Some ideas on getting a WebShell from the admin backend. Author: Super·Hei
Source: BST, http://www.darkne2s.org
Security Angel, http://www.4ngel.net
1. ASP programs (Access / MSSQL)
This mainly uses the backend "Backup Database" / "Restore Database" function of programs built on an Access database: in the "backup database path" field you can give any file the suffix .asp, which directly yields a WebShell. The MSSQL versions of these programs were adapted from the Access-version code, so the SQL version carries the same flaw. For the specific method and analysis, refer to Angel's article "Analysis of WebShells". As far as I know, a great many ASP programs still have this vulnerability in their backends, and the method is much the same for all of them.
2. PHP programs (MySQL)
1. Using the backend's data query function
Some programs' backends provide a direct MySQL query function. We can use it to run a Select ... INTO OUTFILE query that writes its output to a PHP file. Since all the program's data is stored in MySQL, we can first insert our WebShell code into the database by normal means and then export it as a shell with the Select ... INTO OUTFILE statement. We use the IPB forum as a demonstration:
Step 1: write our WebShell code into the database
Find any place where you can write to the database (note that the input may be filtered). Here we create a new forum from the backend and put our shell code, system($c); ?>, in the forum's fields. Submit, and our shell is written into the database.
Step 2: export the WebShell
Go to "SQL Management" -> "MySQL Toolbox" -> "Run Query" and run:
Select * from 123forums INTO OUTFILE 'D:/shell.php'
Here 123forums is the table that holds our shell code, and D:/shell.php is an absolute path inside the web directory.
If the host's MySQL account is allowed to run this query, we get our WebShell:
http://127.0.0.1/test/shell.php?c=dir
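As an added example from the defender's side (not IPB's code and not part of the original article), here is how a backend "run query" console can be kept from becoming a file-writing primitive. The function names, the account name and the paths are assumptions for illustration; the sample queries include the article's own INTO OUTFILE statement.

```php
<?php
// Added example, not IPB's code. Guards a backend "run query" console against
// statements that read or write files on the database host.

// Returns true for statements that can touch server-side files.
// Comments and string literals are blanked first so the keywords cannot be
// hidden inside a comment between INTO and OUTFILE, nor falsely matched
// inside a string literal.
function is_file_io_query(string $sql): bool
{
    $s = preg_replace('~/\*.*?\*/~s', ' ', $sql);            // /* ... */ comments
    $s = preg_replace('~(--|#)[^\r\n]*~', ' ', $s);          // -- and # comments
    $s = preg_replace("~'(?:[^'\\\\]|\\\\.)*'~s", "''", $s); // single-quoted literals
    $s = preg_replace('~"(?:[^"\\\\]|\\\\.)*"~s', '""', $s); // double-quoted literals
    return (bool) preg_match(
        '~\bINTO\s+(?:OUTFILE|DUMPFILE)\b|\bLOAD_FILE\s*\(|\bLOAD\s+DATA\b~i',
        $s
    );
}

// Runs a console query on a dedicated least-privilege connection. The check
// above is only defence in depth: the real control is that the account has
// no FILE privilege and that the server's secure_file_priv is NULL (file
// import/export disabled) or a directory outside the web root, e.g.
//     REVOKE FILE ON *.* FROM 'console'@'localhost';
//     [mysqld]  secure-file-priv = NULL
function run_console_query(PDO $db, string $sql): array
{
    if (is_file_io_query($sql)) {
        throw new RuntimeException('file I/O statements are not allowed from the console');
    }
    $stmt = $db->query($sql);
    return $stmt === false ? [] : $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample input; the second line is the query from the article.
$samples = [
    "SELECT * FROM 123forums",                               // ok
    "SELECT * FROM 123forums INTO OUTFILE 'D:/shell.php'",   // BLOCKED
    "SELECT 1 INTO/**/DUMPFILE '/tmp/x'",                    // BLOCKED (comment stripped)
    "SELECT 'INTO OUTFILE' AS note FROM 123forums",          // ok (only a string literal)
];
foreach ($samples as $q) {
    printf("%-55s %s\n", $q, is_file_io_query($q) ? 'BLOCKED' : 'ok');
}
```

$db is a PDO connection opened as the restricted console account. A keyword check on its own is a weak control, which is why the comment in the block points at the privilege and secure_file_priv settings as the fix that actually closes the technique described above.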
2. Using MySQL database backup
This idea combines the two situations above: when backing up the database, some programs do not restrict the type of the backup file, so it can be exported as a PHP file. As in 1, we first write the WebShell code into the database, then use the database backup to obtain the WebShell. The familiar vBB forum can be used to get a WebShell this way:
Set the user's signature to system($c); then go to the backend's database backup, change the filename in "Backup database to file on the server" to shell.php, and submit. We can then visit our shell in the forum's root directory. Because the backup file may contain everything and be very large, we can instead write a piece of WebShell code that generates a file.
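Both backup-based tricks on this page (the ASP "backup database path" in section 1 and the vBB "backup database to file on the server" field above) come down to the same defect: the administrator controls the suffix and the directory of the file the backup routine writes. As an added example (not the code of vBB or of any program named here; the directory, extension and function name are assumptions), this is the check such a routine needs:

```php
<?php
// Added example, not vBB's or any ASP program's code. The backup routine
// decides the directory and the suffix; the admin only chooses a base name.
const BACKUP_DIR = '/var/backups/app';   // assumed: outside the web root
const BACKUP_EXT = 'sql';                // never a script extension

// Maps the admin-supplied file name to the path that will actually be
// written, or returns null if the name is unacceptable.
function backup_target_path(string $requested): ?string
{
    $base = basename($requested);                     // drops ../ and any directory
    $stem = preg_replace('/\.[^.]*$/', '', $base);    // drops the supplied suffix
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $stem)) {
        return null;                                  // no spaces, dots, NULs, etc.
    }
    return BACKUP_DIR . '/' . $stem . '.' . BACKUP_EXT;
}

// Constructed inputs modelled on the abuse cases described in the article
$requests = [
    'forums-2005-01.sql',   // -> /var/backups/app/forums-2005-01.sql
    'shell.php',            // -> /var/backups/app/shell.sql  (suffix replaced)
    '../htdocs/shell.asp',  // -> /var/backups/app/shell.sql  (directory dropped)
    'a b.php',              // -> null (rejected)
];
foreach ($requests as $r) {
    var_dump(backup_target_path($r));
}
```

With this in place the signature or post content written into the database no longer matters: whatever it contains ends up in a .sql file outside the web root, which the web server never executes. The same rule applies to the "restore database" source path on the ASP side.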
Some ideas on getting a WebShell from the backend - Supplement
Idea:
Use the web backend's system settings: if the system settings are saved in a PHP/ASP file, we can write WebShell code into the settings and have it saved into that PHP/ASP file.
Demo:
Sablog saves its basic settings in admin/settings.php. Since the variables submitted from the backend are not filtered at all, we can write arbitrary code into admin/settings.php.
Enter the backend -> "Basic Settings" -> "Blog Name" -> fill in the code: SSS"; phpinfo();"SS -> submit. This writes phpinfo() into admin/settings.php, and opening admin/settings.php then displays the PHP information page as normal.
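The Sablog demo above is the general pattern: configuration is "saved" by generating PHP source from form fields, so whoever controls a field controls code. As an added example (not Sablog's code; the option names and the file handling are assumptions), here is that pattern beside a version that keeps the same file format but cannot be turned into code execution. The sample input is the page's own payload.

```php
<?php
// Added example, not Sablog's code. The unsafe renderer is a reconstruction of
// the pattern the article describes, not the program's actual source.

// Vulnerable: the value is spliced straight into PHP source.
function render_settings_unsafe(array $settings): string
{
    $php = "<?php\n";
    foreach ($settings as $key => $value) {
        $php .= "\$options['$key'] = \"$value\";\n";
    }
    return $php;
}

// Hardened: var_export() emits a properly escaped PHP literal, and the keys
// are checked against a fixed list so nothing unexpected is written.
const SETTING_KEYS = ['blogname', 'blogurl', 'perpage'];   // assumed option names

function render_settings_safe(array $settings): string
{
    $clean = [];
    foreach (SETTING_KEYS as $key) {
        if (array_key_exists($key, $settings)) {
            $clean[$key] = (string) $settings[$key];
        }
    }
    return "<?php\nreturn " . var_export($clean, true) . ";\n";
}

// Write to a temporary file and rename, so a concurrent request never
// includes a half-written settings file.
function save_settings(string $path, array $settings): void
{
    $tmp = $path . '.tmp';
    file_put_contents($tmp, render_settings_safe($settings), LOCK_EX);
    rename($tmp, $path);
}

// The article's payload, as constructed input
$input = ['blogname' => 'SSS"; phpinfo();"SS'];
echo render_settings_unsafe($input);
// $options['blogname'] = "SSS"; phpinfo();"SS";   <- phpinfo() runs on include
echo render_settings_safe($input);
// 'blogname' => 'SSS"; phpinfo();"SS',            <- stays an inert string literal
```

The hardened file is loaded with $options = include 'admin/settings.php'; Storing settings as data (in the database or a JSON file) rather than as PHP removes the problem entirely and is preferable whenever the file format is not fixed.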
Summary:
The above demonstrations use PHP systems, but the approach also suits other systems such as ASP ones (for example Power, Thrilling Download, etc.). Just be careful when writing the code: if the code is wrong, it may bring down the entire web system.
Another way is the upload vulnerability; no need to say more, huh :).