the vulnerable upload file:

http://target.net/bbs/upfile.asp

In UPPATH, the first text box takes the form's filepath field name, that is, the upload path, and after the equals sign goes the name of the backdoor to be uploaded to the other side's server, /shell.asp. In the "type the web program allows to upload" text box the default jpg can be used (most sites allow uploading JPG images). In File, the first text box takes the form's file1 field name, and after the equals sign goes the local path of the Trojan to upload. In Cookies, paste the cookie value captured with a packet-capture tool such as WSockExpert; it is best to use the cookie of an account you registered on the system. Note: capturing the cookie with WSockExpert is a bit of a hassle; the author uses a browser called TouchNet Browser, which has a cookie-capture feature and is very convenient. Other programs that can capture cookies may also be considered.

OK, the "knife" has been sharpened, now let's go cut wood! Below we demonstrate upload vulnerabilities in script systems written in ASP, PHP and JSP!

ASP system upload vulnerability

1. [Mobile Network Forum (Dvbbs)]

DVBBS 7.0 SP2 and earlier (this test used DVBBS 7.0 SP1). Since the Dvbbs upload vulnerability is the most common and the most familiar, it will not be discussed further here. Fill the actual data into each box and wait for OK after submitting, as shown in Figure 2.

Action: fill in

http://www.***.com/bbs/upfile.asp

UPPATH: first text box: filepath; second box: /cmd.asp (you can also write /bbs/cmd.asp; after a successful upload the file goes to the /bbs directory!)

In the "type the web program allows to upload" text box, keep the default jpg.

File: first text box: file1; second box: D:/HackTools/muma/cmd.asp (this is the cmd.asp on your own machine, with its path)

Cookies: yes, I use the TouchNet Browser! This value is mainly used for verification; without it an error is reported! Fill it in! Now click the "Submit" button!!

After submitting, check with a browser whether it worked; the upload succeeded, as shown in Figure 3.

Backdoor introduction: a very old backdoor. After entering the DOS command "netstat -an" in the text box, you can see which ports are open and the connections with remote hosts ^_^

Tip: if the file uploaded successfully but no "Upload Success" dialog appears, open the WebShell path on the target site directly in the browser to test whether it worked; the program's own result is sometimes unreliable.

2. [Dust News System]

Dust News System 0.45 Finish and below (tested on V1.0 Access Finish). First search Google for the keywords "v1.0 access finish" and you will see a large pile of websites using this system; they are our targets!

First let's analyse how to fill in the parameters. Suppose a website is

http://www.xx.com/asfq/index.asp; then fill in like this:

Action:

http://www.xx.com/asfq/admin/uploadfaceok.asp

Vulnerability directory: /asfq/admin (note: be sure to add admin). The corresponding parameters are found in UploadFace.asp, whose content is as follows:

The parameters are filled in much as for Dvbbs!

Submit the data; the successful result is shown in Figures 4 and 5.

Backdoor introduction: a webpage Trojan by Shark is used. Before executing DOS commands you must upload C:/Winnt/System32/cmd.exe to the same directory as the webpage Trojan, otherwise commands will not execute! Many websites apply security policies, so DOS commands cannot be executed with the Trojan above; sometimes Shark's ASP Trojan can still run some DOS commands!

Tip: the vulnerable file generally does not change, but in some old versions of the Dust system it is UploadOK.asp; if UploadFaceOK.asp does not work, change it to UploadOK.asp.

3. [Dynamic download system]

Dynamic Download System XP Professional V1.3 Build 0112 and below. Search Baidu for "SoftView.asp?softid=" and you will find countless installations. Its Upload.asp contains the following form:

File location:

File type: GIF/JPG/ZIP/RAR, size limit: 3000k

Friends may already see the problem? This article does not analyse the specific vulnerability in detail; novice friends can first submit the parameters below and then study the specific vulnerability slowly! As shown in Figures 6 and 7.

Backdoor introduction: Ice Fox Langzi's mini ASP backdoor, a very small one-sentence backdoor that can also be inserted into other web pages. It integrates the common functions: writing to existing files, environment detection, disk information, and searching Network Neighborhood shares.

Tip: searching Baidu for "SoftView.asp?softid=" finds the Access version of the program; searching "/SoftView/SoftView" finds the SQL version.

4. [DXXO Forum]

DXXO Forum, released in January 2004. Its uploadface.asp file contains the following form:

This one differs a little from the previous vulnerabilities. In the first UPPATH text box the field is UPLOADFACEY instead of the filepath of the previous examples, and the cookie value must come from a registered account, otherwise it will not succeed! The specific parameters are shown in Figures 8 and 9 below.

Backdoor introduction: a very good Trojan that lets you write files on the target machine! In the text box for the absolute path of the saved file, enter the storage location and file name on the target machine; the absolute path is already given for reference. Paste the contents of the Trojan into the content box and click Save. OK!

Tip: here the file name displayed in the upper text box after the upload (underlined portion) does not appear in the left text box of Figure 8: