Protection anti is Protection error--Taoyuan disk new vulnerability-vulnerability warning-the black bar safety net

ID MYHACK58:62200819325
Type myhack58
Reporter 佚名
Modified 2008-06-11T00:00:00


Recently I took up the study of“Taoyuan Network Hard security”related tasks. The following operation is the latest of the“Taoyuan Network Hard Disk V3. 1 Personal Edition free version”, so the following is the analysis of vulnerability is possible only for the above version is useful, but the commercial version with the free version the only difference is that the plug-in support, so the inference of the commercial version also exists for this kind of problem. Protection of the system memory defect First recall: if everyone is black anti-loyal readers, you know that black anti-last year there were several loopholes in the article is for Arcadia disk. It is the presence of Directory jump easily lead to the website is compromised of the problem, the official approach is just to discover a malicious data input, or user directories the presence of illegal“ASPX”it will be deleted, this can only be said is palliative. However,“her”logical thinking difference a bit, sometimes your own website program is also deleted(WTF: the MM love cleaning? it. The study found, the problem appear in“text file online editing”module. We can be in the browser's address bar to see the online editing URL it. When I was in URL in the“Path”variable to rewrite a directory jump table“./../”) Then with GET way to start a request, MM will be the implementation of the“cleaning”action. Note that figure 1 in the browser address URL selected part, it was originally“/”, now I put it into“./../” And then carriage return. Page first prompts do not have to modify the file, not authorized to browse the directory, the next is Web site access error, the directory of the file on the disappearance of most of them.“ Taoyuan Network Hard Disk”of the Web application root directory, you can find that directory on all the“ASPX”and“ASP”files are“Taoyuan Network Hard Drive”of the protection module is removed, isn't that a bit scary? Reincarnated wrote back door This was renamed the law and caused quite a few problems, below I put the analysis to the issues one by one interpretation. 1. Space easily transfer In the file renaming process, the“/”and no filtering, so the file is renamed“ / b”“ / A”at the beginning of the string, it will let the file transfer to the site's root directory. This file space transfer is not very funny anyway, but this interesting phenomenon with the network security nothing to do, and WTF:you wasted a 2 0 plurality of Word layout......that At least not delete modified files, not upload files. In fact, it with me the following operation is to many relationship, at least let us know some information. Because“security”is thus from many aspects to think about, whether or not the value you want. 2. Files back and forth to move It is because before the problem exists, let me have the make file in the user file directory and the site directory to move between ideas. Here please out of the two weapons: the“Nc”and“WSockExpert”, the first use of“WSockExpert”the renaming of the packet capture down. Which will be to“POST”submission of the packet extracted is saved as a file, and then modify the“POST”data in the source file name. It was originally “percent 2F”source file name, the full name + The“ % of 7C The” + you want to modify as the file name does not contain extension, the modified with NC submitted. In NC the time of submission will appear error message:“details: the thread is being aborted.”, the This is just the program's logical order has a problem, does not affect use. With NC submitted after will be the Web application root directory in the“About. aspx”transfer to my user file directory. It should be noted that Taoyuan Network Hard Drive protection module is said earlier, find the user directory on a similar“ASPX”the file will put it removed. Here whether you're the Trojan will be deleted. So with NC the file after the transfer do not reuse Taoyuan Network Hard disk file search function, otherwise, the protection module is activated, we are just busy all the white dry. You can use“about. aspx”file, after all, only a Taoyuan Network Hard Drive directory on the class ASPX file is associated, the files go missing after it is no longer available. in. “Online text file editing”of the protection module has a clear class ASPX file function, so we can not use this function anymore, but can directly through“online text file editor”to open yourself to specify the presence of the file. Below I use“a Online text file editor”to edit my Designated“b. aspx”file. Below to the most important moments in this writing ASPX Trojan and then save. As can be seen by this method save ASPX file is not difficult. If we are able to guess to which store the user file relative path, and the directory includes a script execution privileges, you can restructure URL used directly. But sometimes the user directory does not necessarily have the script execute permissions, so I turn leads to the following method: since I can get the Taoyuan Network Hard Drive Program to move to my directory, why not put my directories on the file to have execute permissions for the directory? Again please out NC, the submitted data is modified. Here source file name is changed to your own directory file name, mine is“b. aspx”, the normal case is“%7C%2F”+your new file name, excluding the extension, so it is modified to“%7C/muma”you can, with the NC after the submission of the will in the Network Hard Disk the program directory on the emergence of a“muma. aspx”, we directly use IE access. Is our hard sweat crystallization, remember to use the reincarnated big act to clean up and repair the site. It seems to get to a website WebShell is not difficult, but this problem occurs how to emergency? Actually very simple, as long as in the background in editable file types to some unsafe file type of shield on it, but this is a temporary solution. We can do now is look forward to web site developers a new version of the patch soon.