Summary of web Trojan (webshell) upload methods

Source: Internet
Author: User
Tags ultraedit

I. '\0' upload vulnerability + nc packet-capture upload:

The upload vulnerability in this whole process is mainly caused by the handling of the '\0' character, which is used as the end-of-string marker.

The basic principle: although web programs prohibit uploading files with .asp and similar extensions, they all allow uploading .jpg and .gif files. So if you construct the data packet yourself with FormPath = UploadFile/shell.asp'\0'.jpg, the characters after '\0' are truncated, because when the computer encounters the '\0' character it considers the string to be over. In this way an ASP Trojan named shell.asp is uploaded to the server; this will not be repeated later.

A webshell is very powerful. The intrusion process is as follows:
Requirements: at least the tools NC, WinSock Expert and UltraEdit, plus a webshell program.
- nc.exe (netcat): a telnet variant, a sniffer, the Swiss army knife of network security!
- WinSock Expert: a packet capture tool that can intercept the data streams of network communication.
- UltraEdit: ...no need to say more, everyone knows it -_-!
- Webshell: Trojan programs written in ASP, PHP and so on.

1. Step 1: open the target system and upload the webshell.asp file while WinSock Expert is monitoring; in WinSock Expert, save the intercepted data stream as a text file (all content under the two send statements, including the blank lines produced by carriage returns).
2. Use UltraEdit to modify the key part of the text file: in filename="C:\test\webshell.asp", add one space and .jpg after webshell.asp, then switch to hex editing mode, change the hex value of the space from 20 to 00, and increase Content-Length by 5 (one character counts as one byte; ' .jpg' is five bytes).
3. Now nc comes on stage! Command: nc -vv www.xxx.com 80 < 1.txt

Note: this method seems to be applicable to earlier versions of IIS.

II. Upload the file: needless to say, the favorite of tool users. Uploading is easy and done online. The key is to find the vulnerable page. The upload type is usually an asp page (also php, aspx, and so on). It can take out vulnerabilities in a few major CMSs, so do not underestimate it.

III. Local upload vulnerability. Filtered by JavaScript? It doesn't matter: create an upload page (exp) locally, with its action pointing to the upload page. Sometimes the cookie is verified. That doesn't matter either: capture and modify the packet with Wireshark or Tamper Data, and encryption is useless. It is not as good as modifying the page code in the browser, or using nc.

IV. Upload filtering: the upload type is filtered, generally by file suffix. The allowed upload types are jpg | png | gif | rar | tar | doc | txt | and so on.

I have summarized the following methods (additions are welcome):

1. IIS 6.0 truncation vulnerability.

Example: the name of the Trojan or pony to be uploaded is 1.jpg;.asp or 1.jpg;.2.asp. Some people say 1.asp;.jpg and so on, but I have never succeeded with that one.

Let me explain: ";" causes truncation when the name is parsed by IIS 6.0, and nothing after it is read. Therefore the type is judged to be jpg.
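A server-side filename check that closes off the '\0' trick from the first section and the ';' names in the IIS 6.0 item above, as an added example that is not part of the original article. The allow-list, the function names and the sample names are assumptions made for the illustration; the client's name is only validated, and the file is stored under a server-generated name.

```python
import re
import uuid

# Assumed allow-list for this example; adjust to the application's real needs.
ALLOWED_EXT = {"jpg", "png", "gif"}
# NUL/control bytes, ';', ':' and path separators have all been treated as
# terminators or delimiters by some parser; '%' blocks encoded forms like %00.
FORBIDDEN = re.compile(r"[\x00-\x1f;:/\\%]")


def safe_upload_name(client_name: str) -> str:
    """Validate a client-supplied filename and return a server-generated one.

    The client's name is inspected but never used to build the storage path,
    so whatever a downstream parser would do with it no longer matters.
    """
    if FORBIDDEN.search(client_name):
        raise ValueError("forbidden character in filename")
    parts = client_name.split(".")
    # Exactly one dot: rejects 'a.asp.jpg', trailing dots, extensionless names.
    if len(parts) != 2 or not parts[0]:
        raise ValueError("filename must have exactly one extension")
    ext = parts[1].lower()
    if ext not in ALLOWED_EXT:
        raise ValueError("extension not on the allow-list")
    return f"{uuid.uuid4().hex}.{ext}"


def verdicts(names):
    """Map each name to 'accepted' or to the rejection reason."""
    out = {}
    for name in names:
        try:
            safe_upload_name(name)
            out[name] = "accepted"
        except ValueError as exc:
            out[name] = str(exc)
    return out


# Constructed sample names, following the patterns this page describes.
SAMPLES = ["photo.jpg", "shell.asp\x00.jpg", "1.jpg;.asp", "1.asp;1.html",
           "shell.asp .jpg", "C:\\test\\webshell.asp", "a.asp.jpg"]

if __name__ == "__main__":
    for name, verdict in verdicts(SAMPLES).items():
        print(f"{name!r:28} {verdict}")
```

The check has to run on the server: the JavaScript filtering mentioned in section III is bypassed by anyone who builds the request by hand.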

2. The upload type is determined from the binary file header.

UltraEdit... I don't know which bastard suggested that. Isn't it more convenient to open the file in Notepad and add the header directly?

Still, a list of file header identifiers is attached below; its accuracy is not guaranteed.

{

1. JPEG/JPG
- File header ID (2 bytes): $ff, $d8 (SOI) (JPEG file ID)
- End ID (2 bytes): $ff, $d9 (EOI)

2. TGA
- Uncompressed: first 5 bytes 00 00 02 00
- RLE compressed: first 5 bytes 00 00 10 00

3. PNG
- File header ID (8 bytes): 89 50 4E 47 0D 0A 1A 0A

4. GIF
- File header ID (6 bytes): 47 49 46 38 39 (37) 61
  G I F 8 9 (7) a

Gif89a is transparent

Gif87a transparent

5. BMP
- File header ID (2 bytes): 42 4D
  B M

6. PCX
- File header ID (1 byte): 0A

7. TIFF
- File header ID (2 bytes): 4D 4D or 49 49

8. ICO
- File header ID (8 bytes): 00 00 01 00 20 20

9. CUR
- File header ID (8 bytes): 00 00 02 00 01 00 20 20

10. IFF
- File header ID (4 bytes): 46 4F 52 4D
  F O R M

11. ANI
- File header ID (4 bytes): 52 49 46 46
  R I F F

Based on this collection of file header identifiers, I can write a module that identifies image formats. Before writing the module, though, the collected file header identifiers can be trimmed down to minimize the number of comparisons in the program.
1. For JPEG, we know we only need to compare the $ff and $d8 bytes in the file header, without reading the two end identifier bytes.
2. For TGA, ICO and CUR, you only need to compare the third and fifth bytes.
3. For PNG, compare [89] [50].
4. For GIF, compare [47] [49] [46] and the fifth byte.

I won't say much more about it. I use a memory stream to determine the file format; the first few bytes of a file can be used to determine its type, for example:

A jpg file is FFD8 (from low byte to high byte; reversed it is D8FF, likewise below).

A BMP file is BM --- 4D42

}

Modify the binary file header, or add the code directly in Notepad.

Most of the time, this kind of upload check does not check the suffix. But there are also some unusually strict websites.
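Why a header-only check is weak, as an added example that is not from the original article: the first function is the check described above, the second also looks for script openers in the body. The magic bytes are the ones listed on this page; the marker list, the function names and the sample bytes are constructed for the illustration.

```python
# Magic bytes for the allow-listed image types, as listed on this page.
MAGIC = {
    "jpg": (b"\xff\xd8",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Assumed marker list: openers of server-side or browser script blocks.
SCRIPT_MARKERS = (b"<%", b"<?php", b"<script")


def header_only_check(ext: str, data: bytes) -> bool:
    """The check described above: trust the file if its first bytes match."""
    return data.startswith(MAGIC.get(ext, ()))


def inspect_upload(ext: str, data: bytes) -> list:
    """Return findings for one upload; an empty list means nothing flagged."""
    findings = []
    if not header_only_check(ext, data):
        findings.append("header does not match extension")
    body = data.lower()
    hits = [m.decode() for m in SCRIPT_MARKERS if m in body]
    if hits:
        findings.append("script marker in body: " + ", ".join(hits))
    return findings


# Constructed samples: a minimal GIF-like blob, the same header followed by
# inert placeholder text in script delimiters, and plain text renamed to .png.
CLEAN_GIF = b"GIF89a" + bytes(16) + b";"
HEADER_PLUS_TEXT = b"GIF89a" + b"<% inert placeholder %>"
RENAMED_TEXT = b"plain text with no image header"

if __name__ == "__main__":
    for ext, blob in (("gif", CLEAN_GIF), ("gif", HEADER_PLUS_TEXT),
                      ("png", RENAMED_TEXT)):
        print(ext, header_only_check(ext, blob), inspect_upload(ext, blob))
```

Marker scanning is a triage heuristic, and a two-byte marker will occasionally match random image data. Re-encoding the image on the server and storing uploads where the web server will not execute them are the controls that hold.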

3. Upload via database backup in the admin backend.

If you have obtained the admin backend and it has a database backup path, congratulations: you are half done. Upload first. I will not waste words on how to upload; see the preceding sections. Find the database backup function and change the backup path to the path of our Trojan.

The suffix of the backup file name can be changed. OK, you know what to do next.

4. Modify a single-page template in the admin backend.

This is again the IIS 6.0 truncation vulnerability, except that here the content of a single page is modified and the file name can be changed.

For example: 1.asp;1.html...

5. Insert a one-line Trojan into a normal file.

In general, the one-liner is inserted through the admin backend. If the database extension is asp, insert it into the database; but if there is a configuration file that can be inserted into, then insert it into the configuration file. However, inserting into a configuration file carries a big risk: once an error occurs, everything is lost. Not only may the backend become impossible to log in to, the entire website system may even crash. So please be careful when inserting into a configuration file. Sometimes the insertion is filtered and the page source has to be analyzed: single-quote filtering, closing of <>, and other issues. These are not analyzed in detail here.

PS: if the one-liner is inserted into the database, sometimes the file is too large to connect to. It hurts.

6. Remote command execution using a 0day.

For this one there is no way to give an example. I will cover it when there is a chance later.

7. Editor Upload Vulnerability

Editor for common websites:

Ewebeditor
Ewebeditornet
Fckeditor
Editor
Southidceditor
SouthidcEditor
Bigaccessories ditor

For the detailed vulnerabilities, identify the version from experience and then search Google and Baidu. Not explained here.
