A server for telecommunications got a MSSQL's ordinary account. After logging in, exec Master.dbo.xp_dirtree 'c: /', 1, 1, found that Mysql, Tomcat, PHP, etc., a lot of things, etc. It seems that a machine for developers is used by the developer. MySQL's password does not seem to be empty, then start with Tomcat, use http: // target: 8080, see the default Tomcat interface, No change, click "Tomcat Manager", and enter the page can list the directory and files under the Tomcat root directory. Here is "UPLOAD A WAR FILE to INSTALL", so I downloaded a JFolder, change the suffix name to WAR, upload Prompt the WAR file error, then a new JFolder directory, copy the jfolder.jsp to this directory, "JAR CVF jfolder / *", (note that if you do not set the JDK path, then you must build the JFolder directory in JDK In the bin directory, otherwise the WAR file will be prompting the path error when the WAR file is decompressed, then upload this WAR file, OK, everything is normal, click on List Applications, now there will be more jfolder directories, enter, click JFolder.jsp, you can get one JSP's WebShell. Since the Tomcat is installed under Windows, many people will install by default, so they basically get System permissions.
SO Easy! All hidden dangers are starting from the default.