From Ad Mail to a Chicken Flock (Illustrated) - Vulnerability Research

Source: Internet
Author: User
Tags: flock
My personal mailbox has received cosmetics advertising mail many times. It did not look malicious, so I opened the link; it turned out to be a website selling cosmetics. It looked rather nice, but how secure was it? I had previously noted the Providence Business Network, but this site was unfamiliar and I could not tell what system it was built on (Figure 1).


Figure 1

Out of habit I looked for an upload function, but surprisingly found no place to upload pictures or anything else. Not giving up, I registered a user and still found nowhere to upload files or publish articles. To check for an injection vulnerability I appended a single quote (') to the URL and got the message "Do not enter illegal characters", which indicates that anti-injection filtering is in place. No matter, I appended "and 1=1" as well and got the same message (Figure 2).



Figure 2

Further up the page there was a forum, Dvbbs ("dynamic network") 7.0 SP2. I tried its upload page, but there was no upload vulnerability there. The site looked secure. However, the forum had only a few sections open, and the icons along the edge were still the unchanged Dvbbs defaults. The administrator seemed neither very professional nor very careful, so had the forum been installed with the defaults? I tried the default database name, and sure enough it hit: the database was the default Dvbbs7.mdb. After downloading it and opening it with a viewer, I looked in the Dv-log table: if the administrator has changed the password, that record may contain the plaintext password. Sure enough, the password was there (Figure 3).



Figure 3

Into the backend. Because SP2 does not allow uploads from the backend, I first posted in the forum and uploaded a picture file, then used the backend's database backup function to obtain a webshell, and finally deleted the post so as to leave no trace. Everyone is familiar with this method, so I will not say more; Figure 4 shows the operation records the site kept.



Figure 4

With the webshell I could do more. Viewing the database online with the "webmaster to promote 6.0" tool, the passwords were, surprisingly, in plaintext! I got into the backend smoothly, but still could not tell what system this was... depressing.

I used the webshell to try browsing and traversing the drives, but could not find the path, and executing commands gave no response; it seemed the host's security settings were not bad. Normally the intrusion would basically end here, but looking through the website's files I found that this system does have an upload vulnerability. It does upload files, just not through the usual upfile.asp; the pages are called upload_flash.asp and upfile_flash.asp (Figure 5).



Figure 5

Looking at its code, I found that the path is taken from the submitted form without any filtering, which means there is also an upload vulnerability. So I took out the veterans' universal upload tool and uploaded an ASP backdoor. It reported success, but I could not find the file; I tried several likely places without result. Accessing the page directly also reported success, so the success message was false (Figure 6).



Figure 6

Had the veterans' tools all gone wrong? Strange! So I decided to capture the packets and look. I will not describe the capture itself; the captured packet (the first part) is as follows:

POST /xshop/upfile_flash.asp HTTP/1.1
Accept:image/gif, Image/x-xbitmap, Image/jpeg, Image/pjpeg, Application/x-shockwave-flash, application/vnd.ms-excel , Application/vnd.ms-powerpoint, Application/msword, */*
Referer:http://www.hzlook.com/xshop/upload_flash.asp
Accept-language:zh-cn
Content-type:multipart/form-data; boundary=---------------------------7d4b89201ec
Accept-encoding:gzip, deflate
user-agent:mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; whcc/0.6. NET CLR 1.1.4322)
Host:www.hzlook.com
content-length:2002
Connection:keep-alive
Cache-control:no-cache
Cookie:aspsessionidsasdrtsd=daceikealocgcepdapnlflji; Boardlist=boardid=show
-----------------------------7d4b89201ec
Content-disposition:form-data; Name= "filepath"/
-----------------------------7d4b89201ec
Content-disposition:form-data; Name= "Filelx"
-----------------------------7d4b89201ec
Content-disposition:form-data; Name= "Editname"
-----------------------------7d4b89201ec
Content-disposition:form-data; Name= "FormName"
-----------------------------7d4b89201ec
Content-disposition:form-data; Name= "Act"
UploadFile
-----------------------------7d4b89201ec
Content-disposition:form-data; Name= "File1"; Filename= "G:\hk\2004\upshow.asp"
Content-type:text/plain
......


......

Next, of course, was to modify the packet: change the path parameter, change ASP to JPG with the corresponding adjustments, and submit it with NC. Surprisingly it replied "The file type cannot be uploaded!" Was it checking whether the file is really a picture? I uploaded a real picture file, which would also make it easy to learn where the files end up. Unexpectedly, even the real picture got "The file type cannot be uploaded!" This was strange; I had never seen a real picture rejected, so I had to read the code again. The key code was as follows:

If (filelx <> "SWF") And (filelx <> "JPG") Then
    Response.Write "This file type cannot be uploaded! [Re-upload]"
    Response.End
End If
............
If filelx = "JPG" Then
    If fileext <> "gif" And fileext <> "JPG" Then
        Response.Write "Can only upload images in jpg or GIF format!"
        Response.End
    End If
End If
' (the page's excerpt stops at the Response.Write line; the closing lines above are restored for readability)
So before the extension is judged there is an earlier check! It first looks at the file type field Filelx and only then at the extension fileext, one more check than Dvbbs has. In my captured packet Filelx was blank, so of course nothing could be uploaded; no wonder the veterans' tool did not work.
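The validation logic described above, modelled in Python as an added example (this is not code from the article or from the mall software it discusses). The first pair of functions reproduces what the page's ASP excerpt does: trust the client-supplied Filelx field, compare the literal extension, and build the save path from the client's filepath field, which the article says is taken from the request unfiltered. The hardened version trusts none of those: it derives the extension from the basename of the submitted name, checks it against an allowlist and the file's magic bytes, and stores the file under a server-generated name in a fixed directory. Field names and the boundary follow the captured request; the multipart bodies, the UPLOAD_DIR value and the MAGIC table are constructed for the example.

```python
"""Upload validation as the article describes it, beside a hardened version.
Added example; field names and boundary follow the page's capture, everything
else (UPLOAD_DIR, MAGIC, the bodies) is constructed for illustration."""
import re
import secrets
from pathlib import PurePosixPath, PureWindowsPath

BOUNDARY = b"---------------------------7d4b89201ec"   # boundary from the captured request
UPLOAD_DIR = PurePosixPath("/data/uploads")            # assumption: fixed, server-chosen directory
# Magic bytes for the three types the page's code admits (constructed table).
MAGIC = {"jpg": (b"\xff\xd8\xff",), "gif": (b"GIF87a", b"GIF89a"), "swf": (b"FWS", b"CWS")}


def build_body(fields, filename, content, file_field="File1"):
    """Build a constructed multipart/form-data body shaped like the capture on the page."""
    parts = []
    for name, value in fields.items():
        parts.append(b"--" + BOUNDARY + b'\r\nContent-Disposition: form-data; name="'
                     + name.encode() + b'"\r\n\r\n' + value.encode() + b"\r\n")
    parts.append(b"--" + BOUNDARY + b'\r\nContent-Disposition: form-data; name="'
                 + file_field.encode() + b'"; filename="' + filename.encode()
                 + b'"\r\nContent-Type: text/plain\r\n\r\n' + content + b"\r\n")
    parts.append(b"--" + BOUNDARY + b"--\r\n")
    return b"".join(parts)


def parse_multipart(body):
    """Minimal multipart parser: (fields: name -> str, files: name -> (filename, bytes))."""
    fields, files = {}, {}
    for chunk in body.split(b"--" + BOUNDARY):
        chunk = chunk.removeprefix(b"\r\n").removesuffix(b"\r\n")
        if not chunk or chunk == b"--":      # preamble / closing delimiter
            continue
        head, _, data = chunk.partition(b"\r\n\r\n")
        name = re.search(rb'name="([^"]*)"', head).group(1).decode()
        fn = re.search(rb'filename="([^"]*)"', head)
        if fn:
            files[name] = (fn.group(1).decode(), data)
        else:
            fields[name] = data.decode()
    return fields, files


def original_check(fields, files):
    """Models the page's ASP excerpt: trust Filelx, compare the literal extension
    exactly as the excerpt does, and take the save path from the client's filepath field."""
    filelx = fields.get("Filelx", "")
    if filelx not in ("SWF", "JPG"):
        return None, "This file type cannot be uploaded!"
    filename, _ = files["File1"]
    fileext = filename.rsplit(".", 1)[1] if "." in filename else ""
    if filelx == "JPG" and fileext not in ("gif", "JPG"):
        return None, "Can only upload images in jpg or GIF format!"
    return fields.get("filepath", "") + filename, "ok"     # client-controlled path


def hardened_check(fields, files):
    """Trust nothing from the client: Filelx and filepath are ignored, the extension
    comes from the basename only, must be allowlisted and must match the magic bytes,
    and the stored name is generated by the server inside a fixed directory."""
    if "File1" not in files:
        return None, "no file"
    filename, data = files["File1"]
    # Basename for both separators: the capture's name is a Windows path (G:\hk\...).
    base = PureWindowsPath(PurePosixPath(filename).name).name
    ext = base.rsplit(".", 1)[1].lower() if "." in base else ""
    ext = "jpg" if ext == "jpeg" else ext
    if ext not in MAGIC:
        return None, "extension not allowed"
    if not data.startswith(MAGIC[ext]):
        return None, "content does not match extension"
    stored = UPLOAD_DIR / f"{secrets.token_hex(16)}.{ext}"
    return str(stored), "ok"
```

With Filelx blank, as in the page's capture, the modelled check returns the same "This file type cannot be uploaded!" the author saw; with a valid picture the modelled check still writes to whatever path the client supplied, while the hardened check ignores that field entirely.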

Having found the reason, I modified the packet: in the "Content-Disposition: form-data; Name="Filelx"" part I added "JPG", made the corresponding adjustments, and finally the upload with NC succeeded!

This looked like a new vulnerability, but I still did not know what system it was. A keyword search turned up a large number of online mall sites; I looked at a few, still with no hint of the system, though some had backends that looked the same as Dvbbs. Trying those sites, they also had these two upload files, and ASP files could also be uploaded with NC. That was too much trouble, so I wrote an upload tool: find one, upload to one, and soon I had a lot of web chickens (Figure 7).
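Since the article says many sites running this mall software expose the same two upload pages, a site operator's first question is whether the pattern has already been used against them. The following added example (not the article's tool, nor anything from the mall software) scans IIS W3C-format log lines for a client that POSTs to one of the two upload handlers named on the page and then, within a short window, requests a server-side script path that is not part of the known application. The log lines are constructed for the example; the field set, the script-extension list, the baseline of legitimate pages and the window are assumptions to adjust per server.

```python
"""Detecting upload-then-execute in IIS logs. Added example: handler names come
from the page, the log lines and all thresholds are constructed assumptions."""
from datetime import datetime, timedelta

UPLOAD_HANDLERS = {"/xshop/upfile_flash.asp", "/xshop/upload_flash.asp"}   # names from the page
SCRIPT_EXTS = (".asp", ".asa", ".cer", ".cdx", ".aspx")   # assumption: IIS script mappings on this host
# Assumed baseline of legitimate application pages; any other script path is unexpected.
BASELINE = {"/xshop/index.asp", "/xshop/upload_flash.asp", "/xshop/upfile_flash.asp"}

# Constructed sample in W3C extended format (a reduced field set for the example).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2004-06-01 10:00:01 GET /xshop/upload_flash.asp - 10.0.0.5 200
2004-06-01 10:00:03 POST /xshop/upfile_flash.asp - 10.0.0.5 200
2004-06-01 10:00:09 GET /xshop/upload/upshow.asp - 10.0.0.5 200
2004-06-01 10:05:00 GET /xshop/index.asp - 10.0.0.9 200
2004-06-01 10:06:00 POST /xshop/upfile_flash.asp - 10.0.0.9 200
2004-06-01 10:06:30 GET /xshop/upload/pic.jpg - 10.0.0.9 200
2004-06-01 11:30:00 GET /xshop/upload/upshow.asp - 10.0.0.5 200
"""


def parse_w3c(text):
    """Yield one dict per record, mapping columns by the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue   # malformed line: skip rather than mis-map columns
        rec = dict(zip(fields, values))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        yield rec


def is_unexpected_script(uri):
    """A request for a server-side script that is not one of the known application pages."""
    uri = uri.lower()
    return uri.endswith(SCRIPT_EXTS) and uri not in BASELINE


def find_suspicious(text, window=timedelta(minutes=10)):
    """Return (correlated, unexpected). correlated: unexpected script requests made by a
    client within `window` after that client's POST to an upload handler (strong signal).
    unexpected: every unexpected script request regardless of timing (for triage)."""
    last_upload = {}
    correlated, unexpected = [], []
    for rec in parse_w3c(text):
        ip, uri, ts = rec["c-ip"], rec["cs-uri-stem"], rec["ts"]
        if rec["cs-method"] == "POST" and uri.lower() in UPLOAD_HANDLERS:
            last_upload[ip] = ts
            continue
        if is_unexpected_script(uri):
            hit = (ip, uri, ts.isoformat())
            unexpected.append(hit)
            if ip in last_upload and ts - last_upload[ip] <= window:
                correlated.append(hit)
    return correlated, unexpected


if __name__ == "__main__":
    for kind, hits in zip(("correlated", "unexpected"), find_suspicious(SAMPLE_LOG)):
        for hit in hits:
            print(kind, *hit)
```

On the sample, the 10:00:09 request is flagged as correlated because it follows the same client's upload POST by six seconds; the 11:30 request to the same path is outside the window and appears only in the unexpected list, which is still worth reviewing because that path should not exist at all.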



Figure 7

In particular, one virtual host allowed the drives to be traversed and commands to be executed; dozens of sites were in hand, and port 3389 was open as well. Of course I would not let that go (Figure 8).



Figure 8

Before writing this article I deliberately searched the Internet for sites like this one. Some are called Autumn Leaf Mall and some Dynamic Mall, and all have this upload vulnerability. Perhaps because the earlier upload tools did not work on it, this vulnerability was found later than other upload holes; so far there has been no upload tool for it, so here is my upload tool for everyone. Don't thank me too much, hehe!

The content of this page comes from the Internet and does not represent Alibaba Cloud's opinion; the products and services mentioned on it have no relationship with Alibaba Cloud.