Super·Hei and I were discussing the article "Backing up a shell", and he asked me whether, following that article, the same trick could be used against the Dvbbs forum, since Dvbbs 7.0 is itself written in ASP and, once the settings allow uploading of ASP files, such files can in fact be uploaded. Since an attacker can get into the admin backend and change the allowed upload types anyway, why not use the backup feature to obtain a webshell: post a message containing webshell code, back up the database, and would you not then have a webshell? Does this work with the Access database? Experiment showed that it is not feasible, but Super·Hei told me about another method and, because he wanted to check it, I analysed it and wrote it up. I have been working with PHP for a long time, so this analysis of Dvbbs may have shortcomings; please point them out.
Note: how to get into the admin backend is outside the scope of this article. That is the limitation here, and it is left to the reader.
Analysis of the Access edition
First let's take a look at the UpData() subroutine in the admin_data.asp file:
Sub UpData()
    dbpath = Request.Form("dbpath")
    dbpath = Server.MapPath(dbpath)
    bkfolder = Request.Form("BKFolder")
    bkdbname = Request.Form("BKDBName")
    Set fso = Server.CreateObject("Scripting.FileSystemObject")
    ' Neither the source path nor the destination name is checked for file type:
    ' dbpath only has to exist, and bkdbname may carry any extension
    If fso.FileExists(dbpath) Then
        If CheckDir(bkfolder) = True Then
            fso.CopyFile dbpath, bkfolder & "/" & bkdbname
        Else
            MakeNewsDir bkfolder
            fso.CopyFile dbpath, bkfolder & "/" & bkdbname
        End If
        Response.Write "Backup database success, the path of your backed-up database is " & bkfolder & "/" & bkdbname
    Else
        Response.Write "Can't find the file you need to back up."
    End If
End Sub
The code above performs the backup operation and is easy to understand: as long as dbpath exists, the file is copied directly to the specified directory under the specified name. Perhaps the developers assumed that an intruder could never reach the admin backend (whether through lying or eavesdropping), so there is no check at this point that the source really is a database, which means we can use the "picture" we uploaded here.
Using it on the Access edition
Post a fake picture that contains ASP code, then note its upload path, such as UploadFile/2004-6/20046272411024.jpg. Then open "Backup Database" in the admin backend and fill in the form as follows:
Current database path (relative path): UploadFile/2004-6/20046272411024.jpg
Backup database directory (relative path): any directory
Backup database name (fill in the name): change it to Webshell.asp
You then have a webshell.
Analysis of the SQL edition
It is still the database backup feature. Don't be misled because the page only seems to explain how to use SQL Enterprise Manager; it is actually usable. Let's look at the following code from the admin_data.asp file:
Case "restoredata"    ' Data recovery
    Admin_Flag = ",32,"
    Dim Backpath
    If Not Dvbbs.Master Or InStr("," & Session("flag") & ",", Admin_Flag) = 0 Then
        ErrMsg = ErrMsg & "..."    ' message text elided in the original
        Dvbbs_Error()
    Else
        If Request("act") = "restore" Then
            dbpath = Request.Form("dbpath")
            Backpath = Request.Form("Backpath")
            If dbpath = "" Then
                Response.Write "Please enter the full name of the file you want to restore"
            Else
                dbpath = Server.MapPath(dbpath)
            End If
            Backpath = Server.MapPath(Backpath)
            Set fso = Server.CreateObject("Scripting.FileSystemObject")
            ' Again no file type check: any existing file is copied to any destination name
            If fso.FileExists(dbpath) Then
                fso.CopyFile dbpath, Backpath
                Response.Write "Successfully recovered data!"
            Else
                Response.Write "There is no backup file in the backup directory!"
            End If
        Else
            Call RestoreData()
        End If
    End If
This code is reachable from the admin backend, and you can see that the same method as in the Access edition applies: just submit the parameters from a local form, because the two variables dbpath and Backpath are read with Request.Form and the file type is never checked, and the SQL edition of this file contains a great deal of this code. Hence the security hazard. The principle of this vulnerability is the same as in the Access edition, so there is not much more to analyse.
Using it on the SQL edition
Again post a fake picture containing ASP code, then note its upload path, such as UploadFile/2004-6/20046272411024.jpg, and write a local submission form; the code is as follows:
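Both the Access backup routine and the SQL restore branch above have the same defect: the source path and destination name come straight from Request.Form with no file type check. The following hardened UpData() is an added example (not Dvbbs's own code) showing the checks a fix needs; it assumes the same form fields and the CheckDir/MakeNewsDir helpers from admin_data.asp, and BACKUP_ROOT is an assumed fixed directory that backups are confined to.

```vbscript
<%
' Hardened replacement for UpData() (added example, not Dvbbs code).
' BACKUP_ROOT is an assumed fixed backup directory; the user no longer chooses the folder.
Const BACKUP_ROOT = "databackup/"

Function HasMdbExtension(name)
    ' Only Access database files may be copied in either direction
    HasMdbExtension = (Len(name) > 4 And LCase(Right(name, 4)) = ".mdb")
End Function

Function IsPlainFileName(name)
    ' A bare file name: no directory separators, no parent references, no NUL byte
    IsPlainFileName = (Len(name) > 0 And InStr(name, "/") = 0 And InStr(name, "\") = 0 _
        And InStr(name, "..") = 0 And InStr(name, Chr(0)) = 0)
End Function

Sub UpData()
    Dim dbpath, bkdbname, fso, src, dst
    dbpath   = Request.Form("dbpath")
    bkdbname = Request.Form("BKDBName")

    ' Source and destination must both be .mdb, so an uploaded "picture" holding
    ' ASP code can never be copied out under a name such as Webshell.asp
    If Not (HasMdbExtension(dbpath) And HasMdbExtension(bkdbname)) Then
        Response.Write "Only .mdb files can be backed up."
        Exit Sub
    End If
    If Not (IsPlainFileName(bkdbname) And InStr(dbpath, "..") = 0 And InStr(dbpath, Chr(0)) = 0) Then
        Response.Write "Invalid file name."
        Exit Sub
    End If

    src = Server.MapPath(dbpath)
    dst = Server.MapPath(BACKUP_ROOT & bkdbname)   ' destination folder is fixed, not user-controlled
    Set fso = Server.CreateObject("Scripting.FileSystemObject")
    If Not fso.FileExists(src) Then
        Response.Write "Can't find the file you need to back up."
        Exit Sub
    End If
    If CheckDir(BACKUP_ROOT) <> True Then MakeNewsDir BACKUP_ROOT
    fso.CopyFile src, dst
    Response.Write "Backup database success: " & BACKUP_ROOT & bkdbname
End Sub
%>
```

The restore branch needs the same treatment: both dbpath and Backpath should pass HasMdbExtension and the path checks before Server.MapPath and CopyFile are called.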