The utilization of various vulnerabilities and some search parameters
When it comes to vulnerabilities, the first that must be mentioned is the upload vulnerability of Dongwang (the Dynamic Network forum). The Dongwang vulnerability opened the era of upload vulnerabilities, and breakthroughs in other systems followed!
ASP Dynamic Network Forum Vulnerability Analysis
1. This vulnerability is not too serious. Anyone who has used the Dynamic Network forum knows that JavaScript written directly into a post is filtered and split up, and that anything beginning with http is automatically turned into a link. The vulnerability lies in exactly these two places: change one letter of each of the two words into its encoded form, and the system decodes the letters back, so the filter is bypassed. For example, write [img]javascript:('http://','’)[/img]. It is clear that #x63 decodes to the letter "c" and #x70 decodes to the letter "p"; the "&" joins them into the encoded form, and finally wrapping it in [img] makes the JS fire. If the forum supports inserting Flash, use [swf] instead. This loophole can be used for pranks: write a tempting topic, and when the reader clicks in and then clicks again he is sent to your homepage (to inflate click-through rates for advertising), or worse: it can point to a page carrying viruses and *s, which makes you want to curse. This vulnerability exists in all sorts of Dongwang versions, including the newer 0519, and the affected range is astonishing. Everyone agrees that illegal characters should be detected and removed rather than simply split apart. I really hope the Dongwang developers patch this vulnerability as soon as possible.
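The fix the paragraph asks for is to decode before filtering rather than to split the word. As an added example (not code from the article or from the forum software), the check below canonicalizes the URL inside an [img] or [swf] tag the way a browser would, undoing HTML character references such as &#x63; and percent-encoding until nothing changes, and only then decides whether the scheme is plain http(s). The tag syntax and the allowed-scheme policy are assumptions.

```python
import html
import re
from urllib.parse import unquote

# BBCode tags on the forum that carry a URL, per the text: [img] and [swf]
URL_TAG = re.compile(r"\[(img|swf)\](.*?)\[/\1\]", re.IGNORECASE | re.DOTALL)
ALLOWED_SCHEMES = ("http://", "https://")  # assumed policy for embedded media

def canonical_url(raw: str) -> str:
    """Undo the layers a browser undoes before it interprets the URL:
    HTML character references (&#x63; -> c), percent-encoding, and the
    whitespace/control characters browsers ignore inside the scheme."""
    previous, value = None, raw
    while value != previous:  # repeat until stable, so double encoding does not help
        previous = value
        value = unquote(html.unescape(value))
    value = re.sub(r"[\s\x00-\x1f]", "", value)
    return value.lower()

def unsafe_tags(post: str) -> list:
    """Return the [img]/[swf] bodies whose canonical URL is not plain http(s).
    Splitting the word 'javascript' is not needed: once decoded, the scheme is
    compared as a whole and any non-http(s) scheme is rejected."""
    return [body for _tag, body in URL_TAG.findall(post)
            if not canonical_url(body).startswith(ALLOWED_SCHEMES)]
```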
2. Compared with the former, the second vulnerability is a big problem: with it you can crack the passwords of every registered member of the forum (horrible~~~). Forum administrators usually just drop in the forum program and use it as it comes, and this convenience leads directly to the vulnerability. We load a copy ourselves. One look at the Dynamic Network database shows that the password field is userpassword. So, for example, to break the password of a user called abc, first look up abc's user information; the link given is http://xxxxx/?name=abc. The statement that reads the parameter is username=trim(request("name")), and the database query is sql="select * from [user] where username='"&username&"'", so abc is passed straight into the query as the username parameter. Furthermore, if the user does not exist, the program says so. That being the case, we write a condition that queries the password: after where username=abc, add and userpassword="******". In theory this can crack the password, but who knows how many years it would take; this is where the VBS functions show their skill. First use the len function to find out how many characters the user's password has, with the address http://xxxxx/?name=abc'%20and%20len(userpassword)=5%20and%20'1'='1. Written this way it may be hard to read; in the SQL statement it actually looks like this: sql="select * from [User] where username='abc' and len(UserPassword)=5 and '1'='1'". Now it makes sense: %20 is a space, and the single quote after abc and the single quotes in '1'='1 are there to match the SQL statement. Strange, the user does not exist? That means no user meets this condition. Continue, replacing 5 with 6, 7, 8, and so on.
As long as the user information is displayed, the number of password characters has been guessed correctly. The next step is to test the password one character at a time, again with VBS functions: left, right or mid, e.g. http://xxxxx/?name=abc'%20and%20left(userpassword,1)='a. If the guess is right you get the user information; if not, the prompt that the user does not exist. This is still too slow, so wrap it in the asc function: http://xxxxx/?name=abc'%20and%20asc(mid(userpassword,1,1))>'50 tests whether the ASCII code of the first character of the user's password is greater than 50, and the range is narrowed step by step. I believe the range can soon be reduced to single digits. Does reading this make you break out in a sweat? It did me. Using a few functions flexibly, you can conservatively crack a password in under half an hour. What a blessing in disguise. The Dongwang developers switched to MD5 after the later 05** versions and can finally breathe easy, but many sites in China are still running the old Dongwang forum.
3. Dynamic Network SQL statement vulnerability
This vulnerability targets the SQL Server version of Dynamic Network.
Test method: at http://ip/bbs/admin_index.asp, enter the user name, and the same as the password.
This skips authentication.
Principle: it exploits SQL syntax. The password and ID entered become a legal SQL statement, and authentication is simply skipped.
This vulnerability is not specific to Dynamic Network; many ASP applications backed by SQL have it.
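From the detection side, both item 2 (the len/asc/mid boolean probes against the userpassword column) and item 3 (the quoted tautology that turns the admin_index.asp login into a true condition) leave recognizable traces in the web server log. The script below is an added example, not part of the article: it URL-decodes the query string of constructed IIS-style log lines and reports which pattern fired. The log layout, the /bbs/user.asp path and the assumption that the login fields appear in the logged query string are all constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample in a simplified W3C/IIS layout: date time method uri-stem uri-query status.
# /bbs/user.asp is an assumed path; admin_index.asp is from the text. The POST line assumes
# the login fields were captured in the logged query string, purely for illustration.
SAMPLE_LOG = """\
2004-06-21 10:01:02 GET /bbs/user.asp name=abc 200
2004-06-21 10:01:09 GET /bbs/user.asp name=abc'%20and%20len(userpassword)=5%20and%20'1'='1 200
2004-06-21 10:01:15 GET /bbs/user.asp name=abc'%20and%20asc(mid(userpassword,1,1))>'50 200
2004-06-21 10:02:30 POST /bbs/admin_index.asp username='or'='or'&password='or'='or' 302
2004-06-21 10:03:00 GET /bbs/index.asp - 200
"""

# Each rule is (name, pattern) and runs over the URL-decoded query string.
RULES = [
    # a quote closing the literal, then "and" and one of the string functions named in the text
    ("blind-boolean-function",
     re.compile(r"'\s*and\s+(?:len|asc|mid|left|right)\s*\(", re.IGNORECASE)),
    # 'or'='or' style login bypass, or the trailing and '1'='1 padding
    ("quoted-tautology",
     re.compile(r"'\s*(?:or|and)\s*'[^']*=|\b(?:or|and)\s+'[^']*'\s*=\s*'", re.IGNORECASE)),
    # the forum's password column named from the outside
    ("password-column-reference", re.compile(r"\buserpassword\b", re.IGNORECASE)),
]

def analyze_query(query: str) -> list:
    """Names of all rules that fire on one raw (still percent-encoded) query string."""
    decoded = unquote_plus(query)
    return [name for name, pattern in RULES if pattern.search(decoded)]

def scan(log_text: str) -> list:
    """One finding per suspicious request, in file order."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        parts = line.split()
        if len(parts) < 6:
            continue  # blank or malformed line
        uri_stem, query = parts[3], parts[4]
        if query == "-":
            continue  # nothing logged for this request
        rules = analyze_query(query)
        if rules:
            findings.append({"line": line_no, "uri": uri_stem, "rules": rules})
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f['line']}: {f['uri']} -> {', '.join(f['rules'])}")
```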
4. The sp2 vulnerability of the Dynamic Network Forum (this vulnerability has a very large impact range: the Dynamic Network official site, Hacker Defense Line and Security Base were all hacked because of it; search Baidu for the details)
Upload vulnerability path: reg_upload.asp and
Qingchuang Article System
Open Google and enter.tw qcdn (or search Baidu for Powered by: QCDN_NEWS, but most of those are in China).
Upload vulnerability. Append /admin_upfile.asp to the URL; if the following appears:
Microsoft VBScript runtime error '800a01b6'
Object doesn't support this property or method: 'form'
/article/admin_upfile.asp, line 21
it means there is already more than a 90% chance of success.
Use the Guilin Veteran upload tool to upload the * horse.
During an intrusion I found that admin_upfile.asp had been changed; you can also change it to user_upfile.asp and upload the horse. Another method is to add admin_upfile.asp and user_upfile.asp to the injection tool.
Qingchuang Article Management System injection
Keyword "?un". If the tool reports "No injection vulnerability was detected yet", enter "Unid" as the "feature character".
(Tip: the "U" in "Unid" must be capitalized.)
"Feilong Article Management System" vulnerability
Feilong Article Management System Ver 2.0 Build 20040620 official version vulnerability exploit
Search for the keyword "?ArtID="
The vulnerable files are
admin_upfile.asp
user_upfile.asp
These two files ""
A repeat of the Dongwang vulnerability.
Add "ArtID=1111;" to the cookie when uploading.
Exploiting the phpwind 1.3.6 forum vulnerability
Search for the keyword "POWER BY PHPWIND v1.3.6"
In the phpwind 1.3.6 forum the upload is done in "Group Sharing".
After saving, the * address is in the current directory.
Submit it from your own machine using the following form:
<form ENCTYPE="multipart/form-data" ACTION="http://1717t./"
METHOD="POST">
<input NAME="MyFile" TYPE="file">
<input VALUE=" Submit " TYPE="submit">
</form>
After a successful upload the * horse sits in the forum directory.
Just visit it directly!
Vulnerability Collection
1) Co Net MiB Ver1.0~4.0: use 'or'='or' to log in as administrator (a classic vulnerability).
2) ASP Calendar vulnerability. Search Google for Maintained with the Ocean12 ASP Calendar Manager v1.01. The program's default database is (not MD5; passwords saved in plaintext)
http:///tian/ Change it to
<% DBPath=Server.MapPath("wz520#.mdb")
Set conn=Server.CreateObject("ADODB.Connection")
conn.Open "Driver={Microsoft Access Driver (*.mdb)};DBQ="&DBPath %>
(the standard Access connection code; the object names were lost in extraction and are restored here)
wz520#.mdb is the database. Change the # to %23 and you can download the database.
4) There is a serious vulnerability in the Qingchuang article system: append /admin_upfile.asp to the URL to upload a WEBSHELL.
You can also use %5c to expose the database (暴库); it works across the board.
"?un .tw/?unid= " injection exists; enter "Unid" as the "feature character".
(The "U" in "Unid" must be capitalized.)
5) Free Power 3.6: upload filtering is not strict; use and modify the upload *s.
E-Era Station vulnerability
Search Baidu for "E-Era Station"
Vulnerability exploit page / upload directly with Veteran
Boiling news system upload vulnerability
Search: Boiling Outlook News System [Core: Chenyuan Yajing] Authorized Use
Vulnerability: there is no strict restriction on spaces.
So we simply select the asp * to upload and append spaces after its name.
Its upload file is
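The trailing-space trick against the Boiling news system works because the extension check runs on the name as submitted while Windows stores it with the trailing spaces and dots removed. As an added defensive example (not from the article or from any of the products named), the check below first normalizes a client-supplied filename to what would actually be stored and only then applies the extension policy, so "shell.asp ", double extensions like "x.asp.jpg" and the IIS 6 "x.asp;.jpg" form are all rejected. The allowed and executable extension sets are assumed policy.

```python
import os
import re

# Policy assumed for an image-only upload point (not taken from the page).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "gif", "png"}
# Extensions the classic IIS/ASP hosts discussed here execute server-side.
EXECUTABLE_EXTENSIONS = {"asp", "asa", "cer", "cdx", "aspx", "ashx", "php", "htr"}

def normalize_name(filename: str) -> str:
    """Reduce a client-supplied name to what Windows/NTFS would actually store.
    Trailing spaces and dots are dropped by the filesystem, which is exactly why
    'shell.asp ' is saved as 'shell.asp' once a naive extension check has passed."""
    name = os.path.basename(filename.replace("\\", "/"))  # drop any directory part
    return name.rstrip(" .").lower()

def safe_stored_name(filename: str):
    """Return the name to store, or None if the upload must be rejected."""
    if "\x00" in filename:
        return None  # null-byte truncation tricks
    name = normalize_name(filename)
    parts = name.split(".")
    if len(parts) < 2 or not re.fullmatch(r"[a-z0-9_\-]+", parts[0]):
        return None  # no extension, or a stem with odd characters
    exts = parts[1:]
    # Every extension in the chain must be plain alphanumerics; this also throws out
    # the IIS 6 style 'x.asp;.jpg' and percent-encoded tails before they are interpreted.
    if any(not re.fullmatch(r"[a-z0-9]+", e) for e in exts):
        return None
    if any(e in EXECUTABLE_EXTENSIONS for e in exts) or exts[-1] not in ALLOWED_EXTENSIONS:
        return None
    return name
```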