Injection tools WED and WIS (this manuscript has already been published in a magazine!)

xiaoxiao2021-03-06  70

Injection tools WED and WIS. Text / empty deficiency (the manuscript has already been published in a magazine; if you reprint it, please say so!)

Weapon introduction: Xiaoyan laboratory has newly released an injection combination, WED and WIS. WED (Web Entry Detector) scans for the management account of a website where SQL injection is present. WIS (Web Injection Scanner) automatically scans an entire website for SQL injection, and can also scan for the background login interface. As we all know, the software from Xiaoyan's laboratory has always been known for being "powerful, and foolproof to use". These two tools are also easy to get started with, so that beginners can get the things they want to get.

Target Description: For convenience of explanation, I run the IIS service in a virtual machine at 192.168.0.2. The folder named DG holds a website program with an injection vulnerability, and under the site directory DG there is a mobile network forum, to imitate a real site. In the end I obtained a WebShell based on the characteristics of the site. (Tip: for beginners it may not be easy to find a machine to practise on. If a virtual machine is installed, you can configure it as needed, improve your understanding of the server, and observe the reaction of the attacked machine at any time, do not worry I have already warned on the other desktop, but I still have fun over the hard drive ...) The address of the site is http://192.168.0.2/dg/index.asp and the forum address is http://192.168.0.2/dg/bbs/index.asp (the database is one I had just taken; the hard drive is large, so I like to collect results for later use).

Cheats: WIS and WED are both programs that run under MSDOS. First use WIS to scan for injection points and see whether there is any injection vulnerability. After finding an injection point, scan for the background (administration) page of the website. Finally, with this information in hand, use WED to inject and crack the administrator password. Depending on the actual situation, you can also use WIS to scan for the background directly.

After downloading these two files from Xiaoyu Lab: besides the program itself, WIS comes with a file admin.txt. Open it and you will see that it is a dictionary of relative addresses of website background pages. Evidently the suffix .asp is added automatically when scanning. If you want to add an entry, such as the file logon.asp (this file is also very important, but is not in the list), just enter login and the suffix will be added automatically.

After WED is decompressed there are four files. Besides the program itself, TableName.txt holds administrator table names, userfield.txt holds column names for the username, and passfield.txt holds column names for the user password. (Tip: if the table or column name you need is not in the list, you can search the internet for the site program that the target uses, download that program and open its database. For example, some of the column names of the classmates are not in it. As needed and with experience, grow your dictionary.)

Running WIS with no arguments prints its interface and example usage. For my virtual host site, enter: wis http://192.168.0.2/dg/. This usage automatically searches the website directory for pages with an injection vulnerability. The URL must end with the "/" symbol! If you enter: wis http://192.168.0.2/dg, without the final "/", the program will not run correctly. Press Enter and the program starts running. The result is "/dg/index.asp?classid=1", so the page with the injection vulnerability is http://192.168.0.2/dg/index.asp?classid=1.

Knowing the vulnerable page lets you crack the administrator password, but that is useless if you do not know where the administrator management page is. So the management background has to be scanned for as well. The usage is: wis http://192.168.0.2/dg/ /a, that is, the previous command with "/a" appended. As shown in the figure, the background address is found successfully: http://192.168.0.2/dg/admin/admin.asp (the server returns <200 OK>, which means this page exists).

Use WED against the injectable page to crack the administrator password. Usage: wed http://192.168.0.2/dg/index.asp?classid=1. The result of the run shows that the username is "admin" and the password is also "admin". (Tip: sometimes the cracked password is wrong, which may be caused by network speed or response problems; in that case run the test again. Be sure to wait until the message "UserName is: *** Password is: ***" appears, which is the result of the run. The program pauses part-way through; do not take that to mean there is no password.)

Log in to the background from the background interface. There are two features that can be used: one is file upload, the other is data backup. In testing, the file upload was not usable and always returned an error, so I turned to the image upload of the mobile network forum. First change the suffix of your ASP Trojan to .gif, then upload it and note the address: "UploadFace/20049823261680401.gif".
Since we cannot get permissions on the forum background, return to the website background and choose "Backup Database". For the uploaded picture, the address relative to the website background is "../bbs/uploadface/20049823261680401.gif". The backup directory can be anything you like; the page says that if the directory does not exist it will be created automatically. The resulting address in my case is http://192.168.0.2/dg/kxlzx/kxlzx.asp. This is the WebShell, and the attack is complete.
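The scanning stage described above leaves a clear trace in the web server log: a burst of requests for dictionary .asp names that mostly return 404, followed by requests in which the numeric classid parameter is no longer a number. The following detection sketch is an added example, not part of the original article or of either tool; the log lines are constructed, and the field layout, threshold and function names are assumptions.

```python
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed IIS W3C-style log lines (sample data, not from the original post).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-09-08 23:20:01 192.168.0.9 GET /dg/admin.asp - 404
2004-09-08 23:20:01 192.168.0.9 GET /dg/login.asp - 404
2004-09-08 23:20:02 192.168.0.9 GET /dg/manage.asp - 404
2004-09-08 23:20:02 192.168.0.9 GET /dg/admin/admin.asp - 200
2004-09-08 23:21:10 192.168.0.9 GET /dg/index.asp classid=1%27 200
2004-09-08 23:21:11 192.168.0.9 GET /dg/index.asp classid=1+or+x 200
2004-09-08 23:25:00 192.168.0.7 GET /dg/index.asp classid=1 200
2004-09-08 23:26:00 192.168.0.7 GET /dg/missing.asp - 404
"""

def parse(log_text):
    """Turn W3C extended log text into dicts keyed by the #Fields names."""
    fields, rows = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows

def admin_path_scanners(rows, min_misses=3):
    """Clients that requested several distinct missing .asp pages (dictionary probing)."""
    misses = defaultdict(set)
    for r in rows:
        stem = r["cs-uri-stem"].lower()
        if r["sc-status"] == "404" and stem.endswith(".asp"):
            misses[r["c-ip"]].add(stem)
    return {ip: sorted(p) for ip, p in misses.items() if len(p) >= min_misses}

def non_numeric_params(rows, numeric_params=("classid",)):
    """Requests where a parameter the site treats as an integer is not all digits."""
    hits = []
    for r in rows:
        for name, values in parse_qs(r["cs-uri-query"]).items():
            if name.lower() in numeric_params and not all(v.isdigit() for v in values):
                hits.append((r["c-ip"], r["cs-uri-stem"], name))
    return hits

if __name__ == "__main__":
    rows = parse(SAMPLE_LOG)
    print(admin_path_scanners(rows))
    print(non_numeric_params(rows))
```
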
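The last stage works because two checks are missing: the avatar upload accepts any content named .gif, and "Backup Database" copies an arbitrary source path to an arbitrary destination name. The sketch below shows both checks as an added example, not code from the site program described in the article; DB_FILE, the .bak rule and the function names are hypothetical.

```python
import posixpath

DB_FILE = "/dg/data/site.mdb"   # hypothetical: the only file a backup may read

def looks_like_gif(data: bytes) -> bool:
    """Accept an avatar only if it has a GIF signature and no script tag.

    Conservative by design: an image whose bytes happen to contain "<%"
    is rejected as well.
    """
    return data[:6] in (b"GIF87a", b"GIF89a") and b"<%" not in data

def backup_request_allowed(admin_dir: str, source: str, dest_name: str) -> bool:
    """Allow a backup only from the database file to a plain *.bak name."""
    # Resolve "../" segments before comparing, so relative tricks cannot
    # point the backup at an uploaded file.
    src = posixpath.normpath(posixpath.join(admin_dir, source))
    if src != DB_FILE:
        return False
    # The destination is a bare file name, never a path and never a script type.
    if "/" in dest_name or "\\" in dest_name or dest_name.startswith("."):
        return False
    return dest_name.lower().endswith(".bak")

if __name__ == "__main__":
    # The request from the article: uploaded .gif as source, .asp as destination.
    print(backup_request_allowed(
        "/dg/admin", "../bbs/uploadface/20049823261680401.gif", "kxlzx.asp"))
    # A legitimate backup of the database itself.
    print(backup_request_allowed("/dg/admin", "../data/site.mdb", "site.bak"))
```
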

When reprinting, please cite the original address: https://www.9cbs.com/read-90627.html
