Intrusion example: the Step High website

Intruding the Step High website
2004-10-09 13:05
Actually, this is not a new hole. I broke into the Step High website a while ago; my studies have been intense recently, so I had not released it.

Everybody go to http://www.cnbbk.com/hacked.htm and have a look. Maybe the page is still there.

The main idea is to use injection to get the admin account and password, then log in to the management page, upload an ASP Trojan, and get a webshell.

Now I'll teach you the method for large-scale intrusion of this kind of system. I hope you won't do any damage! Otherwise it has nothing to do with me!!!

Preparation: the conditions are a calm mind, and don't do anything immoral.


Ok began to  us on Google  search productshow.asp?id=331331 is what number can be seen a lot of  site  Basic can invade  are online mall whole station program system

Then inject to get the account and password. For logging in, the login address that injection tools sweep to is Login.asp; that one is false. The real one is admin/login.asp. That's fine; after entering, click "upload file" and upload your ASP Trojan.
The uploaded file name is your Trojan's file name, under file/. It's that simple.
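The chain described above leaves three traces in the web server log: requests to productshow.asp whose id parameter is not a plain integer, a POST to the upload handler, and then a request for a script under /file/, where the system only ever writes pictures. The following is an added detection example, not part of the original post: it parses constructed IIS W3C log lines (the field order is the one declared in the #Fields line; nothing here is a real capture) and flags client addresses that both probed the injection point and then fetched a script from the upload directory.

```python
"""Detection sketch for the injection-then-upload chain (added example)."""
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed sample log in IIS W3C extended format; "-" means no query string.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-10-09 13:01:02 10.0.0.7 GET /productshow.asp id=331 200
2004-10-09 13:01:09 10.0.0.7 GET /productshow.asp id=331' 500
2004-10-09 13:01:31 10.0.0.7 GET /productshow.asp id=331%20and%201=1 200
2004-10-09 13:03:50 10.0.0.7 POST /admin/savefile.asp - 200
2004-10-09 13:04:02 10.0.0.7 GET /file/shell.asp - 200
2004-10-09 13:04:30 10.0.0.9 GET /productshow.asp id=42 200
2004-10-09 13:05:11 10.0.0.9 GET /file/img_news_1.jpg - 200
"""

# Extensions IIS of that era hands to the ASP engine; nothing in /file/ should use them.
SCRIPT_EXTS = (".asp", ".asa", ".cer", ".cdx", ".aspx")


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields names."""
    fields, events = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue                      # malformed line: skip rather than guess
        events.append(dict(zip(fields, parts)))
    return events


def id_param_is_numeric(query):
    """True when every id value is a plain integer, which is all productshow.asp expects."""
    if query == "-":
        return True
    params = parse_qs(query, keep_blank_values=True)   # also URL-decodes %20 etc.
    return all(v.isdigit() for v in params.get("id", []))


def injection_probes(events):
    """Requests to productshow.asp whose id parameter is not a plain integer."""
    return [e for e in events
            if e["cs-uri-stem"].lower().endswith("/productshow.asp")
            and not id_param_is_numeric(e["cs-uri-query"])]


def script_in_upload_dir(events):
    """Requests for server-side scripts under /file/, where only pictures belong."""
    return [e for e in events
            if e["cs-uri-stem"].lower().startswith("/file/")
            and e["cs-uri-stem"].lower().endswith(SCRIPT_EXTS)]


def correlate(events):
    """Client IPs that probed the injection point and later hit a script under /file/."""
    probes = defaultdict(int)
    for e in injection_probes(events):
        probes[e["c-ip"]] += 1
    suspects = {}
    for e in script_in_upload_dir(events):
        if e["c-ip"] in probes:
            suspects[e["c-ip"]] = {"probes": probes[e["c-ip"]], "script": e["cs-uri-stem"]}
    return suspects


if __name__ == "__main__":
    evts = parse_w3c(SAMPLE_LOG)
    for ip, info in correlate(evts).items():
        print("ALERT %s: %d injection probes, then %s" % (ip, info["probes"], info["script"]))
```

The numeric check on id is deliberately generic: it needs no list of payload strings, because the application's own contract (an integer product id) defines what normal traffic looks like. The second rule is the cheaper one to keep running on its own, since a request for any script under a pictures directory is suspicious regardless of what preceded it.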



---------------------------Attached: the system's ASP upload files. Have a look at whether there is another way to upload when uploading is blocked ——---------------

---------addfile.asp---------

<!--#include file="checkuser.asp"-->
<title>Upload Pictures</title>
<meta http-equiv="Content-type" content="text/html; charset=gb2312">
<link rel="stylesheet" href="../main.css" type="text/css">

<body bgcolor="#9CC7EF" text="#000000" leftmargin="0" topmargin="3">
<br>
<br>
<br>
<br>
<br>
<form method="POST" action="savefile.asp" name="form1" enctype="multipart/form-data">
<table width="80%" border="1" bordercolordark=#9CC7EF bordercolorlight=#145AA0 cellspacing="0" cellpadding="4" align="center">
<tr>
<td bgcolor="#74B0ED">
<div align="center"><font color="#FFFFFF">Upload file</font></div>
</td>
</tr>
<tr>
<td>
<div align="center">
<input type="file" name="File1">
<input type="submit" name="submit" value="Upload">
</div>
</td>
</tr>
<tr>
<td bgcolor="#74B0ED">
<div align="center"></div>
</td>
</tr>
</table>
</form>
<table width="80%" border="1" bordercolordark=#9CC7EF bordercolorlight=#145AA0 cellspacing="0" cellpadding="4" align="center">
<tr>
<td bgcolor="#74B0ED">
<div align="center"><font color="#FFFFFF">Usage instructions</font></div>
</td>
</tr>
<tr>
<td>1. This page is to make it convenient for you to upload some files (such as the pictures linked in a news release);<br>
2. Files uploaded through this page are saved in the /file/ directory, and files with the same name are unconditionally overwritten, so use meaningful file names to avoid files being overwritten by files of the same name. For example, two files (pictures) uploaded on November 20, 2001 and used in the news item "Jiang Zemin pays a cordial visit to our company" would be named Img_news_20011020_jiangzemin_1.jpg and Img_news_20011020_jiangzemin_2.jpg before uploading;<br>
3. For other upload operations, please use the FTP provided by the service provider.</td>
</tr>
<tr>
<td bgcolor="#74B0ED">
<div align="center"></div>
</td>
</tr>
</table>
</body>


------------------checkuser.asp----------------
<%
' Only a session whose UserClass is 1 or higher may use the upload pages.
If Not Session("UserClass") >= 1 Then %>
<script language=javascript>
<!--
alert("Your permissions are invalid, please login again!");
window.history.go(-1);
-->
</script>
<%
Response.End
End If
%>






-----------savefile.asp---------

<!--#include file="../include/upload.asp"-->
<!--#include file="checkuser.asp"-->
<%
Set upload = New Upload_5xsoft
Set file = upload.file("File1")
formpath = "../file/"
' The client-supplied file name is used as-is: there is no check on the
' extension, the content or the name before it is written under ../file/.
If file.FileSize > 0 Then    ' FileSize > 0 means file data was sent
    filename = file.FileName
    file.SaveAs Server.MapPath(formpath & filename)    ' save file
End If

Set file = Nothing
Set upload = Nothing
%>
<script language=javascript>
<!--
alert("File upload success!");
window.location = "addfile.asp";
-->
</script>
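savefile.asp saves whatever name the browser sent, minus the Windows path, with no check on the extension, the content or whether a file of that name already exists. The following is an added example, not the system's own code, of the checks that step is missing: it keeps GetFileName's behaviour of taking the part after the last backslash, then applies an extension allowlist (the page title says "Upload Pictures"), a magic-byte check against the claimed format and a refusal to overwrite. It is written in Python rather than the page's VBScript so it runs stand-alone; the function names and sample inputs are constructed for this example.

```python
"""Hardened counterpart to the save step in savefile.asp (added example)."""
import re

ALLOWED_EXTS = {"jpg", "jpeg", "gif", "png"}          # the page only promises pictures
MAGIC = {                                              # leading bytes per format
    "jpg": (b"\xff\xd8\xff",), "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
}
# One dot, plain characters: blocks separators, double extensions and path tricks.
NAME_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9]+$")


def original_filename(client_path):
    """What 5xsoft's GetFileName returns: everything after the last backslash.
    Old browsers send the full client path, e.g. C:\\pics\\x.jpg."""
    return client_path.rsplit("\\", 1)[-1]


def validate_upload(client_path, data, existing_names=frozenset()):
    """Decide whether an upload may be written under the pictures directory.

    Returns (accepted, reason, server_name); server_name is None when rejected.
    existing_names is the set of names already in the directory (constructed
    here by the caller; on a real server it would be a directory listing)."""
    name = original_filename(client_path).rsplit("/", 1)[-1]   # also strip forward slashes
    if not name:
        return False, "empty file name", None
    if not data:
        return False, "empty file", None
    if not NAME_RE.match(name):
        return False, "file name has unexpected characters or more than one dot", None
    ext = name.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_EXTS:
        return False, "extension ." + ext + " is not an allowed picture type", None
    if not data.startswith(MAGIC[ext]):
        return False, "content does not look like a ." + ext + " picture", None
    if name.lower() in {n.lower() for n in existing_names}:
        return False, "a file with this name already exists", None
    return True, "ok", name


if __name__ == "__main__":
    # Constructed inputs: a JPEG header and a script file claiming a picture name.
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16
    print(validate_upload("C:\\pics\\img_news_1.jpg", jpeg))
    print(validate_upload("C:\\tmp\\fake.gif", b"<% ' server script %>"))
```

The overwrite refusal replaces the page's own advice to "use some meaningful file names": the server, not the uploader, should guarantee that an existing picture is never silently replaced.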



---------------------upload.asp---------------
<script runat=server language=vbscript>

'''''''''''''''''''''''''''''''''''''''''''''''''
'
' Please keep this information: Shell Dragon modified http://www.5dgame.com
'
'''''''''''''''''''''''''''''''''''''''''''''''''

Dim upfile_5xsoft_stream

Class Upload_5xsoft

  Dim form, file, version

  ' Read the whole request body into an ADODB.Stream and split it into
  ' form fields and files along the multipart boundary.
  Private Sub Class_Initialize
    Dim istart, ifilenamestart, ifilenameend, iend, vbenter, iformstart, iformend, thefile
    Dim strdiv, mformname, mformvalue, mfilename, mfilesize, mfilepath, idivlen, mstr
    version = ""
    If Request.TotalBytes < 1 Then Exit Sub
    Set form = CreateObject("Scripting.Dictionary")
    Set file = CreateObject("Scripting.Dictionary")
    Set upfile_5xsoft_stream = CreateObject("ADODB.Stream")
    upfile_5xsoft_stream.Mode = 3
    upfile_5xsoft_stream.Type = 1
    upfile_5xsoft_stream.Open
    upfile_5xsoft_stream.Write Request.BinaryRead(Request.TotalBytes)

    vbenter = Chr(13) & Chr(10)
    idivlen = instring(1, vbenter) + 1        ' length of the boundary line including CRLF
    strdiv = substring(1, idivlen)            ' the boundary line itself
    iformstart = idivlen
    iformend = instring(iformstart, strdiv) - 1
    While iformstart < iformend
      istart = instring(iformstart, "name=""")
      iend = instring(istart + 6, """")
      mformname = substring(istart + 6, iend - istart - 6)
      ifilenamestart = instring(iend + 1, "filename=""")
      If ifilenamestart > 0 And ifilenamestart < iformend Then
        ' a file part: record where its bytes start and how long they are
        ifilenameend = instring(ifilenamestart + 10, """")
        mfilename = substring(ifilenamestart + 10, ifilenameend - ifilenamestart - 10)
        istart = instring(ifilenameend + 1, vbenter & vbenter)
        iend = instring(istart + 4, vbenter & strdiv)
        If iend > istart Then
          mfilesize = iend - istart - 4
        Else
          mfilesize = 0
        End If
        Set thefile = New FileInfo
        thefile.filename = GetFileName(mfilename)
        thefile.filepath = GetFilePath(mfilename)
        thefile.filesize = mfilesize
        thefile.filestart = istart + 4
        thefile.formname = mformname
        file.Add mformname, thefile
      Else
        ' an ordinary form field: copy its value out of the stream
        istart = instring(iend + 1, vbenter & vbenter)
        iend = instring(istart + 4, vbenter & strdiv)
        If iend > istart Then
          mformvalue = substring(istart + 4, iend - istart - 4)
        Else
          mformvalue = ""
        End If
        form.Add mformname, mformvalue
      End If

      iformstart = iformend + idivlen
      iformend = instring(iformstart, strdiv) - 1
    Wend
  End Sub

  ' Read thelen characters from the stream starting at thestart (1-based),
  ' joining the two bytes of a double-byte (GB) character.
  Private Function substring(thestart, thelen)
    Dim i, c, stemp
    upfile_5xsoft_stream.Position = thestart - 1
    stemp = ""
    For i = 1 To thelen
      If upfile_5xsoft_stream.EOS Then Exit For
      c = AscB(upfile_5xsoft_stream.Read(1))
      If c > 127 Then
        If upfile_5xsoft_stream.EOS Then Exit For
        stemp = stemp & Chr(AscW(ChrB(AscB(upfile_5xsoft_stream.Read(1))) & ChrB(c)))
        i = i + 1
      Else
        stemp = stemp & Chr(c)
      End If
    Next
    substring = stemp
  End Function

  ' 1-based position of varstr in the stream at or after thestart; 0 if absent.
  Private Function instring(thestart, varstr)
    Dim i, j, bt, thelen, str
    instring = 0
    str = ToByte(varstr)
    thelen = LenB(str)
    For i = thestart To upfile_5xsoft_stream.Size - thelen
      If i > upfile_5xsoft_stream.Size Then Exit Function
      upfile_5xsoft_stream.Position = i - 1
      If AscB(upfile_5xsoft_stream.Read(1)) = AscB(MidB(str, 1)) Then
        instring = i
        For j = 2 To thelen
          If upfile_5xsoft_stream.EOS Then
            instring = 0
            Exit For
          End If
          If AscB(upfile_5xsoft_stream.Read(1)) <> AscB(MidB(str, j, 1)) Then
            instring = 0
            Exit For
          End If
        Next
        If instring <> 0 Then Exit Function
      End If
    Next
  End Function

  Private Sub Class_Terminate
    form.RemoveAll
    file.RemoveAll
    Set form = Nothing
    Set file = Nothing
    upfile_5xsoft_stream.Close
    Set upfile_5xsoft_stream = Nothing
  End Sub

  ' Everything up to and including the last backslash of the client path.
  Private Function GetFilePath(fullpath)
    If fullpath <> "" Then
      GetFilePath = Left(fullpath, InStrRev(fullpath, "\"))
    Else
      GetFilePath = ""
    End If
  End Function

  ' Everything after the last backslash of the client path: the name that is saved.
  Private Function GetFileName(fullpath)
    If fullpath <> "" Then
      GetFileName = Mid(fullpath, InStrRev(fullpath, "\") + 1)
    Else
      GetFileName = ""
    End If
  End Function

  ' Convert a string to a byte string, splitting double-byte characters.
  Private Function ToByte(str)
    Dim i, icode, c, ilow, ihigh
    ToByte = ""
    For i = 1 To Len(str)
      c = Mid(str, i, 1)
      icode = Asc(c)
      If icode < 0 Then icode = icode + 65535
      If icode > 255 Then
        ilow = Left(Hex(Asc(c)), 2)
        ihigh = Right(Hex(Asc(c)), 2)
        ToByte = ToByte & ChrB("&h" & ilow) & ChrB("&h" & ihigh)
      Else
        ToByte = ToByte & ChrB(AscB(c))
      End If
    Next
  End Function
End Class


Class FileInfo
  Dim formname, filename, filepath, filesize, filestart

  Private Sub Class_Initialize
    filename = ""
    filepath = ""
    filesize = 0
    filestart = 0
    formname = ""
  End Sub

  ' Copy the file's bytes out of the request stream to fullpath.
  ' Returns 0 on success, 1 if nothing was written. The only check on the
  ' destination is that it is not empty and does not end in "/".
  Public Function SaveAs(fullpath)
    Dim dr, errorchar, i
    SaveAs = 1
    If Trim(fullpath) = "" Or filesize = 0 Or filestart = 0 Or filename = "" Then Exit Function
    If filestart = 0 Or Right(fullpath, 1) = "/" Then Exit Function
    Set dr = CreateObject("ADODB.Stream")
    dr.Mode = 3
    dr.Type = 1
    dr.Open
    upfile_5xsoft_stream.Position = filestart - 1
    upfile_5xsoft_stream.CopyTo dr, filesize
    dr.SaveToFile fullpath, 2
    dr.Close
    Set dr = Nothing
    SaveAs = 0
  End Function
End Class
</script>

--------------Above are the system's upload files. Let's see whether there is another hole------
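Upload_5xsoft above locates parts by scanning the raw request body: the first line is taken as the boundary, each part's Content-Disposition yields the field name and (for files) the client path, and the bytes between the blank line and the next boundary are the value. The following is an added example, not the class's code, that implements the same algorithm in Python over bytes instead of an ADODB.Stream, so a reader can see exactly what GetFileName and GetFilePath receive. The body builder and its boundary value are constructed for the example; unlike the class, the parser recognises the closing `--boundary--` line explicitly.

```python
"""Multipart/form-data parsing as Upload_5xsoft does it (added example)."""
import re

CRLF = b"\r\n"


def build_body(boundary, parts):
    """Assemble a multipart/form-data body (constructed test input, not a capture).
    parts: list of (field_name, client_path_or_None, bytes)."""
    out = b""
    for name, client_path, data in parts:
        out += b"--" + boundary + CRLF
        disp = b'Content-Disposition: form-data; name="' + name.encode() + b'"'
        if client_path is not None:
            disp += b'; filename="' + client_path.encode("latin-1") + b'"'
            out += disp + CRLF + b"Content-Type: application/octet-stream" + CRLF + CRLF
        else:
            out += disp + CRLF + CRLF
        out += data + CRLF
    return out + b"--" + boundary + b"--" + CRLF


def parse_multipart(body):
    """Return (form, files): form maps field name to string value; files maps
    field name to a dict with the same members as the class's FileInfo."""
    first_eol = body.find(CRLF)
    if first_eol < 0:
        raise ValueError("no boundary line")
    delimiter = CRLF + body[:first_eol]          # "\r\n--xxxx": what ends each part
    form, files = {}, {}
    pos = first_eol + 2                          # start of the first part's headers
    while True:
        nxt = body.find(delimiter, pos)
        if nxt < 0:
            raise ValueError("unterminated part")
        part = body[pos:nxt]
        head_end = part.find(CRLF + CRLF)
        if head_end < 0:
            raise ValueError("part without header block")
        header, content = part[:head_end], part[head_end + 4:]
        m = re.search(rb'[; ]name="([^"]*)"', header)   # field name, not filename=
        name = m.group(1).decode("latin-1") if m else ""
        fm = re.search(rb'filename="([^"]*)"', header)
        if fm:
            client_path = fm.group(1).decode("latin-1")
            files[name] = {
                "filename": client_path.rsplit("\\", 1)[-1],             # GetFileName
                "filepath": client_path[:client_path.rfind("\\") + 1],   # GetFilePath
                "filesize": len(content),
                "data": content,
            }
        else:
            form[name] = content.decode("latin-1")
        after = body[nxt + len(delimiter):nxt + len(delimiter) + 2]
        if after == b"--":                       # closing delimiter "--xxxx--"
            break
        pos = nxt + len(delimiter) + 2           # skip the CRLF ending the boundary line
    return form, files


# Constructed request body: a picture from an old browser (full client path) and
# the submit button, as addfile.asp's form would send them.
SAMPLE_BODY = build_body(b"7d9f1a2b3c", [
    ("File1", "C:\\pics\\img_news_1.jpg", b"\xff\xd8\xff\xe0JFIF-bytes"),
    ("submit", None, b"Upload"),
])

if __name__ == "__main__":
    form, files = parse_multipart(SAMPLE_BODY)
    print(form)
    print({k: (v["filename"], v["filepath"], v["filesize"]) for k, v in files.items()})
```

Note that "filename" is whatever the client put in the Content-Disposition header; the parser is faithful to it, which is exactly why savefile.asp needs a policy check before using it as a path component.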



------------by Creek, from Cutting-Edge Alliance





