Access overflow + cross-database query to get a shell

Source: Internet
Author: User
Tags: mdb, database

The website I last tested had abnormal settings, with nothing left to work with. Even FSO had been deleted. It was difficult to find a valuable injection point. After several twists and turns I got into the admin backend and saw an option to change the upload types, but it could not actually be changed. Finally, I found that the upload types are recorded in config.asp, which cannot be changed without FSO. Faint...

I could only think about this one injection point. If only it were SQL with SA permission. Alas, wishful thinking (YY) is useless; I was blocked by Access's poor functions.

I stared at the upload types in a daze: gif, jpg, rar, mdb. Wait. When I saw MDB, I suddenly remembered the MDB overflow that was popular a few years ago: overflow code is added to an MDB database, and it executes as soon as the database is opened.

I can upload an overflow MDB, but uploading alone is useless. How can I make the overflow code actually run?

When I saw the absolute path of the website in the backend, I immediately thought of cross-database queries, haha. I only needed to upload a problematic database and then use a cross-database query to trigger the overflow. In theory this works, so have a try.

Create an overflow MDB, specify the callback IP address and port, upload it, and query it:

Select Count(*) from [D:\new website\UploadFiles\20077181931188.MDB].test

HoHo, a shell appeared successfully in the local listener. Haha, the overflow was successful. Although the shell obtained through the overflow only has GUEST permission, I was still very happy. You can ECHO the pony and use Serv-u to escalate privileges, pretty good.

To sum up, the MDB overflow + cross-database shell method requires the following conditions:

1. You must have the absolute path of the website.

2. You must have an upload point, in any format (even without an MDB suffix, the cross-database connection works as long as the file format is correct).

3. Of course, there must be an injection point.

These conditions are no harsher than those of the once-popular "out-into" shell export method.

Also write down some experiences:

1. Some people on the Internet say that cross-database queries can only be performed using Union. That is not so; I used

City=1 and (Select Count(*) from [D:\new website\UploadFiles\20077181931188.MDB].test)>0

and this is also feasible.

2. When the MDB overflow succeeds, Access will die and no database on the host can be connected to, which makes the web pages fail outright, so it must succeed on the first attempt.

3. Regarding the cross-database path: I once wondered what to do if the absolute path cannot be obtained, since using a relative path reports a disk format error. I find this message a bit ambiguous: it does not say that the path could not be found, but that the disk format is incorrect. Is it because the relative path contains certain characters? This remains to be studied. Another point is that the path can use IPC$; for example, with \\localhost\C$\boot.ini as input, the system can recognize it. I haven't thought about how to use this yet. At least I can guess the directory. ^_^
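A defender-side check for the request pattern described above, as an added example that is not part of the original post: it scans web server log lines for query strings that reference an external database file by drive-letter or UNC path, and flags references that point into an upload folder. The log field order, the UPLOAD_DIRS name and value, and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Jet SQL names a table in another database file as [<path>].<table>;
# <path> is a drive-letter or UNC path, as in the post's query.
EXTERNAL_DB = re.compile(r"\[\s*((?:[A-Za-z]:\\|\\\\)[^\]]+?)\s*\]\s*\.\s*\[?\w+")
# Assumption: upload folder names of the monitored site.
UPLOAD_DIRS = ("uploadfiles",)


def decode(value, rounds=3):
    """URL-decode repeatedly so double-encoded input is normalised."""
    for _ in range(rounds):
        value, previous = unquote_plus(value), value
        if value == previous:
            break
    return value


def external_db_paths(query_string):
    """Return the database file paths a query string refers to."""
    return [m.group(1) for m in EXTERNAL_DB.finditer(decode(query_string))]


def scan(log_lines):
    """Return (client_ip, uri_stem, path, in_upload_dir) for each reference."""
    findings = []
    for line in log_lines:
        fields = line.split()
        # Assumed W3C field order: date time c-ip cs-method cs-uri-stem cs-uri-query
        if line.startswith("#") or len(fields) < 6:
            continue
        for path in external_db_paths(fields[5]):
            uploaded = any(p.lower() in UPLOAD_DIRS for p in path.split("\\"))
            findings.append((fields[2], fields[4], path, uploaded))
    return findings


# Constructed sample log lines (not taken from the page).
SAMPLE = [
    "2007-07-18 19:40:02 192.0.2.10 GET /list.asp City=1",
    "2007-07-18 19:41:17 192.0.2.10 GET /list.asp "
    "City=1+and+(Select+Count(*)+from+[D:%5Csite%5CUploadFiles%5Cup.MDB].test)%3E0",
    "2007-07-18 19:42:30 192.0.2.10 GET /list.asp "
    "City=1+and+(Select+Count(*)+from+[%255C%255Clocalhost%255CC$%255Cx.mdb].t)%3E0",
]

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

A web application has no ordinary reason to receive a database file path in a request parameter, so any hit is worth reviewing; a hit inside an upload folder matches the upload-then-query sequence in the post.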

Webmaster comment:

For 0day details, google "mdb_r_exp".

Microsoft Jet Engine MDB File Parsing Stack Overflow Vulnerability.

Reprinted: lcx.cc
