Network Fun online shopping system, Fashion version v9.7: really getting a shell from the admin backend - Vulnerability warning - Black Bar Safety Net

2010-01-19T00:00:00
ID MYHACK58:62201025989
Type myhack58
Reporter Anonymous
Modified 2010-01-19T00:00:00

Description

The latest release, dated 2009-12-22, has only just come out. What I have seen online covers injection only; nobody has really taken a shell yet. My study follows.

Network Fun includes a forum, and the forum is YxBBS: YxBBS 2.3, the Access version. The original YxBBS has a data backup feature, but Network Fun removed it. That makes getting a shell more troublesome, because the backend does not show the database path.

You need to combine the absolute path displayed in the Network Fun admin backend with the forum's upload and data backup functions.

======= Note: the original post covers getting the administrator account and password; its author lost heart at the get-a-shell part, so I continue from there: <http://www.nhs8.com/post/983.html> That post, however, notes that a shell cannot be obtained from the Network Fun admin backend. =======

The forum backend can execute SQL statements. I tried deleting nodown and inserting a one-line script, but it did not work because someone had modified the database. Depressing! It did not work in local debugging either.

The heart of the problem is data.asp under \bbs\Admin, in this sub:

```asp
sub compressdata2()
dim dbpath,boolis97,caption,content,fso,dbpath1,bkfolder,bkdbname,dbpath2,backpath

' --- Compact database ---
caption="compressed database"
content="<b>note:</b>enter where the database is located relative to the path, and enter a database name if you are using the database can not be compressed, select the BACKUP DATABASE compress operation<hr size=1>"& _
    "<form xxxxx='margin:0' method='post' action='?action=compressdata2&go=start'>Compact the database:<input type='text' name='dbpath' value='please enter database path'> <input type='submit' value='Start compression'><br /></form>"& _
    "<input type='checkbox' name='boolis97' value='true'>if you use access 97 database please select(the default for access 2000 database)"
call showtable(caption,content)
if request("go")="start" then
    response.flush
    dbpath = request("dbpath")
    boolis97 = request("boolis97")
    if dbpath <> "" then
        if session(yxbbs.cachename&"fso")="no" then
            call goback("","space is not support fso,you cannot use this function!")
            exit sub
        end if
        dbpath = server.mappath(dbpath)
        content=compactdb(dbpath,boolis97)
        call showtable(caption,content)
    end if
end if

' --- Back up database: source path, target directory and target file name
' --- (including its extension) all come from the submitted form
caption="backup Forum data"
content="<b>note:</b>to ensure your data is secure, backed up, please do not use the default names to name the BACKUP DATABASE.<hr size=1>"& _
    "<form xxxxx='margin:0' method='post' action='?action=compressdata2&go=starta'>current database path(relative path):<input type=text size=15 name=dbpath1 value='please enter database path'><br />"& _
    "BACKUP DATABASE directory(relative path):<input type=text size='15' name='bkfolder' value='databak'> as the directory does not exist, the program will automatically create a<br />"& _
    "Backup Database Name(fill in name):<input type=text size=15 name=bkdbname value='"&formatdatetime(now(),2)&".asp'> such as a backup directory with the file, will be overwritten, if not, will automatically create a<br />"& _
    "<input type=submit value=' Start Backup '></form>"
call showtable(caption,content)
if request("go")="starta" then
    if session(yxbbs.cachename&"fso")="no" then
        call goback("","space is not support fso,you cannot use this function!")
        exit sub
    end if
    dbpath1=yxbbs.fun.getstr("dbpath1")
    dbpath1=server.mappath(dbpath1)
    bkfolder=yxbbs.fun.getstr("bkfolder")
    bkdbname=yxbbs.fun.getstr("bkdbname")
    set fso=server.createobject("scripting.filesystemobject")
    if fso.fileexists(dbpath1) then
        ' any existing file is copied to bkfolder\bkdbname without further checks
        if checkdir(bkfolder) = true then
            fso.copyfile dbpath1,bkfolder& "\"& bkdbname
        else
            makenewsdir bkfolder
            fso.copyfile dbpath1,bkfolder& "\"& bkdbname
        end if
        caption="backup successful":content="database backup successful! You backup the database path is " & bkfolder& "\"& bkdbname
    else
        caption="error message":content="cannot find your desired backup file."
    end if
    call showtable(caption,content)
end if

' --- Restore database ---
caption="restore the forum data"
content="<b>note:</b>recover database is generally used to recover(data lost or destroyed)the current use of the database.<hr size=1>"& _
    "<form method='post' xxxxx='margin:0' action='?action=compressdata2&go=starth'>backup the database(relative paths):<input type='text' size='30' name='backpath' value='databak/"&formatdatetime(now(),2)&".asp'> please fill used to restore the backup file<br />"& _
    "The current database(relative paths):<input type='text' size='30' name='dbpath2' value='please enter database path'> fill in your current database<br /><input xxxxx=checkclick('are you sure you want to use the backup of the database coverage and of course the use of the database?') type=submit value=' restore data '></form>"
call showtable(caption,content)
if request("go")="start" then
    if session(yxbbs.cachename&"fso")="no" then
        call goback("","space is not support fso,you cannot use this function!")
        exit sub
    end if
    if request("go")="starth" then
        caption="error message"
        dbpath2=yxbbs.fun.getstr("dbpath2")
        backpath=yxbbs.fun.getstr("backpath")
        if backpath="" or dbpath2="" then
            content="Please put the full name fill in full!"
        else
            dbpath2=server.mappath(dbpath2)
            backpath2=server.mappath(backpath2)
            set fso=server.createobject("scripting.filesystemobject")
            if fso.fileexists(dbpath2) then
                on error resume next
                fso.copyfile backpath,dbpath2
                if err.number=0 then
                    caption="restore successful":content="successfully restored the database!"
                else
                    caption="error message":content="not the current use of the database the full name"
                    err.clear
                end if
            else
                content= "the backup directory and not your backup files!!!"
            end if
        end if
        call showtable(caption,content)
    end if
end if
```

So, inside the forum backend, we construct the URL directly: bbs/admin/data.asp?action=compressdata2&go=start and the backup page appears at once!

Earlier, in the Network Fun admin backend, we obtained the absolute path d:\wwwroot\nhs8.com\wwwroot\zxxs\admin\admin.asp. Then we go to the forum and upload our small trojan disguised as a picture, for example http://www.nhs8.com.com/zxxs/bbs/uploadfile/topicfile/20101194332725.jpg. Put the two together and what do we get? This:

d:\wwwroot\nhs8.com\wwwroot\zxxs\bbs\uploadfile\topicfile\20101194332725.jpg


I spent half a day on the backup, damn it! I had confused relative and absolute paths. After that, success for sure!

Current database path (relative path): ..\uploadfile\topicfile\20101194332725.jpg

Backup database directory (relative path): admin [one that exists or one that does not exist, either works]

Backup database name (fill in name): 123.asp

BACKUP DATABASE succeed! You backup the database path is d:\wwwroot\nhs8.com\wwwroot\zxxs\bbs\admin\admin\123.asp
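A hardened form of the backup branch shown earlier, as an added example that is not YxBBS or Network Fun code: the source file and target directory are fixed on the server and the extension is forced, so the form can no longer copy an uploaded .jpg to a .asp name inside the web root. `DB_PATH`, `BACKUP_DIR`, `IsSafeBackupName` and `SafeBackup` are assumed names and paths.

```vbscript
' Added example, not the project's code. Paths below are assumptions.
Const DB_PATH    = "D:\data\yxbbs\forum.mdb"   ' configured server-side, never read from the request
Const BACKUP_DIR = "D:\data\yxbbs\backup"      ' outside the web root, so nothing in it is served or executed

' Accept a bare base name only: no dots, slashes, colons or drive letters,
' which rules out "..\" traversal and a caller-chosen extension.
Function IsSafeBackupName(name)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9_-]{1,40}$"
    IsSafeBackupName = re.Test(name)
End Function

' Copies the configured database to BACKUP_DIR\<name>.bak.
' Returns the target path on success, "" when the request is refused.
Function SafeBackup(requestedName)
    Dim fso, target
    SafeBackup = ""
    If Not IsSafeBackupName(requestedName) Then Exit Function

    Set fso = CreateObject("Scripting.FileSystemObject")
    If Not fso.FileExists(DB_PATH) Then Exit Function
    If Not fso.FolderExists(BACKUP_DIR) Then Exit Function   ' do not create directories on request

    ' The server appends the extension; the caller cannot ask for .asp.
    target = fso.BuildPath(BACKUP_DIR, requestedName & ".bak")

    ' Second check: the resolved target must sit directly in BACKUP_DIR.
    If LCase(fso.GetParentFolderName(fso.GetAbsolutePathName(target))) <> LCase(BACKUP_DIR) Then
        Exit Function
    End If

    If fso.FileExists(target) Then Exit Function             ' never overwrite an existing file
    fso.CopyFile DB_PATH, target, False
    SafeBackup = target
End Function

' In the "starta" branch the handler would then read one field only:
'   result = SafeBackup(yxbbs.fun.getstr("bkdbname"))
' and treat "" as a refused request.
```

With these checks the values used in the walkthrough are refused: `123.asp` contains a dot, and the source path and target directory are no longer taken from the form at all.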


Look out!
