Home > Database > Mysql Tutorial > Oblog 4.5-4.6 access&mssql getshell 0day

Oblog 4.5-4.6 access&mssql getshell 0day

WBOY
Release: 2016-06-07 15:05:56
Original
1478 people have browsed it

影响范围:4.5 - 4.6 漏洞需求: IIS6.0\开启会员 挖掘作者:henry 绝对原创,技术含量不高,但影响范围比较广.. 漏洞文件: AjaxServer.asp (372行) log_filename = Trim(Request(filename))//未过滤自定义文件名 AjaxServer.asp (259行)(关键) If (oblog.chkd

影响范围:4.5 - 4.6
漏洞需求: IIS6.0\开启会员
挖掘作者:henry
 
绝对原创,技术含量不高,但影响范围比较广..
 

漏洞文件:
AjaxServer.asp (372行)
log_filename = Trim(Request("filename"))//未过滤自定义文件名
 
AjaxServer.asp (259行)(关键)
If (oblog.chkdomain(log_filename) = False And log_filename "") and isdraft1 Then oblog.adderrstr ("文件名称不合规范,只能使用小写字母以及数字!")
 
逻辑错误,只要有一个条件不满足,则跳过.请看:
 
206行isdraft = Int(Request("isdraft")) //可控
 
isdraft=1 www.2cto.com 则成功跳过
 
漏洞利用:
 
⒈ 注册会员,发表一日志。
⒉ 修改日志,高级选项,文件名称这里写abcdefg,内容为一句话木马源码。然后抓包保存。
⒊ 修改表单数据,将filename改为a.asp;x,isdraft参数为1,提交表单。
⒋ 回到博文管理,选择重新发布日志,日志地址则为SHELL地址。
 
tips: 若博文目录不可, 则可控制filename=../../data/a.asp;x
 
Oblog 4.5-4.6 access&mssql getshell 0day
Related labels:
source:php.cn
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template