The previous brief introduction covered finding and exploiting injection vulnerabilities; this one re-introduces a closely related and more damaging class: upload vulnerabilities. Injection usually yields sensitive data from the database, such as the administrator's name and password. Note that the injection discussed there targeted an MDB database; an upload vulnerability is different: it allows an ASP, JSP, CGI or PHP format Trojan to be uploaded into a directory of the web site. Even at the lowest privilege level the result is a WEBSHELL, and against an administrator with weak security awareness it can be a stepping stone to becoming one of the administrators. (Hedgehog 2005 work.) Tempting, isn't it? OK, let's go!
Finding upload vulnerabilities again starts from the source files. There are two targets: FilePath, the file path, and FileName, the file name.
First, the FilePath

Some friends may find FilePath unfamiliar, but mention the Dongwang (动网) 6.0 upload vulnerability and nobody is a stranger to it: that vulnerability was caused by insufficient filtering of FilePath. Although Dongwang no longer has this vulnerability, many programs still use the same upload source code. Take, for example, the "MARRIOTT download program" I have here, whose ADS (advertisement) section has an Upfile.asp with exactly this weak FilePath filtering. Part of its source is analysed below:

<%
dim upload,file,formName,formPath,iCount,filename,fileExt   '// define the upload variables
set upload=new upload_5xSoft                                 '// create the upload object
formPath=upload.form("filepath")                             '// step 1: take the file path from the form; this is the key
if right(formPath,1)<>"/" then formPath=formPath&"/"
for each formName in upload.file                             '// iterate over the uploaded files
  set file=upload.file(formName)                             '// create a file object
  ........................                                   '// omitted part of the code
  fileExt=lcase(right(file.filename,4))                      '// last 4 characters of the file name, converted to lowercase
  if fileExt<>".gif" and fileExt<>".jpg" and fileExt<>".zip" and fileExt<>".rar" and fileExt<>".swf" then   '// extension check
    response.write "<font size=2>File format is not valid [ <a href=# onclick=history.go(-1)>re-upload</a> ]</font>"
    response.end
  end if
  randomize
  ranNum=int(90000*rnd)+10000
  filename=formPath&year(now)&month(now)&day(now)&hour(now)&minute(now)&second(now)&ranNum&fileExt   '// step 2: the file name is the submitted path + date + random number + the checked extension
  if file.FileSize>0 then
    file.SaveAs Server.mappath(filename)                     '// save the file
  end if
  set file=nothing
next
%>

In this source two statements are critical:

1. formPath=upload.form("filepath")
2. filename=formPath&year(now)&month(now)&day(now)&hour(now)&minute(now)&second(now)&ranNum&fileExt

A quick aside on variables and constants: a variable is a value that may change at any time while the program runs; a constant, on the contrary, keeps the same value throughout the program's run.
Now let's look at how the vulnerability forms. The first statement takes the save path from the filepath variable; the second concatenates that path (formPath), a randomly generated number and the already-checked extension into a new variable, filename, which is the save path and name of the uploaded file. In general terms, consider the following example. Suppose the file "111.jpg" is selected for upload. Along with the file, a FilePath variable is sent; assume its value is "image". When these values reach upfile.asp, filename becomes "image/200512190321944973.jpg", and after a successful upload 111.jpg is saved into the image folder, renamed to "200512190321944973.jpg". This process looks invulnerable, yet someone found a way to break it. How? Very simple: the break point is in the variable itself. If the FilePath value is set to "image/aa.asp□", where "□" stands for a byte with binary value 00 (the null byte), then after it is submitted to upfile.asp the Filename value becomes "image/aa.asp□/200512190321944974.jpg". When the server reads this variable, the 00 byte is taken as the end of the string, so everything after "□" is ignored and Filename effectively becomes "image/aa.asp". The program then calls file.SaveAs, and the file is saved as aa.asp. And voila! The vulnerability appears.
To exploit this you can use the Guilin Laobing (桂林老兵) upload tool, or capture the request with a WinSock packet-capture tool, save the submitted data with Notepad, add or modify the relevant content, change the space into a binary 00 byte with WinHex, and finally submit it with NC. For both methods, see the related articles.
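An added example, not from the article or from the Dongwang/"MARRIOTT" code, that models the save-path logic above in Python: weak_save_name mirrors upfile.asp (filepath taken from the request, extension taken from the last four characters, the path cut at the null byte as described), while hardened_save_name shows the check a defender wants, with the directory fixed on the server and the extension taken from the last dot. The function names and the upload_root argument are my own.

```python
import os

# Added example (not from the article): the Dongwang-style save-path logic beside a hardened form.
ALLOWED_EXT = {".gif", ".jpg", ".zip", ".rar", ".swf"}   # the five types upfile.asp accepts

def weak_save_name(form_path: str, orig_name: str, stamp: str) -> str:
    """Mirrors upfile.asp: the directory comes from the request, the extension is the
    last four characters of the original name, and the path is only truncated at
    0x00 when the server-side file API reads it (modelled by the split below)."""
    if not form_path.endswith("/"):
        form_path += "/"
    ext = orig_name[-4:].lower()
    if ext not in ALLOWED_EXT:
        raise ValueError("File format is not valid")
    full = form_path + stamp + ext            # e.g. image/aa.asp\x00/2005...jpg
    return full.split("\x00", 1)[0]           # everything after the null byte is lost

def hardened_save_name(upload_root: str, orig_name: str, stamp: str) -> str:
    """Hardened: the directory is a server-side constant (upload_root), control
    characters are rejected, the extension is whatever follows the last dot, and
    the final path must still sit directly under upload_root."""
    if any(ord(c) < 0x20 for c in orig_name):
        raise ValueError("control character in file name")
    ext = os.path.splitext(orig_name)[1].lower()
    if ext not in ALLOWED_EXT:
        raise ValueError("File format is not valid")
    full = os.path.normpath(os.path.join(upload_root, stamp + ext))
    if os.path.dirname(full) != os.path.normpath(upload_root):
        raise ValueError("path escapes the upload root")
    return full

def is_rejected(fn, *args) -> bool:
    """True if fn raises ValueError for these arguments (used to exercise the checks)."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False
```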
Second, the FileName
Having introduced FilePath (the vulnerability from insufficient filtering of the upload path), let's look at FileName (the vulnerability from insufficient filtering of the upload file name). Insufficient file name filtering takes many forms; two are presented here:
2. Dongli 2005 (动力 2005; the source translation renders the name as "dynamic business 2005" and "Action 2005")

Having covered the Dongwang upload vulnerability, let's now introduce the Dongli 2005 upload vulnerability. What a coincidence: Dongwang, Dongyi, Dongli, all "Dong", ha ha! Dongyi's vulnerability comes from uploading multiple files, while Dongli's upload vulnerability comes from insufficient filtering of the file name. The following is part of the source of upfile.asp in Dongli 2005:

<%
Private Sub SaveFile_0()                             '// upload without a component
  ........................
  Set File = UploadObj.File(FormName)                '// get the uploaded file
  FileExt = FixName(File.FileExt)                    '// step 1: filter the extension with the FixName function
  If CheckFileExt(FileExt) = False then              '// step 2: check the filtered extension with CheckFileExt
    ErrCodes = 5
    EXIT SUB                                         '// abort the upload
  End If
  FileName = FormatName(FileExt)                     '// conditions met: generate a date-based file name with FormatName
  ........................
  If File.FileSize>0 Then
    File.SaveToFile Server.Mappath(FilePath & FileName)   '// the saved path and name are FilePath + FileName
  End If
  ........................
End Sub
%>

Now let's look at the parameters the upload involves.

A. The FixName() function:

Private Function FixName(Byval UpFileExt)            '// step 1 filter: strips special extensions
  If IsEmpty(UpFileExt) Then Exit Function           '// an empty extension exits immediately
  FixName = Lcase(UpFileExt)                         '// convert the extension to lowercase
  FixName = Replace(FixName,Chr(0),"")               '// filter the binary 00 (null) character to empty
  FixName = Replace(FixName,".","")                  '// filter the dot to empty
  FixName = Replace(FixName,"'","")                  '// filter the single quote to empty; the same below
  FixName = Replace(FixName,"asp","")
  FixName = Replace(FixName,"asa","")
  FixName = Replace(FixName,"aspx","")
  FixName = Replace(FixName,"cer","")
  FixName = Replace(FixName,"cdx","")
  FixName = Replace(FixName,"htr","")
  FixName = Replace(FixName,"shtml","")
End Function

As can be seen, every extension type mapped to asp.dll is filtered; in addition the dot and the single quote are filtered, and even Chr(0). What is Chr(0)? It is hexadecimal 0x00, binary 00000000: the very null byte that the space was changed into in the FilePath upload vulnerability above.

B. The CheckFileExt() function:

Private Function CheckFileExt(FileExt)               '// step 2 check: is the file type acceptable?
  Dim Forumupload,i
  CheckFileExt=False                                 '// the initial value of CheckFileExt is false
  If FileExt="" or IsEmpty(FileExt) Then             '// first check: empty means exit
    CheckFileExt = False
    Exit Function
  End If
  If FileExt="asp" or FileExt="asa" or FileExt="aspx" or FileExt="shtml" Then   '// second check: these four types also exit
    CheckFileExt = False
    Exit Function
  End If
  Forumupload = Split(InceptFile,",")                '// third check: take the back-end upload extensions from InceptFile
  For i = 0 To ubound(Forumupload)                   '// test each one in a For loop
    If FileExt = Trim(Forumupload(i)) Then           '// matches any configured upload extension: CheckFileExt = True
      CheckFileExt = True
      Exit Function
    Else
      CheckFileExt = False
    End If
  Next
End Function

This function judges the extension again after FixName() has filtered it, in three checks: first, whether the extension passed in is empty (if so, the upload exits); second, whether the extension belongs to the four restricted upload types asp, asa and so on (if so, the upload also exits); third, the extension is compared with the custom upload extensions configured in the back end, and if it matches one the upload is allowed.

C. The FilePath value. upload.asp sets the filepath as follows:

if info_name="bbs" then
  FilePath = "/bbs/upload/"
else
  FilePath = "/uploadpic/"
end if

FilePath is a constant, so looking for a vulnerability along this road is not feasible. OK! Now upload a file and watch the validation process. Suppose the uploaded file is named "111.cer". "FileExt = FixName(File.FileExt)" filters the extension; because cer is within FixName()'s filtering range, the extension cer becomes empty. When the empty extension is passed to CheckFileExt(), it reaches the statement "If FileExt="" or IsEmpty(FileExt)", exits because FileExt is empty, returns "format incorrect", and the upload is rejected. How to break through?
The break point is in the FixName() function. As seen above, when cer is uploaded it is filtered to empty. But if we give the uploaded file the extension ccerer, and add both "ccerer" and "cer" to the custom upload types in the back end, then after the first step, FixName(), the extension ccerer becomes cer (the cer in the middle is filtered away). This value is passed to CheckFileExt(): it passes the first, non-empty level; passes the second, restricted-types level; and finally reaches the comparison with the back-end upload types. Because we added the two types "ccerer" and "cer" beforehand, it also passes the third judgment, CheckFileExt = True, and the file with extension ccerer is uploaded to the server, where its extension is cer. Some friends may ask: if the uploaded extension is aaspsp□ or aaspsp., won't it become asp□ or asp. after FixName()? Those two forms are not within the restricted range, so as long as the back end has those types added, couldn't uploaded files be saved in asp format? I had the same idea, but careful research and analysis found no way out. Why? Take the dot first: in FixName() the statement FixName = Replace(FixName,".","") filters the dot to empty, and voila! the dot route is cut off. Now the space: although FixName() does not filter spaces, when CheckFileExt() reads the back-end upload types it uses the statement "If FileExt = Trim(Forumupload(i)) Then", and Trim() removes the leading and trailing spaces of a string. So although the asp□ type can be written in the back end, on reading Trim() filters it to asp, while aaspsp□, after passing through the layers of checkpoints, has become asp□. asp□<>asp: the file does not match!
Sorry, access denied.
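An added example, not from the Dongli source, reproducing FixName()/CheckFileExt() in Python beside a hardened allowlist check; fix_name, check_file_ext, weak_accept and hardened_accept are names I chose. weak_accept returns the extension the file would be saved with (or None), so the ccerer, aaspsp□ and aaspsp. cases from the text can be checked; hardened_accept never deletes substrings, so a doubled extension has nothing to collapse into and is saved exactly as written.

```python
# Added example (not the Dongli code): single-pass Replace() filtering beside an allowlist check.
STRIP = ["\x00", ".", "'", "asp", "asa", "aspx", "cer", "cdx", "htr", "shtml"]  # FixName() order
BLOCKED = {"asp", "asa", "aspx", "shtml"}                                        # CheckFileExt() second check

def fix_name(ext: str) -> str:
    """FixName(): lowercase, then delete each token once, in order (no re-scan)."""
    ext = ext.lower()
    for tok in STRIP:
        ext = ext.replace(tok, "")
    return ext

def check_file_ext(ext: str, incept_file: str) -> bool:
    """CheckFileExt(): empty -> False; the four hard-coded types -> False;
    otherwise True only if ext equals a Trim()'d entry of the configured list."""
    if ext == "":
        return False
    if ext in BLOCKED:
        return False
    return any(ext == item.strip() for item in incept_file.split(","))

def weak_accept(ext: str, incept_file: str):
    """The Dongli flow: returns the extension the file is saved with, or None."""
    fixed = fix_name(ext)
    return fixed if check_file_ext(fixed, incept_file) else None

def hardened_accept(filename: str, allowed: set):
    """Hardened: take the text after the LAST dot, require plain ASCII letters or
    digits, and compare it whole against a server-side allowlist. Nothing is
    deleted from the name, so 'ccerer' stays 'ccerer' and is saved as such."""
    if "\x00" in filename or "." not in filename:
        return None
    ext = filename.rsplit(".", 1)[1].lower()
    if not ext.isascii() or not ext.isalnum():
        return None
    return ext if ext in allowed else None
```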