Source: Evil Octal Author: Qianjiu City
1. Method
1. Get into the admin backend. Use the CheckUserLogined vulnerability to add a backend administrator directly. I explained this CheckUserLogined vulnerability in detail in "Blog's Nightmare" (/forum/htm_data/10/0508/); in short, it is SQL injection through the cookie.
2. In the backend, under "Website Information Configuration", there is an "Ordinary Member Upload File Type" setting. Add an aaaspspsp type to it.
3. Log in with an ordinary account and go to the upload page at http://blog.***.com/. See that? An extra "aaspsp" type is now offered for upload. OK, change your horse (web shell) to and upload it.
4. Go to your own blog's backend and check: was it uploaded successfully? :)
2. Principle
At first I simply appended "|asp" to "Ordinary Member Upload File Type" in the backend, but the upload failed. So I downloaded oBlog 2.52 and read the code. Let's take a look:
'Initialize upload restricted data
Sub InitUpload()
……
Select Case cint(DecodeCookie((cookiesname)("userlevel")))
Case 7
if rs("upfile_user")="true" then
themax=round(user_maxsize-theuped/1024)
sAllowExt = rs("upfile_user_type") 'Note here, get the type of uploadable file we set in the background, and put it in the sAllowExt variable.
if themax>rs("upfile_user_size") then
nAllowSize = rs("upfile_user_size")
else
nAllowSize = themax
end if
else
sAllowExt = "No upload permission yet"
nAllowSize = 0
end if
……
End Select
sAllowExt = filtfilename(sAllowExt) 'Note: the allowed-type list itself is passed through filtfilename here
……
End Sub
The above code means that if you are an ordinary user (userlevel 7), the string sAllowExt is assigned the "Ordinary Member Upload File Type" value we set in the backend: jpg|png|bmp|rar|zip|asp. But note that sAllowExt is then also passed through filtfilename(). Let's continue:
'Save operation
Sub DoSave()
Set oFile = ("uploadfile")
sFileExt = UCase()
osize =
Call CheckValidExt(sFileExt) 'Check if the file extension is available in sAllowExt
sFileExt=filtfilename(sFileExt) 'And filtfilename appears again, this time on the uploaded extension
……
(sUploadDir & "/"& sFileName)
……
End Sub
The above code means that the file extension must be found in sAllowExt (CheckValidExt) before the upload is accepted. After that, the extension is passed through filtfilename once more before the file is saved to the server. So what exactly does filtfilename do? Let's take a look:
Function filtfilename(filename)
If IsEmpty(filename) Then Exit Function
filename = Lcase(filename)
filename = Replace(filename,Chr(0),"")
filename = Replace(filename,".","")
filename = Replace(filename,"asp","")
filename = Replace(filename,"asa","")
filename = Replace(filename,"aspx","")
filename = Replace(filename,"cer","")
filename = Replace(filename,"cdx","")
filename = Replace(filename,"htr","")
filename = Replace(filename,"asax","")
filename = Replace(filename,"ascx","")
filename = Replace(filename,"ashx","")
filename = Replace(filename,"asmx","")
filename = Replace(filename,"axd","")
filename = Replace(filename,"vsdiso","")
filename = Replace(filename,"rem","")
filename = Replace(filename,"soap","")
filename = Replace(filename,"config","")
filename = Replace(filename,"cs","")
filename = Replace(filename,"csproj","")
filename = Replace(filename,"vb","")
filename = Replace(filename,"vbproj","")
filename = Replace(filename,"webinfo","")
filename = Replace(filename,"licx","")
filename = Replace(filename,"resx","")
filename = Replace(filename,"resou","")
filename = Replace(filename,"jsp","")
filename = Replace(filename,"php","")
filename = Replace(filename,"cgi","")
filtfilename=filename
End Function
It is a blacklist filter, and it is what made the plain "|asp" attempt fail: the "asp" we appended to the allowed-type list is stripped out before the list is ever compared against. Note, though, how it strips: each Replace makes a single left-to-right pass and removes non-overlapping matches, so one call to filtfilename removes only one "layer" of a token. The allowed-type list goes through it once in InitUpload, and the uploaded extension goes through it once more in DoSave. That is why the nested string aaaspspsp from the Method section shows up on the upload page as aaspsp: the first pass removed the inner "asp" and left a string that still contains "asp".
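To make the two-stage filtering concrete, here is an added example that models the Method steps and the Principle section in Python. It is not oBlog's code: filtfilename() is ported from the VBScript above, the default allowed types are the jpg|png|bmp|rar|zip list quoted on the page, and CheckValidExt, which the page does not show, is assumed to be a plain membership test. Python's str.replace, like VBScript's Replace, removes non-overlapping matches in one left-to-right pass, which is the behaviour being demonstrated. A hardened save routine (also added here, not from oBlog) shows one way to close the gap: validate the extension that will actually be written and require it to be a fixed point of the filter.

```python
from __future__ import annotations

# Added example, not oBlog's code: a Python model of the filtfilename()
# pipeline shown on this page.

# Blocked substrings, in the order the page's filtfilename() removes them.
BLOCKED_TOKENS = [
    "asp", "asa", "aspx", "cer", "cdx", "htr", "asax", "ascx", "ashx", "asmx",
    "axd", "vsdiso", "rem", "soap", "config", "cs", "csproj", "vb", "vbproj",
    "webinfo", "licx", "resx", "resou", "jsp", "php", "cgi",
]

# Default "Ordinary Member Upload File Type" value quoted on the page.
DEFAULT_USER_TYPES = "jpg|png|bmp|rar|zip"


def filtfilename(name: str) -> str:
    """Port of the page's filtfilename(): lowercase, drop NUL and '.', then
    remove every blocked token once. str.replace, like VBScript's Replace,
    removes non-overlapping matches in a single left-to-right pass, so a token
    whose removal exposes another copy of itself loses only one layer."""
    if not name:
        return name
    name = name.lower().replace("\x00", "").replace(".", "")
    for token in BLOCKED_TOKENS:
        name = name.replace(token, "")
    return name


def init_upload(user_types: str) -> list[str]:
    """InitUpload, Case 7: the admin-configured list is filtered once."""
    return filtfilename(user_types).split("|")


def check_valid_ext(ext: str, allowed: list[str]) -> bool:
    """CheckValidExt is not shown on the page; assumed here to be a
    case-insensitive membership test against the filtered list."""
    return ext.lower() in allowed


def do_save(upload_ext: str, allowed: list[str]) -> str | None:
    """DoSave as on the page: membership check on the raw extension, then the
    extension is filtered once more. Returns the extension the file is
    actually stored with, or None if the upload is rejected."""
    if not check_valid_ext(upload_ext, allowed):
        return None
    return filtfilename(upload_ext)


def do_save_hardened(upload_ext: str, allowed: list[str]) -> str | None:
    """Hardened variant (added here, not from oBlog): validate the value that
    will actually be written, require it to be a fixed point of the filter so
    no blocked token is hiding inside it, and reject empty results."""
    final = filtfilename(upload_ext)
    if not final or final not in allowed or filtfilename(final) != final:
        return None
    return final


if __name__ == "__main__":
    # Attempt 1 from the page: "|asp" is stripped from the list itself.
    naive = init_upload(DEFAULT_USER_TYPES + "|asp")
    print(naive, do_save("asp", naive))          # 'asp' is not in the list

    # Attempt 2: one pass turns aaaspspsp into aaspsp, which is then allowed,
    # and DoSave's second pass turns the uploaded aaspsp into asp.
    nested = init_upload(DEFAULT_USER_TYPES + "|aaaspspsp")
    print(nested, do_save("aaspsp", nested))     # stored with extension 'asp'
    print(do_save_hardened("aaspsp", nested))    # None: rejected
```

The hardened version does not try to make the blacklist complete; it changes what is validated. Checking the post-filter extension, and insisting that filtering it again changes nothing, means the string that passes the check is the string that reaches the disk.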