首页    新闻    下载    文档    论坛     最新漏洞    黑客教程    数据库    搜索    小榕软件实验室怀旧版    星际争霸WEB版    最新IP准确查询   
名称: 密码:      忘记密码  马上注册
安全知识 :: 漏洞利用

轻松获得oblog 2.52的WebShell


http://www.gipsky.com/
文章作者:千寂孤城

信息来源:邪恶八进制信息安全团队



一、方法



1、先进后台。利用CheckUserLogined漏洞直接加个后台管理员。关于这个CheckUserLogined漏洞我在《Blog的噩梦》(http://www.eviloctal.com/forum/htm_data/10/0508/13721.html)中有详细的说明,大概就是说可以通过Cookies欺骗搞SQL注入。

2、在后台的“网站信息配置”处有个“普通会员上传文件类型”,给它加一个aaaspspsp类型。

3、用个普通帐号登陆,来到上传文件的页面http://blog.***.com/upload.asp,看到了吗?可上传文件多了个“aaspsp”类型。好,把你的马x.asp改名为x.aaspsp,然后传上去。

4、到你自己的blog后台去看一看,是不是成功上传了x.asp了?:)



二、原理



本来刚开始我是直接在后台的“普通会员上传文件类型”里加了个“|asp”,结果发现上传失败。于是去Down个oBlog 2.52下来。读了读upload.asp的代码,大家一起看看:



[code]'初始化上传限制数据

Sub InitUpload()

……

select Case cint(DecodeCookie(Request.Cookies(cookiesname)("userlevel")))

Case 7

if rs("upfile_user")="true" then

themax=round(user_maxsize-theuped/1024)

sAllowExt = rs("upfile_user_type") '注意这里,得到我们在后台设置的可上传文件的类型,放入sAllowExt变量中

if themax>rs("upfile_user_size") then

nAllowSize = rs("upfile_user_size")

else

nAllowSize = themax

end if

else

sAllowExt = "暂无上传权限"

nAllowSize = 0

end if

……

End select

sAllowExt = filtfilename(sAllowExt) '这里是对sAllowExt进行检查

……

End Sub



[/code]

以上代码是说如果是普通用户,那么就给字符串sAllowExt赋值为我们在后台设定的那个“普通会员上传文件类型”:jpg|png|bmp|rar|zip|asp。但是请注意,sAllowExt然后还必须经过filtfilename()的检查。再接着看:

[code] '保存操作

Sub DoSave()

Set oFile = oUpload.File("uploadfile")

sFileExt = UCase(oFile.FileExt)

osize = oFile.Filesize

Call CheckValidExt(sFileExt) '检查文件扩展名是不是sAllowExt里有的

sFileExt=filtfilename(sFileExt) '哎,filtfilename又来了

……

oFile.SaveToFile Server.Mappath(sUploadDir & "/"& sFileName)

……

End Sub

[/code]

以上代码就是说文件扩展名必须是sAllowExt里有的然后才能上传。上传后保存到目标计算机上时扩展名还要被filtfilename过滤一次。那么那个filtfilename到底是什么东西呢?我们看看:

[code]Function filtfilename(filename)

If IsEmpty(filename) Then Exit Function

filename = Lcase(filename)

filename = Replace(filename,Chr(0),"")

filename = Replace(filename,".","")

filename = Replace(filename,"asp","")

filename = Replace(filename,"asa","")

filename = Replace(filename,"aspx","")

filename = Replace(filename,"cer","")

filename = Replace(filename,"cdx","")

filename = Replace(filename,"htr","")

filename = Replace(filename,"asax","")

filename = Replace(filename,"ascx","")

filename = Replace(filename,"ashx","")

filename = Replace(filename,"asmx","")

filename = Replace(filename,"axd","")

filename = Replace(filename,"vsdiso","")

filename = Replace(filename,"rem","")

filename = Replace(filename,"soap","")

filename = Replace(filename,"config","")

filename = Replace(filename,"cs","")

filename = Replace(filename,"csproj","")

filename = Replace(filename,"vb","")

filename = Replace(filename,"vbproj","")

filename = Replace(filename,"webinfo","")

filename = Replace(filename,"licx","")

filename = Replace(filename,"resx","")

filename = Replace(filename,"resou","")

filename = Replace(filename,"jsp","")

filename = Replace(filename,"php","")

filename = Replace(filename,"cgi","")

filtfilename=filename

End Function



[/code]

是过滤函数,害我们不成功的就是这个东西。

嘿嘿,看完了,基本上也明白了。理一下思路,简单一点说就是后台设定的上传类型要经过Replace(filename,"asp","")检查两次(晕……麻不麻烦)。仔细想一想,这里是有漏洞的!我们可以用“aaaspspsp”来绕过它!

于是我们把“普通会员上传文件类型”那里加上“|aaaspspsp”。然后用个普通用户登陆,来到上传处。可上传文件就多了个“aaspsp”类型。这是因为“aaaspspsp”经过第一次过滤,把中间的那个“asp”过滤掉了,变成了“aaspsp”。

然后我们把马儿的名字改成x.aaspsp传上去,在服务器在保存马儿时把它的扩展名“aaspsp”第二次过滤后就还原成了“asp”,就成功搞到webshell了。



三、漏洞修补



CheckUserLogined漏洞修补方法:在inc/function.asp的CheckUserLogined()函数中加上password=ReplaceBadChar(trim(password))。



upload.asp漏洞修补方法:把filtfilename函数改成循环的:

[code]Function filtfilename(filename)

If IsEmpty(filename) Then Exit Function

filename = Lcase(filename)

do '开始循环

A_len=len(filename) '得到字符串长度

filename = Replace(filename,Chr(0),"")

filename = Replace(filename,".","")

filename = Replace(filename,"asp","")

filename = Replace(filename,"asa","")

filename = Replace(filename,"aspx","")

filename = Replace(filename,"cer","")

filename = Replace(filename,"cdx","")

filename = Replace(filename,"htr","")

filename = Replace(filename,"asax","")

filename = Replace(filename,"ascx","")

filename = Replace(filename,"ashx","")

filename = Replace(filename,"asmx","")

filename = Replace(filename,"axd","")

filename = Replace(filename,"vsdiso","")

filename = Replace(filename,"rem","")

filename = Replace(filename,"soap","")

filename = Replace(filename,"config","")

filename = Replace(filename,"cs","")

filename = Replace(filename,"csproj","")

filename = Replace(filename,"vb","")

filename = Replace(filename,"vbproj","")

filename = Replace(filename,"webinfo","")

filename = Replace(filename,"licx","")

filename = Replace(filename,"resx","")

filename = Replace(filename,"resou","")

filename = Replace(filename,"jsp","")

filename = Replace(filename,"php","")

filename = Replace(filename,"cgi","")

loop until A_len=len(filename) '如果过滤前的长度等于过滤后的长度说明已经过滤得干干净净了,退出循环。

filtfilename=filename

End Function



[/code]
Tags: oblog[/code]
[/code]
<< QQ群BBS跨站漏洞 COCOON Counter统计程序后台写马 >>
API:
gipsky.com& 安信网络
网友个人意见,不代表本站立场。对于发言内容,由发表者自负责任。

系统导航

 

Copyright © 2001-2010 安信网络. All Rights Reserved
京ICP备14013333号-8