Article Source: Perl
2004 brought us many wonderful things, and for once let us not start with hackers. Our country made progress in many areas this year: joining the WTO, active diplomacy, a rising international status, the Olympics, Guangzhou Shenya and so on, all of which reflect an increasingly prosperous Chinese nation.
The country is progressing, the world is progressing, and we learners must progress too. So today I bring everyone a vulnerability in the Flying Dragon article system and the use of that vulnerability; what I really want to convey in this article is a way of thinking about learning:
Quoting the last paragraph of the veteran's article:
Admin_upfile.asp
User_upfile.asp
These two files simply reproduce the upload vulnerability that circulated on the net earlier, and both can be operated without logging in. However, when using this site's upload tool, pay attention to the artid=1111 entry in the cookies field;
The file name is based on ArtID.
Ok, the veteran has pointed out the vulnerability; let's find a Flying Dragon article system and first understand the cause of the vulnerability.
Find the admin_upfile.asp file, then look for the following code (the excerpt on the page stops before the end of the if block; the closing end if is restored below):

dim FilePath, Object, upload, iCount, FormPath, FileExt, ArtID, FileName
' No login check anywhere above this point: the cookie is the only input.
if request.Cookies("ArtID") = 0 then
    ' No ArtID cookie yet: create a placeholder article and use its new ID.
    conn.execute("insert into article (subject, content) values ('news', 'news')")
    set rs = conn.execute("SELECT TOP 1 Artid from Article Order By Addtime Desc")
    Artid = Int(rs(0))
    rs.close()
    set rs = Nothing
    Response.cookies("artid") = Artid
else
    ' ArtID cookie present: taken from the client as-is, without validation.
    ArtID = Request.Cookies("artid")
end if
I think any friend who can read ASP will understand this at once. Before uploading, the file first reads the cookie to see whether there is already a basis for the file name; if there is, the system accepts it, writes the newly uploaded file into the database and performs the upload; otherwise the upload is not performed.
Looking further down the code, the upload part is almost the same as the upload scripts circulating online; the line we care about is this one:

FileName = FormPath & Artid & "-" & iCount + 1 & "." & Fileext

This line explains the file name: it takes the form path + ArtID + "-" + counter + "." + extension. So the veteran's remark, "When uploading, pay attention to artid=1111 in the cookies field; the file name is based on ArtID", is now easy to understand.
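As an added example (not code from the original article or from the Flying Dragon system), here is a small Python model of the decision the upload handler makes, with the handler's own logic beside a hardened form. It shows the two things the ASP excerpt above gets wrong: the ArtID comes from a client-set cookie with no login check, and the extension is taken verbatim into a predictable file name. The names UPLOAD_DIR, ALLOWED_EXT, Request and the session fields are assumptions chosen for illustration.

```python
"""
Added example, not from the original article: a model of the upload
handler's naming and authorisation logic, vulnerable form vs. hardened form.
Field and function names are assumptions for illustration only.
"""
import re
import secrets
from dataclasses import dataclass, field

UPLOAD_DIR = "uploadfile/"                    # assumed; stands in for FormPath
ALLOWED_EXT = {"jpg", "jpeg", "gif", "png"}   # assumed image-only allowlist


@dataclass
class Request:
    cookies: dict = field(default_factory=dict)   # fully client-controlled
    session: dict = field(default_factory=dict)   # server-side session state
    upload_name: str = ""                         # file name from the form


def vulnerable_target_name(req: Request, count: int) -> str:
    """Mirrors admin_upfile.asp: trusts the ArtID cookie and the client's
    extension and never asks whether the caller is logged in."""
    artid = req.cookies.get("artid", "")
    if artid in ("", "0"):
        artid = "1"        # the real code inserts a placeholder article here
    ext = req.upload_name.rsplit(".", 1)[-1]      # extension taken verbatim
    # FileName = FormPath & Artid & "-" & iCount + 1 & "." & Fileext
    return f"{UPLOAD_DIR}{artid}-{count + 1}.{ext}"


def hardened_target_name(req: Request, count: int) -> str:
    """Hardened form: login required, ArtID bound to the server session
    instead of a cookie, extension checked against an allowlist, and a
    random token in the stored name so it cannot be predicted."""
    if not req.session.get("admin_logged_in"):
        raise PermissionError("login required")
    artid = req.session.get("artid")
    if not isinstance(artid, int) or artid <= 0:
        raise PermissionError("no article bound to this session")
    ext = req.upload_name.rsplit(".", 1)[-1].lower()
    if not re.fullmatch(r"[a-z0-9]{1,5}", ext) or ext not in ALLOWED_EXT:
        raise ValueError(f"extension not allowed: {ext!r}")
    token = secrets.token_hex(8)
    return f"{UPLOAD_DIR}{artid}-{count + 1}-{token}.{ext}"


def compare(req: Request, count: int) -> dict:
    """Run both handlers on one request and report what each would do."""
    result = {"vulnerable": vulnerable_target_name(req, count)}
    try:
        result["hardened"] = hardened_target_name(req, count)
    except (PermissionError, ValueError) as exc:
        result["hardened"] = f"rejected: {exc}"
    return result


if __name__ == "__main__":
    # Constructed request: no session, only a cookie the client chose.
    anon = Request(cookies={"artid": "1111"}, upload_name="page.asp")
    print(compare(anon, 0))
```

The vulnerable function accepts the anonymous request and names the file 1111-1.asp, exactly the pattern the veteran describes; the hardened one stops at the login check before the name is ever built.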
How about that? Doesn't it feel simple once you have read it, heh heh...
Ok, enough about the principle; let's look at the specific operation:
(1) Preparation tools: the veteran's upload tool, an ASP Trojan, Fpipe.exe, Serv-U, a back door (I use Radmin), and a browser (what? Brothers who want to play with him by hand... that is simply a waste of time..... ^_^!).
(2) Search for the keyword "Flying Dragon Article Management System Copyright and Disclaimer"; this keyword turns up quite a lot more than the keyword "Article.asp?Artid=" ^_^.
(3) The file found is copyright.asp; change it to admin_upfile.asp. If a picture appears, the site has this file and has the vulnerability.
As for those error messages, don't worry about them; who told the intruder to have no permissions ~ oh......
(4) Open the veteran's upload tool, fill in the site's upload address, and add one cookie:
Artid=1111; as shown in Figure 2:
(5) Then just wait a little; it is done in a moment. See, is ours ready? Figure 3:
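From the defender's side, the sequence in steps (3) to (5) leaves a recognisable trace in the web server log: a client that has never logged in hits admin_upfile.asp or user_upfile.asp, and shortly afterwards a file with a script extension is requested from the upload directory. The detector below is an added example, not part of the original article; it assumes (these are not on the page) that the login script is /admin_login.asp and answers a successful POST with a 302, that uploads land under /uploadfile/, and that the logs are in IIS W3C format. The log lines are constructed for the example.

```python
"""
Added example, not from the original article: flag, in IIS W3C log lines,
requests to the two upload scripts from clients with no prior login, and
requests for script files inside the upload directory.
"""
import re

UPLOAD_SCRIPTS = {"/admin_upfile.asp", "/user_upfile.asp"}   # named on the page
LOGIN_SCRIPT = "/admin_login.asp"       # assumption: the site's login page
UPLOAD_DIR = "/uploadfile/"             # assumption: where uploads are stored
# Extensions IIS 5 maps to asp.dll, i.e. files that run as server-side code.
SCRIPT_EXT = re.compile(r"\.(asp|asa|cer|cdx)$", re.IGNORECASE)

# Constructed sample log (W3C extended format, fields listed in the header).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-11-02 10:15:01 203.0.113.5 GET /copyright.asp - 200
2004-11-02 10:15:09 203.0.113.5 GET /admin_upfile.asp - 200
2004-11-02 10:15:40 203.0.113.5 POST /admin_upfile.asp - 200
2004-11-02 10:16:02 203.0.113.5 GET /uploadfile/1111-1.asp - 200
2004-11-02 10:20:00 198.51.100.7 GET /admin_login.asp - 200
2004-11-02 10:20:30 198.51.100.7 POST /admin_login.asp - 302
2004-11-02 10:21:00 198.51.100.7 POST /admin_upfile.asp - 200
2004-11-02 10:21:20 198.51.100.7 GET /uploadfile/7-1.jpg - 200
"""


def parse(lines):
    """Yield one dict per request line; header and blank lines are skipped."""
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        date, time, ip, method, stem, _query, status = line.split()
        yield {"ts": f"{date} {time}", "ip": ip, "method": method.upper(),
               "stem": stem.lower(), "status": int(status)}


def detect(lines):
    """Return (timestamp, client, reason) tuples for suspicious requests.
    Login state is tracked per client address in order of the log."""
    alerts = []
    logged_in = set()
    for r in parse(lines):
        if r["stem"] == LOGIN_SCRIPT and r["method"] == "POST" and r["status"] == 302:
            logged_in.add(r["ip"])
            continue
        if r["stem"] in UPLOAD_SCRIPTS and r["ip"] not in logged_in:
            alerts.append((r["ts"], r["ip"],
                           f"{r['method']} {r['stem']} without prior login"))
        if r["stem"].startswith(UPLOAD_DIR) and SCRIPT_EXT.search(r["stem"]):
            alerts.append((r["ts"], r["ip"],
                           f"script requested from upload dir: {r['stem']}"))
    return alerts


if __name__ == "__main__":
    for ts, ip, reason in detect(SAMPLE_LOG.splitlines()):
        print(ts, ip, reason)
```

The first client produces three alerts (the probing GET, the upload POST and the later request for 1111-1.asp), while the second client, which logged in first and fetched an image, produces none. In a real deployment the login detection would use whatever the site's authentication endpoint actually is, and the upload directory should in any case have script execution disabled in IIS so that the third alert cannot correspond to code that ran.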
Ok, the WebShell is obtained. Next we need to get administrator privileges, which is the ultimate goal of every hacker's intrusion.
Using this little Trojan I wrote in a Haiyang shell; it looks more intuitive... Let's see whether it can execute a command.
Oops, cmd.exe can't be used. What? Someone says: "This road is closed to us." He won't give me his, so I can use my own, haha... To keep it hidden, I put my cmd.exe into Documents and Settings/All Users/Documents; of course you can also put it in another writable directory, such as C:/Winnt/System32/InetSRV/DATA, which is also writable by default. Why waste what Microsoft gives us? ^_^
Ok, let's use Haiyang to call this cmd and see:
Heh heh... there it is; this one really is the real thing, ^_^.
Continuing: net start shows that Serv-U is present. Which version? I pay very little attention to that, because I use port forwarding to escalate privileges, so there is no need to look at whether the version is vulnerable, where its directory is, or whether it is writable. If the port cannot be connected after forwarding, it may be the firewall blocking it, because this method works on all versions of Serv-U. We use Haiyang to execute fpipe -v -l 12345 -r 43958 127.0.0.1; this command means forwarding the data of the local port 43958 to port 12345. What depressed me is that this cmd could not run the command successfully... Sweat!! No fear! We have another weapon: WSH, which Haiyang 2005 has already prepared for us; just use it directly.
Then open Serv-U for a remote connection (I won't say much about this; I'm afraid the editor would cut it ^_^!). Add a Serv-U super user, escalate privileges, upload the back door, give it a rootkit too, open a terminal, replace a service, make a hidden account, plant a tiny ASP back door, change the file times... (I'm dizzy... that's enough...); this is enough to keep me busy for half a year ^_^. The things in this article are all very old techniques, but old does not necessarily mean useless. One "theft", Serv-U privilege escalation a second "theft", and the learning method a third "theft": I have to say, don't only learn hacking; "stealing" is wonderful!