Everyone is already familiar with ASP SQL injection attacks; the rough steps are as below:
The summary above is rather rough; it is just my personal experience, which is the main point here, along with a few simple examples.
After injecting an Access site, sometimes the administrator's upload page can be used, so you can go straight to the step before it, that is, testing for the ASP upload vulnerability. When injecting MSSQL, you may run into sa but have no permissions, and perhaps can only use a tool to list directories; you have to play it according to the actual situation, which is what I said I would write about.
The paragraph above is to lead into my intrusion process.
This site came from a friend; his skills are very good, and the site he gave me had nothing to grab onto. We had a bit of a go at the programs on the site, got a little result, and I will discuss it here.
First I looked at the programs used on this site and its sub-sites; from the domain name www.xxx.com, the page showed a few forums.
Seeing Dvbbs (动网) got me excited; I gave Guilin Veteran's upload exploitation tool a try, and the result was not what I hoped for.
Having only forums and no home page is obviously a waste of space. I pinged it and got the IP, but it turned out only one domain name was bound to this IP. My friend then told me there was another site and gave it to me; sure enough, ASP. Holding to my usual way of "getting over", I injected: MSSQL, sa. I have an independent IP, so I set up TFTP and let it connect back; the result was no response. The backend page could not be found, and NBSI was very slow when injecting, so I had to find another way.
This one was an article system I had not seen before, and the management page could not be found. In fact, I saw that the news had no pictures, which proves he does not upload images; a bit depressing. But you can't let it go: I entered Edit.asp, and it prompted an error about a missing value. Seeing an error means the page exists. From this little program I guessed the administrator's habits and appended id= as the page for editing an article, and indeed I could edit the article without administrator verification. I entered a space in the article and it saved, so I had reached the article editor. But being able to change articles is not the purpose; the purpose is a WebShell.
Continuing to look, I checked the picture path (a path like www.xxx.com/image/aaa.gif usually means the picture was put there by hand, and there will be no upload page; if the picture path is UPLOAD/AAA.GIF, then by trying step by step you can find UPLOAD.ASP, UPPIC.ASP, UPFILE.ASP and so on, and nine times out of ten you will hit one. This is also from experience.) The path was /image/aaa.gif, so it does not look like it was uploaded, and there really was no way forward here.
I suddenly remembered that the forum front page linked to 3 forums, one of them 6.0! My friend said this forum does not allow registration. Dizzy; does the administrator have a problem? Not allowing registration: does he have a vulnerability he hasn't patched, so he dares not allow registration? Or some other reason. But the branches of 6.0 are great fun! If I get a password and enter the backend, I can change the registration information and put in an ASP trojan. I'm not dead yet! I don't believe everyone on your forum is a pro! There must be a weak password! On one page I finally found an idiot with the password 222111. Unfortunately the branches did not succeed; that cost me more than an hour of password guessing! Looking at the administrator group it was obvious these forums were run by the same people, so the patching was unified and there would be no problem, or had someone already been in? Thinking of this, I typed uploadface/ok.asp and uploadface/image.asp; nothing there. Take a closer look! Depressing! Permissions on UploadFace have been set: executable files such as CGI and ASP are not allowed. It seems this administrator is no rookie. So as not to let any place go, I started trying to guess the administrator password; each forum has two administrators, a man and a woman, and the passwords are likely the same, but unfortunately I couldn't guess them... (Who is throwing tomatoes at me? Wait a bit! If I hadn't got in, what would I be writing this for?)
Still in a dilemma, I stared at this site, my mouse wandering, and suddenly! I saw the friendly-links forum; the mouse flashed over it, and it seemed to be a relative path after the IP address. Is that right? I had forgotten the IP from the ping; ping again. Haha, there's a road! There is not only one forum here: one is Nie Shao's forum, one is the Millennium online game forum, Dvbbs 7.0. Still the old way: first look at the online upload; hey... I'm used to disappointment, a false alarm.
Looking at these two forums, the Millennium one is still that same administrator. But Nie Shao's is not, and Nie Shao's forum has only one board, obviously newly set up, so there will probably be problems; this administrator may well be a rookie! Entered the default database path: nothing. Nothing in the backup directory either. Maybe someone helped him out first.
Maybe many people would give up here, but I won't die. When I look at a site and feel it is not a top-notch site, I feel it will have a hole, and I will keep watching all night. I firmly believe there will be a breakthrough! Out of habit I took a deep breath, reviewed the tricks I had already used, then kept observing. As I started to change my thinking, I suddenly remembered that on the last forum there was an administrator whose weak password I hadn't guessed yet! Keeping calm, I opened this administrator's user information and looked: this mailbox is real, so just use it as the password.
Seeing the forum's admin page, my mood, don't ask, I was thrilled. This password was not used only there; it was the backend password too. Hurry, upload a "picture": I fell down! How come? It can't be done! It turns out a picture whose content is ASP does not work. Try a real picture: that works. It's obvious: he allows uploading pictures but checks them. I tried a few trojans, still no. In the basic settings in the backend there is component-free upload, showing the server supports it, yet it cannot upload, so clearly the author does not support it and deliberately changed it.
Whether he deliberately guarded against ASP files or checks the pictures, it doesn't matter, there is a way! Use the tool that inserts a script into a picture; I inserted the Ice Courier one.
Finally the upload succeeded, and in the backend I changed it to an ASP file, only it could not be saved in the UploadFace directory, where execution is not allowed. In this way, after several twists and turns, I got the WebShell.
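As an added, defender-side illustration (not part of the original post), the following Python check shows why a picture check like the one described above can be passed by a picture with a script inserted into it: a header-only check accepts the polyglot, while also scanning the body for ASP delimiters rejects it. The file names and sample bytes are constructed for the demonstration.

```python
# Added defender-side example (not from the original post): two versions of
# an upload check for a "pictures only" form, run against constructed inputs.
import os

# Minimal magic-byte table for the image types the form would accept.
IMAGE_MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}
# Delimiters that open a server-side ASP code block.
ASP_MARKERS = (b"<%", b"<script runat=\"server\"", b"<script language=")


def naive_check(filename: str, data: bytes) -> bool:
    """Header-only check: the kind of check a polyglot GIF slips past."""
    ext = os.path.splitext(filename)[1].lower()
    return ext in IMAGE_MAGIC and data.startswith(IMAGE_MAGIC[ext])


def strict_check(filename: str, data: bytes) -> tuple[bool, str]:
    """Header check plus a scan of the whole body for ASP delimiters."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in IMAGE_MAGIC:
        return False, "extension not an allowed image type"
    if not data.startswith(IMAGE_MAGIC[ext]):
        return False, "header does not match extension"
    lowered = data.lower()
    for marker in ASP_MARKERS:
        if marker.lower() in lowered:
            return False, "server-side script delimiter inside image body"
    return True, "ok"


# Constructed samples: a tiny GIF, a bare ASP file with a .gif name, and the
# same GIF with an inert ASP block appended (the shape the post describes).
REAL_GIF = b"GIF89a" + b"\x01\x00\x01\x00\x00\x00\x00" + b";"
BARE_ASP = b"<% Response.Write(\"marker\") %>"
POLYGLOT = REAL_GIF + b"<% 'constructed, does nothing %>"

if __name__ == "__main__":
    for name, blob in (("a.gif", REAL_GIF), ("b.gif", BARE_ASP), ("c.gif", POLYGLOT)):
        print(name, naive_check(name, blob), strict_check(name, blob))
```

Blocking execution in the upload directory, as the post notes the UploadFace permissions did, is the second layer; the content scan is what stops the polyglot from being accepted in the first place.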
But having got the WebShell, I found there was no write permission, and my purpose only needed write permission on the web directory. Since this site has SQL Server, I found the database connection file in the WebShell:
Conntr = "provider = SQLOLEDB.1; PERSIST security info = true; data source = .; initial catalog = scyg; user ID = sa; password = format C:"
Dizzy, the password is actually "format C:", what personality! With SqlTools.exe, commands could not be executed; xp_cmdshell had been dealt with here. Watching the processes with the Deserter Alliance trojan client, I found that D: has Serv-U, and it happens to be writable. I installed the same version of Serv-U on a zombie machine, then downloaded his ServUDaemon.ini to overwrite mine, opened FTP management, changed the password and browse path, and finally replaced his file, but the end result still failed.
Just as I was about to give up, I saw PcAnywhere in the process list; happy-ing! I dug around his hard drive, copied the file to the web directory and downloaded it, then used PcAnywhereCrack.exe to find the username and password. Oh, the rest is simple.