PS: I am very technical, cool.
A friend sent me a site and asked me for help. It took a whole morning to take the main site, but the main site ran on LINUX and I could not get privileges there, while 90% of the intranet was WINDOWS Server, which made WINDOWS a lot of trouble; on top of that it was still a low-privilege shell, and NMAP's parameters were not available. I also looked at the C-class segment from the Internet. Besides the main site, three WEB services were open. Two were static and I gave up on them; only one site ran 2K3 + IIS + ASP. That's the one!
After all sorts of attempts, no injection points were found, but the back-end (admin) path was found. What a pity! I found a place where I could leave a message for the administrator, so I used XSS to hit the back end blind. The administrator was not diligent; M days later he logged in. After entering the back end, I found that the administrator's password was 123456. I really wanted to slap my own mouth, and then I got on with it!
I found an image upload in the back end. Went around again and found a place to upload files; it should be possible to upload a webshell (figure 1). After successfully uploading an ASP file, clicking the download link in the back end downloads the file directly. The upload path cannot be found, and I can't even get it by capturing packets.
Then an idea about this upload hit me: MLGB!! No way. I want to find an injection point in the back end to read data and read the download path that is written in the database. Some are filtered out, some throw an error when a quote is entered (figure 2). MYSQL4 database; the UNION query has 9 fields, but the prompt says the type is incorrect, so the ASP code must be forcing a type conversion with CINT. Continued to look for other injection points in the back end and found one where the UNION query runs normally. MYSQL4 database, so LOAD_FILE, decisively. Read the IIS configuration file C:\WINDOWS\system32\inetsrv\MetaBase.xml to get the website root directory. After load_file, the database connection file was found, but it could not be connected to from the previous linux shell. You can guess the tables and columns of the database, but you cannot guess the column that stores the upload path. No way. Read the download.asp file (figure 3).
The key code is strAbsFile = Server.MapPath(".") & "\file\" & strSNO & trim(rs. The original file storage rule is website root\file\upload file ID.suffix. Problem solved! Well, I got the webshell, and then started on all kinds of complicated intranet penetration, which I won't write about.. Because it is work time, the text is rather rushed; please forgive me. Conclusion: The Diaoyu Islands belong to China!
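From the defender's side, the chain above (a UNION query with 9 columns, LOAD_FILE against MetaBase.xml, and an integer parameter that should have been wrapped in CInt) leaves visible traces in the IIS access log. The script below is an added example, not part of the original post: it scans constructed IIS W3C log lines for UNION SELECT / LOAD_FILE fragments and for integer-only parameters carrying non-numeric values; the log lines, field order and the `id` parameter name are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed IIS W3C log lines (not from the original post). Field order:
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2012-09-15 09:12:01 10.0.0.5 GET /admin/download.asp id=37 80 - 10.0.0.77 Mozilla/5.0 200
2012-09-15 09:12:09 10.0.0.5 GET /admin/download.asp id=37%20UNION%20SELECT%201,2,3,4,5,6,7,8,9 80 - 10.0.0.77 Mozilla/5.0 500
2012-09-15 09:12:15 10.0.0.5 GET /admin/list.asp id=37+UNION+SELECT+1,LOAD_FILE('C:/WINDOWS/system32/inetsrv/MetaBase.xml'),3,4,5,6,7,8,9 80 - 10.0.0.77 Mozilla/5.0 200
2012-09-15 09:12:40 10.0.0.5 GET /admin/list.asp id=38 80 - 10.0.0.77 Mozilla/5.0 200
"""

# Parameters the application treats as integer IDs (assumed name). In ASP these
# are the ones that should pass through CInt(); any non-numeric value is hostile.
INTEGER_PARAMS = {"id"}

# SQL fragments from the chain in the post: UNION SELECT to append attacker
# columns, LOAD_FILE() to read files from the database host.
SQL_PATTERNS = [
    ("union_select", re.compile(r"\bunion\b[\s/*]+(?:all[\s/*]+)?select\b", re.I)),
    ("load_file", re.compile(r"\bload_file\s*\(", re.I)),
]

def inspect_query(raw_query):
    """Return the reasons a single URL-encoded query string looks like SQL injection."""
    reasons = []
    decoded = unquote_plus(raw_query)          # %20 and '+' both become spaces
    for name, pattern in SQL_PATTERNS:
        if pattern.search(decoded):
            reasons.append(name)
    for key, values in parse_qs(decoded, keep_blank_values=True).items():
        if key.lower() in INTEGER_PARAMS:
            for value in values:
                if not re.fullmatch(r"-?\d+", value.strip()):
                    reasons.append(f"non_integer_{key}")
    return reasons

def scan_iis_log(text):
    """Return (uri_stem, raw_query, reasons) for every log line that trips a rule."""
    hits = []
    for line in text.splitlines():
        if not line or line.startswith("#"):   # skip blanks and W3C directives
            continue
        fields = line.split(" ")
        if len(fields) < 6:
            continue
        uri_stem, raw_query = fields[4], fields[5]
        reasons = inspect_query(raw_query)
        if reasons:
            hits.append((uri_stem, raw_query, reasons))
    return hits

if __name__ == "__main__":
    for uri_stem, raw_query, reasons in scan_iis_log(SAMPLE_LOG):
        print(f"{uri_stem}?{raw_query} -> {', '.join(reasons)}")
```

On a real server the same rules apply to the full log directory; the non-integer check is the log-side mirror of the CInt cast that blocked the first injection point in the post.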