Author: LvHuaNa [F.S.T]  Source: http://lvhuana.blogchina.com/  Published: 2005-04-01 10:40:13
Today my wife came to me with a music website that has a lot of mixes. Maybe they're great, who knows, I don't like that stuff. But since I brag all day about being a hacker, and my wife wants those mixes, I have no way out: for the sake of marital bliss and my better half, somebody is going to get done over. So off I went. First to http://www.spmix.com/ for a look: hey, .asp scripts, looks good. Saw the forum and hurried over: LeadBBS v2.88, dizzy, I had never seen this version. To save time I fell back to the other sub-sites to look for a vulnerability. After going through the site I found no database or conn.asp type of vulnerability; it seemed I had to find somewhere else to break through. Then I found the sub-site http://www.spmix.com/all/dj/, opened the latest hot file inside and looked at the URL: http://www.spmix.com/all/dj/articleshow.asp?articleid=379. articleshow.asp?articleid=379 looked so familiar, but I forgot which system it was. Depressing, heh. First I appended "and 1=1" and "and 1=2"; different pages came back, so basically the injection point was judged to exist. Out came Ah-D (hey, I'm lazy, I only love using tools). After a while the administrator account and password came out (Figure 1); depressingly the password was a 16-character MD5 hash. I took the lovely Dvbbs (动网) MD5 cracker to run the MD5 password. While the password was running, I used Ah-D to guess the website's back-end login address; hey, making good use of the time is important. In just a few minutes the password and the back-end address were both out (Figure 2, Figure 3). Happy, my luck was really good today, the MD5 cracked. With the account and password in hand I logged into the back end successfully. Damn, it was only a column administrator: I could only add and approve articles, and there was no lovely upload or database backup type of function to use.
Looking carefully, I suddenly saw the FAQ (Figure 4), which gave the default database name. Try it; if the database name had been changed, then it seemed I would have to admit to my wife that I had only been bragging. I typed the default database address http://www.spmix.com/all/dj/Database/Article.asp into IE, and I nearly fainted: he really hadn't renamed the database, the database has an .asp suffix, and no anti-download handling had been done at all. I thought of inserting into the database (hey, a simple way to get a WebShell). Went back to the home page to register an ID first; from experience, usually nothing is done to the input and the data goes straight into the database. In the password-question field I filled in Lanping's (蓝屏) one-sentence Trojan, then registered, then brought out Lanping's one-sentence Trojan client page to submit data to the database. Submit it, heh, and the lovely WebShell appeared (Figure 6). Then I used the WebShell I got to write a big WebShell; I like the Haiyang series, it's powerful, so I wrote in the newly released 2006a, heh.
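The two things the story has exploited so far, a boolean-based injection probe ("and 1=1" / "and 1=2") and a direct download of an Access database left under the web root with an .asp suffix, both leave a clear trace in the web server log. The script below is an added example written for this page from the defender's side; it is not the author's code. It parses a handful of constructed IIS-style log lines (date, time, client IP, method, URI stem, URI query, status; the paths mirror the article, the traffic is invented) and flags both patterns, then reports any client that sent a matching true/false probe pair, which is a much stronger signal than a single odd request. The /database/ path and the .asp/.mdb suffixes are assumptions taken from the site layout described above.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS-style log lines modelled on the article's requests. Not real traffic.
SAMPLE_LOG = """\
2005-04-01 10:01:02 10.0.0.5 GET /all/dj/articleshow.asp articleid=379 200
2005-04-01 10:01:09 10.0.0.5 GET /all/dj/articleshow.asp articleid=379%20and%201=1 200
2005-04-01 10:01:11 10.0.0.5 GET /all/dj/articleshow.asp articleid=379%20and%201=2 200
2005-04-01 10:05:30 10.0.0.5 GET /all/dj/Database/Article.asp - 200
2005-04-01 10:06:02 10.0.0.7 GET /all/dj/articleshow.asp articleid=380 200
2005-04-01 10:06:40 10.0.0.7 GET /all/dj/articleshow.asp articleid=380%20and%201=1 200
"""

# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")
# "and <n>=<m>" appended to a parameter: the classic boolean probe. Groups give n and m.
BOOL_PROBE = re.compile(r"\band\s+(\d+)\s*=\s*(\d+)", re.IGNORECASE)
# Direct request for a database file under /database/ (assumed layout, from the article).
DB_FILE = re.compile(r"/database/[^/]+\.(?:asp|mdb)$", re.IGNORECASE)


def parse_line(line):
    """Split one log line into a dict, URL-decoding the query; None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    date, time_, ip, method, stem, query, status = m.groups()
    return {"date": date, "time": time_, "ip": ip, "method": method, "stem": stem,
            "query": "" if query == "-" else unquote_plus(query), "status": int(status)}


def triage(log_text):
    """Return (kind, ip, stem, query) findings for probes and database-file requests."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        m = BOOL_PROBE.search(rec["query"])
        if m:
            # "1=1" is the always-true half of the pair, "1=2" the always-false half.
            outcome = "true" if m.group(1) == m.group(2) else "false"
            findings.append(("sqli-probe-" + outcome, rec["ip"], rec["stem"], rec["query"]))
        if DB_FILE.search(rec["stem"]):
            findings.append(("db-file-request", rec["ip"], rec["stem"], rec["query"]))
    return findings


def paired_probe_ips(findings):
    """IPs that sent both a true and a false probe: the signature of a differential test."""
    seen = {}
    for kind, ip, _stem, _query in findings:
        if kind.startswith("sqli-probe-"):
            seen.setdefault(ip, set()).add(kind)
    return sorted(ip for ip, kinds in seen.items()
                  if {"sqli-probe-true", "sqli-probe-false"} <= kinds)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
    print("paired probes from:", paired_probe_ips(SAMPLE_LOG and triage(SAMPLE_LOG)))
```

The db-file-request finding is the one that matters most here: a 200 response on a path like that means the database itself is being served, and the fix is to move it outside the web root (or at least stop IIS from serving .mdb/.asp database files), which also closes the "write a one-sentence Trojan into a user field" route used next in the story.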
After writing in 2006a and logging in to it, I browsed around the hard disk. I found this machine was quite strict: I couldn't browse directories outside the website, and I didn't find the mixes I wanted; sweat, even with a WebShell I couldn't find where the music was hidden... Went back to execute CMD; cmd commands couldn't be run. If I had the permissions, no matter where he put the music, we could get it. Went into the WScript.Shell command-line module, entered net start, and was surprised to find that CMD commands could be executed there, and saw that the lovely Serv-U FTP Server was among the running services; hey, this was likely a way to escalate privileges. Not only the Serv-U service, but I also saw that the lovely Terminal Services was running too, hey, double luck, there might be a 3389 broiler to be had. Did a netstat -an first to look at the ports and found TCP port 43958 open: this administrator apparently had not changed the dangerous Serv-U defaults. Went back to the FSO file browser module to upload Su.exe, the Serv-U local privilege escalation; here I renamed Su.exe to Test.jpg before uploading (don't worry, heh, under the shell no matter what the suffix is, it runs as an .exe, ^_^). After uploading, went back to the WScript.Shell command-line module and executed:

d:\spmix.com\www.spmix.com\all\dj\database\test.jpg "cacls.exe C:\ /E /T /G Everyone:F"
d:\spmix.com\www.spmix.com\all\dj\database\test.jpg "cacls.exe D:\ /E /T /G Everyone:F"
d:\spmix.com\www.spmix.com\all\dj\database\test.jpg "cacls.exe E: /E :F"

giving Everyone full control of C:, D: and E:. OK, it executed smoothly (Figure 7).
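What made the escalation possible was posture, not cleverness: Serv-U's local administration port (43958) left at its default, Terminal Services reachable, an FTP daemon on a box that only needed to serve a website, and then a drive-wide Everyone:F ACL once the attacker had SYSTEM. The script below is an added example for this page, not the author's or the site's code: it parses constructed Windows netstat -an and cacls output (modelled on what the article reports, not captured from the real machine) and reports the listeners and ACL entries an administrator should be asked to justify. The RISKY_PORTS table and the BROAD_ACCOUNTS set are this example's assumptions about what is suspicious on a web-only server.

```python
import re

# Constructed "netstat -an" output modelled on the article's findings. Not real output.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:43958        0.0.0.0:0              LISTENING
  TCP    10.0.0.2:80            10.0.0.5:1034          ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# Constructed "cacls C:\ D:\" output after the Everyone:F change described above.
SAMPLE_CACLS = r"""C:\ BUILTIN\Administrators:(OI)(CI)F
    NT AUTHORITY\SYSTEM:(OI)(CI)F
    Everyone:(OI)(CI)F
D:\ BUILTIN\Administrators:(OI)(CI)F
    NT AUTHORITY\SYSTEM:(OI)(CI)F
    BUILTIN\Users:(OI)(CI)R
"""

# Assumed list of ports that need an explanation on a web-only server.
RISKY_PORTS = {
    43958: "Serv-U local administration port at its default",
    3389: "Terminal Services (RDP) reachable",
    21: "FTP service running on the web server",
}
# Accounts that should never hold write/full control on a drive root.
BROAD_ACCOUNTS = {"everyone", r"builtin\users", "authenticated users"}

LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$", re.IGNORECASE)
# Optional "X:\path " prefix on the first ACE line, then "account:perms".
ACE_RE = re.compile(r"^(?:([A-Za-z]:\\\S*)\s+)?(.+?):((?:\([A-Z]+\))*[A-Z]+)\s*$")


def listening_ports(netstat_text):
    """Map each TCP LISTENING port to the address it is bound on."""
    ports = {}
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            ports[int(m.group(2))] = m.group(1)
    return ports


def audit_listeners(netstat_text):
    """(port, bind address, reason) for every risky port that is actually listening."""
    ports = listening_ports(netstat_text)
    return sorted((p, ports[p], why) for p, why in RISKY_PORTS.items() if p in ports)


def weak_acl_entries(cacls_text):
    """(path, account, perms) for broad accounts holding Full, Write or Change on a path."""
    findings, current = [], None
    for line in cacls_text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue
        path, account, perms = m.groups()
        if path:
            current = path          # continuation lines belong to the last path seen
        account = account.strip()
        if account.lower() in BROAD_ACCOUNTS and perms[-1] in "FWC":
            findings.append((current, account, perms))
    return findings


if __name__ == "__main__":
    for finding in audit_listeners(SAMPLE_NETSTAT):
        print("port:", finding)
    for finding in weak_acl_entries(SAMPLE_CACLS):
        print("acl :", finding)
```

Note that 43958 is bound to 127.0.0.1 in the sample, exactly as Serv-U shipped it; the point of the article is that loopback-only is no protection once an attacker already runs code on the host as the web server account, so the finding is reported regardless of bind address.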
Then, after searching each drive for a while, I finally found all the .mp3 music in the D:\MP3.spmix.com\dingshi\ folder. I uploaded a RAR.exe (here renamed Test1.jpg) into the D:\spmix.com\www.spmix.com\all\dj\database\ folder, went back to the WScript.Shell command-line module and executed the packing command:

d:\spmix.com\www.spmix.com\all\dj\database\test1.jpg a -r d:\spmix.com\www.spmix.com\all\dj\database\mp3.rar d:\mp3.spmix.com\dingshi\

which packs all the music files in D:\mp3.spmix.com\dingshi\ into the D:\spmix.com\www.spmix.com\all\dj\database\ folder as mp3.rar.
The execution took quite long because there were many files, beyond the script's maximum run time, but that doesn't matter; after waiting a while I looked in the D:\spmix.com\www.spmix.com\all\dj\database\ folder, and hey, mp3.rar was quietly lying there, ready to download. Mission accomplished! From now on it seems I'll be able to brag in front of my wife. ^_^ After thinking it over, I decided to go further and get the account and password of the terminal administrator; without them it isn't really a broiler, and there's nothing else to do when you're idle. First, in the d:\spmix.com\www.spmix.com\all\dj\database\ folder I created a new file, 1.bat, with the content:

query user > d:\spmix.com\www.spmix.com\all\dj\database\1.txt

then went back to the WScript.Shell command-line module and executed:

d:\spmix.com\www.spmix.com\all\dj\database\test.jpg "d:\spmix.com\www.spmix.com\all\dj\database\1.bat"

The purpose is to see the echoed output of the query user command. If there is a connected user, I can upload Token.exe and FindPass.exe to get the user's account and password. After running the command I returned to the FSO file browser and saw 1.txt already lying there; clicked "Edit" to see the contents, and as expected, there was a terminal user LOGNIC in it (Figure 8). Uploaded Token.exe and FindPass.exe (renamed to T.jpg and F.jpg), then edited 1.bat so the content became:

d:\spmix.com\www.spmix.com\all\dj\database\t.jpg >> d:\spmix.com\www.spmix.com\all\dj\database\1.txt

then went back to the WScript.Shell command-line module and executed:

d:\spmix.com\www.spmix.com\all\dj\database\test.jpg "d:\spmix.com\www.spmix.com\all\dj\database\1.bat"

Then in the FSO file browser I looked at the content of 1.txt again, hey, the PID value and domain of the terminal user LOGNIC came out (Figure 9); now we can run FindPass.exe to get his password.
Then I edited 1.bat so the content became:

d:\spmix.com\www.spmix.com\all\dj\database\f.jpg per-71e34d73e lognic 952 >> d:\spmix.com\www.spmix.com\all\dj\database\1.txt

then went back to the WScript.Shell command-line module and executed:

d:\spmix.com\www.spmix.com\all\dj\database\test.jpg "d:\spmix.com\www.spmix.com\all\dj\database\1.bat"

Finally, back in the FSO file browser, I looked at the content of 1.txt, haha, LOGNIC's password came out (out of respect for personal privacy I won't show it). Mission accomplished: I got the account and password, and there was a terminal broiler too.
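Every tool in the second half of the story (Su.exe, RAR.exe, Token.exe, FindPass.exe) was dropped into the same database folder under the web root with a .jpg name, because the extension does not matter once something can execute it, and the batch files and 1.txt output sat right beside them. A file-integrity sweep of the web root catches exactly that, since a PE executable starts with the "MZ" signature whatever its name. The script below is an added example written for this page, not the author's or the site's code: it builds a constructed web root in a temporary directory that mimics the layout described above (a renamed executable, a batch file, and a genuine image) and walks it, reporting files whose content contradicts their image extension and script files that have no business under a web root. The extension sets are this example's assumptions.

```python
import os
import tempfile

IMAGE_EXT = {".jpg", ".jpeg", ".gif", ".png", ".bmp"}
SCRIPT_EXT = {".bat", ".cmd", ".vbs"}
PE_MAGIC = b"MZ"             # DOS/PE header signature; every Windows .exe starts with it
JPEG_MAGIC = b"\xff\xd8\xff"  # start of a real JPEG


def classify_file(path):
    """Return a finding label for one file, or None if it looks legitimate."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        head = fh.read(4)
    if ext in IMAGE_EXT and head.startswith(PE_MAGIC):
        return "pe-executable-with-image-extension"
    if ext in SCRIPT_EXT:
        return "script-file-in-webroot"
    return None


def scan_webroot(root):
    """Walk the web root and return sorted (relative path, finding) pairs."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            reason = classify_file(full)
            if reason:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings.append((rel, reason))
    return sorted(findings)


def build_sample_tree():
    """Constructed web root: the article's database folder with a renamed executable and a
    batch file dropped in it, plus a genuine image at the top level. Returns the root."""
    root = tempfile.mkdtemp(prefix="webroot_")
    db = os.path.join(root, "all", "dj", "database")
    os.makedirs(db)
    with open(os.path.join(db, "test.jpg"), "wb") as fh:
        fh.write(b"MZ\x90\x00" + b"\x00" * 60)     # PE header start, not a picture
    with open(os.path.join(db, "1.bat"), "w") as fh:
        fh.write("rem constructed sample batch file\n")
    with open(os.path.join(root, "logo.jpg"), "wb") as fh:
        fh.write(JPEG_MAGIC + b"\x00" * 16)         # a real image header is left alone
    return root


if __name__ == "__main__":
    for rel, reason in scan_webroot(build_sample_tree()):
        print(f"{reason:40s} {rel}")
```

Run on a schedule, or triggered by the web server's upload directory changing, this turns the "rename it to .jpg and nobody notices" step into an alert; combined with an upload handler that rejects files whose magic bytes do not match the declared type, it also blocks the upload in the first place.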