Author: angel
Article type: Original
Release date: 2004-06-27
Discovery: Super·Hei
Analysis: angel
Environment / discussion: xiaolu
Cheering on: knife

Preface

Super·Hei and I were talking about the article "Backing up a shell" mentioned above, and I said that, following that article, there ought to be a way to use it against the mobile network forum (Dvbbs). Dvbbs 7.0 is actually unpredictable here: if the settings allow uploading ASP files, then since files can be uploaded, and since the allowed upload file types can be changed in the background settings, why not use this method to back up a WebShell? We post a message containing specially crafted WebShell code, then back it up, and don't we then have a WebShell? Would this work with the Access database? Experiment proved that it is not feasible, but Super·Hei told me another method; because he had an exam to sit, I did the analysis and wrote it up. I have been doing PHP for a long time, so this analysis of Dvbbs may have deficiencies; please correct me where I am wrong.

Note: how to get into the background is outside the scope of this article. That limitation stands; it is up to everyone to explore for themselves.

Access version: analysis

First let's look at the updata() function in the admin_data.asp file:

Program code:

    Sub updata()
        Dbpath = Request.Form("Dbpath")
        Dbpath = Server.MapPath(Dbpath)
        bkfolder = Request.Form("bkfolder")
        bkdbname = Request.Form("bkdbname")
        Set Fso = Server.CreateObject("Scripting.FileSystemObject")
        If Fso.FileExists(Dbpath) Then
            If CheckDir(bkfolder) = True Then
                Fso.CopyFile Dbpath, bkfolder & "/" & bkdbname
            Else
                MakeNewsDir bkfolder
                Fso.CopyFile Dbpath, bkfolder & "/" & bkdbname
            End If
            Response.Write "Backup database succeeded; your backed-up database path is " & bkfolder & "/" & bkdbname
        Else
            Response.Write "Cannot find the file you need to back up."
        End If
    End Sub
The above code performs the backup operation, and it is easy to understand: as long as Dbpath exists, the file is copied directly to the specified directory. Perhaps the developers assumed that an intruder cannot get into the background (unless an administrator is tricked or eavesdropped on), so there is no check at this point that the file being "backed up" is actually a database. That means we can point it at the "picture" we uploaded.

Access version: exploitation
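The missing check is the whole problem: updata() will copy any file the form names to any name the form names. As an added example (not Dvbbs code, and not from the article's author), here is how a hardened version of that routine can close the hole. It assumes the live database sits in a directory named data and that backups go under data/backup; both directory names, the .mdb extension and the procedure name SafeBackup are assumptions for the example. The same validation applies to the SQL version's RestoreData branch discussed later, which takes its dbpath and backpath from Request.Form in the same way.

```vbscript
' Added example, not Dvbbs code: a backup routine that only copies a real
' database file, by a bare file name, into a fixed backup directory.
' Assumed layout: live database under "data", backups under "data/backup".
Sub SafeBackup()
    Dim dbname, bkdbname, fso, dbRoot, bkRoot, srcPath, dstPath
    dbname   = Request.Form("Dbpath")
    bkdbname = Request.Form("bkdbname")

    ' 1. The form names a file, never a path: refuse separators and "..",
    '    so the caller cannot reach UploadFile or any other directory.
    If InStr(dbname, "/") > 0 Or InStr(dbname, "\") > 0 Or InStr(dbname, "..") > 0 _
       Or InStr(bkdbname, "/") > 0 Or InStr(bkdbname, "\") > 0 Or InStr(bkdbname, "..") > 0 Then
        Response.Write "Invalid file name."
        Exit Sub
    End If

    ' 2. Both the source and the destination must carry the database extension,
    '    so the copy can never turn an uploaded file into a script file.
    If LCase(Right(dbname, 4)) <> ".mdb" Or LCase(Right(bkdbname, 4)) <> ".mdb" Then
        Response.Write "Only .mdb database files can be backed up."
        Exit Sub
    End If

    ' 3. Resolve against fixed roots chosen by the server, not by the request.
    dbRoot  = Server.MapPath("data")          ' assumed location of the live database
    bkRoot  = Server.MapPath("data/backup")   ' assumed backup directory
    srcPath = dbRoot & "\" & dbname
    dstPath = bkRoot & "\" & bkdbname

    Set fso = Server.CreateObject("Scripting.FileSystemObject")
    If Not fso.FileExists(srcPath) Then
        Response.Write "Cannot find the database to back up."
        Exit Sub
    End If
    If Not fso.FolderExists(bkRoot) Then fso.CreateFolder bkRoot
    fso.CopyFile srcPath, dstPath, True
    Response.Write "Backup succeeded: " & bkdbname
End Sub
```

The name checks are a defence in depth, not the only line: the upload directory and the backup directory should also have script execution disabled in IIS, so that even a file that does slip through with a script extension is served as plain content rather than run. An unexpected extension or a path separator in these form fields is also worth logging, since a legitimate administrator backing up the database has no reason to send either.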
Post a fake picture that contains ASP code, then remember its upload path, for example UploadFile/2004-6/20046272411024.jpg. Then go to "Backup Database" in the background and fill in the form as follows:

    Current database path (relative path): UploadFile/2004-6/20046272411024.jpg
    Backup database directory (relative path): any directory you choose
    Backup database name (fill in the name): Webshell.asp

Submit, and you have your WebShell.

SQL version: analysis

This is also the backup-data function. Don't be misled by the fact that it appears to be teaching you how to use SQL Enterprise Manager; it is actually usable. Don't be blinded by appearances. Let's look at the following code in admin_data.asp:
Program code:

    Case "RestoreData"   ' Restore data
        Admin_Flag = ",32,"
        Dim Backpath
        If Not Dvbbs.Master Or InStr("," & Session("Flag") & ",", Admin_Flag) = 0 Then
            ErrMsg = ErrMsg
These are the lines you see in the background, and as you can see we can use the same method as with Access: just submit the parameters from a local form, because the two variables dbpath and backpath are taken from Request.Form with no check of the file type at all. What's more, the SQL version has many more places like this than the Access version, so there is a real security hazard. The principle of this vulnerability is the same as in the Access version, so it needs no further analysis.

SQL version: exploitation

Again post a fake picture containing ASP code, remember its upload path, for example UploadFile/2004-6/20046272411024.jpg, and write a local submission form; the code is as follows:
Program code: