A skillful Test

A: once, my buddy lost A site with the words "Weight Loss" and it looks like A page. It's really hard to get the shell. But you should check it out, right .. B: I took out a few scanners and scanned them. I found that the server was opened for 21 and 80, which hurt me .. After scanning, wvs finally got a blind note. The permission was db, but it could not read the path. The password account ran out of Pangolin successfully: Haha .. It turns out there is pork, and it is estimated that it is not far from success .. You can see that C: After logging on to the page, I still watched the site. because there were too many sites, I had no effort to get An aspx shell. The artifact running the D bull combined with aspx to check the registry and finally found an executable file. Sadly, it is only a file that can be written and executable, and this directory cannot be written, so only one cmd can be used. D. The Elevation of Privilege is definitely hopeless .. The next step is how to cross-directory. No tool, but manual commands .. Copy and so on. It is useless to try copy by finding a path, but the type is acceptable, but the target path is not. Khan. After dinner, return to see the path read by aspx .. After sorting it out, there are actually more than 400 .. Fuck .. How to guess? I guessed it through the domain name. I tried a lot and found out whois, as shown below: I saw the name and immediately searched for the name, with type e: \ wwwrot \ xxxxx \ web \ bzg \ index. aspx checked several times and finally determined the important name of the directory... \ hw812 \... I tried a lot of domain name guesses. I checked whois and the following: I guessed it through the domain name. I tried a lot of them, but I checked whois, as shown in the following figure: the name is displayed. Search for the name immediately, with type e: \ wwwrot \ xxxxx \ web \ bzg \ index. aspx checked several times and finally determined the important name of the directory... \ hw812 \... with the path, and the injection point, you are ready to go back to the upload. As a result, the database permission fails to be uploaded .. Wondering .. Out of the stars .. For/d % I in (e: \ wwwroot \ hw812 \ web \ *) do @ echo % I command can be used .. The following table lists all directories: www.2cto. comfor/r e: \ wwwroot \ hwfor/r e: \ wwwroot \ hw812 \ web \ manager \ % I in (*) do @ echo % I lists the page for managing directories as follows: I didn't find that there were so many pages. Copy it back and try it one by one. Then, we finally got the static content: Upload it decisively, and finally get the webshell of the target site. Conclusion: Security Testing is actually very important, with patience and basic skills.