Grand 180-day penetration documentary Chapter 5. Unintentional plug-in Liu chengmeng (a website upload vulnerability caused the server..., involving some user files)

Wondering, is there also an xss vulnerability ..?

 

With a try, I came to Shanda customer service.

 

Select network reception ..

 

In the queue, the hands shake .. Click to view the source file...

 

In the process of turning down, a line of shiny upload code was suddenly displayed ..

 

So followed the code to the http://chjd.sdo.com/uploadimage.aspx

Select an image named genimg.jpg and upload it successfully. The returned address is:

Picture File Uploaded to http://img. OS .sdo.com/

 

So let's take a look at the win2003 system.

 

Enter the file name after the address and add the suffix asp for access without any restrictions.

When you return to the image, you can see the upload rules. The original file name is .jpg.

 

A malformed file name is constructed to test whether the IIS parsing vulnerability exists ..

 

After uploading the file, go to img. OS .sdo.com and check whether the cute execute error is returned ..

Kitchen Knife connection...

Database Information

 



It seems that this is the data upload site for gamers to consult customer service. It contains a large number of users to upload information, such as ID cards.

Once obtained by criminals, the consequences will be severe...
 

Solution:

It seems that this is the data upload site for gamers to consult customer service. It contains a large number of users to upload information, such as ID cards.

Once obtained by criminals, the consequences will be severe...

 

· The upload server strictly sets the execution permission

· Find and confirm whether there are web trojans on the server

· Modify the Database Password in this example

· Pay attention to naming rules for uploaded files